Microsoft has announced a fundamental change in Windows authentication: in upcoming client and server releases, the NTLM (New Technology LAN Manager) protocol will be disabled by default. This decision directly impacts corporate networks worldwide and reflects the long history of NTLM weaknesses and its central role in modern lateral-movement and credential-theft attacks.
Why Microsoft Is Deprecating NTLM Authentication in Windows
NTLM was introduced in 1993 with Windows NT 3.1 as a successor to LAN Manager and for years served as the primary Windows authentication protocol. Starting with Windows 2000, Kerberos became the default standard for domain-joined devices, yet NTLM remained as a fallback when Kerberos could not be used, for example when a host cannot contact a domain controller or in legacy, workgroup, and cross-forest scenarios.
From a cryptographic standpoint, NTLM is weak by today's standards. The NT hash is an unsalted MD4 digest of the password, so identical passwords produce identical hashes and, worse, the hash itself is the credential: whoever holds it can answer the challenge-response without ever knowing the password. NTLMv1 builds its response with DES and can be cracked outright or coaxed out of clients by downgrade; NTLMv2 uses HMAC-MD5, which holds up better but changes nothing about the hash-as-credential problem. The protocol also has no server authentication and no session binding of its own, so unless the application layer adds signing or channel binding, an attacker on the network can relay a live authentication exchange to another service and impersonate the user.
Key NTLM Attack Techniques: Relay and Pass-the-Hash
NTLM relay attacks and domain compromise
One of the most damaging abuses of NTLM is the NTLM relay attack. In this scenario, an adversary tricks or coerces a system into authenticating to an attacker-controlled server, then transparently “relays” that NTLM exchange to a legitimate service elsewhere in the domain. The attacker does not need to know the password or the hash; they simply forward the challenge and response in real time. The relay only works against targets that accept unsigned, unbound sessions, which is why SMB signing, LDAP signing and channel binding, and Extended Protection for Authentication (EPA) on HTTPS endpoints are the standard mitigations.
NTLM relay underpins a wide range of real-world attack chains. Coercion primitives such as PetitPotam (MS-EFSRPC) and ShadowCoerce (MS-FSRVP) force a server, including a domain controller, to authenticate to a host of the attacker's choosing, and RemotePotato0 relays a coerced authentication from another session on the same machine for local privilege escalation. Relaying a domain controller's machine-account authentication to Active Directory Certificate Services web enrollment (the chain commonly labelled ESC8) yields a certificate for the DC and from there full domain takeover. These methods have repeatedly let red teams and threat actors pivot from a single compromised endpoint to high-value servers where controls like EPA, HTTPS-only enrollment, and required signing on the relay target are not in place.
Pass-the-hash and stealthy lateral movement
Another classic NTLM-based technique is pass-the-hash (PtH). Instead of stealing cleartext passwords, attackers extract NT hashes from LSASS memory, the local SAM database, or the domain's NTDS.dit using malware or post-exploitation tools. Because the NT hash, not the password, is the key used to compute the NTLM challenge response, the attacker can log on as the victim without ever cracking it.
Incident-response findings cited in industry reports such as the Verizon Data Breach Investigations Report and in NSA guidance repeatedly show pass-the-hash enabling quiet lateral movement across file servers, application servers, and administrative workstations. A single high-privilege NT hash can be equivalent to a master key for large parts of the environment.
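The three points above (the hash is the credential, relay forwards a live exchange, pass-the-hash replays a stolen hash) can be reproduced in a few dozen lines. The following is an added example written for this article, not Microsoft's code and not taken from any attack tool: it implements the NT hash and the NTLMv2 challenge-response from MS-NLMP, then shows a logon from a stolen hash and a relayed logon in which the attacker never holds the hash. The account names, password and fixed challenges are constructed; MD4 is written out in full because many OpenSSL 3 builds of Python no longer expose it through hashlib.

```python
import hashlib
import hmac
import os
import struct

MASK32 = 0xFFFFFFFF


def _rotl(x, n):
    return ((x << n) | (x >> (32 - n))) & MASK32


def md4(data: bytes) -> bytes:
    """MD4 (RFC 1320). Written out because hashlib's MD4 is often missing on OpenSSL 3."""
    F = lambda x, y, z: (x & y) | (~x & z)
    G = lambda x, y, z: (x & y) | (x & z) | (y & z)
    H = lambda x, y, z: x ^ y ^ z
    bit_len = len(data) * 8
    data += b"\x80"
    data += b"\x00" * ((56 - len(data) % 64) % 64) + struct.pack("<Q", bit_len)
    h = [0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476]
    for off in range(0, len(data), 64):
        X = struct.unpack("<16I", data[off:off + 64])
        s = h[:]

        def op(fn, i, k, shift, const):
            a = (-i) % 4  # register rotation ABCD, DABC, CDAB, BCDA
            b, c, d = (a + 1) % 4, (a + 2) % 4, (a + 3) % 4
            s[a] = _rotl((s[a] + fn(s[b], s[c], s[d]) + X[k] + const) & MASK32, shift)

        for i in range(16):
            op(F, i, i, (3, 7, 11, 19)[i % 4], 0)
        for i in range(16):
            op(G, i, (i % 4) * 4 + i // 4, (3, 5, 9, 13)[i % 4], 0x5A827999)
        for i, k in enumerate((0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15)):
            op(H, i, k, (3, 9, 11, 15)[i % 4], 0x6ED9EBA1)
        h = [(x + y) & MASK32 for x, y in zip(h, s)]
    return struct.pack("<4I", *h)


def nt_hash(password: str) -> bytes:
    """The NT hash: MD4 of the UTF-16LE password. No salt and no per-user input."""
    return md4(password.encode("utf-16-le"))


def ntlmv2_response(nthash: bytes, user: str, domain: str, server_challenge: bytes,
                    client_challenge: bytes, timestamp: int = 0, target_info: bytes = b"") -> bytes:
    """NTLMv2 NtChallengeResponse per MS-NLMP 3.3.2. The input is the hash, never the password."""
    ntowf_v2 = hmac.new(nthash, (user.upper() + domain).encode("utf-16-le"), hashlib.md5).digest()
    temp = (b"\x01\x01" + b"\x00" * 6 + struct.pack("<Q", timestamp)
            + client_challenge + b"\x00" * 4 + target_info + b"\x00" * 4)
    nt_proof = hmac.new(ntowf_v2, server_challenge + temp, hashlib.md5).digest()
    return nt_proof + temp


def server_verify(stored_nthash: bytes, user: str, domain: str,
                  server_challenge: bytes, response: bytes) -> bool:
    """What the DC does: recompute NTProofStr from its stored NT hash and compare.
    (A real DC also checks timestamp freshness and the target_info AV pairs.)"""
    nt_proof, temp = response[:16], response[16:]
    ntowf_v2 = hmac.new(stored_nthash, (user.upper() + domain).encode("utf-16-le"), hashlib.md5).digest()
    expected = hmac.new(ntowf_v2, server_challenge + temp, hashlib.md5).digest()
    return hmac.compare_digest(expected, nt_proof)


def pass_the_hash_demo() -> bool:
    """Attacker holds only the NT hash (dumped from LSASS or the SAM elsewhere) and still logs on.
    Constructed values: fixed challenges keep the result deterministic."""
    stolen = nt_hash("Summer2024!")
    server_challenge = bytes.fromhex("0123456789abcdef")
    response = ntlmv2_response(stolen, "svc_backup", "CORP", server_challenge,
                               bytes.fromhex("aaaaaaaaaaaaaaaa"))
    return server_verify(stolen, "svc_backup", "CORP", server_challenge, response)


def relay_demo() -> bool:
    """NTLM relay: the attacker never sees the hash, it only forwards the exchange."""
    victim_hash = nt_hash("Summer2024!")   # exists on the victim and the DC only
    server_challenge = os.urandom(8)       # 1. the real target challenges the attacker
    # 2. the attacker forwards that challenge to the coerced victim, which answers with its hash
    victim_answer = ntlmv2_response(victim_hash, "svc_backup", "CORP", server_challenge, os.urandom(8))
    # 3. the attacker forwards the victim's answer to the real target; the DC validates it
    return server_verify(victim_hash, "svc_backup", "CORP", server_challenge, victim_answer)


if __name__ == "__main__":
    print("NT hash of 'password':", nt_hash("password").hex())
    print("pass-the-hash accepted:", pass_the_hash_demo())
    print("relay accepted:", relay_demo())
```

The example deliberately omits the MIC and the signing and channel-binding AV pairs, which is exactly what lets relay_demo succeed. A target that requires SMB or LDAP signing defeats the relay because the session key is HMAC-MD5(NTOWFv2, NTProofStr) and the relaying attacker cannot compute it; EPA on an HTTPS endpoint defeats it because the client binds its response to the certificate of the server it believes it is talking to. Neither helps against pass-the-hash, where the attacker holds the hash itself.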
Microsoft’s Phased Roadmap to Disable NTLM by Default
Phase 1: NTLM usage auditing in Windows 11 24H2 and Windows Server 2025
The first step, shipping with Windows 11 24H2 and Windows Server 2025, is enhanced NTLM auditing. Administrators gain more granular telemetry to identify which applications, protocols, and hosts still depend on NTLM, supplementing the older Restrict NTLM audit events (IDs 8001 to 8004 in the Microsoft-Windows-NTLM/Operational log) and the Security log 4624 logon events whose authentication package is NTLM. This visibility is essential, because many organizations underestimate how deeply NTLM is embedded in legacy applications, network shares, and third-party integrations.
A structured audit allows security teams to map business processes tied to NTLM, prioritize high-risk dependencies, and plan remediation before settings change in a future release. Without this inventory, disabling NTLM can lead to unexpected outages and authentication failures.
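As an added example, not Microsoft's tooling: a small inventory step over Security event 4624 records, which every supported Windows version already produces. The field names (AuthenticationPackageName, LmPackageName, TargetUserName, IpAddress, WorkstationName) are the real 4624 EventData names; the five records are constructed to stand in for an export from Get-WinEvent or a SIEM.

```python
from collections import defaultdict

# Constructed sample: the EventData of Security event 4624 as exported from
# Get-WinEvent or a SIEM. The field names are the real 4624 names.
SAMPLE_4624 = [
    {"EventID": 4624, "Computer": "FS01.corp.local", "LogonType": "3",
     "AuthenticationPackageName": "NTLM", "LmPackageName": "NTLM V2",
     "TargetDomainName": "CORP", "TargetUserName": "svc_backup",
     "IpAddress": "10.0.5.17", "WorkstationName": "BACKUP01"},
    {"EventID": 4624, "Computer": "FS01.corp.local", "LogonType": "3",
     "AuthenticationPackageName": "NTLM", "LmPackageName": "NTLM V1",
     "TargetDomainName": "CORP", "TargetUserName": "scanner",
     "IpAddress": "10.0.9.3", "WorkstationName": "MFP-LOBBY"},
    {"EventID": 4624, "Computer": "FS01.corp.local", "LogonType": "3",
     "AuthenticationPackageName": "Kerberos", "LmPackageName": "-",
     "TargetDomainName": "CORP", "TargetUserName": "jdoe",
     "IpAddress": "10.0.7.21", "WorkstationName": "-"},
    {"EventID": 4624, "Computer": "APP02.corp.local", "LogonType": "3",
     "AuthenticationPackageName": "NTLM", "LmPackageName": "NTLM V2",
     "TargetDomainName": "CORP", "TargetUserName": "svc_erp",
     "IpAddress": "10.0.5.40", "WorkstationName": "-"},
    {"EventID": 4624, "Computer": "FS01.corp.local", "LogonType": "3",
     "AuthenticationPackageName": "NTLM", "LmPackageName": "NTLM V2",
     "TargetDomainName": "CORP", "TargetUserName": "svc_backup",
     "IpAddress": "10.0.5.17", "WorkstationName": "BACKUP01"},
]


def ntlm_inventory(events):
    """Reduce 4624 events to one row per (target host, source, account) NTLM dependency.
    Rows are ordered riskiest first: anything still using NTLMv1, then by volume."""
    rows = defaultdict(lambda: {"count": 0, "versions": set(), "logon_types": set()})
    for e in events:
        if e.get("EventID") != 4624 or e.get("AuthenticationPackageName") != "NTLM":
            continue  # Kerberos logons and unrelated events are not NTLM dependencies
        key = (e["Computer"], e.get("IpAddress", "-"), e.get("WorkstationName", "-"),
               f'{e.get("TargetDomainName", "")}\\{e.get("TargetUserName", "")}')
        row = rows[key]
        row["count"] += 1
        row["versions"].add(e.get("LmPackageName", "-"))
        row["logon_types"].add(e.get("LogonType", "-"))
    report = []
    for (target, ip, workstation, account), v in rows.items():
        report.append({
            "target": target, "source_ip": ip, "source_host": workstation, "account": account,
            "count": v["count"], "versions": sorted(v["versions"]),
            "logon_types": sorted(v["logon_types"]),
            "priority": "high" if "NTLM V1" in v["versions"] else "normal",
        })
    return sorted(report, key=lambda r: (r["priority"] != "high", -r["count"]))


if __name__ == "__main__":
    for row in ntlm_inventory(SAMPLE_4624):
        print(f'{row["priority"]:6} {row["target"]:16} {row["source_ip"]:12} '
              f'{row["source_host"]:10} {row["account"]:16} {row["count"]:3} {row["versions"]}')
```

Two reading hints: a WorkstationName of "-" on an NTLM logon usually means a non-Windows client (printers, appliances, Linux SMB clients), and those are typically the hardest dependencies to migrate; and 4624 on the server does not tell you which process on the client chose NTLM, which is what the client-side 8001 events and the new 24H2 auditing add.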
Phase 2: IAKerb and Local KDC as NTLM replacements
In the second half of 2026, Microsoft intends to introduce capabilities that remove the primary reasons systems fall back to NTLM. Key technologies include support for IAKerb and a Local Key Distribution Center (Local KDC).
IAKerb (Initial and pass-through Authentication using Kerberos) lets a client that has no line of sight to a domain controller still use Kerberos: the server it is talking to proxies the Kerberos exchange to the DC on the client's behalf. Local KDC gives each Windows machine a key distribution center backed by its own account database (the SAM), so Kerberos can be used for local accounts on workgroup and standalone machines, the case that today always falls back to NTLM. Together, these features are designed to cover many of the “hard” legacy cases that previously forced organizations to keep NTLM enabled.
Phase 3: NTLM disabled by default with controlled opt-in
In a later wave of Windows and Windows Server releases, NTLM will be turned off by default. The protocol will still exist in the operating system but will need to be explicitly enabled via Group Policy or equivalent management tools for narrowly defined use cases.
Microsoft’s stated goal is a secure-by-default configuration, where network-based NTLM authentication is blocked and priority is given to Kerberos and modern, phishing-resistant methods such as FIDO2 security keys, Windows Hello for Business, and cloud-based strong authentication. Legacy requirements are expected to be handled primarily through the new Local KDC and IAKerb capabilities rather than continued reliance on NTLM.
What Enterprises and Security Teams Should Do Now
This shift is a clear signal for organizations to accelerate the retirement of NTLM. Application teams should begin migrating from explicit NTLM usage (NTLM hard-coded in connection strings, HTTP clients, or SSPI calls) to Kerberos or Negotiate, which selects Kerberos whenever a service principal name (SPN) for the target exists and a KDC is reachable. That means registering SPNs for every service, connecting by host name rather than IP address (an IP address has no SPN, so Negotiate silently falls back to NTLM), configuring constrained delegation where it is genuinely needed, and enabling AES encryption types on service accounts.
Security and infrastructure teams should conduct a thorough inventory of NTLM traffic using the new audit features, existing Windows event logs, and network monitoring. High-priority tasks include updating or replacing legacy applications, tightening Active Directory Certificate Services to resist NTLM relay (EPA and HTTPS-only on web enrollment), requiring SMB signing and LDAP signing with channel binding, raising the LAN Manager authentication level so clients send NTLMv2 only, and applying the rest of the hardened configuration in Microsoft's security baselines.
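Those settings can be verified against a registry snapshot before the switch is thrown. The checker below is an added example, not part of Microsoft's baselines or tooling: the key paths and value names are the real registry targets of the Network security: Restrict NTLM, LAN Manager authentication level, NTLM SSP minimum session security and SMB signing policies; the sample snapshot is constructed, and the split into an "audit" and a "deny" phase mirrors the roadmap above.

```python
# Registry locations behind the "Network security: ..." Group Policy settings.
LSA = r"HKLM\SYSTEM\CurrentControlSet\Control\Lsa"
MSV = LSA + r"\MSV1_0"
SRV = r"HKLM\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters"
WKS = r"HKLM\SYSTEM\CurrentControlSet\Services\LanmanWorkstation\Parameters"

# (key path, value name, required in audit phase, required in deny phase, compare, meaning)
# compare "min": actual >= required; "bits": every required bit set.
BASELINE = [
    (LSA, "LmCompatibilityLevel", 5, 5, "min", "send NTLMv2 only; refuse LM and NTLMv1"),
    (LSA, "NoLMHash", 1, 1, "min", "never store LM hashes"),
    (MSV, "NTLMMinClientSec", 0x20080000, 0x20080000, "bits", "client: NTLMv2 session security + 128-bit"),
    (MSV, "NTLMMinServerSec", 0x20080000, 0x20080000, "bits", "server: NTLMv2 session security + 128-bit"),
    (MSV, "AuditReceivingNTLMTraffic", 2, 2, "min", "audit all incoming NTLM (NTLM/Operational log)"),
    (MSV, "RestrictSendingNTLMTraffic", 1, 2, "min", "outgoing NTLM: 1 = audit all, 2 = deny all"),
    (MSV, "RestrictReceivingNTLMTraffic", 0, 2, "min", "incoming NTLM: 2 = deny all accounts"),
    (SRV, "RequireSecuritySignature", 1, 1, "min", "SMB server signing required (defeats SMB relay)"),
    (WKS, "RequireSecuritySignature", 1, 1, "min", "SMB client signing required"),
]

# Constructed snapshot resembling a lightly tuned member server. In practice build this
# dict from Get-ItemProperty output; each inner dict maps value name -> DWORD data.
SAMPLE_REGISTRY = {
    LSA: {"LmCompatibilityLevel": 3, "NoLMHash": 1},
    MSV: {"RestrictSendingNTLMTraffic": 0,
          "NTLMMinClientSec": 0x20080000, "NTLMMinServerSec": 0x20000000},
    SRV: {"RequireSecuritySignature": 0},
    WKS: {"RequireSecuritySignature": 1},
}


def check_ntlm_hardening(registry, phase="audit"):
    """registry: {key_path: {value_name: data}}. phase: "audit" (inventory stage) or
    "deny" (NTLM-off stage). Returns one human-readable finding per failing setting.
    An absent value is treated as 0, i.e. not configured."""
    if phase not in ("audit", "deny"):
        raise ValueError("phase must be 'audit' or 'deny'")
    findings = []
    for path, name, audit_req, deny_req, compare, meaning in BASELINE:
        required = deny_req if phase == "deny" else audit_req
        actual = registry.get(path, {}).get(name, 0)
        ok = (actual & required) == required if compare == "bits" else actual >= required
        if not ok:
            fmt = (lambda v: f"{v:#x}") if compare == "bits" else str
            findings.append(f"{path}\\{name}={fmt(actual)} (need {fmt(required)}): {meaning}")
    return findings


if __name__ == "__main__":
    for phase in ("audit", "deny"):
        print(f"== {phase} phase ==")
        for f in check_ntlm_hardening(SAMPLE_REGISTRY, phase):
            print("  ", f)
```

Before moving a host to the deny phase, list the few remaining legacy targets under MSV1_0\ClientAllowedNTLMServers (the "Add remote server exceptions" policy) rather than leaving outgoing NTLM open everywhere; on domain controllers the domain-wide equivalent of these controls is Netlogon\Parameters\RestrictNTLMInDomain.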
Training administrators, incident responders, and SOC analysts to recognize NTLM relay and pass-the-hash patterns is equally important. Combining this knowledge with strong credential hygiene, tiered administration, and multifactor authentication significantly reduces the blast radius of any single account compromise.
As Microsoft phases out NTLM and advances toward Kerberos and passwordless, phishing-resistant authentication, organizations that act early will be better positioned. Systematic NTLM auditing, application modernization, and adoption of robust identity security controls can reduce attack surface, protect critical data, and prevent last-minute crises when NTLM is no longer the default option in Windows environments.