Microsoft Outlines A Phased Plan To Disable NTLM By Default In Windows

Enhanced auditing and Kerberos improvements aim to reduce risk while supporting legacy environments

Published on Feb 2, 2026
Microsoft

Microsoft is advancing its effort to modernize Windows authentication by outlining a phased plan to disable New Technology LAN Manager (NTLM) by default in upcoming Windows releases.

The shift is intended to reduce exposure to credential-based attacks, while giving organizations time and tools to transition safely to stronger authentication methods.

For context, NTLM has existed in Windows environments for more than three decades. It relies on a challenge-response process to authenticate users and systems, typically when Kerberos authentication cannot be used.

While NTLM remains widely deployed, it does not meet current security expectations. The protocol lacks server authentication, uses weak cryptography, and is susceptible to replay, relay, and pass-the-hash attacks, all of which increase enterprise risk.

Building Toward Secure-by-Default Authentication

Microsoft’s roadmap follows a three-phase approach. The first phase provides increased visibility and control over NTLM usage and availability. The ability to audit NTLM is available now in both Windows Server 2025 and Windows 11 version 24H2. This phase is intended to let security teams identify where NTLM is still in use and why. The enhanced auditing is also designed to enable informed planning for remediation actions prior to enforcement.
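The first phase is about finding out where NTLM is still being used before anything is enforced. The following is an added example (not Microsoft's code and not the enhanced NTLM auditing the article refers to): it summarizes NTLM logons from the long-standing Security log event 4624, which records the authentication package used. It assumes it runs with rights to read the Security log on a Windows host or domain controller, and the parameter names (`Days`, `ComputerName`) are this example's own.

```powershell
# Added example: inventory NTLM logons from Security event 4624.
# Assumes read access to the Security log on the target host.
param(
    [int]$Days = 7,                          # how far back to look
    [string]$ComputerName = $env:COMPUTERNAME
)

# 4624 = successful logon. AuthenticationPackageName is 'NTLM' for NTLM logons;
# LmPackageName distinguishes 'NTLM V1' from 'NTLM V2'; LogonType 3 = network.
$filter = @{
    LogName   = 'Security'
    Id        = 4624
    StartTime = (Get-Date).AddDays(-$Days)
}

$rows = foreach ($ev in Get-WinEvent -ComputerName $ComputerName -FilterHashtable $filter -ErrorAction Stop) {
    # Pull the EventData fields out of the event XML into a hashtable.
    $x = [xml]$ev.ToXml()
    $d = @{}
    foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }

    # Keep only NTLM; Kerberos logons show 'Kerberos' here.
    if ($d['AuthenticationPackageName'] -ne 'NTLM') { continue }

    [pscustomobject]@{
        Time        = $ev.TimeCreated
        User        = "$($d['TargetDomainName'])\$($d['TargetUserName'])"
        Workstation = $d['WorkstationName']
        SourceIp    = $d['IpAddress']
        LogonType   = $d['LogonType']
        Package     = $d['LmPackageName']    # 'NTLM V1' or 'NTLM V2'
    }
}

# Who is still authenticating with NTLM, from where, and with which version.
"NTLM logons in the last $Days day(s) on $ComputerName"
$rows | Group-Object User, Workstation, Package | Sort-Object Count -Descending |
    Select-Object Count,
        @{n='User';        e={ $_.Group[0].User }},
        @{n='Workstation'; e={ $_.Group[0].Workstation }},
        @{n='SourceIp';    e={ $_.Group[0].SourceIp }},
        @{n='Package';     e={ $_.Group[0].Package }} |
    Format-Table -AutoSize

# NTLMv1 is the weakest case and the first thing to remediate; list it separately.
$v1 = $rows | Where-Object Package -eq 'NTLM V1'
if ($v1) {
    "NTLMv1 logons (remediate first):"
    $v1 | Select-Object Time, User, Workstation, SourceIp | Format-Table -AutoSize
}
```

Run it on a domain controller to see which accounts and workstations fall back to NTLM for domain authentication, and on individual servers for local NTLM use. The "Network security: Restrict NTLM" audit policies additionally write events 8001 through 8004 to the Microsoft-Windows-NTLM/Operational log, which record the target server and the reason NTLM was used; combining both sources is what makes the "why" part of phase one answerable before the later phases remove the fallback.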

The second phase, scheduled for the second half of 2026, targets common technical blockers that force NTLM fallback. Microsoft plans to introduce capabilities such as Initial and Pass-Through Authentication Using Kerberos (IAKerb) and a local Key Distribution Center (KDC).

These features are designed to support Kerberos authentication, even when domain controllers are not directly reachable. In parallel, all of the core Windows services will be updated to prefer Kerberos authentication over NTLM.

The final phase will coincide with the next major Windows Server release. At that point, network NTLM will be disabled by default, and organizations will need to explicitly re-enable it through new policy controls if required.


The company clarified that NTLM will still exist in the operating system at that point, so organizations will continue to be able to support unique edge cases such as unknown Service Principal Names (SPNs), IP-based authentication, or local accounts on domain-joined systems.