Microsoft has announced a three-phase approach to phase out New Technology LAN Manager (NTLM) as part of its efforts to shift Windows environments toward stronger, Kerberos-based options. The development comes more than two years after the tech giant revealed its plans to deprecate the legacy technology, citing its susceptibility to weaknesses that could facilitate relay attacks and allow bad actors to gain unauthorized access to network resources.
NTLM was formally deprecated in June 2024 and no longer receives updates. "NTLM consists of security protocols originally designed to provide authentication, integrity, and confidentiality to users," Mariam Gewida, Technical Program Manager II at Microsoft, explained. "However, as security threats have evolved, so have our standards to meet modern security expectations."
Due to its use of weak cryptography, NTLM is vulnerable to a number of attacks today, such as replay and man-in-the-middle attacks. Microsoft stated that despite NTLM's deprecation, it is still widely used in enterprise settings where modern protocols like Kerberos cannot be implemented because of legacy dependencies, network constraints, or deeply embedded application logic. This, in turn, exposes organizations to security risks, such as replay, relay, and pass-the-hash attacks.
To mitigate this problem in a secure manner, the company has adopted a three-phase strategy that paves the way for NTLM to be disabled by default:
Phase 1: Building visibility and control using enhanced NTLM auditing to better understand where and why NTLM is still being used (available now).
Phase 2: Updating core Windows components to prioritize Kerberos authentication (anticipated in H2 2026) and addressing common obstacles that prevent a migration away from NTLM through features like IAKerb and local Key Distribution Center (KDC) (pre-release).
Phase 3: NTLM will be disabled in the upcoming Windows Server and related Windows client versions, and new policy controls will need to explicitly enable it again.
Microsoft has positioned the transition as a major step toward a passwordless, phishing-resistant future.
Additionally, NTLM-dependent organizations must perform audits, map dependencies, migrate to Kerberos, test NTLM-off configurations in non-production environments, and enable Kerberos upgrades. "Disabling NTLM by default does not mean completely removing NTLM from Windows yet," Gewida said. "Instead, it means that Windows will be delivered in a secure-by-default state where network NTLM authentication is blocked and no longer used automatically."
"The OS will prefer modern, more secure Kerberos-based alternatives. At the same time, common legacy scenarios will be addressed through new upcoming capabilities such as Local KDC and IAKerb (pre-release)."
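The audit and dependency-mapping step above is where most organizations start. The following PowerShell script is an added example, not Microsoft's tooling or code from the article: it reads successful logon events (Event ID 4624) from the Security log, keeps only those authenticated with the NTLM package, and summarises them per account, source host and NTLM version so that NTLMv1 dependencies surface first. It assumes the account running it can read the Security log on the target host and that logon success auditing is enabled there; the parameter names and the CSV file name are the example's own choices.

```powershell
# Added example: map NTLM logons recorded in the Security log before NTLM is turned off.
# Assumes rights to read the Security log on $ComputerName and that Audit Logon
# success events (ID 4624) are enabled. AuthenticationPackageName / LmPackageName
# are standard 4624 fields; the script parameters and output file name are assumed.
param(
    [int]$Days = 7,
    [string]$ComputerName = $env:COMPUTERNAME
)

$filter = @{ LogName = 'Security'; Id = 4624; StartTime = (Get-Date).AddDays(-$Days) }
$events = Get-WinEvent -ComputerName $ComputerName -FilterHashtable $filter -ErrorAction Stop

# Pull the EventData fields out of each event's XML and keep only NTLM logons.
$ntlm = foreach ($e in $events) {
    $x = [xml]$e.ToXml()
    $d = @{}
    foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
    if ($d['AuthenticationPackageName'] -ne 'NTLM') { continue }
    [pscustomobject]@{
        Time        = $e.TimeCreated
        Account     = "$($d['TargetDomainName'])\$($d['TargetUserName'])"
        LogonType   = $d['LogonType']
        Version     = $d['LmPackageName']   # 'NTLM V1' or 'NTLM V2'
        Workstation = $d['WorkstationName']
        SourceIp    = $d['IpAddress']
    }
}

# One row per (account, workstation, source IP, NTLM version): this is the dependency map.
$summary = $ntlm |
    Group-Object Account, Workstation, SourceIp, Version |
    ForEach-Object {
        $first = $_.Group[0]
        [pscustomobject]@{
            Account     = $first.Account
            Workstation = $first.Workstation
            SourceIp    = $first.SourceIp
            Version     = $first.Version
            Count       = $_.Count
            LastSeen    = ($_.Group.Time | Sort-Object)[-1]
        }
    } | Sort-Object Count -Descending

$summary | Format-Table -AutoSize

# NTLMv1 sessions use the weakest cryptography and should be migrated first.
$summary | Where-Object Version -eq 'NTLM V1' |
    Export-Csv -NoTypeInformation "ntlmv1-dependencies-$ComputerName.csv"
```

Run it on domain controllers and on any server that still accepts NTLM; repeating it after each remediation round shows whether the NTLM-off test configuration is safe to promote.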