MC1227478: Advancing Windows security: Disabling NTLM by default
Windows is moving toward a more secure authentication model by phasing out New Technology LAN Manager (NTLM) in favor of stronger, Kerberos-based alternatives. This transition is taking a three-phased approach, leading toward disabling NTLM by default in upcoming Windows releases. With each phase come new capabilities so that your organization has the tools, visibility, and compatibility support needed.
When will this happen:
- NTLM has been deprecated since June 2024.
- Today, enhanced auditing is available as part of Phase 1 toward NTLM disablement.
- In the second half of 2026, new tools will be available to Windows Server 2025 and Windows 11, version 24H2 and later: IAKerb, Local KDC, upgrade to negotiate Kerberos.
- With the next version of Windows Server and its corresponding client version, NTLM will be disabled by default. Additional support for handling NTLM-only cases will be built in.
How this will affect your organization:
Disabling NTLM represents a major evolution in Windows authentication, and a critical step toward a passwordless, phishing-resistant future. A phased strategy enables you to mitigate NTLM-related risks in a secure and predictable manner, without disrupting your organization.
What you need to do to prepare:
If your organization is beginning or accelerating its NTLM reduction efforts, now is the right time to engage your identity, security, and application owners to take concrete steps:
- Deploy enhanced NTLM auditing to identify where NTLM is still used.
- Map dependencies across applications and services and prioritize remediation. This may include reaching out to application developers to update critical applications.
- Migrate and validate that critical workloads succeed with Kerberos. The capabilities that will be released in the second half of 2026 will significantly expand the scenarios where you can use Kerberos successfully.
- Begin testing NTLM-off configurations in non-production environments.
- Enable Kerberos upgrades as they become available through the Windows Insider Program, and then more broadly later this calendar year.
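One way to start the "identify where NTLM is still used" and dependency-mapping steps is to group NTLM logons by account, source host and NTLM version. The PowerShell below is an added example, not code from this notice or from Microsoft. It assumes the classic Security-log logon event 4624 rather than the enhanced NTLM auditing events, and the function names and sample records are constructed for illustration.

```powershell
# Added example: summarize NTLM logons found in Security event 4624 records.
# Assumption: classic 4624 fields are used, not the enhanced NTLM auditing events.
function New-SampleLogonXml($User, $Package, $Lm, $Workstation, $Ip) {
    # Constructed sample record in the 4624 event XML layout (illustrative values).
@"
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
 <System><EventID>4624</EventID></System>
 <EventData>
  <Data Name="TargetUserName">$User</Data>
  <Data Name="TargetDomainName">CONTOSO</Data>
  <Data Name="AuthenticationPackageName">$Package</Data>
  <Data Name="LmPackageName">$Lm</Data>
  <Data Name="WorkstationName">$Workstation</Data>
  <Data Name="IpAddress">$Ip</Data>
 </EventData>
</Event>
"@
}

function ConvertTo-NtlmLogon {
    param([Parameter(Mandatory)][xml]$EventXml)
    $d = @{}   # flatten <Data Name="..."> elements into name/value pairs
    foreach ($n in $EventXml.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
    if ($d['AuthenticationPackageName'] -ne 'NTLM') { return }  # skip Kerberos/Negotiate
    [pscustomobject]@{
        Account     = '{0}\{1}' -f $d['TargetDomainName'], $d['TargetUserName']
        Workstation = $d['WorkstationName']
        SourceIp    = $d['IpAddress']
        NtlmVersion = $d['LmPackageName']   # "NTLM V1" or "NTLM V2"
    }
}

function Get-NtlmUsageSummary {
    param([Parameter(Mandatory)][string[]]$EventXml)
    $EventXml | ForEach-Object { ConvertTo-NtlmLogon -EventXml $_ } |
        Group-Object Account, Workstation, SourceIp, NtlmVersion |
        ForEach-Object {
            $g = $_
            $g.Group[0] | Select-Object *, @{ n = 'Count'; e = { $g.Count } }
        } |   # NTLMv1 users first, then the busiest account/host pairs
        Sort-Object @{ e = { $_.NtlmVersion -eq 'NTLM V1' }; Descending = $true },
                    @{ e = 'Count'; Descending = $true }
}

$sample = @(
    New-SampleLogonXml 'svc-backup' 'NTLM' 'NTLM V1' 'APP01' '192.0.2.10'
    New-SampleLogonXml 'svc-backup' 'NTLM' 'NTLM V1' 'APP01' '192.0.2.10'
    New-SampleLogonXml 'alice' 'NTLM' 'NTLM V2' 'WKS07' '192.0.2.23'
    New-SampleLogonXml 'bob' 'Kerberos' '-' '-' '192.0.2.31'
)
Get-NtlmUsageSummary -EventXml $sample | Format-Table -AutoSize
```

To run it against real data, replace `$sample` with the output of `Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4624} | ForEach-Object { $_.ToXml() }` from an elevated session on the server being assessed.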
Additional information: