Enhancing Security: NTLM Disabled by Default in Upcoming Windows Versions

The End of an Era: Microsoft to Disable NTLM Authentication Protocol in Future Windows Releases

Microsoft recently announced its decision to disable the decades-old NTLM authentication protocol by default in upcoming Windows releases due to significant security vulnerabilities that could expose organizations to cyberattacks.

NTLM, which stands for New Technology LAN Manager, was introduced in 1993 with Windows NT 3.1 as a challenge-response authentication protocol. It served as the successor to the LAN Manager (LM) protocol.

However, Kerberos has since superseded NTLM and is the default protocol for domain-joined devices running Windows 2000 or later. Despite this, NTLM is still used as a fallback whenever Kerberos cannot be negotiated, for example when a client connects to a server by IP address rather than by hostname, when no service principal name (SPN) is registered for the target service, or when the client cannot reach a domain controller. Each fallback reintroduces NTLM's weaknesses: a password-derived hash that is a reusable credential in itself, legacy cryptography (NTLMv1 in particular), and no mutual authentication of the server.

Over the years, NTLM has been exploited in numerous cyberattacks, most notably NTLM relay attacks, in which an attacker forwards a victim's challenge-response exchange to another service, and pass-the-hash attacks, which work because the NT hash alone is sufficient to authenticate. These weaknesses have allowed threat actors to escalate privileges, take control of Windows domains, and steal sensitive data from targeted systems.

The Phasing Out of NTLM

In a strategic move towards passwordless and phishing-resistant authentication methods, Microsoft announced that NTLM will be disabled by default in the next major Windows Server release and associated Windows client versions. This marks a significant shift towards more secure Kerberos-based authentication.

Microsoft has outlined a three-phase transition plan to mitigate NTLM-related risks while minimizing disruptions. In the first phase, administrators will have access to enhanced auditing tools to identify where NTLM is still in use.

The second phase, scheduled for the second half of 2026, will introduce new capabilities such as IAKerb, which lets a client authenticate with Kerberos through a server that relays the exchange to a domain controller on its behalf, and a Local Key Distribution Center, which extends Kerberos to local accounts, to address the common scenarios that currently trigger NTLM fallback.


Finally, in the third phase, network NTLM will be disabled by default in future releases, although the protocol will remain present in the operating system and can be explicitly re-enabled through policy controls if necessary.

Figure: NTLM timeline (Microsoft)

Microsoft clarified that disabling NTLM by default does not entail completely removing it from Windows yet. Instead, Windows will prioritize modern, secure Kerberos-based alternatives while addressing legacy scenarios through upcoming capabilities like Local KDC and IAKerb.

In October 2023, Microsoft first announced plans to retire the NTLM authentication protocol, emphasizing the importance of transitioning to more secure authentication methods. By July 2024, Microsoft had officially deprecated NTLM authentication on Windows and Windows Server, urging developers to switch to Kerberos or to the Negotiate security package, which selects Kerberos when it is available.

Developers have been advised to stop using NTLM in their applications since 2010, and Windows admins are encouraged to audit and then disable NTLM, and to harden their servers against NTLM relay attacks, Active Directory Certificate Services (AD CS) being a frequent relay target.
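The auditing step described in phase one and the "disable NTLM" advice above translate into a concrete admin workflow on any Windows host: turn on the "Network security: Restrict NTLM" audit settings, find out which clients and accounts still authenticate with NTLM, and only then switch the same settings to deny. The PowerShell below is an added example, not Microsoft's tooling or code from the article; it assumes an elevated session on a domain-joined machine and writes the registry values behind the corresponding Group Policy settings (the policy objects under Security Options are the supported way to deploy them at scale).

```powershell
# Added example (not from the article): audit NTLM use on a Windows host before disabling it.
# Assumes an elevated PowerShell session on a domain-joined machine.
# The registry values below back the Group Policy settings
# "Network security: Restrict NTLM: ..." under Local Policies > Security Options.

$msv = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0'

# Step 1: enable NTLM auditing without blocking anything yet.
#   AuditReceivingNTLMTraffic  2 = audit incoming NTLM for all accounts
#   RestrictSendingNTLMTraffic 1 = audit outgoing NTLM to remote servers (2 would deny it)
Set-ItemProperty -Path $msv -Name AuditReceivingNTLMTraffic  -Value 2 -Type DWord
Set-ItemProperty -Path $msv -Name RestrictSendingNTLMTraffic -Value 1 -Type DWord

# Step 2: NTLM logons already recorded in the Security log.
# Event 4624 carries AuthenticationPackageName; NTLM logons are the ones Kerberos did not cover.
$xpath = "*[System[EventID=4624] and EventData[Data[@Name='AuthenticationPackageName']='NTLM']]"
$ntlmLogons = Get-WinEvent -LogName Security -FilterXPath $xpath -MaxEvents 5000 -ErrorAction SilentlyContinue |
    ForEach-Object {
        $x = [xml]$_.ToXml()
        $d = @{}
        foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
        [pscustomobject]@{
            Time        = $_.TimeCreated
            Account     = "$($d.TargetDomainName)\$($d.TargetUserName)"
            Workstation = $d.WorkstationName
            SourceIp    = $d.IpAddress
            LogonType   = $d.LogonType          # 3 = network, 10 = RDP, etc.
            LmVersion   = $d.LmPackageName      # "NTLM V1" is the worst case
        }
    }

# Which (source, account) pairs still depend on NTLM, most frequent first.
$ntlmLogons | Group-Object Workstation, Account | Sort-Object Count -Descending |
    Select-Object Count, Name | Format-Table -AutoSize

# Step 3: after Step 1, each audited NTLM attempt is also written to the NTLM operational log:
#   8001 outgoing NTLM audited, 8002 incoming NTLM audited, 8003/8004 domain-controller side.
Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-NTLM/Operational'; Id = 8001, 8002, 8003, 8004 } `
    -MaxEvents 200 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, Message | Format-Table -Wrap

# Step 4: only once the audit shows no remaining NTLM dependencies, switch to deny.
#   RestrictSendingNTLMTraffic   2 = deny outgoing NTLM
#   RestrictReceivingNTLMTraffic 2 = deny incoming NTLM for all accounts
# Set-ItemProperty -Path $msv -Name RestrictSendingNTLMTraffic   -Value 2 -Type DWord
# Set-ItemProperty -Path $msv -Name RestrictReceivingNTLMTraffic -Value 2 -Type DWord
```

Run Step 2 on file servers and domain controllers first; the grouped output usually points straight at the fallback causes listed earlier (connections by IP address, services without an SPN, non-domain devices). Keep the deny lines commented out until the operational log has been quiet for a full business cycle, since a premature deny breaks exactly those legacy clients.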
