Microsoft plans to bury its NTLM security relic after 30 years — replacing it with stronger Kerberos-based alternatives via future Windows client releases
The software giant plans to disable NTLM authentication by default, strengthening security with modern protocols.
Microsoft recently announced its plans to disable the legacy New Technology LAN Manager (NTLM) protocol by default in upcoming Windows releases. The software giant disclosed that the move is designed to address critical security vulnerabilities that would expose organizations to malicious attacks by bad actors, including "replay and man-in-the-middle attacks, due to its use of weak cryptography".
For context, the tech giant first introduced the protocol in 1993 with Windows NT 3.1 as the LAN Manager (LM) protocol's successor (via BleepingComputer). The protocol is designed to help authenticate a user's identity while simultaneously protecting the integrity and confidentiality of their activity.
As a result, Microsoft is now transitioning to stronger Kerberos-based alternatives. The move is intended to address critical security vulnerabilities affecting organizations and to support modern authentication standards.
Microsoft further indicated that NTLM is now classified as deprecated, which means that continued use of the security protocol could expose your organization to several risks, including no server authentication, weak cryptography, limited diagnostic data and auditing visibility (until recently), and vulnerability to replay, relay, and pass-the-hash attacks.
"Disabling NTLM by default does not mean completely removing NTLM from Windows yet. Instead, it means that Windows will be delivered in a secure-by-default state where network NTLM authentication is blocked and no longer used automatically. The OS will prefer modern, more secure Kerberos-based alternatives. At the same time, common legacy scenarios will be addressed through new upcoming capabilities such as Local KDC and IAKerb (pre-release)," Microsoft said.
Microsoft plans to disable NTLM by default in future Windows releases in three phases. In the first phase, enhanced NTLM auditing tools will remain available for Windows Server 2025 and Windows 11 version 24H2, allowing organization admins to identify where the protocol is still in use.
Microsoft has scheduled the second phase to start in the second half of 2026, where it plans to ship new features, including IAKerb and a Local Key Distribution Center, which will help mitigate the top NTLM pain points, such as domain controller connectivity limitations, local account authentication requirements, and hardcoded protocol selections in core Windows components.
As for the final phase, Microsoft will disable network NTLM authentication by default in the next major Windows Server release and associated Windows client releases. However, the protocol will still be available in the operating system. It's worth noting that it can be enabled again explicitly through policy controls if needed.
In the interim, Microsoft urges organizations to deploy enhanced auditing immediately and map application and service dependencies. The software giant has also reiterated the importance of transitioning to Kerberos for critical workloads and testing NTLM-disabled configurations in a non-production environment.
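One way to start the dependency mapping the article recommends, as an added example that is not from the article or from Microsoft: a PowerShell script that reads successful logon events (Event ID 4624) from a host's Security log and summarises which sources and accounts still authenticate with NTLM, and whether they use NTLMv1 or NTLMv2. It assumes rights to read the Security log and that logon auditing is enabled on the host.

```powershell
# Added example (not from the article or Microsoft): inventory NTLM logons
# recorded in the local Security log so each dependency can be traced to an
# application or service before network NTLM is disabled.
# Assumes: rights to read the Security log (e.g. an elevated session) and
# that successful logons (Event ID 4624) are being audited.
param(
    [int]$Days = 7
)

$since = (Get-Date).AddDays(-$Days)

# Successful logons in the window; Get-WinEvent errors when nothing matches,
# so suppress that and treat an empty result as "no NTLM seen".
$events = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4624; StartTime = $since } `
                       -ErrorAction SilentlyContinue

$ntlm = foreach ($e in $events) {
    # Parse the event XML; EventData holds named Data elements.
    $xml  = [xml]$e.ToXml()
    $data = @{}
    foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }

    # Keep only logons negotiated through the NTLM authentication package.
    if ($data['AuthenticationPackageName'] -ne 'NTLM') { continue }

    [pscustomobject]@{
        Time        = $e.TimeCreated
        Account     = "$($data['TargetDomainName'])\$($data['TargetUserName'])"
        LogonType   = $data['LogonType']      # 3 = network logon, the case that will be blocked
        NtlmVersion = $data['LmPackageName']  # "NTLM V1" or "NTLM V2"
        Source      = $data['WorkstationName']
        SourceIp    = $data['IpAddress']
    }
}

# Network NTLM logons grouped by source, account and NTLM version; NTLMv1
# entries are the ones to migrate to Kerberos first.
$ntlm |
    Where-Object { $_.LogonType -eq '3' } |
    Group-Object Source, Account, NtlmVersion |
    Sort-Object Count -Descending |
    Select-Object Count,
        @{ n = 'Source';      e = { $_.Group[0].Source } },
        @{ n = 'SourceIp';    e = { $_.Group[0].SourceIp } },
        @{ n = 'Account';     e = { $_.Group[0].Account } },
        @{ n = 'NtlmVersion'; e = { $_.Group[0].NtlmVersion } } |
    Format-Table -AutoSize
```

Run it on domain controllers and on application servers separately, since a client that falls back to NTLM against one service will only show up in that service host's log.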

Kevin Okemwa is a seasoned tech journalist based in Nairobi, Kenya with lots of experience covering the latest trends and developments in the industry at Windows Central. With a passion for innovation and a keen eye for detail, he has written for leading publications such as OnMSFT, MakeUseOf, and Windows Report, providing insightful analysis and breaking news on everything revolving around the Microsoft ecosystem. While AFK and not busy following the ever-emerging trends in tech, you can find him exploring the world or listening to music.
