
Microsoft Deprecates NTLM: Switch to Kerberos-first Authentication

Microsoft’s recent announcement to deprecate NTLM and shift to Kerberos-first authentication addresses security vulnerabilities and mitigates risks.

Microsoft’s Game-Changing Announcement: Deprecating NTLM and Embracing Kerberos-first Authentication

Get ready for a major shift in the tech world! Microsoft, the tech giant, has recently announced its intention to deprecate NTLM (NT LAN Manager) authentication and move towards a Kerberos-first approach. This move is aimed at enhancing security and mitigating risks for tech professionals like you.

Why the Need for Change?

NTLM, an outdated authentication protocol, has been a target for various attacks, including relay, replay, and pass-the-hash attacks. These vulnerabilities pose significant risks to your organization’s security.

“NTLM is an outdated authentication protocol that is vulnerable to various attacks. It’s time to move on.” – Microsoft

Identifying and Addressing NTLM Usage

Microsoft’s latest offerings, Windows Server 2025 and Windows 11 24H2+, come with enhanced NTLM auditing capabilities. This feature helps you identify where and why NTLM is still in use in your organization. Armed with this knowledge, you can take steps to minimize NTLM usage and transition to Kerberos.
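As an added example (not code from the article or from Microsoft), the following Python script shows the kind of triage the auditing step leads to: it reads exported Windows Security logon events (event 4624), keeps those whose authentication package is NTLM, and summarises them by source host and NTLM version so that NTLMv1 sources stand out. The event ID and field names are the standard 4624 fields; the sample records are constructed for the example.

```python
"""Summarise NTLM logons from exported Windows Security 4624 events."""
import xml.etree.ElementTree as ET
from collections import Counter

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

def _event(pkg, lm, user, host, ip, logon_type="3"):
    # Build a minimal 4624 record in the XML shape of an EVTX export.
    return f"""<Event xmlns="{NS['e']}"><System><EventID>4624</EventID></System>
<EventData>
 <Data Name="TargetUserName">{user}</Data>
 <Data Name="LogonType">{logon_type}</Data>
 <Data Name="AuthenticationPackageName">{pkg}</Data>
 <Data Name="LmPackageName">{lm}</Data>
 <Data Name="WorkstationName">{host}</Data>
 <Data Name="IpAddress">{ip}</Data>
</EventData></Event>"""

# Constructed sample events, not real telemetry. LmPackageName carries
# "NTLM V1" / "NTLM V2" for NTLM logons and "-" when Kerberos was used.
SAMPLE_EVENTS = [
    _event("Kerberos", "-", "alice", "WS01", "10.0.0.11"),
    _event("NTLM", "NTLM V2", "svc_backup", "FS02", "10.0.0.52"),
    _event("NTLM", "NTLM V2", "svc_backup", "FS02", "10.0.0.52"),
    _event("NTLM", "NTLM V1", "legacy_app", "APP-OLD", "10.0.0.77"),
    _event("Negotiate", "-", "bob", "WS03", "10.0.0.13"),
]

def _fields(xml_text):
    root = ET.fromstring(xml_text)
    eid = root.findtext("e:System/e:EventID", namespaces=NS)
    data = {d.get("Name"): (d.text or "") for d in root.iterfind("e:EventData/e:Data", NS)}
    return eid, data

def ntlm_usage(events):
    """Return {(workstation, ip, lm_version): count} for 4624 logons that used NTLM."""
    counts = Counter()
    for xml_text in events:
        eid, d = _fields(xml_text)
        if eid != "4624" or d.get("AuthenticationPackageName") != "NTLM":
            continue
        key = (d.get("WorkstationName", "-"), d.get("IpAddress", "-"), d.get("LmPackageName", "-"))
        counts[key] += 1
    return dict(counts)

def ntlmv1_sources(events):
    """Hosts still negotiating NTLMv1: the first candidates for remediation."""
    return sorted({host for (host, _ip, lm) in ntlm_usage(events) if lm == "NTLM V1"})

if __name__ == "__main__":
    for (host, ip, lm), n in sorted(ntlm_usage(SAMPLE_EVENTS).items()):
        print(f"{host:10} {ip:12} {lm:8} {n}")
    print("NTLMv1 sources:", ntlmv1_sources(SAMPLE_EVENTS))
```

On a real estate the same logic runs over events exported from the domain controllers and file servers, and the per-host counts tell you where NTLM fallback still happens before Kerberos-first enforcement is switched on.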

Minimizing NTLM Fallback with New Tools

Tools like IAKerb and Local KDC can help minimize NTLM fallback when DC (Domain Controller) access is limited. These tools enhance security by limiting the use of NTLM and promoting the use of Kerberos.

“IAKerb and Local KDC are essential tools for organizations looking to minimize NTLM fallback and improve security.” – Microsoft

Prioritizing Kerberos Authentication

Core Windows components will prioritize Kerberos authentication to limit NTLM usage and improve overall security. This shift will lead to a more secure environment for your organization.

The Future: Blocking NTLM by Default

Future releases from Microsoft will block network NTLM by default. However, they will provide a policy-based option to re-enable it, to maintain compatibility with legacy systems. This approach strikes a balance between security and compatibility.

In conclusion, Microsoft’s decision to deprecate NTLM and promote Kerberos-first authentication is a significant step towards enhancing security and mitigating risks for tech professionals. By understanding the reasons behind this change and taking advantage of the new tools and features, you can ensure a smooth transition and a more secure IT environment for your organization.

Stay informed and stay ahead of the curve! Keep an eye on Microsoft’s announcements and updates to make the most of these changes and secure your organization’s digital future.

Key points from the article:

  • NTLM, the outdated authentication protocol, is susceptible to relay, replay, and pass-the-hash attacks, making it a security risk.
  • Windows Server 2025 and Windows 11 24H2+ offer enhanced NTLM auditing to help identify and eliminate its usage.
  • Tools like IAKerb and Local KDC minimize NTLM fallback when DC access is limited, enhancing security and reducing reliance on NTLM.
  • Core Windows components will prioritize Kerberos authentication to improve overall security and limit NTLM usage.
  • Future releases will block network NTLM by default, with a policy-based option to re-enable it for compatibility with legacy systems, ensuring a more secure infrastructure.