
Microsoft phases out NTLM for Kerberos-first Windows

Microsoft is preparing to disable network NTLM authentication by default in upcoming Windows releases. The change pushes organizations toward Kerberos-based authentication, with new auditing and migration tooling to reduce disruption. Microsoft is rolling this out in phases, starting with better visibility in current builds.

Main change: NTLM moves from deprecated to disabled by default

NTLM has been deprecated, but it still runs widely as a Kerberos fallback. Microsoft now plans to block network NTLM by default in the next major Windows Server release and related client releases. NTLM will remain in the OS during the transition, but it will not auto-negotiate. Re-enablement will require explicit policy controls, reducing exposure to relay and pass-the-hash attacks.

Practical implications: audit, remediate, and test NTLM-off paths

Teams should treat this as an identity dependency project, not a simple policy change. Start by deploying enhanced NTLM auditing, available on Windows Server 2025 and Windows 11 24H2 and later. Use logs to map NTLM callers, including legacy apps, IP-based access, and unknown SPNs. Then prioritize Kerberos fixes, validate with staging NTLM-off baselines, and plan for exception policies where replacement is impossible.

Microsoft is also addressing common blockers that force NTLM fallback today. IAKerb and Local KDC are intended to help when domain controllers are unreachable or when local accounts are involved. Core Windows components will also negotiate Kerberos first to shrink hardcoded NTLM usage. These capabilities are targeted for the second half of 2026 on supported platforms.

“Disabling NTLM by default does not mean completely removing NTLM from Windows yet.”

The immediate next step is to enable enhanced auditing and build an inventory of NTLM dependencies across services and endpoints. After that, begin controlled testing of NTLM-disabled configurations and define clear exception criteria. Expect future documentation and policy controls to shape how long NTLM can remain enabled in production.
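An added example of the inventory step described in the two paragraphs above (it is not code from the article or from Microsoft's tooling): it parses Security log logon events (ID 4624) in the XML shape Get-WinEvent returns, keeps only those that used the NTLM package, and groups them by account, source host, address and NTLM version so each caller can be triaged. The sample events are constructed, and relying on classic 4624 fields rather than the newer enhanced-auditing events is an assumption.

```powershell
# Added example, not from the article or Microsoft's tooling: NTLM caller inventory from 4624 events.
# Assumption: classic 4624 fields are used; the enhanced NTLM auditing events on Windows Server 2025
# and Windows 11 24H2 carry more detail and can be fed through the same grouping.
function Get-NtlmCallerInventory {
    param(
        # Event XML strings, as returned by (Get-WinEvent ...).ToXml()
        [Parameter(Mandatory)] [string[]] $EventXml
    )
    $rows = foreach ($xmlText in $EventXml) {
        $x = [xml]$xmlText
        $data = @{}
        foreach ($d in $x.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
        # Keep only logons that actually used NTLM (Kerberos logons report 'Kerberos' here)
        if ($data['AuthenticationPackageName'] -ne 'NTLM') { continue }
        [pscustomobject]@{
            Account      = "$($data['TargetDomainName'])\$($data['TargetUserName'])"
            Workstation  = $data['WorkstationName']
            IpAddress    = $data['IpAddress']
            NtlmVersion  = $data['LmPackageName']
            # Logon type 3 is a network logon, the path that "disable network NTLM" affects
            NetworkLogon = ($data['LogonType'] -eq '3')
        }
    }
    # One line per distinct caller with a count, so the noisiest dependencies surface first
    $rows | Group-Object Account, Workstation, IpAddress, NtlmVersion, NetworkLogon |
        ForEach-Object {
            $first = $_.Group[0]
            [pscustomobject]@{
                Count        = $_.Count
                Account      = $first.Account
                Workstation  = $first.Workstation
                IpAddress    = $first.IpAddress
                NtlmVersion  = $first.NtlmVersion
                NetworkLogon = $first.NetworkLogon
            }
        } | Sort-Object Count -Descending
}
# Constructed sample events (accounts, hosts and addresses are made up)
$sample = @(
    '<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><EventID>4624</EventID></System><EventData><Data Name="TargetUserName">svc-legacy</Data><Data Name="TargetDomainName">CORP</Data><Data Name="LogonType">3</Data><Data Name="AuthenticationPackageName">NTLM</Data><Data Name="LmPackageName">NTLM V2</Data><Data Name="WorkstationName">APP01</Data><Data Name="IpAddress">10.0.5.17</Data></EventData></Event>',
    '<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><EventID>4624</EventID></System><EventData><Data Name="TargetUserName">svc-legacy</Data><Data Name="TargetDomainName">CORP</Data><Data Name="LogonType">3</Data><Data Name="AuthenticationPackageName">NTLM</Data><Data Name="LmPackageName">NTLM V2</Data><Data Name="WorkstationName">APP01</Data><Data Name="IpAddress">10.0.5.17</Data></EventData></Event>',
    '<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><EventID>4624</EventID></System><EventData><Data Name="TargetUserName">scanner</Data><Data Name="TargetDomainName">CORP</Data><Data Name="LogonType">3</Data><Data Name="AuthenticationPackageName">NTLM</Data><Data Name="LmPackageName">NTLM V1</Data><Data Name="WorkstationName">-</Data><Data Name="IpAddress">10.0.9.3</Data></EventData></Event>',
    '<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><EventID>4624</EventID></System><EventData><Data Name="TargetUserName">jdoe</Data><Data Name="TargetDomainName">CORP</Data><Data Name="LogonType">3</Data><Data Name="AuthenticationPackageName">Kerberos</Data><Data Name="LmPackageName">-</Data><Data Name="WorkstationName">WS42</Data><Data Name="IpAddress">10.0.7.21</Data></EventData></Event>'
)
Get-NtlmCallerInventory -EventXml $sample | Format-Table -AutoSize
# Live host: Get-NtlmCallerInventory -EventXml ((Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4624} -MaxEvents 5000).ToXml())
```

The Kerberos sample is dropped by the filter, so the table lists two NTLM callers, with the repeated svc-legacy logon counted twice and the NTLM V1 entry standing out as the first remediation target.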

Key points from the article:

  • NTLM is deprecated and vulnerable to relay, replay, and pass-the-hash attacks.
  • Enhanced NTLM auditing shows where NTLM is still used and why.
  • IAKerb and Local KDC reduce NTLM fallback when DC access is limited.
  • Core Windows components will negotiate Kerberos first to limit NTLM usage.
  • Future releases will block network NTLM by default, with policy-based re-enable.