Microsoft's Three-Phase Plan to Phase Out NTLM Authentication
#Security


Security Reporter

Microsoft has announced a three-phase strategy to deprecate NTLM authentication in favor of Kerberos, addressing security vulnerabilities and moving toward a passwordless future.

Microsoft has unveiled a comprehensive three-phase strategy to phase out New Technology LAN Manager (NTLM) authentication, marking a significant shift toward stronger security protocols across Windows environments. The move addresses long-standing vulnerabilities in NTLM that have made it susceptible to various attacks, including relay attacks, replay attacks, and pass-the-hash exploits.

The Problem with NTLM

NTLM, originally designed to provide authentication, integrity, and confidentiality for users, has become increasingly vulnerable as security threats have evolved. According to Mariam Gewida, Technical Program Manager II at Microsoft, "NTLM is susceptible to various attacks, including replay and man-in-the-middle attacks, due to its use of weak cryptography."

Despite being formally deprecated in June 2024 and no longer receiving updates, NTLM remains prevalent in enterprise environments. Organizations continue to rely on it due to legacy dependencies, network limitations, or ingrained application logic that prevents migration to modern protocols like Kerberos.

Microsoft's Three-Phase Approach

Phase 1: Building Visibility and Control

Currently available, this phase focuses on enhanced NTLM auditing to help organizations understand where and why NTLM is still being used. This visibility is crucial for planning migration strategies and identifying critical dependencies.

Phase 2: Addressing Migration Roadblocks

Expected in the second half of 2026, this phase introduces several key features:

  • IAKerb (Identity-Aware Kerberos): A new capability that helps address common scenarios preventing NTLM migration
  • Local Key Distribution Center (KDC): Enables Kerberos authentication in environments where traditional KDC deployment isn't feasible
  • Updated Windows components: Core Windows components will be updated to prioritize Kerberos authentication over NTLM

Phase 3: Default Disablement

The final phase involves disabling NTLM by default in the next version of Windows Server and associated Windows clients. Organizations will need to explicitly re-enable NTLM through new policy controls if required for specific scenarios.

What This Means for Organizations

Microsoft emphasizes that disabling NTLM by default doesn't mean completely removing it from Windows immediately. Instead, the operating system will be delivered in a "secure-by-default state" where network NTLM authentication is blocked and no longer used automatically.

Organizations relying on NTLM should take several preparatory steps:

  1. Conduct comprehensive audits to identify all NTLM usage across the environment
  2. Map dependencies to understand which applications and services require NTLM
  3. Migrate to Kerberos where possible, leveraging new capabilities like Local KDC and IAKerb
  4. Test NTLM-off configurations in non-production environments before full deployment
  5. Enable Kerberos upgrades to ensure compatibility with modern authentication requirements
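
One way to start the audit in step 1, as an added example that is not Microsoft's tooling and not part of the original article: a PowerShell function that summarises NTLM logons recorded in Security event 4624 (AuthenticationPackageName, LmPackageName, LogonType, WorkstationName and IpAddress are standard fields of that event). It runs here on constructed sample events so it works offline; the account, host and address values are placeholders.

```powershell
# Added example, not from the article or Microsoft: rank which accounts and hosts still
# authenticate with NTLM, using the data fields of Security event 4624.
# On a real host, replace the constructed sample with live events, e.g.:
#   $live = Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4624} | ForEach-Object { $_.ToXml() }
function Get-NtlmLogonSummary {
    param([Parameter(Mandatory)][string[]]$EventXml)
    $rows = foreach ($x in $EventXml) {
        $fields = @{}
        foreach ($d in ([xml]$x).Event.EventData.Data) { $fields[$d.Name] = $d.'#text' }
        # Kerberos logons carry AuthenticationPackageName 'Kerberos'; keep only NTLM ones
        if ($fields['AuthenticationPackageName'] -ne 'NTLM') { continue }
        [pscustomobject]@{
            Account     = "$($fields['TargetDomainName'])\$($fields['TargetUserName'])"
            Workstation = $fields['WorkstationName']
            SourceIp    = $fields['IpAddress']
            LmPackage   = $fields['LmPackageName']      # 'NTLM V1' is the weakest variant
            Network     = $fields['LogonType'] -eq '3'  # type 3 = network logon, the kind blocked by default in Phase 3
        }
    }
    $rows | Group-Object Account, Workstation, LmPackage, Network | ForEach-Object {
        $row = $_.Group[0].PSObject.Copy()
        $row | Add-Member -NotePropertyName Count -NotePropertyValue $_.Count -PassThru
    } | Sort-Object Count -Descending
}

# Constructed sample events (placeholder names and addresses); one Kerberos logon is mixed in
# to show that it is filtered out.
function New-SampleEvent($user, $domain, $pkg, $lm, $station, $ip, $type) {
@"
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><EventID>4624</EventID></System>
<EventData><Data Name="TargetUserName">$user</Data><Data Name="TargetDomainName">$domain</Data>
<Data Name="LogonType">$type</Data><Data Name="AuthenticationPackageName">$pkg</Data>
<Data Name="LmPackageName">$lm</Data><Data Name="WorkstationName">$station</Data>
<Data Name="IpAddress">$ip</Data></EventData></Event>
"@
}
$sample = @(
    (New-SampleEvent 'svc_backup' 'CORP' 'NTLM' 'NTLM V2' 'FILESRV01' '10.0.0.25' '3'),
    (New-SampleEvent 'svc_backup' 'CORP' 'NTLM' 'NTLM V2' 'FILESRV01' '10.0.0.25' '3'),
    (New-SampleEvent 'jdoe' 'CORP' 'Kerberos' '-' 'WS042' '10.0.1.7' '3'),
    (New-SampleEvent 'scanner' 'CORP' 'NTLM' 'NTLM V1' 'PRINTSRV' '10.0.0.90' '3')
)
Get-NtlmLogonSummary -EventXml $sample | Format-Table Count, Account, Workstation, SourceIp, LmPackage, Network -AutoSize
```

Reading the Security log requires local administrator rights, and 4624 only covers successful logons; the Microsoft-Windows-NTLM/Operational log enabled through the "Restrict NTLM" audit policies gives a fuller picture of outbound and pass-through NTLM use.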

The Path to a Passwordless Future

This transition represents a major step toward Microsoft's vision of a passwordless, phishing-resistant future. By moving away from NTLM's weaker cryptography and toward Kerberos-based authentication, organizations can significantly reduce their attack surface and better protect against common attack vectors.

The phased approach allows organizations time to adapt their infrastructure while providing new tools to address legacy scenarios that might otherwise prevent migration. As Gewida noted, "Common legacy scenarios will be addressed through new upcoming capabilities such as Local KDC and IAKerb (pre-release)."

This strategic shift underscores Microsoft's commitment to modern security standards and its recognition that legacy authentication protocols pose significant risks in today's threat landscape. Organizations should begin planning their migration strategies now to ensure a smooth transition when these changes take effect.
