Microsoft Begins NTLM Phase-Out With Three-Stage Plan to Move Windows to Kerberos

Microsoft has announced a three-phase approach to phase out New Technology LAN Manager (NTLM) as part of its efforts to shift Windows environments toward stronger, Kerberos-based options.

The development comes more than two years after the tech giant revealed its plans to deprecate the legacy technology, citing its susceptibility to weaknesses that could facilitate relay attacks and allow bad actors to gain unauthorized access to network resources. NTLM was formally deprecated in June 2024 and no longer receives updates.

“NTLM consists of security protocols originally designed to provide authentication, integrity, and confidentiality to users,” Mariam Gewida, Technical Program Manager II at Microsoft, explained. “However, as security threats have evolved, so have our standards to meet modern security expectations. Today, NTLM is susceptible to various attacks, including replay and man-in-the-middle attacks, due to its use of weak cryptography.”

Despite the deprecated status, Microsoft said it continues to find the use of NTLM prevalent in enterprise environments where modern protocols like Kerberos cannot be implemented due to legacy dependencies, network limitations, or ingrained application logic. This, in turn, exposes organizations to security risks, such as replay, relay, and pass-the-hash attacks.

To mitigate this problem in a secure manner, the company has adopted a three-phase strategy that paves the way for NTLM to be disabled by default –

• Phase 1: Building visibility and control using enhanced NTLM auditing to better understand where and why NTLM is still being used (Available now)
• Phase 2: Addressing common roadblocks that prevent a migration to NTLM through features like IAKerb and local Key Distribution Center (KDC) (pre-release), as well as updating core Windows components to prioritize Kerberos authentication (Expected in H2 2026)
• Phase 3: Disabling NTLM in the next version of Windows Server and associated Windows client, and requiring explicit re-enablement through new policy controls

Microsoft has positioned the transition as a major step toward a passwordless, phishing-resistant future. This also requires organizations relying on NTLM to conduct audits, map dependencies, migrate to Kerberos, test NTLM-off configurations in non-production environments, and enable Kerberos upgrades.

“Disabling NTLM by default does not mean completely removing NTLM from Windows yet,” Gewida said. “Instead, it means that Windows will be delivered in a secure-by-default state where network NTLM authentication is blocked and no longer used automatically.”

“The OS will prefer modern, more secure Kerberos-based alternatives. At the same time, common legacy scenarios will be addressed through new upcoming capabilities such as Local KDC and IAKerb (pre-release).”