NTLM sidelined on Windows: Microsoft disables the protocol by default and pushes Kerberos


Microsoft has decided to take a strong step against one of the oldest, and most problematic, parts of Windows authentication: the NTLM protocol will no longer be enabled automatically in the next major versions of the operating system. After three decades as the default fallback in legacy environments, the company argues that keeping NTLM enabled by default exposes organizations to attack vectors that are no longer acceptable in 2026 and beyond.

NTLM (New Technology LAN Manager) was born with Windows NT in the 1990s as a challenge-response method for authenticating users and machines. It was eventually replaced by Kerberos in modern domains but remained present as a fallback mechanism. This persistent presence is dangerous because NTLM relies on obsolete cryptographic schemes and has been repeatedly exploited by attackers to escalate privileges and move laterally within corporate networks.

Image generated with AI.

The history of abuse is long: from the classic NTLM relay techniques to specific flaws that force compromised machines to authenticate against servers controlled by the attacker. Vulnerabilities and tools such as PetitPotam, which abused remote services to facilitate relays, or RemotePotato0, which allowed impersonation of the LocalSystem account, illustrate why experts have recommended eliminating or mitigating NTLM for years. Microsoft and the security community have documented these risks extensively; for example, PetitPotam's description and follow-up appear in Microsoft's vulnerability entry CVE-2021-36942, and the RemotePotato0 technique was analyzed publicly by incident response teams such as Rapid7.

Beyond relays, pass-the-hash attacks remain a practical problem: adversaries extract authentication hashes from compromised machines and reuse them to authenticate as legitimate users. Microsoft offers guidance to mitigate these threats, but the most solid solution is to prevent NTLM from being used as a fallback in the first place; in that sense, the official recommendations remain a reference for administrators.

The announced change does not aim to erase NTLM from the system overnight. According to Microsoft, the intention is to ship Windows in a "secure by default" state in which NTLM network authentication is blocked and not used automatically, while the system prefers modern Kerberos-based alternatives and phishing-resistant authentication mechanisms. The official details of the plan are in the Windows team's post on the Microsoft Tech Community blog here.

To minimize the operational impact, Microsoft proposes a three-phase transition. In the first stage, improved audit tools (already present in Windows 11 24H2 and in the Windows Server 2025 preview) are made available so administrators can locate where NTLM is still used in their environments. This visibility is key: many outages and one-off patches to legacy services arise precisely because administrators do not know which applications or devices still fall back to NTLM.

The second phase, scheduled for the second half of 2026, introduces capabilities designed to cover the legitimate scenarios that have historically forced a fallback to NTLM, such as IAKerb (Integrated Authentication for Kerberos) and a Local Key Distribution Center that handles local operations without resorting to the old protocol. Finally, in a third stage, NTLM network authentication will be disabled by default in future versions; the protocol will remain present in the system for compatibility and can be re-enabled by explicit policy if an organization needs it temporarily.

This roadmap was already announced by Microsoft months ago and is part of a broader strategy to move towards passwordless and phishing-resistant authentication models. The company began warning about the need to stop using NTLM years ago and, since 2010, has been urging developers and administrators to migrate to Kerberos or to safer negotiation mechanisms. Technical documentation on NTLM and its deprecation is available in Microsoft's official documentation here, and the deprecation roadmap was publicly formalized in 2024.

Image generated with AI.

For IT teams the practical recommendation is clear: start the inventory and testing as soon as possible. Enable NTLM auditing to discover dependencies, evaluate third-party applications and devices (printers, legacy equipment, old integrations) and plan mitigations or replacements. Where NTLM cannot be removed immediately, Microsoft and other vendors recommend specific settings and protections, for example the use of Active Directory Certificate Services (AD CS) certificates and services to reduce the effectiveness of relays, and applying all official hardening guides.
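The inventory step described above (and the first-phase audit tooling mentioned earlier), scripted as an added example that is not the article's or Microsoft's own code: it turns on the NTLM audit settings on one host and summarises which processes, clients and targets still use NTLM. The registry value names and event IDs are Microsoft's documented ones; the function names, the seven-day window and the grouping are assumptions.

```powershell
# Added example, not from the article or from Microsoft: enable NTLM auditing on a
# Windows host and summarise where NTLM is still used (the first-phase inventory step).
# Assumes an elevated PowerShell session on Windows 11 / Windows Server. The registry
# values are those behind the "Network security: Restrict NTLM" Group Policy settings;
# audit mode only logs, it blocks nothing.
$lsa = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0'
# RestrictSendingNTLMTraffic: 1 = audit outgoing NTLM (0 = allow all, 2 = deny all)
# AuditReceivingNTLMTraffic:  2 = audit all incoming NTLM (1 = domain accounts only)
Set-ItemProperty -Path $lsa -Name 'RestrictSendingNTLMTraffic' -Value 1 -Type DWord
Set-ItemProperty -Path $lsa -Name 'AuditReceivingNTLMTraffic'  -Value 2 -Type DWord
# The audit events land in this operational channel; make sure it is enabled.
wevtutil set-log 'Microsoft-Windows-NTLM/Operational' /enabled:true

function Get-NtlmDependencies {
    param([int]$Days = 7)
    # 8001 = outgoing NTLM, 8002 = incoming NTLM, 8003 = domain-account NTLM,
    # 8004 = NTLM audited/blocked by domain policy on a domain controller.
    $events = Get-WinEvent -FilterHashtable @{
        LogName = 'Microsoft-Windows-NTLM/Operational'; Id = 8001, 8002, 8003, 8004
        StartTime = (Get-Date).AddDays(-$Days) } -ErrorAction SilentlyContinue
    # Flatten every EventData field into one "name=value" key so each distinct
    # (process, client, target, user) combination becomes one row, whatever
    # field names a given event ID carries.
    $events | ForEach-Object {
        $ev = $_
        $pairs = ([xml]$ev.ToXml()).Event.EventData.Data |
            ForEach-Object { "$($_.Name)=$($_.'#text')" }
        [pscustomobject]@{ Id = $ev.Id; Key = ($pairs -join '; ') }
    } | Group-Object Id, Key | Sort-Object Count -Descending | Select-Object Count, Name
}

function Get-NtlmLogons {
    param([int]$Days = 7)
    # Cross-check that also works on hosts without the new audit tooling:
    # successful logons (Security 4624) whose authentication package is NTLM.
    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4624
        StartTime = (Get-Date).AddDays(-$Days) } -ErrorAction SilentlyContinue |
    ForEach-Object {
        $d = @{}
        foreach ($x in ([xml]$_.ToXml()).Event.EventData.Data) { $d[$x.Name] = $x.'#text' }
        if ($d['AuthenticationPackageName'] -eq 'NTLM') {
            [pscustomobject]@{ User = $d['TargetUserName']; Workstation = $d['WorkstationName']
                LogonType = $d['LogonType']; Package = $d['LmPackageName'] }
        }
    } | Group-Object User, Workstation, Package | Sort-Object Count -Descending |
        Select-Object Count, Name
}

Get-NtlmDependencies | Format-Table -AutoSize
Get-NtlmLogons | Format-Table -AutoSize
```

Run it on a representative member server and a domain controller for at least one full business cycle before deciding what can be migrated; a row with an NTLM V1 package in the second table is a higher-priority dependency than one with NTLM V2.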

The transition will not be free of friction: many organizations depend on legacy solutions that have not received updates in years, and in industrial or control environments there are devices that only support old schemes. That is why the possibility of re-enabling NTLM through administrative policy offers a temporary cushion, but it should not be taken as an excuse to delay modernization. Finally, strengthening authentication is only one piece: combining it with network segmentation, monitoring and early detection dramatically increases resilience against intrusions.

In short, Microsoft's announcement is a wake-up call for everyone responsible for security: the immediate future of Windows will prioritize Kerberos and passwordless methods, and NTLM will be blocked by default unless an explicit need is declared. Those who manage infrastructure should take advantage of the audit tools already available, plan the migration of services and review integrations with vendors, because the window to adapt is open now and acting early avoids surprises when the new policy is rolled out widely.
