
Disabling NTLM reduces the attack surface for credential‑theft techniques, forcing enterprises to adopt stronger Kerberos or password‑less methods. This accelerates security modernization across Windows environments.
Introduced with Windows NT in 1993, NTLM has long served as the fallback authentication mechanism for Windows domains, but its design makes it a prime target for credential theft: the NT hash is an unsalted MD4 digest that is itself sufficient to authenticate (pass‑the‑hash), the challenge‑response exchange carries no mutual authentication or binding to the server the client thinks it is talking to (so it can be relayed to a third host), and NTLMv1 still rests on DES. Over the past decade, authentication‑coercion techniques such as PetitPotam and ShadowCoerce have shown how an attacker can force a machine account to authenticate over NTLM to a host the attacker controls and then relay that authentication elsewhere, sidestepping mitigations that assumed the victim would never initiate the connection. Recognizing that the protocol’s inherent weaknesses outweigh its legacy convenience, Microsoft is moving NTLM from an always‑on default to an explicit opt‑in, aligning Windows with contemporary security standards.
The rollout follows a three‑phase plan designed to give administrators time to inventory and remediate NTLM usage. Phase 1, already available in Windows 11 24H2 and Server 2025, adds more granular NTLM auditing that records which clients, servers, accounts and NTLM versions are still in play, so lingering dependencies can be pinpointed before anything is blocked. Phase 2, slated for the second half of 2026, introduces IAKerb (which lets a client that cannot reach a domain controller obtain Kerberos tickets through the server it is authenticating to) and a Local Key Distribution Center (which issues Kerberos tickets for local accounts on standalone and workgroup machines), covering the scenarios where Kerberos was previously impossible. Phase 3 will block network NTLM by default; the protocol remains in the OS and can be re‑enabled via Group Policy for exceptional cases, so the goal is a deliberate, auditable exception list rather than a silent fallback.
The shift has immediate implications for security teams and developers. Organizations must audit applications, scripts, and services that still invoke NTLM and migrate them to Kerberos (ideally requested through the Negotiate/SPNEGO package, so the client selects Kerberos whenever it is available) or to password‑less credentials such as FIDO2. Common culprits are services addressed by IP rather than hostname, SPNs that were never registered, hard‑coded NTLM in third‑party software, and appliances that only speak NTLM. Compliance frameworks that reference credential‑theft mitigation will increasingly expect NTLM deprecation, so inventorying and removing these dependencies now avoids a scramble when Phase 3 lands. By forcing a move away from legacy authentication, Microsoft not only reduces the attack surface but also accelerates the industry’s transition toward more resilient, cryptographically sound identity models.
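The Phase 1 auditing and the application inventory described above can be driven from PowerShell. The script below is an added example, not code from the article or from Microsoft; it assumes an elevated session on Windows 10/11 or Server 2016+ (or a domain controller for domain‑wide auditing), uses the documented registry values behind the "Network security: Restrict NTLM" Group Policy settings and the NTLM event IDs they produce, and the exception host name at the end is a placeholder.

```powershell
#Requires -RunAsAdministrator
# Added example (not from the article). Turns on audit-only NTLM logging,
# then reports which accounts, workstations and NTLM versions still show up
# in successful logons, so they can be migrated before NTLM is blocked.

$Msv1 = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0'
$Lsa  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'

function Enable-NtlmAudit {
    # Audit-only: nothing is blocked, so this is safe to roll out broadly first.
    # Incoming NTLM to this host: 0 = off, 1 = domain accounts, 2 = all accounts
    Set-ItemProperty -Path $Msv1 -Name AuditReceivingNTLMTraffic -Type DWord -Value 2
    # Outgoing NTLM from this host: 0 = allow, 1 = audit (allow and log), 2 = deny
    Set-ItemProperty -Path $Msv1 -Name RestrictSendingNTLMTraffic -Type DWord -Value 1
    # On a domain controller (DomainRole 4 or 5) also audit domain-wide: 7 = enable all
    if ((Get-CimInstance Win32_ComputerSystem).DomainRole -ge 4) {
        Set-ItemProperty -Path $Lsa -Name AuditNTLMInDomain -Type DWord -Value 7
    }
}

function Get-NtlmLogons {
    # Successful logons (Security 4624) whose authentication package was NTLM
    # rather than Kerberos. LmPackageName distinguishes NTLMv1 from NTLMv2.
    param([int]$Days = 7)
    $filter = @{ LogName = 'Security'; Id = 4624; StartTime = (Get-Date).AddDays(-$Days) }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
        $data = @{}
        foreach ($d in ([xml]$_.ToXml()).Event.EventData.Data) {
            $data[$d.GetAttribute('Name')] = $d.InnerText
        }
        if ($data['AuthenticationPackageName'] -eq 'NTLM') {
            [pscustomobject]@{
                Time        = $_.TimeCreated
                Account     = '{0}\{1}' -f $data['TargetDomainName'], $data['TargetUserName']
                Workstation = $data['WorkstationName']
                SourceIp    = $data['IpAddress']
                LogonType   = $data['LogonType']      # 3 = network, the relay-relevant case
                Package     = $data['LmPackageName']  # 'NTLM V1' or 'NTLM V2'
            }
        }
    }
}

function Get-NtlmAuditEvents {
    # Events written by the Restrict NTLM policies: 8001 outgoing NTLM audited
    # (client side), 8002 incoming NTLM audited (server side), 8003/8004
    # domain-wide audit or block, seen on a domain controller.
    param([int]$Days = 7)
    Get-WinEvent -FilterHashtable @{
        LogName   = 'Microsoft-Windows-NTLM/Operational'
        Id        = 8001, 8002, 8003, 8004
        StartTime = (Get-Date).AddDays(-$Days)
    } -ErrorAction SilentlyContinue | Select-Object TimeCreated, Id, Message
}

# --- Usage ---------------------------------------------------------------
Enable-NtlmAudit

# Which systems and accounts still depend on NTLM? Anything reported as
# 'NTLM V1' is the first thing to fix, then every LogonType 3 entry.
Get-NtlmLogons -Days 7 |
    Group-Object Package, Workstation, Account |
    Sort-Object Count -Descending |
    Select-Object Count, Name |
    Format-Table -AutoSize

Get-NtlmAuditEvents -Days 7 | Format-Table -AutoSize -Wrap

# Client hardening that can ship now: 5 = send NTLMv2 only, refuse LM and NTLMv1
Set-ItemProperty -Path $Lsa -Name LmCompatibilityLevel -Type DWord -Value 5

# When an appliance genuinely cannot speak Kerberos, exempt it by name instead
# of re-enabling NTLM everywhere (placeholder host name; one entry per line).
# Set-ItemProperty -Path $Msv1 -Name ClientAllowedNTLMServers -Type MultiString -Value @('legacy-nas.corp.example')
```

Run the inventory for at least one full business cycle (month‑end jobs and quarterly reports are the usual stragglers) before relying on the results, and treat an empty `LmPackageName` or a `WorkstationName` that is an IP address as a hint that the client is addressing the service by IP, which forces NTLM even where Kerberos would otherwise work.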