Microsoft is making a significant move to strengthen Windows security by phasing out NTLM (New Technology LAN Manager).
This legacy authentication protocol has been part of Windows for over 30 years. The company plans to disable NTLM by default in upcoming Windows releases, replacing it with more secure Kerberos-based alternatives.
NTLM is an old authentication protocol that uses challenge-response verification to grant access to network resources.
However, modern security threats have exposed serious weaknesses in NTLM’s outdated design.
The protocol relies on weak cryptography and is vulnerable to multiple attacks, including replay, man-in-the-middle, and pass-the-hash attacks.
Despite being classified as deprecated, NTLM remains widely used in many organizations due to legacy system dependencies and network limitations.
Microsoft’s Three-Phase Transition Plan
Microsoft is implementing a carefully structured roadmap to ensure organizations can transition smoothly without disrupting operations.
| Phase | Focus area | Key capabilities | Target platforms | Timeline / status |
|---|---|---|---|---|
| Phase 1 | Visibility and control | Enhanced NTLM auditing to identify where and why NTLM is used | Windows Server 2025, Windows 11 24H2 and later | Available now |
| Phase 2 | Reducing NTLM dependencies | IAKerb, local KDC for Kerberos without DC line-of-sight, reduced hardcoded NTLM | Windows Server 2025, Windows 11 24H2 and later | Second half of 2026 |
| Phase 3 | NTLM disabled by default | Network NTLM blocked by default, policy-based re‑enable, built-in legacy support | Next major Windows Server and client releases | Future major release |
Phase 1: Enhanced Visibility (Available Now) – Organizations can deploy enhanced NTLM auditing tools with Windows Server 2025 and Windows 11 version 24H2 and later. This helps IT teams identify exactly where and why NTLM is still in use in their environments, laying the foundation for migration efforts.
Phase 2: Addressing Key Blockers (Second Half of 2026) – Microsoft will release new features to solve common NTLM dependencies. These include IAKerb and local Key Distribution Center (KDC) technology to enable Kerberos authentication when domain controllers aren’t directly accessible, support for local account authentication without NTLM fallback, and upgrades to Windows components to prioritize Kerberos over NTLM.
Phase 3: NTLM Disabled by Default (Next Major Windows Release) – Network NTLM will be blocked automatically, and re-enabling it will require explicit administrative policy changes. The system will default to modern Kerberos authentication while maintaining built-in support for handling legacy scenarios.
Microsoft recommends immediate action: deploy enhanced NTLM auditing to identify dependencies, map the applications that require NTLM, prioritize remediation efforts, test NTLM-disabled configurations in non-production environments, and work with application developers to migrate critical systems to Kerberos.
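The first two recommended actions (turn on NTLM auditing, then map which applications still depend on NTLM) can be started today on any supported Windows host using the long-standing "Network security: Restrict NTLM" policies and the NTLM operational event log. The script below is an added example written for this article; it is not Microsoft's tooling and does not use the enhanced auditing events introduced with Windows Server 2025 and Windows 11 24H2, which add further detail on top of the classic events. The registry values and event IDs are the documented ones behind those policies; the message field labels matched by the regular expressions are assumed from the standard 8001/8002 event text and are labelled as such in the code.

```powershell
# Added example, not Microsoft's code. Run in an elevated PowerShell session.
# Puts a host into NTLM audit-only mode (nothing is blocked) and summarizes the
# Microsoft-Windows-NTLM/Operational audit events into a dependency inventory.

$Msv1Key = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0'
$NtlmLog = 'Microsoft-Windows-NTLM/Operational'

function Set-NtlmAuditOnlyMode {
    # AuditReceivingNTLMTraffic: 0 = off, 1 = domain accounts, 2 = all accounts (audit incoming NTLM)
    # RestrictSendingNTLMTraffic: 0 = allow, 1 = audit, 2 = deny (outgoing NTLM to remote servers)
    # Both settings here are audit-only; this is the Phase 1 "visibility" step, not enforcement.
    if (-not (Test-Path $Msv1Key)) { New-Item -Path $Msv1Key -Force | Out-Null }
    Set-ItemProperty -Path $Msv1Key -Name 'AuditReceivingNTLMTraffic' -Value 2 -Type DWord
    Set-ItemProperty -Path $Msv1Key -Name 'RestrictSendingNTLMTraffic' -Value 1 -Type DWord
    Get-ItemProperty -Path $Msv1Key |
        Select-Object AuditReceivingNTLMTraffic, RestrictSendingNTLMTraffic
}

function Get-NtlmUsageInventory {
    param([int]$Days = 7)
    # Event IDs in the NTLM operational log:
    #   8001 = this host sent NTLM to a remote server (outgoing)
    #   8002 = this host accepted NTLM from a client (incoming)
    #   8003 = a domain controller authenticated a domain account with NTLM
    #   8004 = NTLM was blocked by policy (only appears once restrictions are enforced)
    $filter = @{
        LogName   = $NtlmLog
        Id        = 8001, 8002, 8003, 8004
        StartTime = (Get-Date).AddDays(-$Days)
    }
    $events = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue
    foreach ($e in $events) {
        $m = $e.Message
        $direction = switch ($e.Id) {
            8001 { 'Outgoing' }
            8002 { 'Incoming' }
            8003 { 'Domain' }
            8004 { 'Blocked' }
        }
        # Field labels below are an assumption based on the standard event message text;
        # a field that is absent from a given event simply stays $null.
        $target  = if ($m -match '(?m)^Target server:\s*(.+?)\s*$')          { $Matches[1] } else { $null }
        $user    = if ($m -match '(?m)^Supplied user:\s*(.+?)\s*$')          { $Matches[1] } else { $null }
        $process = if ($m -match '(?m)^Name of client process:\s*(.+?)\s*$') { $Matches[1] } else { $null }
        [pscustomobject]@{
            Time      = $e.TimeCreated
            EventId   = $e.Id
            Direction = $direction
            Target    = $target
            User      = $user
            Process   = $process
        }
    }
}

# Usage: enable auditing, let the host run for a while, then group the events so that
# each row is one NTLM dependency (direction, target server, calling process) to remediate.
Set-NtlmAuditOnlyMode
Get-NtlmUsageInventory -Days 7 |
    Group-Object Direction, Target, Process |
    Sort-Object Count -Descending |
    Select-Object Count, Name |
    Format-Table -AutoSize
```

Collect the grouped output from representative clients and servers before changing any enforcement setting; the rows with the highest counts and a named client process are the applications to raise with their developers, and a row whose target is a server reachable only by IP address or outside the domain is a typical candidate for the Phase 2 IAKerb/local KDC features. On domain controllers, the domain-wide view comes from the separate "Audit NTLM authentication in this domain" policy rather than the host-level values set here.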
This transition represents a critical step toward Microsoft’s broader goal of a passwordless, phishing-resistant future while maintaining security-first authentication across Windows environments.
