Microsoft Plans to Disable NTLM by Default in Windows, Marking a Major Shift in Authentication Security

Microsoft has announced a major shift in how Windows handles authentication. After more than 30 years of relying on NTLM (NT LAN Manager), a legacy challenge-response authentication protocol, Windows is moving toward stronger authentication models, Kerberos above all.

NTLM originally let users prove their identity across a network when Kerberos wasn’t available. It has several long-standing weaknesses that modern attackers exploit:

  • It authenticates only the client. The client gets no proof that it is talking to the genuine server, which is what makes relay attacks possible.
  • It’s vulnerable to replay, relay, and pass-the-hash attacks; the stored NT hash is a password equivalent, so stealing it is as good as stealing the password.
  • Its cryptography is weak by today’s standards: NTLMv1 is built on DES, NTLMv2 on HMAC-MD5, and both start from an unsalted MD4 hash of the password.
  • Until recently, it offered limited visibility in security logs, so organizations could not easily tell where it was still in use.

Because of these issues, Microsoft now considers NTLM deprecated (still shipped, but no longer actively developed or recommended) and wants organizations to start preparing for it to be disabled by default in future Windows releases.


The Three-Phase Roadmap to Disable NTLM

Rather than suddenly turning off NTLM, Microsoft has planned a phased approach so enterprises can adapt without breaking things.

Phase 1: Visibility and Control (Available Now)

Windows 11 (version 24H2 and later) and Windows Server 2025 already include enhanced NTLM auditing, which lets administrators see exactly where NTLM is still used and which accounts and hosts depend on it. This visibility is the basis for planning a safe transition.

Phase 2: Reducing NTLM Dependencies (Coming Later in 2026)

Microsoft is building solutions for the common scenarios in which Negotiate falls back to NTLM because Kerberos cannot be used:

  • IAKerb and Local KDC: IAKerb lets a client that cannot reach a domain controller authenticate by passing its Kerberos messages through the server it is connecting to; Local KDC runs a key distribution center on the machine itself so that local accounts can use Kerberos.
  • Local Account Authentication: builds on the above so that logons with local accounts no longer need NTLM.
  • Improved Negotiate behavior: core OS components will try Kerberos first instead of defaulting to NTLM.

These tools are planned for systems running modern builds later in 2026.

Phase 3: NTLM Off by Default (Future Windows Releases)

In an upcoming major Windows Server and corresponding client release:

  • Network NTLM will be disabled by default.
  • You’ll need explicit policies to re-enable NTLM if needed.
  • New built-in handling will make sure common legacy scenarios still work (e.g., authentication using IP addresses, services without SPNs, local accounts on domain machines, etc.).

This doesn’t remove NTLM from Windows yet — it just ensures it isn’t automatically used. You can still turn it on through policy if your environment requires it.


What “Disabled by Default” Really Means

When Microsoft says NTLM will be disabled by default, it means:

  • Windows will no longer fall back to NTLM automatically.
  • The operating system will prefer modern, secure authentication methods like Kerberos.
  • NTLM support will still exist temporarily for compatibility, but only if explicitly re-enabled.

This approach balances security improvements with real-world compatibility needs.


What You Should Do Now

Microsoft recommends organizations begin preparing now. Key steps include:

  1. Turn on enhanced NTLM auditing in your environment to understand where NTLM is still used.
  2. Map dependencies in applications and services that rely on NTLM.
  3. Validate Kerberos support for critical workloads.
  4. Test NTLM-off configurations in non-production environments.
  5. Enable upcoming Kerberos-enhancing features as they become available.
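
Steps 1 and 2 above, finding where NTLM is still used and which accounts and hosts depend on it, are most of the work. The following PowerShell is an added example, not code from Microsoft’s announcement or from Windows itself: it turns Security event 4624 (the logon event, whose AuthenticationPackageName and LmPackageName fields record whether NTLM, and which version, was used) into an inventory, and reads the registry values behind the long-standing "Network security: Restrict NTLM" policies. It does not configure the newer enhanced auditing. The function names, the registry-reading helper and the sample events are my own; the sample events are constructed, not real log data.

```powershell
# Added example, not code from Microsoft's announcement or from Windows itself.
# Assumes an elevated PowerShell session on a Windows host with a readable Security log.
# It uses the long-standing 4624 event fields and "Restrict NTLM" registry values, not the
# newer enhanced-auditing events, which it does not configure.

function Get-EventDataField {
    # Reads one <Data Name='...'> value from a 4624 event rendered as XML.
    param([xml]$Xml, [string]$Name)
    ($Xml.Event.EventData.Data | Where-Object { $_.Name -eq $Name }).'#text'
}

function ConvertFrom-LogonEvent {
    # Flattens a 4624 event into the fields that matter for an NTLM inventory.
    param([xml]$Xml)
    [pscustomobject]@{
        AuthPackage = Get-EventDataField $Xml 'AuthenticationPackageName'  # NTLM, Kerberos or Negotiate
        LmPackage   = Get-EventDataField $Xml 'LmPackageName'              # 'NTLM V1', 'NTLM V2' or '-'
        LogonType   = [int](Get-EventDataField $Xml 'LogonType')           # 3 = network logon
        Account     = '{0}\{1}' -f (Get-EventDataField $Xml 'TargetDomainName'), (Get-EventDataField $Xml 'TargetUserName')
        Workstation = Get-EventDataField $Xml 'WorkstationName'
        SourceIp    = Get-EventDataField $Xml 'IpAddress'
    }
}

function Get-NtlmLogonInventory {
    # Groups NTLM logons by protocol version, account, source host and address.
    # Pass -EventXml (raw event XML strings) to analyse pre-collected data offline;
    # otherwise the local Security log is read.
    param([string[]]$EventXml, [int]$MaxEvents = 5000)
    if (-not $EventXml) {
        $EventXml = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4624 } -MaxEvents $MaxEvents |
                    ForEach-Object { $_.ToXml() }
    }
    $logons = foreach ($x in $EventXml) { ConvertFrom-LogonEvent ([xml]$x) }
    $logons |
        Where-Object { $_.AuthPackage -eq 'NTLM' -or $_.LmPackage -like 'NTLM*' } |
        Group-Object LmPackage, Account, Workstation, SourceIp |
        ForEach-Object {
            $first = $_.Group[0]
            # NTLMv1 (DES-based) is the weakest case and the first thing to eliminate.
            $priority = if ($first.LmPackage -eq 'NTLM V1') { 'High' } else { 'Normal' }
            [pscustomobject]@{
                Count       = $_.Count
                Priority    = $priority
                LmPackage   = $first.LmPackage
                Account     = $first.Account
                Workstation = $first.Workstation
                SourceIp    = $first.SourceIp
            }
        } |
        Sort-Object @{ Expression = 'Priority' }, @{ Expression = 'Count'; Descending = $true }
}

function Get-NtlmPolicyState {
    # Shows the registry values behind the "Network security: ... NTLM" Group Policy settings.
    # A missing value means the policy is not configured and the OS default applies.
    $lsa = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
    $msv = "$lsa\MSV1_0"
    [pscustomobject]@{
        # 0-2 still send LM/NTLMv1 responses; 3 and above send NTLMv2 only; 5 also refuses LM and NTLMv1 as a server.
        LmCompatibilityLevel       = (Get-ItemProperty $lsa -Name LmCompatibilityLevel -ErrorAction SilentlyContinue).LmCompatibilityLevel
        # Outgoing NTLM to remote servers: 0 = allow, 1 = audit, 2 = deny.
        RestrictSendingNTLMTraffic = (Get-ItemProperty $msv -Name RestrictSendingNTLMTraffic -ErrorAction SilentlyContinue).RestrictSendingNTLMTraffic
        # Incoming NTLM audit: 0 = off, 1 = domain accounts, 2 = all accounts.
        AuditReceivingNTLMTraffic  = (Get-ItemProperty $msv -Name AuditReceivingNTLMTraffic -ErrorAction SilentlyContinue).AuditReceivingNTLMTraffic
    }
}

# Constructed sample events (not real log data) so the inventory can be tried offline.
$sampleEvents = @(
@"
<Event xmlns='http://schemas.microsoft.com/win/2004/08/events/event'><System><EventID>4624</EventID></System>
<EventData><Data Name='TargetUserName'>svc-backup</Data><Data Name='TargetDomainName'>CORP</Data>
<Data Name='LogonType'>3</Data><Data Name='WorkstationName'>LEGACYNAS</Data>
<Data Name='AuthenticationPackageName'>NTLM</Data><Data Name='LmPackageName'>NTLM V1</Data>
<Data Name='IpAddress'>10.0.4.17</Data></EventData></Event>
"@,
@"
<Event xmlns='http://schemas.microsoft.com/win/2004/08/events/event'><System><EventID>4624</EventID></System>
<EventData><Data Name='TargetUserName'>jdoe</Data><Data Name='TargetDomainName'>CORP</Data>
<Data Name='LogonType'>3</Data><Data Name='WorkstationName'>WS-0042</Data>
<Data Name='AuthenticationPackageName'>Kerberos</Data><Data Name='LmPackageName'>-</Data>
<Data Name='IpAddress'>10.0.7.3</Data></EventData></Event>
"@
)

Get-NtlmLogonInventory -EventXml $sampleEvents | Format-Table -AutoSize   # the Kerberos logon is filtered out
Get-NtlmPolicyState
```

On a live host, drop -EventXml to read the local Security log, and run the inventory on domain controllers and file servers, where NTLM logons concentrate. The LmPackage column separates NTLMv1 from NTLMv2; any NTLM V1 row should be fixed first regardless of Microsoft’s timeline. NTLM that never produces a 4624 on the host you are looking at (for example, outbound NTLM from a client) is covered by the older audit policies: set RestrictSendingNTLMTraffic to 1 and AuditReceivingNTLMTraffic to 2, then read events 8001 (outgoing) and 8002 (incoming) from the Microsoft-Windows-NTLM/Operational log. Once the inventory is empty for a test group, move those hosts to RestrictSendingNTLMTraffic = 2 (deny) to rehearse step 4 before the default changes.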

Bottom Line

NTLM served Windows environments for decades, but it’s increasingly out of step with today’s security needs. By shifting Windows defaults toward Kerberos and giving enterprises time to adapt, Microsoft aims to significantly reduce a major attack surface and modernize authentication across the platform.