Microsoft has confirmed plans to disable the legacy New Technology LAN Manager (NTLM) authentication protocol by default in upcoming Windows releases, marking a significant step in its broader effort to modernize Windows security. The company says the decision is driven by persistent vulnerabilities in NTLM that expose organizations to serious threats, including replay attacks and man-in-the-middle exploits enabled by weak cryptography.
NTLM was originally introduced in 1993 with Windows NT 3.1 as a successor to the older LAN Manager (LM) protocol. At the time, it provided a more advanced way to authenticate users and protect session integrity. More than three decades later, however, Microsoft says the protocol no longer meets modern security requirements.
NTLM Formally Classified as Deprecated
According to Microsoft, NTLM is now officially classified as deprecated. While still present in Windows for compatibility reasons, the protocol is increasingly viewed as a liability in enterprise environments.
Microsoft has warned that continued reliance on NTLM can expose organizations to multiple risks, including the absence of server authentication, outdated cryptographic protections, limited auditing visibility, and susceptibility to well-known attack techniques such as relay attacks and pass-the-hash exploitation.
To address these issues, Microsoft is pushing customers toward Kerberos, which supports stronger encryption, mutual authentication, and modern security standards.
What “Disabled by Default” Means in Practice
Disabling NTLM by default does not mean removing it entirely from Windows—at least not yet. Instead, future versions of Windows will ship with a “secure-by-default” configuration that blocks network-based NTLM authentication and no longer uses it automatically. When possible, the operating system will fall back to Kerberos-based authentication instead.
Microsoft says it is also working to address common legacy scenarios that still depend on NTLM. Upcoming features such as a Local Key Distribution Center (Local KDC) and IAKerb—currently in pre-release—are intended to reduce friction in areas where NTLM has historically been required, including local account authentication and environments with limited domain controller connectivity.
Three-Phase Transition Plan
Microsoft plans to roll out the change in three distinct phases.
In the first phase, enhanced NTLM auditing tools will remain available in Windows Server 2025 and Windows 11 version 24H2. These tools allow administrators to identify where NTLM is still being used across applications and services, helping organizations understand their exposure before any defaults change.
The second phase is scheduled to begin in the second half of 2026. During this period, Microsoft will introduce new capabilities such as IAKerb and the Local KDC. These additions are designed to mitigate some of the most common NTLM-related pain points, including hardcoded authentication dependencies in core Windows components.
The final phase will see network NTLM authentication disabled by default in the next major Windows Server release, along with its associated Windows client versions. Even then, NTLM will still exist within the operating system and can be re-enabled explicitly through policy controls if absolutely necessary.
Guidance for Organizations
Microsoft is urging organizations not to wait for the final phase before taking action. The company recommends enabling enhanced NTLM auditing immediately, mapping out application and service dependencies, and prioritizing a transition to Kerberos for critical workloads.
Administrators are also encouraged to test NTLM-disabled configurations in non-production environments to identify potential issues early. According to Microsoft, proactive planning will be essential to avoid disruptions as Windows moves further away from legacy authentication methods.
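As an added example that is not part of the article and not Microsoft's own tooling, the following PowerShell script builds the kind of NTLM dependency map the guidance above calls for: it reads successful logon events (Security event 4624) from the standard Security log, keeps only those where the authentication package was NTLM, and groups them by NTLM version, source address and account. The parameter names and the 24-hour default window are assumptions; it works without the newer enhanced auditing feature, since it relies only on the long-standing 4624 event.

```powershell
# Added example: inventory NTLM logons from the Security log so the hosts,
# addresses and accounts still depending on NTLM are known before the default changes.
# Assumes an elevated session with read access to the Security log on the target host.
param(
    [string]$ComputerName = $env:COMPUTERNAME,   # assumed parameter, not a Microsoft cmdlet option
    [int]$Hours = 24                             # assumed look-back window
)

$filter = @{
    LogName   = 'Security'
    Id        = 4624                             # "An account was successfully logged on"
    StartTime = (Get-Date).AddHours(-$Hours)
}

$events = Get-WinEvent -ComputerName $ComputerName -FilterHashtable $filter -ErrorAction Stop

$ntlmLogons = foreach ($e in $events) {
    # Each 4624 event carries named EventData fields; read them into a hashtable.
    $xml  = [xml]$e.ToXml()
    $data = @{}
    foreach ($field in $xml.Event.EventData.Data) { $data[$field.Name] = $field.'#text' }

    # Kerberos logons report 'Kerberos' here; anything that negotiated down to NTLM reports 'NTLM'.
    if ($data['AuthenticationPackageName'] -eq 'NTLM') {
        [pscustomobject]@{
            Time        = $e.TimeCreated
            Account     = "$($data['TargetDomainName'])\$($data['TargetUserName'])"
            LogonType   = $data['LogonType']       # 3 = network logon, the case the new default blocks
            NtlmVersion = $data['LmPackageName']   # 'NTLM V1' or 'NTLM V2'
            Workstation = $data['WorkstationName']
            SourceIP    = $data['IpAddress']
        }
    }
}

# Summarise so the most frequent NTLM consumers surface first; NTLM V1 entries deserve priority.
$ntlmLogons |
    Group-Object NtlmVersion, SourceIP, Account |
    Sort-Object Count -Descending |
    Select-Object Count, Name |
    Format-Table -AutoSize
```

Run it periodically on domain controllers and file servers over the auditing phase; a source that keeps appearing after its owners claim to have moved to Kerberos is a dependency that still needs fixing before the NTLM-disabled configuration is tested.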
The phased approach reflects a balance between improving security and maintaining compatibility, but the message from Redmond is clear: NTLM’s days as a default authentication mechanism in Windows are coming to an end.
