Microsoft sets a path to switch off NTLM across Windows
Windows is shifting to a more secure authentication approach, moving away from New Technology LAN Manager (NTLM) and toward stronger, Kerberos-based options.

NTLM has been part of Windows for decades and continues to appear in some environments, particularly where legacy systems and older applications are present. Security threats have changed over time, and security expectations have risen with them. Today, NTLM’s weaker cryptography leaves it open to attacks such as replay attacks and man-in-the-middle attacks.
“Disabling NTLM by default does not mean completely removing NTLM from Windows yet. Instead, it means that Windows will be delivered in a secure-by-default state where network NTLM authentication is blocked and no longer used automatically. The OS will prefer modern, more secure Kerberos-based alternatives,” Mariam Gewida, Technical Program Manager II at Microsoft, explained.
NTLM is classified as deprecated and no longer receives updates, with removal planned for a future Windows release. The next step is to disable NTLM by default in upcoming Windows versions. A phased approach supports risk reduction while giving organizations time to prepare and transition without disruption.
In Phase 1, which is available now, IT teams can use enhanced auditing tools to understand where NTLM is being used, how it is triggered, and which systems depend on it. This phase is designed to give organizations visibility before any default behavior changes occur.
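As an added example (not the enhanced auditing tools the article refers to), the following PowerShell builds the kind of inventory Phase 1 calls for from the standard Security log: it pulls network logons that were authenticated with the NTLM package and summarizes them by account, source address, and NTLM version, so the accounts and client systems that still depend on NTLM are visible. It assumes logon auditing (event 4624) is enabled and that it runs with administrator rights on the server or domain controller that receives the logons.

```powershell
# Added example: inventory NTLM network logons recorded on this host so the
# accounts and clients that still depend on NTLM can be identified before it
# is disabled by default. Assumes "Audit Logon" (event ID 4624) is enabled and
# the script runs elevated on the host receiving the logons.
param([int]$Days = 7)

# XPath evaluated by the event log service: 4624 events inside the window,
# logon type 3 (network), authenticated through the NTLM package.
$ms = $Days * 24 * 60 * 60 * 1000
$xpath = "*[System[EventID=4624 and TimeCreated[timediff(@SystemTime) <= $ms]] " +
         "and EventData[Data[@Name='LogonType']='3' " +
         "and Data[@Name='AuthenticationPackageName']='NTLM']]"

# "No events were found" is reported as a non-terminating error; suppress it.
$events = Get-WinEvent -LogName Security -FilterXPath $xpath -ErrorAction SilentlyContinue

$logons = foreach ($e in $events) {
    # Pull the named EventData fields out of the event XML.
    $xml  = [xml]$e.ToXml()
    $data = @{}
    foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
    [pscustomobject]@{
        Time        = $e.TimeCreated
        Account     = "$($data.TargetDomainName)\$($data.TargetUserName)"
        SourceIp    = $data.IpAddress
        Workstation = $data.WorkstationName
        NtlmVersion = $data.LmPackageName   # 'NTLM V1' or 'NTLM V2'
    }
}

if (-not $logons) {
    Write-Host "No NTLM network logons found in the last $Days day(s)."
    return
}

# Count logons per account, source and version; NTLM V1 entries are the
# weakest and should be migrated first.
$logons |
    Group-Object Account, SourceIp, NtlmVersion |
    Sort-Object Count -Descending |
    Select-Object Count, @{n = 'Account, SourceIp, NtlmVersion'; e = { $_.Name }} |
    Format-Table -AutoSize
```

Run it on each file server and domain controller rather than on clients, because 4624 is logged where the logon is accepted; the resulting account and source list is the dependency map to work through before Phase 3.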
Phase 2 is expected to begin in the second half of 2026. During this phase, Microsoft plans to address common blockers that keep NTLM in use. This includes capabilities such as Local KDC, currently in preview, to prevent local account authentication from falling back to NTLM, along with updates to core Windows components so they prioritize Kerberos authentication.
Phase 3 will begin with a future major Windows release. At that point, network NTLM authentication will be disabled by default. Organizations that still require NTLM will need to explicitly re-enable it through policy controls, with built-in handling intended to limit application disruption.