Microsoft Announces Phased Retirement of NTLM in Favor of Stronger Authentication

Microsoft has unveiled a new three-stage plan to phase out the legacy NT LAN Manager (NTLM) authentication protocol as part of its efforts to improve security in Windows environments. The move is aimed at reducing reliance on the decades-old technology and transitioning systems toward more secure, modern alternatives like Kerberos. Although NTLM has been deprecated for some time, it remains widely used in enterprise networks due to legacy dependencies and compatibility issues.

NTLM was originally designed to provide basic authentication, integrity, and confidentiality, but advances in attack techniques have exposed significant weaknesses in its design. The protocol’s cryptographic methods are now considered outdated, making it vulnerable to attacks such as replay and man-in-the-middle exploits. Despite these flaws, many organizations still rely on NTLM because older applications and network configurations do not yet support newer authentication methods.

To address this, Microsoft’s phased strategy begins with tools to help organizations understand and monitor where NTLM is still in use. In the first phase, enhanced NTLM auditing capabilities are available now, giving administrators visibility into how and why NTLM is being used across their systems. This insight is intended to help teams plan their transition away from the protocol without risking service disruptions.
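One way to get that visibility from the standard Windows Security log, as an added example that is not part of Microsoft's announcement or its new auditing tooling: the script below relies on the long-standing logon event 4624 (not the enhanced auditing the article refers to), assumes logon auditing is enabled, and assumes it runs with administrative rights on the server or domain controller being inventoried.

```powershell
# Added example: inventory NTLM logons from the Security log so an admin can
# see which accounts and hosts still depend on NTLM before Kerberos migration.
param(
    [int]$Days = 7,                           # how far back to look
    [string]$ComputerName = $env:COMPUTERNAME # host whose log to read
)

$since = (Get-Date).AddDays(-$Days)

# Event 4624 = successful logon. AuthenticationPackageName says whether NTLM
# or Kerberos was used; LmPackageName distinguishes NTLM V1 / NTLM V2 / LM.
$events = Get-WinEvent -ComputerName $ComputerName -FilterHashtable @{
    LogName   = 'Security'
    Id        = 4624
    StartTime = $since
} -ErrorAction SilentlyContinue

$ntlm = foreach ($e in $events) {
    $xml  = [xml]$e.ToXml()
    $data = @{}
    foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
    if ($data['AuthenticationPackageName'] -ne 'NTLM') { continue }
    [pscustomobject]@{
        Time        = $e.TimeCreated
        Account     = "$($data['TargetDomainName'])\$($data['TargetUserName'])"
        Workstation = $data['WorkstationName']
        SourceIp    = $data['IpAddress']
        LogonType   = $data['LogonType']
        NtlmVersion = $data['LmPackageName']   # 'NTLM V1', 'NTLM V2' or 'LM'
    }
}

# Aggregate by account, source host and NTLM version; the busiest rows are the
# dependencies that most need a Kerberos path before NTLM is disabled.
$summary = $ntlm | Group-Object Account, Workstation, NtlmVersion |
    Sort-Object Count -Descending |
    Select-Object Count,
        @{n = 'Account';     e = { $_.Group[0].Account } },
        @{n = 'Workstation'; e = { $_.Group[0].Workstation } },
        @{n = 'SourceIp';    e = { $_.Group[0].SourceIp } },
        @{n = 'NtlmVersion'; e = { $_.Group[0].NtlmVersion } }

$summary | Format-Table -AutoSize

# NTLMv1 is the weakest variant and should be retired first.
$v1 = @($ntlm | Where-Object NtlmVersion -eq 'NTLM V1')
if ($v1.Count -gt 0) { Write-Warning "$($v1.Count) NTLMv1 logons found; migrate these first." }
```

Run it on each domain controller and file server over a representative window; Kerberos logons show `Kerberos` in the same field, so the ratio between the two is a simple progress metric for the migration.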

The second phase, expected in the second half of 2026, focuses on removing common obstacles that prevent migration to Kerberos. Microsoft plans to introduce features like IAKerb and a local Key Distribution Center (KDC), which are designed to support authentication scenarios that have traditionally fallen back to NTLM. Additionally, core Windows components will be updated to prioritize Kerberos authentication whenever possible.

In the final phase of the strategy, NTLM will be disabled by default in future versions of Windows Server and Windows client releases. Organizations that still require NTLM for specific legacy scenarios will need to explicitly re-enable it through policy controls. Microsoft frames this as moving toward a secure-by-default state, where the operating system favors modern, robust Kerberos-based authentication but still accommodates legacy needs during the transition.

Microsoft is positioning this phase-out as a key step toward a more secure, resilient authentication framework, aligned with broader industry trends such as passwordless and phishing-resistant environments. Organizations are being encouraged to audit their current NTLM usage, identify dependencies, and begin the process of migrating to Kerberos to ensure continued secure access and compliance.