Microsoft to disable NTLM by default in future Windows releases


Microsoft Set to Disable 30-Year-Old NTLM Protocol by Default in Upcoming Windows Releases

In a landmark move aimed at bolstering cybersecurity, Microsoft has announced plans to disable the 30-year-old NTLM (NT LAN Manager) authentication protocol by default in upcoming Windows releases. The decision is part of a broader strategy to phase out legacy authentication methods whose design weaknesses have exposed organizations to a long series of attacks.

NTLM, introduced in 1993 with Windows NT 3.1, was designed as a successor to the LAN Manager (LM) protocol. Kerberos has been the default for domain-joined machines since Windows 2000, but NTLM has persisted as the fallback whenever Kerberos is unavailable: local accounts, connections made by IP address rather than hostname, workgroup machines, and clients that cannot reach a domain controller. That persistence has come at a cost. The NT hash is an unsalted MD4 of the password, NTLMv1 still rests on DES, and the protocol authenticates only the client, never the server, so a client answering a challenge cannot tell whether the host on the other end is the one it meant to talk to.

The weaknesses are well documented. The most damaging pattern is the NTLM relay: the attacker coerces a victim machine, often a server or a domain controller, into authenticating to a host the attacker controls, then forwards that challenge-response exchange to a third service that accepts it as the victim. Against a service that does not require signing or channel binding, such as an Active Directory Certificate Services web enrollment endpoint, this can yield a certificate for the domain controller's machine account and, with it, control of the domain. PetitPotam (MS-EFSRPC), ShadowCoerce (MS-FSRVP) and DFSCoerce (MS-DFSNM) are coercion primitives that trigger exactly that outbound authentication through ordinary RPC calls; RemotePotato0 relays the NTLM authentication of a more privileged session on the same host to escalate privileges locally. Mitigations exist (requiring SMB and LDAP signing, LDAP channel binding, Extended Protection for Authentication on IIS, and RPC filters for the coercible interfaces), but NTLM remains enabled on many Windows servers, leaving them exposed.

NTLM is also the basis of pass-the-hash. The NT hash is not merely a hashed password but a password equivalent: it is the key used to answer the NTLM challenge, so whoever holds it can authenticate as the user without ever learning the password. Attackers with administrative access to one machine dump hashes from LSASS memory, the local SAM, or a domain controller's NTDS.dit, then reuse them to authenticate to other systems, moving laterally and reaching sensitive data without cracking anything.

Recognizing the urgent need to address these risks, Microsoft has unveiled a comprehensive plan to disable NTLM by default in the next major Windows Server release and associated Windows client versions. This marks a significant shift away from the legacy protocol toward more secure, Kerberos-based authentication methods.

The transition will occur in three phases. In the first phase, administrators can use the enhanced NTLM auditing available in Windows 11 24H2 and Windows Server 2025 to identify where NTLM is still in use: which accounts, which hosts, and which applications. This gives organizations the inventory they need to plan the migration away from the protocol before anything is blocked.
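The phase-1 audit comes down to finding out which accounts, hosts and applications still produce NTLM logons. The PowerShell below is an added example, not Microsoft's tooling and not code from the announcement: it switches on the audit-only "Network security: Restrict NTLM" settings by writing the registry values Group Policy writes, and summarises NTLM logons from the Security log's 4624 events so that Negotiate-to-NTLM fallbacks show up too. The sample event XML is constructed for the example, and the function names (Enable-NtlmAuditPolicy, ConvertFrom-LogonEventXml, Get-NtlmLogonSummary, Get-RecentNtlmLogons) are chosen here.

```powershell
# Added example: NTLM audit helpers for a phase-1 inventory.
# Not Microsoft's code; function names are chosen here and the sample events are constructed.

function Enable-NtlmAuditPolicy {
    # Turn on the audit-only "Restrict NTLM" settings via the registry values Group Policy writes.
    # Audit, not block: nothing breaks yet. Requires an elevated session.
    [CmdletBinding()]
    param([switch]$DomainController)
    $msv = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0'
    Set-ItemProperty -Path $msv -Name AuditReceivingNTLMTraffic  -Value 2 -Type DWord  # incoming: all accounts
    Set-ItemProperty -Path $msv -Name RestrictSendingNTLMTraffic -Value 1 -Type DWord  # outgoing: audit all
    if ($DomainController) {
        Set-ItemProperty -Path $msv -Name AuditNTLMInDomain -Value 7 -Type DWord       # DC: audit all
    }
    # Results appear in the Microsoft-Windows-NTLM/Operational log (events 8001-8004).
}

function ConvertFrom-LogonEventXml {
    # Flatten the <EventData> of a Security 4624 (logon) event into the fields NTLM triage needs.
    param([Parameter(Mandatory)][string]$Xml)
    $doc  = [xml]$Xml
    $data = @{}
    foreach ($d in $doc.Event.EventData.Data) { $data[$d.GetAttribute('Name')] = $d.InnerText }
    [pscustomobject]@{
        Account     = '{0}\{1}' -f $data['TargetDomainName'], $data['TargetUserName']
        LogonType   = [int]$data['LogonType']
        AuthPackage = $data['AuthenticationPackageName']   # NTLM, Kerberos or Negotiate
        NtlmVersion = $data['LmPackageName']               # LM, NTLM V1, NTLM V2; '-' when Kerberos
        SourceIp    = $data['IpAddress']
        Workstation = $data['WorkstationName']
    }
}

function Get-NtlmLogonSummary {
    # Keep NTLM logons only (direct, or Negotiate that fell back to NTLM) and collapse them into
    # one row per account/version/type/source/workstation, so each row is one lead to chase down.
    param([object[]]$Logons = @())
    $Logons |
        Where-Object { $_.AuthPackage -eq 'NTLM' -or $_.NtlmVersion -match '^(LM|NTLM V[12])$' } |
        Group-Object Account, NtlmVersion, LogonType, SourceIp, Workstation |
        ForEach-Object {
            $g = $_.Group[0]
            [pscustomobject]@{
                Account = $g.Account; NtlmVersion = $g.NtlmVersion; LogonType = $g.LogonType
                SourceIp = $g.SourceIp; Workstation = $g.Workstation; Count = $_.Count
            }
        } |
        Sort-Object Count -Descending
}

function Get-RecentNtlmLogons {
    # Live variant: summarise the last $Days of 4624 events from the local Security log.
    param([int]$Days = 7)
    $filter = @{ LogName = 'Security'; Id = 4624; StartTime = (Get-Date).AddDays(-$Days) }
    $logons = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
              ForEach-Object { ConvertFrom-LogonEventXml -Xml $_.ToXml() }
    Get-NtlmLogonSummary -Logons @($logons)
}

# Constructed sample events (not real log data), trimmed to the fields the parser reads.
$ntlmV2Logon = @'
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><EventID>4624</EventID></System>
<EventData><Data Name="TargetUserName">svc-backup</Data><Data Name="TargetDomainName">CORP</Data>
<Data Name="LogonType">3</Data><Data Name="AuthenticationPackageName">NTLM</Data>
<Data Name="LmPackageName">NTLM V2</Data><Data Name="WorkstationName">BACKUP01</Data>
<Data Name="IpAddress">10.0.5.20</Data></EventData></Event>
'@
$ntlmV1Logon = @'
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><EventID>4624</EventID></System>
<EventData><Data Name="TargetUserName">scanner</Data><Data Name="TargetDomainName">CORP</Data>
<Data Name="LogonType">3</Data><Data Name="AuthenticationPackageName">NTLM</Data>
<Data Name="LmPackageName">NTLM V1</Data><Data Name="WorkstationName">LEGACY-SCAN</Data>
<Data Name="IpAddress">10.0.7.31</Data></EventData></Event>
'@
$kerberosLogon = @'
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><EventID>4624</EventID></System>
<EventData><Data Name="TargetUserName">alice</Data><Data Name="TargetDomainName">CORP</Data>
<Data Name="LogonType">3</Data><Data Name="AuthenticationPackageName">Kerberos</Data>
<Data Name="LmPackageName">-</Data><Data Name="WorkstationName">-</Data>
<Data Name="IpAddress">10.0.1.10</Data></EventData></Event>
'@

# The NTLMv2 event is repeated so the summary shows a Count of 2; the Kerberos event is filtered out.
$sampleLogons  = @($ntlmV2Logon, $ntlmV2Logon, $ntlmV1Logon, $kerberosLogon) |
                 ForEach-Object { ConvertFrom-LogonEventXml -Xml $_ }
Get-NtlmLogonSummary -Logons $sampleLogons | Format-Table -AutoSize
```

On a domain controller, run Enable-NtlmAuditPolicy -DomainController and read the 8003 events in Microsoft-Windows-NTLM/Operational for a domain-wide view; on member servers and clients the 8002 (incoming) and 8001 (outgoing) events matter, and the client-side 8001 events record the calling process, which is what you need to find applications that hardcode NTLM. Any row with NtlmVersion of "NTLM V1" or "LM" is a separate, more urgent finding than the rest of the inventory, since those versions are the ones with DES-based responses.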

The second phase, scheduled for the second half of 2026, will introduce IAKerb and a Local Key Distribution Center (KDC). IAKerb lets a client authenticate with Kerberos through a server that relays the exchange to a KDC the client itself cannot reach, and the Local KDC provides Kerberos for local accounts on a standalone machine. Those are two of the most common situations in which Windows today falls back to NTLM, so closing them is what allows organizations to move to modern authentication without disruption.

The final phase will see NTLM network authentication disabled by default in future Windows releases. While the protocol will remain present in the operating system and can be re-enabled through policy controls if necessary, it will no longer be used automatically. This approach ensures that Windows will be delivered in a secure-by-default state, prioritizing modern, more secure authentication methods.

Microsoft’s decision to disable NTLM by default is part of a broader push toward passwordless, phishing-resistant authentication methods. The company has been warning developers and administrators about the risks associated with NTLM for years. In 2010, Microsoft advised developers to stop using NTLM in their applications, and in July 2024, the company officially deprecated NTLM authentication on Windows and Windows Server. Administrators were encouraged to move to Kerberos, or to the Negotiate package, which selects Kerberos when it can and falls back to NTLM only when it cannot.

The move to disable NTLM by default is a significant step forward in the ongoing effort to secure Windows environments. By eliminating a long-standing source of vulnerability, Microsoft is helping organizations reduce their exposure to cyberattacks and improve their overall security posture. As the transition unfolds, administrators and developers will need to adapt to the new authentication landscape, but the benefits of a more secure, modern approach to authentication will be well worth the effort.

Tags: Microsoft, NTLM, Windows, cybersecurity, authentication, Kerberos, NTLM relay attacks, pass-the-hash attacks, Windows Server, Windows 11, security vulnerabilities, passwordless authentication, phishing-resistant authentication, IAKerb, Local KDC, Windows 2025, PetitPotam, ShadowCoerce, DFSCoerce, RemotePotato0, Active Directory Certificate Services, AD CS, legacy protocol, modern authentication, secure-by-default, Windows IT Pro, Windows security, Microsoft Tech Community.

