
For the past few years, Microsoft has been phasing out NTLM in Windows in favor of Kerberos-based alternatives. Starting with the next versions of client and server editions of Windows, Microsoft will also be disabling the legacy authentication protocol by default. In the latest security baseline package for Windows Server 2025, the company is already allowing customers to audit incoming configurations. Now, it has announced a wave of changes to further reduce dependencies on NTLM.
With an upcoming Insider release of Windows 11 client and server, certain scenarios that previously required NTLM will be able to fall back on Initial and Pass-Through Authentication using Kerberos (IAKerb) and Local Key Distribution Center (LocalKDC).
For those unaware, IAKerb enables Kerberos to work when a client does not have direct access to a domain controller (DC). While traditional Kerberos authentication requires direct connectivity to a DC, IAKerb lets the target service act as a proxy for the Kerberos exchange. It is useful in enterprise scenarios where the visibility of DCs is restricted, or where clients can reach target services but not the relevant DCs.
Meanwhile, LocalKDC enables Kerberos-based authentication for local account scenarios, rather than relying on NTLM. This makes it especially useful on standalone devices, workgroup environments, and more.
Together, IAKerb and LocalKDC will reduce NTLM dependency in both remote enterprise and local environment scenarios. Developers will also be able to rely on modern authentication flows that are consistent and secure. Microsoft understands that while most customers are pivoting away from NTLM due to security concerns, others continue to use the legacy protocol for niche use cases. It hopes that IAKerb and LocalKDC will help close some of those gaps and enable organizations to ditch NTLM.
With the next Canary Channel release in the Windows Insider Program, Microsoft will be previewing these capabilities. IAKerb will be enabled by default while LocalKDC will be disabled, but users will have the ability to toggle this behavior through Windows Registry keys, as explained here.
As the company gradually moves towards general availability, it will begin surfacing these options in management tools and Group Policy too. For now, Microsoft has strongly encouraged customers still using NTLM to begin testing and validating these security features as soon as they become available in the next preview.
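Before NTLM is disabled by default, an administrator wants to know which accounts and hosts still depend on it. The script below is an added example, not code from the article or from Microsoft: it reads Security event 4624 (successful logon), keeps the NTLM entries, and marks each as a local-account logon (a LocalKDC candidate) or a domain-account logon (an IAKerb candidate). The 4624 field names are the real ones; the three sample events and the host names in them are constructed, and `Get-AuthPackageSummary` is a hypothetical helper.

```powershell
# Added example, not from the article or from Microsoft. Inventories accounts and
# source hosts that still authenticate with NTLM, from Security event 4624.
# The EventData field names below are the real 4624 fields; sample events are constructed.

function Get-AuthPackageSummary {
    param(
        # Event XML strings, as produced by Get-WinEvent | ForEach-Object { $_.ToXml() }
        [Parameter(Mandatory)] [string[]] $EventXml,
        # TargetDomainName value that marks a local (non-domain) account;
        # on a member server this is the server's own computer name.
        [string] $LocalDomain = $env:COMPUTERNAME
    )
    foreach ($xmlText in $EventXml) {
        $data = @{}
        foreach ($d in ([xml]$xmlText).Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
        if ($data['AuthenticationPackageName'] -ne 'NTLM') { continue }   # keep NTLM logons only
        # Local accounts are LocalKDC candidates; domain accounts on hosts that
        # cannot reach a DC are IAKerb candidates.
        $scope = if ($data['TargetDomainName'] -ieq $LocalDomain) { 'local' } else { 'domain' }
        [pscustomobject]@{
            User         = "$($data['TargetDomainName'])\$($data['TargetUserName'])"
            AccountScope = $scope
            LogonType    = [int]$data['LogonType']      # 2 = interactive, 3 = network, 10 = RDP
            Workstation  = $data['WorkstationName']
            IpAddress    = $data['IpAddress']
        }
    }
}

# Constructed sample events: an NTLM network logon with a local account, an NTLM
# logon with a domain account, and a Kerberos logon that is filtered out.
$ns = 'http://schemas.microsoft.com/win/2004/08/events/event'
$sample = @(
    "<Event xmlns='$ns'><EventData><Data Name='TargetUserName'>backupsvc</Data><Data Name='TargetDomainName'>FILESRV01</Data><Data Name='LogonType'>3</Data><Data Name='AuthenticationPackageName'>NTLM</Data><Data Name='WorkstationName'>WKS-042</Data><Data Name='IpAddress'>10.0.0.42</Data></EventData></Event>",
    "<Event xmlns='$ns'><EventData><Data Name='TargetUserName'>jdoe</Data><Data Name='TargetDomainName'>CORP</Data><Data Name='LogonType'>3</Data><Data Name='AuthenticationPackageName'>NTLM</Data><Data Name='WorkstationName'>WKS-017</Data><Data Name='IpAddress'>10.0.0.17</Data></EventData></Event>",
    "<Event xmlns='$ns'><EventData><Data Name='TargetUserName'>jdoe</Data><Data Name='TargetDomainName'>CORP</Data><Data Name='LogonType'>3</Data><Data Name='AuthenticationPackageName'>Kerberos</Data><Data Name='WorkstationName'>WKS-017</Data><Data Name='IpAddress'>10.0.0.17</Data></EventData></Event>"
)

# To read the real log instead (elevated prompt, Audit Logon enabled):
# $sample = Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4624} -MaxEvents 5000 |
#           ForEach-Object { $_.ToXml() }

Get-AuthPackageSummary -EventXml $sample -LocalDomain 'FILESRV01' |
    Group-Object User, AccountScope, Workstation |
    Sort-Object Count -Descending |
    Select-Object Count, Name |
    Format-Table -AutoSize
```

Run it on each server that will move to the new default; a non-empty result is the list of logons to re-test once the preview build is installed.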