thehackernews.com 2/2/2026, 4:40:32 PM · via preferred

Microsoft Begins NTLM Phase-Out With Three-Stage Plan to Move Windows to Kerberos

Microsoft has announced a three-phase plan to phase out New Technology LAN Manager (NTLM) and move Windows environments toward Kerberos-based authentication. Phase 1 is already available and focuses on enhanced NTLM auditing to build visibility and control over where NTLM is used. Phase 2 will address migration roadblocks with features like IAKerb and local KDC (pre-release) and will see core Windows components prioritise Kerberos in H2 2026.

Phase 3 will disable NTLM in the next version of Windows Server and the corresponding client, with explicit re-enablement controlled by new policy settings. NTLM was formally deprecated in June 2024 and no longer receives updates, though it remains in use in some enterprises due to legacy dependencies.

According to Mariam Gewida, Technical Program Manager II at Microsoft, disabling NTLM by default means Windows will be delivered in a secure-by-default state where network NTLM authentication is blocked and not used automatically, with the OS favouring Kerberos-based alternatives.

Article by CyberSIXT