
Microsoft is preparing one of the most consequential security shifts in Windows in decades, turning off NTLM authentication by default and pushing organizations toward modern, Kerberos-based sign-in. After roughly 30 years as a core building block of Windows networking, the legacy protocol is being treated as a liability rather than a convenience. For enterprises that still depend on NTLM in forgotten corners of their infrastructure, the change will be as much about discovery and cleanup as it is about new features.

Instead of a sudden cutover, Microsoft is staging the move through a structured transition that culminates in NTLM being disabled in upcoming Windows and Windows Server releases. The company is framing the decision as part of a broader push to deliver Windows in a secure-by-default state, where older authentication paths that enable relay and pass-the-hash attacks are no longer available out of the box.

Why Microsoft is finally pulling the plug on NTLM

At the heart of this shift is a simple security reality: NTLM is classified as deprecated and has become a favorite target for attackers who rely on credential relays and hash theft to move laterally inside networks. Microsoft has been explicit that it will disable the 30-year-old NTLM authentication protocol by default in future Windows releases because of these security vulnerabilities, a move that directly responds to long-standing abuse of the protocol in real-world breaches, as highlighted in its own NTLM announcement.

Kerberos is the alternative Microsoft wants front and center, and the company is clear that Kerberos will identify critical security vulnerabilities impacting organizations while supporting modern authentication standards. By leaning on Kerberos-based mechanisms, Microsoft can better mitigate the pass-the-hash attacks that have plagued NTLM, a point underscored in its explanation that Kerberos is central to the new default posture. The company is not just swapping one protocol for another; it is trying to close off entire classes of attack that thrive on legacy behavior.

The three phase roadmap to a world without NTLM

Rather than flipping a single global switch, Microsoft has laid out a three-phase roadmap that is meant to meet organizations where they are and minimize disruption. In Phase 1, which is available now, IT teams can use enhanced auditing tools to identify where NTLM is still in use across Windows environments, a capability that Microsoft describes as essential groundwork for mapping dependencies before anything is turned off, as detailed in its description of the Phase 1 audit features.

Phase 2 focuses on addressing the top NTLM pain points by giving administrators more control and compatibility options. Microsoft groups this under a broader strategy it calls a phased approach, which includes building visibility and addressing the most common NTLM issues before any default blocking occurs. The company has described this as the phase that smooths the path to Phase 3, when NTLM is disabled by default and organizations are expected to have already remediated or isolated their remaining dependencies.

Phase 3: NTLM disabled by default in new Windows releases

The most dramatic change arrives in Phase 3, when Microsoft will ship the next major Windows Server release and the associated Windows client releases with network NTLM authentication blocked out of the box. In this phase, Microsoft describes network NTLM as disabled by default, meaning Windows will be delivered in a secure-by-default state where network NTLM authentication is blocked and no longer available as a standard path, a shift the company spells out in its Phase 3 guidance.

Instead of leaving administrators to guess when this will land, Microsoft has tied the change to specific platform milestones, stating that the solutions will be released in the second half of the year for Windows Server 2025 or Windows 11, version 24H2 and later. Administrators are being urged to prepare for these upgrades as they become available, since the secure-by-default posture will be the norm on new deployments, a point reinforced in Microsoft’s description of how Windows Server and Windows 11 will incorporate the change.

What “secure by default” really means for Windows environments

When Microsoft says Windows will be secure by default, it is not promising that NTLM disappears entirely. It means that Windows will be delivered in a secure-by-default state where network NTLM authentication is blocked and no longer silently available to legacy applications unless administrators explicitly re-enable it, a framing Microsoft uses to emphasize that the default posture is changing even if the protocol can still be turned back on, as described in its explanation that, instead of being removed, NTLM is being hardened.

For organizations, this secure-by-default model shifts the burden of proof: any remaining NTLM use must be justified, documented and often isolated, rather than being the path of least resistance. Microsoft has been clear that NTLM is classified as deprecated and that the new defaults are intended to limit application disruption while still forcing a move toward Kerberos and other modern methods, a balance it outlines in its Windows security roadmap for the protocol.

How admins can find and fix lingering NTLM dependencies

The practical challenge for IT teams is not the switch itself, but uncovering where NTLM still lurks in production. Microsoft has already shipped enhanced NTLM auditing tools that help administrators identify where the protocol is still in use, including which applications and services are making NTLM calls, a capability it highlights as the first step in its plan to retire the old protocol after 30 years, as described in its enhanced auditing guidance.

On the bright side, enabling and disabling NTLM controls takes effect immediately and does not require a reboot, and the same diagnostic logging settings that help track NTLM usage can be used to validate that changes are working as expected. Microsoft notes that this immediate effect applies when administrators adjust the policies that govern which accounts can use NTLM to access a resource, a detail spelled out in its Active Directory hardening guidance.
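As an added example (not Microsoft's auditing tooling and not code from the article), the PowerShell below turns Security event 4624 into a per-account, per-source inventory of NTLM network logons, using the real EventData fields AuthenticationPackageName and LmPackageName (the latter records "NTLM V1" or "NTLM V2"). The sample events at the bottom are constructed so the script runs offline; the commented Get-WinEvent line shows the live query.

```powershell
# Added example: inventory remaining NTLM network logons from Security event 4624.
function ConvertFrom-LogonEvent {
    # Extract the EventData fields of one 4624 event from its XML representation.
    param([Parameter(Mandatory)][xml]$Xml)
    $d = @{}
    foreach ($n in $Xml.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
    # Prefer the workstation name; fall back to the source IP when it is "-".
    $src = $d.IpAddress
    if ($d.WorkstationName -and $d.WorkstationName -ne '-') { $src = $d.WorkstationName }
    [pscustomobject]@{
        Account     = "$($d.TargetDomainName)\$($d.TargetUserName)"
        LogonType   = [int]$d.LogonType                 # 3 = network logon
        AuthPackage = $d.AuthenticationPackageName      # "NTLM" or "Kerberos"
        NtlmVersion = $d.LmPackageName                  # "NTLM V1"/"NTLM V2", "-" otherwise
        Source      = $src
    }
}

function Get-NtlmLogonSummary {
    # Keep only NTLM network logons (the ones Phase 3 blocks) and count them per
    # account, source and NTLM version; V1 entries deserve the earliest attention.
    param([Parameter(Mandatory)][object[]]$Logons)
    $Logons |
        Where-Object { $_.AuthPackage -eq 'NTLM' -and $_.LogonType -eq 3 } |
        Group-Object Account, Source, NtlmVersion |
        ForEach-Object {
            [pscustomobject]@{ Account = $_.Group[0].Account; Source = $_.Group[0].Source
                               NtlmVersion = $_.Group[0].NtlmVersion; Count = $_.Count }
        } | Sort-Object Count -Descending
}

# Live use (run elevated): last 24 hours of 4624 events from the Security log.
# $logons = Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4624; StartTime=(Get-Date).AddDays(-1)} |
#           ForEach-Object { ConvertFrom-LogonEvent ([xml]$_.ToXml()) }

# Constructed sample events (minimal 4624 EventData) so the script runs offline.
$sample = @(
    @{ U='svc-backup'; D='CORP'; T=3; A='NTLM';     L='NTLM V1'; W='FILESRV01'; I='10.0.0.5' },
    @{ U='svc-backup'; D='CORP'; T=3; A='NTLM';     L='NTLM V1'; W='FILESRV01'; I='10.0.0.5' },
    @{ U='jdoe';       D='CORP'; T=3; A='NTLM';     L='NTLM V2'; W='-';         I='10.0.0.9' },
    @{ U='jdoe';       D='CORP'; T=3; A='Kerberos'; L='-';       W='WS-JDOE';   I='10.0.0.9' },
    @{ U='admin';      D='CORP'; T=2; A='NTLM';     L='NTLM V2'; W='WS-ADMIN';  I='-' }   # interactive, not counted
) | ForEach-Object {
    [xml]@"
<Event xmlns='http://schemas.microsoft.com/win/2004/08/events/event'><EventData>
<Data Name='TargetUserName'>$($_.U)</Data><Data Name='TargetDomainName'>$($_.D)</Data>
<Data Name='LogonType'>$($_.T)</Data><Data Name='AuthenticationPackageName'>$($_.A)</Data>
<Data Name='LmPackageName'>$($_.L)</Data><Data Name='WorkstationName'>$($_.W)</Data>
<Data Name='IpAddress'>$($_.I)</Data></EventData></Event>
"@
}
Get-NtlmLogonSummary -Logons ($sample | ForEach-Object { ConvertFrom-LogonEvent $_ }) | Format-Table
```

On the constructed sample the table lists CORP\svc-backup from FILESRV01 twice with NTLM V1 and CORP\jdoe from 10.0.0.9 once with NTLM V2; the Kerberos and interactive logons are filtered out.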
