Microsoft to Disable NTLM by Default in Major Push for Stronger Authentication Security
The company plans to disable NTLM by default in upcoming Windows releases, replacing it with more secure Kerberos-based alternatives.
This transition addresses critical security vulnerabilities that have plagued the aging protocol and represents a major step toward Microsoft’s broader goal of a passwordless, phishing-resistant authentication ecosystem.
NTLM is an old authentication protocol that uses challenge-response verification to grant access to network resources.
However, modern security threats have exposed serious weaknesses in NTLM’s outdated design. The protocol relies on weak cryptography and is vulnerable to multiple attacks, including replay attacks, man-in-the-middle (MITM) attacks, and pass-the-hash attacks.
These vulnerabilities have been known for years, yet NTLM remains widely used in many organizations due to legacy system dependencies and network limitations, creating persistent security risks across enterprise environments.
Microsoft is implementing a carefully structured roadmap to ensure organizations can transition smoothly without disrupting operations.
The phased approach allows enterprises time to identify dependencies, plan migrations, and test new configurations.
Phase 1: Enhanced Visibility (Available Now)
Organizations can deploy enhanced NTLM auditing tools with Windows Server 2025 and Windows 11 version 24H2 and later.
This helps IT teams identify exactly where and why NTLM is still in use in their environments, laying the foundation for migration efforts.
The auditing tools provide detailed insights into NTLM authentication patterns and legacy application dependencies.
Phase 2: Addressing Key Blockers (Second Half of 2026)
Microsoft will release new features to solve common NTLM dependencies. These include IAKerb and local Key Distribution Center (KDC) technology to enable Kerberos authentication when domain controllers aren’t directly accessible.
Additional support includes local account authentication without NTLM fallback and upgrades to Windows components to prioritize Kerberos over NTLM.
This phase directly tackles the technical obstacles that have kept organizations dependent on the legacy protocol.
Phase 3: NTLM Disabled by Default (Next Major Windows Release)
Network NTLM will be blocked automatically in the final phase, and re-enabling it will require explicit administrative policy changes.
The system will default to modern Kerberos authentication while maintaining built-in support for handling legacy scenarios.
This ensures security-first authentication across Windows environments without completely breaking backward compatibility.
Microsoft recommends immediate action to prepare for the transition. Organizations should deploy enhanced NTLM auditing to identify dependencies, map applications requiring NTLM, prioritize remediation efforts, test NTLM-disabled configurations in non-production environments, and work with application developers to migrate critical systems to Kerberos.
These proactive steps will minimize disruption during the eventual default disabling of NTLM.
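As a starting point for mapping dependencies, the following added example (not from the article or from Microsoft) summarizes which accounts and hosts still authenticate with NTLM. It reads the long-standing fields of Security event 4624 rather than the enhanced auditing described above. The function names, sample events, host names and addresses are constructed for illustration.

```powershell
# Added example: inventory NTLM logons from Security event 4624 XML.
function ConvertTo-NtlmLogon {
    param([Parameter(ValueFromPipeline)][string]$EventXml)
    process {
        # Flatten <EventData><Data Name="..."> elements into a lookup table
        $f = @{}
        foreach ($d in ([xml]$EventXml).Event.EventData.Data) { $f[$d.Name] = $d.'#text' }
        # Kerberos and Negotiate logons are skipped; only NTLM needs migration work
        if ($f['AuthenticationPackageName'] -ne 'NTLM') { return }
        [pscustomobject]@{
            Account     = '{0}\{1}' -f $f['TargetDomainName'], $f['TargetUserName']
            Workstation = $f['WorkstationName']
            SourceIp    = $f['IpAddress']
            NtlmVersion = $f['LmPackageName']   # "NTLM V1" or "NTLM V2"
        }
    }
}

# Builds a minimal 4624-shaped event (constructed sample, hypothetical helper)
function New-Sample4624 {
    param($User, $Package, $LmPackage, $Workstation, $Ip)
@"
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><EventData>
<Data Name="TargetUserName">$User</Data>
<Data Name="TargetDomainName">CONTOSO</Data>
<Data Name="AuthenticationPackageName">$Package</Data>
<Data Name="LmPackageName">$LmPackage</Data>
<Data Name="WorkstationName">$Workstation</Data>
<Data Name="IpAddress">$Ip</Data>
</EventData></Event>
"@
}

$samples = @(
    New-Sample4624 'svc-backup' 'NTLM'     'NTLM V1' 'APP01' '192.0.2.21'
    New-Sample4624 'svc-backup' 'NTLM'     'NTLM V1' 'APP01' '192.0.2.21'
    New-Sample4624 'jdoe'       'NTLM'     'NTLM V2' 'WS042' '192.0.2.57'
    New-Sample4624 'asmith'     'Kerberos' '-'       '-'     '192.0.2.60'
)

# Live use on a server (elevated prompt) instead of the samples:
#   Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4624} |
#       ForEach-Object ToXml | ConvertTo-NtlmLogon
$samples | ConvertTo-NtlmLogon |
    Group-Object Workstation, Account, NtlmVersion |
    Sort-Object Count -Descending |
    Select-Object Count, Name
```

Rows reporting "NTLM V1" are the ones to remediate first, since they rely on the weakest form of the protocol.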
This transition represents a critical step toward modernizing Windows authentication infrastructure. By disabling NTLM by default, Microsoft is addressing decades-old security risks while advancing its broader security vision.
Organizations that begin their transition now will be well-positioned to meet the security-first requirements of modern enterprise environments and reduce their exposure to authentication-based attacks.
The post Microsoft to Disable NTLM by Default in Major Push for Stronger Authentication Security appeared first on Cyber Security News.