Microsoft guides IT teams on preparing for a Kerberos-first Windows environment.
Key Takeaways:
Microsoft is moving to a more secure authentication posture by disabling New Technology LAN Manager (NTLM) by default and shifting to stronger, Kerberos-based authentication. The company has published a phased roadmap to give organizations time to identify dependencies and prepare for NTLM’s disablement in future Windows client releases and the next major Windows Server version.
NTLM (NT LAN Manager) is a legacy Microsoft authentication protocol that verifies a user’s identity through a challenge‑response exchange keyed by the user’s password hash, so the password itself never crosses the network. Windows falls back to it whenever Kerberos cannot be used: in workgroups and for local accounts, where no Key Distribution Center exists; when a client addresses a server by IP address rather than by name, so no service principal name can be found; and on legacy systems or in misconfigured domains.
Microsoft is disabling NTLM because the protocol no longer meets modern security requirements and has become a persistent attack vector in enterprise environments, particularly for credential theft and lateral movement. Its cryptography is dated (NTLMv1 rests on DES, NTLMv2 on HMAC‑MD5 over an unsalted MD4 password hash), and it does not authenticate the server to the client. This leaves it open to relay attacks, pass‑the‑hash (the hash alone is enough to compute a valid response), and offline cracking of captured challenge‑response pairs, all of which attackers routinely use to escalate privileges within Windows networks.
In a recent blog post, Microsoft outlined a phased rollout designed to reduce NTLM-related risks while minimizing disruption in enterprise environments. The first phase gives organizations clearer visibility into where and how NTLM is still used across Windows systems. Administrators can use enhanced NTLM auditing in newer Windows versions to identify dependencies, analyze authentication flows, and prioritize remediation efforts.
In the second phase, Microsoft will roll out new features to cover the scenarios that previously required NTLM fallback: a Local Key Distribution Center (Local KDC), which lets Kerberos authenticate local accounts on a machine that is not domain‑joined, and IAKerb, which lets a client with no line of sight to a domain controller obtain its tickets through the server it is authenticating to. This phase is set to begin in the second half of this year. The third phase will disable NTLM authentication by default in future Windows releases, though administrators will still be able to re‑enable it through policy settings, at their own risk.
“Disabling NTLM by default does not mean completely removing NTLM from Windows yet. Instead, it means that Windows will be delivered in a secure-by-default state where network NTLM authentication is blocked and no longer used automatically. The OS will prefer modern, more secure Kerberos-based alternatives. At the same time, common legacy scenarios will be addressed through new upcoming capabilities such as Local KDC and IAKerb (pre-release),” Microsoft explained.
Microsoft recommends that organizations begin proactively preparing for a future where NTLM is no longer available by default. This preparation includes enabling enhanced NTLM auditing to identify where and why NTLM is still being used, inventorying applications and devices that depend on it, and prioritizing migration to Kerberos or other modern authentication methods. Microsoft also encourages updating or replacing legacy systems that cannot support secure protocols and testing NTLM‑disabled configurations in controlled environments to detect hidden dependencies.
For IT administrators, Microsoft advises collaborating more closely with application owners, vendors, and security teams to remediate technical debt that has accumulated over years of NTLM fallback usage. Day‑to‑day responsibilities will increasingly include monitoring authentication logs, validating Kerberos readiness, and enforcing stricter authentication policies.
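The preparation steps above (enable auditing, inventory NTLM dependencies, rank them for remediation) can be scripted on each Windows host. The following PowerShell is an added example, not code from Microsoft’s post: it switches the Restrict NTLM policies to audit‑only through their registry values, then builds an inventory from the NTLM operational log and from Security event 4624 logons that used the NTLM package. It assumes an English‑language Windows (the operational‑log fields are parsed from message text), an elevated session, and that the seven‑day window and the output path under `$env:TEMP` are just conventions for this example.

```powershell
# Added example (not Microsoft's code): audit and inventory NTLM use on one Windows host.
# Run elevated. In a domain, set the audit policies through Group Policy
# ("Network security: Restrict NTLM: ...") instead of touching the registry per host;
# the values below are what those policies write.

$lsa = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0'

# Step 1: audit, do not block yet.
# RestrictSendingNTLMTraffic: 0 = allow all, 1 = audit all, 2 = deny all (outgoing NTLM).
# AuditReceivingNTLMTraffic:  0 = off, 1 = domain accounts only, 2 = all accounts (incoming NTLM).
Set-ItemProperty -Path $lsa -Name 'RestrictSendingNTLMTraffic' -Value 1 -Type DWord
Set-ItemProperty -Path $lsa -Name 'AuditReceivingNTLMTraffic'  -Value 2 -Type DWord

$since   = (Get-Date).AddDays(-7)            # assumed window for this example
$outDir  = $env:TEMP                          # assumed output location

# Pull a label from an NTLM operational event's message ("Target server: foo" etc.).
# Assumes English message strings.
function Get-MessageField {
    param([string]$Message, [string]$Label)
    $pattern = '(?m)^\s*' + $Label + ':\s*(.+?)\s*$'
    if ($Message -match $pattern) { $Matches[1] } else { '' }
}

# Parse an event's named EventData fields once, as a hashtable (locale independent).
function Get-EventData {
    param([System.Diagnostics.Eventing.Reader.EventRecord]$Event)
    $fields = @{}
    $xml = [xml]$Event.ToXml()
    foreach ($d in $xml.Event.EventData.Data) { $fields[$d.Name] = $d.'#text' }
    $fields
}

# Step 2a: NTLM operational log. 8001 = outgoing NTLM from this host (names the target
# server and the client process), 8002 = incoming NTLM to this host, 8003 = NTLM seen by a
# domain controller for this domain, 8004 = NTLM blocked by domain policy.
$ntlmOps = Get-WinEvent -FilterHashtable @{
        LogName   = 'Microsoft-Windows-NTLM/Operational'
        Id        = 8001, 8002, 8003, 8004
        StartTime = $since
    } -ErrorAction SilentlyContinue |
    ForEach-Object {
        $m = $_.Message
        [pscustomobject]@{
            Time    = $_.TimeCreated
            Event   = $_.Id
            Target  = Get-MessageField $m 'Target server'
            User    = Get-MessageField $m 'Supplied user'
            Process = Get-MessageField $m '(?:Name of client process|Calling process name)'
        }
    }

# Step 2b: successful logons that used NTLM rather than Kerberos. LmPackageName tells
# NTLMv1 ("NTLM V1") from NTLMv2 ("NTLM V2"); a Source that is an IP address with no
# matching hostname often means the client connected by IP and Kerberos was never tried.
$ntlmLogons = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4624; StartTime = $since } `
        -ErrorAction SilentlyContinue |
    ForEach-Object { Get-EventData $_ } |
    Where-Object { $_['AuthenticationPackageName'] -eq 'NTLM' } |
    ForEach-Object {
        [pscustomobject]@{
            Account     = '{0}\{1}' -f $_['TargetDomainName'], $_['TargetUserName']
            Workstation = $_['WorkstationName']
            Source      = $_['IpAddress']
            LogonType   = $_['LogonType']
            Version     = $_['LmPackageName']
        }
    }

# Step 3: rank for remediation. Weakest variants (NTLMv1/LM) first, then by volume.
$inventory = $ntlmLogons |
    Group-Object Account, Workstation, Source, Version |
    ForEach-Object {
        $first = $_.Group[0]
        [pscustomobject]@{
            Priority    = if ($first.Version -in 'NTLM V1', 'LM') { 1 } else { 2 }
            Count       = $_.Count
            Account     = $first.Account
            Workstation = $first.Workstation
            Source      = $first.Source
            Version     = $first.Version
        }
    } |
    Sort-Object Priority, @{ Expression = 'Count'; Descending = $true }

$ntlmOps   | Export-Csv -NoTypeInformation -Path (Join-Path $outDir "ntlm-operational-$env:COMPUTERNAME.csv")
$inventory | Export-Csv -NoTypeInformation -Path (Join-Path $outDir "ntlm-inventory-$env:COMPUTERNAME.csv")
$inventory | Format-Table -AutoSize
```

On domain controllers, add the “Audit NTLM authentication in this domain” policy so that 8003 events capture domain‑wide use in one place. Once the inventory is empty for a pilot group, set `RestrictSendingNTLMTraffic` and `RestrictReceivingNTLMTraffic` to 2 (deny) there and re‑run the collection; any new blocked events point at a dependency the audit phase missed.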