
Microsoft is making Windows more secure, here is how IT admins need to prepare

Microsoft is disabling a legacy component in Windows, calling it a "major evolution in Windows authentication", but IT admins need to make sure that it doesn't break their infrastructure.


For the past few years, Microsoft has been talking about how it is slowly, but surely, phasing out NTLM in Windows installations in favor of Kerberos-based alternatives. Although some versions of the protocol are still supported in a deprecated state, Microsoft has begun removing some ancient NTLM versions in Windows 11 and Windows Server 2025. Now, the Redmond-based firm has explained how IT admins can prepare for the disablement of NTLM in their respective environments.

NTLM has been a component of Windows authentication for over 30 years, but as the threat landscape has grown more sophisticated, the protocol is no longer suitable for enterprise environments. Organizations that continue to use NTLM despite its deprecation will run into many security issues, including the lack of server authentication, trivial exposure to replay, relay, and pass-the-hash attacks, and weak cryptographic algorithms.

As it currently stands, Microsoft is moving NTLM from deprecated to disabled by default. The ultimate goal is to get rid of the protocol entirely, of course.

In Phase 1 of this disablement process, IT admins can leverage tools offered by Microsoft to find out where, how, and why NTLM is being used within their infrastructure. Phase 2 will begin in the second half of this year, in which Microsoft will try to make it easier to get rid of NTLM by removing some blockers. It will offer Local KDC (preview) so that local accounts don't fall back to NTLM during authentication, and it will also update "core" Windows components so that they prioritize Kerberos-based negotiations.


Phase 3 will kick off with the release of the next version of Windows Server and client SKUs where NTLM will be disabled by default. Organizations will still be able to utilize it, but they will have to explicitly enable it at their own risk.

Microsoft has touted the disablement of NTLM as a "major evolution in Windows authentication", which will make the OS more secure. IT admins should follow the steps below to make sure that they are ready for this change:

  1. Deploy enhanced NTLM auditing to identify where NTLM is still used.
  2. Map dependencies across applications and services, and prioritize remediation. This may include reaching out to application developers to update critical applications.
  3. Migrate and validate that critical workloads succeed with Kerberos. The capabilities that will be released in the second half of 2026 will significantly expand the scenarios where you can use Kerberos successfully.
  4. Begin testing NTLM-off configurations in non-production environments.
  5. Enable Kerberos upgrades as they become available through the Windows Insider Program, and then more broadly later this calendar year.
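One way to get started on steps 1 and 2, as an added example that is not Microsoft's tooling or code from this article: a PowerShell script that tallies NTLM logons recorded in Security event 4624 by source host and account, so the output doubles as a first dependency map. It assumes the Audit Logon subcategory is enabled on the server being checked (a file server or domain controller is the usual place to look) and that the shell is elevated.

```powershell
# Added example (not from the article or Microsoft): inventory NTLM logons from
# Security event 4624 to see which accounts and source hosts still rely on NTLM.
# Assumes logon auditing is enabled on this host and the shell runs elevated.
param(
    [int]$Days = 7,
    [int]$MaxEvents = 50000
)

$since = (Get-Date).AddDays(-$Days)

# Successful logons; 4624 carries the authentication package that was used.
$events = Get-WinEvent -FilterHashtable @{
    LogName   = 'Security'
    Id        = 4624
    StartTime = $since
} -MaxEvents $MaxEvents -ErrorAction Stop

$ntlm = foreach ($e in $events) {
    $x = [xml]$e.ToXml()
    $d = @{}
    foreach ($item in $x.Event.EventData.Data) { $d[$item.Name] = $item.'#text' }

    # Keep only NTLM logons; Kerberos (directly or via Negotiate) is the goal state.
    if ($d['AuthenticationPackageName'] -ne 'NTLM') { continue }

    [pscustomobject]@{
        Time      = $e.TimeCreated
        Account   = "$($d['TargetDomainName'])\$($d['TargetUserName'])"
        LogonType = $d['LogonType']        # 3 = network, 2 = interactive, 10 = RDP
        Source    = if ($d['WorkstationName']) { $d['WorkstationName'] } else { $d['IpAddress'] }
        LmPackage = $d['LmPackageName']    # 'NTLM V1' vs 'NTLM V2'; V1 is the priority
        Process   = $d['ProcessName']
    }
}

# Summarise by source and account: the busiest rows are the dependencies to chase first.
$ntlm |
    Group-Object Source, Account |
    Sort-Object Count -Descending |
    Select-Object Count,
        @{n='Source';    e={ $_.Group[0].Source }},
        @{n='Account';   e={ $_.Group[0].Account }},
        @{n='LogonType'; e={ ($_.Group.LogonType | Sort-Object -Unique) -join ',' }},
        @{n='LmPackage'; e={ ($_.Group.LmPackage | Sort-Object -Unique) -join ',' }} |
    Format-Table -AutoSize
```

Run it on each server in scope and merge the tables; any row whose source is a service account or an application host is a candidate for the developer outreach mentioned in step 2.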

If you come across edge cases where you simply cannot get rid of NTLM, reach out to Microsoft directly through the following email address: [email protected]
