
Microsoft Improves Windows Security with NTLM Authentication Phase-Out

Microsoft is transitioning Windows authentication from the legacy New Technology LAN Manager (NTLM) protocol to stronger Kerberos-based alternatives. The move addresses critical security vulnerabilities in NTLM and aligns Windows with modern authentication standards.


[Image: Microsoft Edge VPN Secure Network banner. Image by Microsoft]

NTLM has served as a challenge-response authentication mechanism in Windows environments for over thirty years, typically functioning as a fallback when Kerberos is unavailable. Its cryptographic weaknesses now expose systems to replay attacks, man-in-the-middle exploits, and other threats, and the protocol no longer meets contemporary security requirements.

Organizations using NTLM encounter significant risks including absent server authentication, susceptibility to relay and pass-the-hash attacks, weak cryptographic protection, and historically limited auditing capabilities.

Transition Roadmap

Microsoft has defined a three-phase approach to disable NTLM by default in future Windows releases, ensuring organizations can migrate securely without operational disruption.

Phase One: Immediate Auditing Deployment

Enhanced NTLM auditing tools are available today for Windows Server 2025 and Windows 11 version 24H2. These capabilities provide organizations with precise visibility into NTLM usage patterns across their infrastructure.

Phase Two: Resolution of Authentication Challenges

Microsoft will introduce features including IAKerb and Local Key Distribution Center in the second half of 2026. These tools will eliminate common NTLM dependencies such as domain controller connectivity limitations, local account authentication requirements, and hardcoded protocol selections in core Windows components.

Phase Three: Default Disablement

The next major Windows Server release will disable network NTLM authentication by default. Administrators may explicitly re-enable NTLM through new policy controls. Built-in support mechanisms will handle legacy scenarios involving unknown Service Principal Names, IP address-based requests, and local accounts on domain-joined machines.


Microsoft advises organizations to deploy enhanced auditing immediately, map application and service dependencies, prioritize Kerberos migration for critical workloads, and test NTLM-disabled configurations in non-production environments. Engagement with identity, security, and application teams is essential for successful transition planning.
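As an added illustration of the first recommendation (not code from the article or from Microsoft), the PowerShell below builds a first-pass NTLM dependency inventory from the standard Security log. It relies only on the long-standing logon event 4624 and its EventData fields, not on the newer enhanced auditing features the article mentions; the host list, look-back window and output path are assumptions.

```powershell
# Added example: inventory NTLM logons recorded as Security event 4624 so that
# accounts, client machines and NTLM versions still in use can be mapped before
# NTLM is disabled. Assumes the target hosts are reachable for remote event log
# queries and that the caller has rights to read the Security log.
param(
    [string[]]$ComputerName = @($env:COMPUTERNAME),   # hosts to query (assumed)
    [int]$Days = 7,                                    # look-back window (assumed)
    [string]$OutFile = '.\ntlm-usage.csv'              # output path (assumed)
)

$since = (Get-Date).AddDays(-$Days)

$rows = foreach ($computer in $ComputerName) {
    $filter = @{ LogName = 'Security'; Id = 4624; StartTime = $since }
    Get-WinEvent -ComputerName $computer -FilterHashtable $filter -ErrorAction SilentlyContinue |
        ForEach-Object {
            # Read the named EventData fields from the event XML rather than parsing the
            # rendered Message text, which depends on the display language.
            $xml = [xml]$_.ToXml()
            $d = @{}
            foreach ($item in $xml.Event.EventData.Data) { $d[$item.Name] = $item.'#text' }

            if ($d['AuthenticationPackageName'] -eq 'NTLM') {
                [pscustomobject]@{
                    Host        = $computer
                    Time        = $_.TimeCreated
                    LogonType   = $d['LogonType']         # 3 = network, 2 = interactive, ...
                    NtlmVersion = $d['LmPackageName']     # 'NTLM V1' or 'NTLM V2'
                    Account     = "$($d['TargetDomainName'])\$($d['TargetUserName'])"
                    Client      = $d['WorkstationName']
                    ClientIp    = $d['IpAddress']
                }
            }
        }
}

# Summary view: which accounts still authenticate with NTLM, from which clients,
# and whether any NTLMv1 remains (the weakest variant and the first to eliminate).
$rows | Group-Object Account, Client, NtlmVersion |
    Sort-Object Count -Descending |
    Select-Object Count, Name |
    Format-Table -AutoSize

# Full detail for the dependency map and for sharing with application owners.
$rows | Export-Csv -Path $OutFile -NoTypeInformation
```

Run it against a representative set of servers over a full business cycle, since some NTLM-dependent jobs only run weekly or monthly.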

Source


Author: Sergey Tkachenko

Sergey Tkachenko is a software developer who started Winaero back in 2011. On this blog, Sergey is writing about everything connected to Microsoft, Windows and popular software. Follow him on Telegram, Twitter, and YouTube.
