Microsoft Previews IAKerb And LocalKDC To Reduce NTLM Reliance in Windows 11

New authentication features extend secure identity workflows across domain and local environments.


Key Takeaways:

  • IAKerb enables Kerberos authentication without direct domain controller access.
  • LocalKDC supports secure authentication for local accounts.
  • Microsoft is gradually moving toward disabling NTLM in future releases.

Microsoft is preparing to introduce two new authentication features in Windows 11 that are designed to reduce reliance on NTLM. The capabilities are currently available in public preview for Windows Insiders enrolled in the Canary Channel.

NTLM (NT LAN Manager) is an older Microsoft authentication protocol that verifies a user’s identity with a challenge‑response exchange rather than sending the password itself. It is considered less secure than Kerberos (it does not authenticate the server to the client, and its responses are exposed to relay and offline cracking attacks), but it remains in use because many real‑world environments still depend on it.

NTLM is still needed, for instance, when a system cannot reach a domain controller, when a user signs in with a local (non‑domain) account, or in standalone and legacy setups that have no domain infrastructure at all. Removing NTLM outright would break authentication in those scenarios, so it remains a fallback while organizations transition to Kerberos‑based methods.

How do IAKerb and LocalKDC reduce dependence on NTLM?

Microsoft says IAKerb and LocalKDC are designed to close exactly those gaps on Windows devices. IAKerb (Initial and Pass‑Through Authentication using Kerberos) is an extension of Kerberos that lets a client authenticate even when it cannot reach a domain controller itself. Instead of contacting the KDC directly, the client sends its Kerberos requests (the AS‑REQ and TGS‑REQ messages) to the target application server, which acts as a proxy, forwards them to the KDC on the client’s behalf, and relays the replies back. The server therefore still needs its own line of sight to a KDC; the client does not.

This keeps the whole exchange inside the Kerberos framework rather than falling back to a weaker method like NTLM. It is especially useful in restricted or segmented networks, such as a client that can reach a server in a DMZ but not the domain controller behind it.

LocalKDC is a lightweight Key Distribution Center built into Windows that issues Kerberos tickets for local user accounts rather than domain accounts. Kerberos depends on a KDC to issue tickets, and on Windows that role lives on a domain controller, which is why systems using local accounts or operating outside a domain had no option but NTLM.

LocalKDC removes that limitation by running a KDC on the machine itself, backed by the accounts stored locally, and issuing Kerberos tickets for those credentials. This enables Kerberos‑based authentication on standalone systems, in workgroups, and in other settings with no domain infrastructure. Microsoft pairs it with IAKerb: a remote client that wants to authenticate to a machine with one of that machine’s local accounts routes its Kerberos messages through the target via IAKerb, and the target’s LocalKDC answers them.

Both features are in public preview in the Canary Channel. Microsoft plans to make them generally available for Windows 11 version 24H2 and Windows Server 2025 in the second half of 2026.

What should IT administrators do before turning off NTLM?

Microsoft recommends that administrators find out where NTLM is still used before disabling it in their organizations. Newer NTLM auditing in Windows records which account used NTLM, why Kerberos was not used, and which systems were involved. Administrators can find these events in Event Viewer under Applications and Services Logs > Microsoft > Windows > NTLM > Operational.
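As an added example (not part of Microsoft’s announcement or tooling), the following PowerShell script does the inventory step above on a single host: it switches the "Network security: Restrict NTLM" policy values to audit-only, reads the NTLM operational log named in the text, and cross-checks it against Security event 4624, whose AuthenticationPackageName field says whether a logon used Kerberos or NTLM. The look-back window, the output folder, and the per-host registry approach are assumptions; in a domain the same settings are normally pushed by Group Policy and would override what this script sets.

```powershell
# Added example, not Microsoft's own tooling. Inventory NTLM use on one host
# before turning NTLM off. Run in an elevated PowerShell session.
#Requires -RunAsAdministrator
param(
    [int]$Days = 7,                                # assumption: one-week look-back
    [string]$OutDir = "$env:TEMP\ntlm-inventory"   # assumption: where CSVs are written
)

New-Item -ItemType Directory -Path $OutDir -Force | Out-Null
$since = (Get-Date).AddDays(-$Days)

# 1. Audit-only mode. These are the registry values behind the documented
#    "Network security: Restrict NTLM" Group Policy settings:
#    RestrictSendingNTLMTraffic 1 = audit all outgoing NTLM (0 allow, 2 deny)
#    AuditReceivingNTLMTraffic  2 = audit incoming NTLM for all accounts
#    Neither value blocks anything; they only make the operational log populate.
$lsa = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0'
Set-ItemProperty -Path $lsa -Name RestrictSendingNTLMTraffic -Value 1 -Type DWord
Set-ItemProperty -Path $lsa -Name AuditReceivingNTLMTraffic  -Value 2 -Type DWord

# 2. Read the NTLM operational log. EventData is flattened from the event XML
#    by field name, so the script does not depend on per-event-ID positions.
function Get-NtlmOperationalEvents {
    param([datetime]$StartTime)
    $filter = @{ LogName = 'Microsoft-Windows-NTLM/Operational'; StartTime = $StartTime }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
        $xml = [xml]$_.ToXml()
        $row = [ordered]@{ TimeCreated = $_.TimeCreated; Id = $_.Id }
        foreach ($d in $xml.Event.EventData.Data) { $row[$d.Name] = $d.'#text' }
        [pscustomobject]$row
    }
}

# 3. Cross-check with Security 4624 (successful logon): AuthenticationPackageName
#    is 'Kerberos' or 'NTLM' (or 'Negotiate' for some local logons).
function Get-LogonsByPackage {
    param([datetime]$StartTime)
    $filter = @{ LogName = 'Security'; Id = 4624; StartTime = $StartTime }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
        $xml = [xml]$_.ToXml()
        $d = @{}
        foreach ($x in $xml.Event.EventData.Data) { $d[$x.Name] = $x.'#text' }
        [pscustomobject]@{
            TimeCreated = $_.TimeCreated
            Package     = $d['AuthenticationPackageName']
            LogonType   = $d['LogonType']
            User        = "$($d['TargetDomainName'])\$($d['TargetUserName'])"
            Workstation = $d['WorkstationName']
            SourceIp    = $d['IpAddress']
        }
    }
}

$ntlm   = Get-NtlmOperationalEvents -StartTime $since
$logons = Get-LogonsByPackage -StartTime $since

$ntlm   | Export-Csv -Path (Join-Path $OutDir 'ntlm-operational.csv') -NoTypeInformation
$logons | Export-Csv -Path (Join-Path $OutDir 'logons-4624.csv')      -NoTypeInformation

# 4. What an admin reads first: which NTLM event IDs fire, the Kerberos/NTLM
#    split across logons, and the top NTLM users by source, i.e. the systems
#    and accounts that would break if NTLM were disabled today.
$ntlm   | Group-Object Id      | Select-Object Name, Count | Sort-Object Count -Descending
$logons | Group-Object Package | Select-Object Name, Count
$logons | Where-Object Package -eq 'NTLM' |
    Group-Object User, Workstation, SourceIp |
    Sort-Object Count -Descending |
    Select-Object -First 20 Count, Name
```

Run it for at least one full business cycle before drawing conclusions, since scheduled jobs and month-end processes are common NTLM stragglers. The event IDs and field names in the NTLM operational log vary by Windows build, which is why the script flattens EventData by name rather than assuming a fixed layout; the CSVs keep every field so the Kerberos-failure reason recorded by newer builds is preserved for review.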

Microsoft notes that while IAKerb and LocalKDC reduce situations where systems fall back to NTLM, they do not eliminate it. Some legacy applications and older systems still rely on NTLM, and certain use cases may continue to trigger it.

Microsoft is following a phased strategy to retire NTLM. The first phase gives organizations visibility into where NTLM is used through enhanced auditing. The second, under way this year, introduces IAKerb and LocalKDC to expand where Kerberos can be used and shrink the set of cases that fall back to NTLM. In the final phase, Microsoft plans to turn NTLM off by default in a future Windows release, currently expected in 2027–2028.