In a recent blog post, Microsoft announced that it will disable the legacy NTLM authentication protocol by default in upcoming Windows Server and Windows client releases, citing long-standing security weaknesses.
NTLM (New Technology LAN Manager) is an authentication protocol that was introduced in 1993 with Windows NT and was the default for domain-joined systems until Kerberos replaced it starting with Windows 2000. Even so, NTLM has remained in use as a fallback mechanism when Kerberos is unavailable.
Security researchers have repeatedly shown that NTLM can be exploited in relay and pass-the-hash attacks, allowing threat actors to escalate privileges, move laterally within networks, and compromise Windows domains. Several well-known attack techniques have continued to abuse NTLM on modern Windows servers.
As part of Microsoft’s broader push toward passwordless and phishing-resistant authentication, the company will ship future Windows versions in a secure-by-default state where network NTLM authentication is blocked and no longer used automatically. Kerberos-based authentication will be preferred instead.
Microsoft outlined a three-phase transition plan. Administrators can already audit NTLM usage using tools available in Windows 11 24H2 and Windows Server 2025. New capabilities, including IAKerb and a Local Key Distribution Center, are expected in the second half of 2026 to reduce NTLM fallback scenarios. In later releases, NTLM will be disabled by default but can still be re-enabled through policy if required.
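Before NTLM is switched off, the practical first step is an inventory of who still authenticates with it. The following PowerShell script is an added example (not code from Microsoft's post or the tooling it mentions) that reads successful logon events (ID 4624) from a host's local Security log and lists the accounts and source hosts still using NTLM for network logons. It assumes it runs elevated on a machine with logon auditing enabled; the `$Days` window is an assumed parameter.

```powershell
# Added example: inventory NTLM network logons recorded in the local Security
# event log so that remaining NTLM dependencies can be found and migrated to
# Kerberos before NTLM is disabled. Assumes an elevated session and logon auditing.
param(
    [int]$Days = 7   # assumed look-back window
)

$since = (Get-Date).AddDays(-$Days)

# Event 4624 = successful logon. AuthenticationPackageName says whether NTLM or
# Kerberos was used; LogonType 3 is a network logon (SMB, RPC, HTTP, ...).
$events = Get-WinEvent -FilterHashtable @{
    LogName   = 'Security'
    Id        = 4624
    StartTime = $since
} -ErrorAction SilentlyContinue

$ntlm = foreach ($e in $events) {
    # The named EventData fields are only reachable through the event XML.
    $xml  = [xml]$e.ToXml()
    $data = @{}
    foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }

    if ($data['AuthenticationPackageName'] -eq 'NTLM' -and $data['LogonType'] -eq '3') {
        [pscustomobject]@{
            Time     = $e.TimeCreated
            Account  = "$($data['TargetDomainName'])\$($data['TargetUserName'])"
            Source   = $data['WorkstationName']
            SourceIP = $data['IpAddress']
            Version  = $data['LmPackageName']   # e.g. "NTLM V1" or "NTLM V2"
        }
    }
}

# Each (source host, account) pair below is a dependency to migrate or fix,
# e.g. a service reaching the server by IP address instead of hostname,
# which forces Kerberos to fall back to NTLM.
$ntlm |
    Group-Object Source, Account |
    Sort-Object Count -Descending |
    Select-Object Count, Name |
    Format-Table -AutoSize
```

Run it on file servers and domain controllers first, where NTLM fallback is most common; NTLM V1 rows deserve attention before anything else.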
Microsoft first announced plans to retire NTLM in 2023 and officially deprecated the protocol in 2024. For organizations still relying on NTLM, the transition window is open now and acting early will help avoid potential disruptions once it’s disabled.
