Ravie Lakshmanan | Feb 02, 2026 | Kerberos / Enterprise Security
Microsoft has announced a three-phase approach to phase out New Technology LAN Manager (NTLM) as part of its efforts to shift Windows environments toward stronger, Kerberos-based options.
The development comes more than two years after the tech giant revealed its plans to deprecate the legacy technology, citing its susceptibility to weaknesses that could facilitate relay attacks and allow bad actors to gain unauthorized access to network resources. NTLM was formally deprecated in June 2024 and no longer receives updates.
“NTLM consists of security protocols originally designed to provide authentication, integrity, and confidentiality to users,” Mariam Gewida, Technical Program Manager II at Microsoft, explained. “However, as security threats have evolved, so have our standards to meet modern security expectations. Today, NTLM is susceptible to various attacks, including replay and man-in-the-middle attacks, due to its use of weak cryptography.”
Despite the deprecated status, Microsoft said it continues to find the use of NTLM prevalent in enterprise environments where modern protocols like Kerberos cannot be implemented due to legacy dependencies, network limitations, or ingrained application logic. This, in turn, exposes organizations to security risks, such as replay, relay, and pass-the-hash attacks.
To mitigate this problem in a secure manner, the company has adopted a three-phase strategy that paves the way for NTLM to be disabled by default:
Phase 1: Building visibility and control using enhanced NTLM auditing to better understand where and why NTLM is still being used (Available now)
Phase 2: Addressing common roadblocks that prevent a migration off NTLM through features like IAKerb and local Key Distribution Center (KDC) (pre-release), as well as updating core Windows components to prioritize Kerberos authentication (Expected in H2 2026)
Phase 3: Disabling NTLM in the next version of Windows Server and the associated Windows client, and requiring explicit re-enablement through new policy controls
Microsoft has positioned the transition as a major step toward a passwordless, phishing-resistant future. It also requires organizations relying on NTLM to conduct audits, map dependencies, migrate to Kerberos, test NTLM-off configurations in non-production environments, and enable Kerberos upgrades.
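The audit-and-map-dependencies step above is the part an administrator can start today with what Windows already logs. The script below is an added example, not code from the article or from Microsoft: it pulls Security event 4624 (successful logon) from a server or domain controller, keeps only network logons (LogonType 3) whose authentication package is NTLM, and summarizes them by account, source address and NTLM version, which is the inventory needed before any NTLM-off test. It assumes the Security log is retained for the window queried, that it is run with rights to read that log, and that the `$Days` and `$ComputerName` parameters are the caller's choice; the event field names used are the standard ones in 4624.

```powershell
# Added example (not from the article or Microsoft): inventory NTLM network logons
# recorded in the Security log so NTLM dependencies can be mapped before disabling it.
# Assumptions: Security log retention covers $Days, the caller can read the log on
# $ComputerName, and auditing of logon events is enabled (default on servers/DCs).
param(
    [int]$Days = 7,                             # look-back window (assumed default)
    [string]$ComputerName = $env:COMPUTERNAME   # local machine unless overridden
)

$since = (Get-Date).AddDays(-$Days)

# 4624 = "An account was successfully logged on"; fields of interest live in EventData.
$events = Get-WinEvent -ComputerName $ComputerName -FilterHashtable @{
    LogName   = 'Security'
    Id        = 4624
    StartTime = $since
} -ErrorAction Stop

$ntlmLogons = foreach ($e in $events) {
    # Convert the event to XML so EventData fields can be read by name.
    $xml = [xml]$e.ToXml()
    $d = @{}
    foreach ($n in $xml.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }

    # LogonType 3 = network logon: this is where relay and pass-the-hash exposure lives.
    # AuthenticationPackageName is NTLM / Kerberos / Negotiate; LmPackageName tells V1 vs V2.
    if ($d['AuthenticationPackageName'] -eq 'NTLM' -and $d['LogonType'] -eq '3') {
        [pscustomobject]@{
            Time        = $e.TimeCreated
            Account     = "$($d['TargetDomainName'])\$($d['TargetUserName'])"
            SourceIP    = $d['IpAddress']
            Workstation = $d['WorkstationName']
            LmPackage   = $d['LmPackageName']   # 'NTLM V1' entries are the first to chase
        }
    }
}

# Roll up by account, source and NTLM version so the noisiest dependencies surface first.
$ntlmLogons |
    Group-Object Account, SourceIP, LmPackage |
    Sort-Object Count -Descending |
    Select-Object Count,
        @{ n = 'Account';   e = { $_.Group[0].Account } },
        @{ n = 'SourceIP';  e = { $_.Group[0].SourceIP } },
        @{ n = 'LmPackage'; e = { $_.Group[0].LmPackage } } |
    Format-Table -AutoSize
```

Each row in the output is a candidate dependency to trace back to an application, service account or device before NTLM is blocked; machines that only ever appear with Kerberos in this log are safe to move first. Where the Security log alone is not enough, the existing "Network security: Restrict NTLM" audit policies write dedicated entries to the Microsoft-Windows-NTLM/Operational log and can be queried with the same Get-WinEvent pattern.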
“Disabling NTLM by default doesn’t mean completely removing NTLM from Windows yet,” Gewida said. “Instead, it means that Windows will be delivered in a secure-by-default state where network NTLM authentication is blocked and no longer used automatically.”
“The OS will prefer modern, more secure Kerberos-based alternatives. At the same time, common legacy scenarios will be addressed through new upcoming capabilities such as Local KDC and IAKerb (pre-release).”
