Microsoft Begins NTLM Phase-Out With Three-Stage Plan to Move Windows to Kerberos
Briefly

"Microsoft has announced a three-phase approach to phase out New Technology LAN Manager (NTLM) as part of its efforts to shift Windows environments toward stronger, Kerberos-based options. The development comes more than two years after the tech giant revealed its plans to deprecate the legacy technology, citing its susceptibility to weaknesses that could facilitate relay attacks and allow bad actors to gain unauthorized access to network resources."
"NTLM was formally deprecated in June 2024 and no longer receives updates. 'NTLM consists of security protocols originally designed to provide authentication, integrity, and confidentiality to users,' Mariam Gewida, Technical Program Manager II at Microsoft, explained. 'However, as security threats have evolved, so have our standards to meet modern security expectations. Today, NTLM is susceptible to various attacks, including replay and man-in-the-middle attacks, due to its use of weak cryptography.'"
"Phase 1: Building visibility and control using enhanced NTLM auditing to better understand where and why NTLM is still being used (Available now)
Phase 2: Addressing common roadblocks that prevent a migration to NTLM through features like IAKerb and local Key Distribution Center (KDC) (pre-release), as well as updating core Windows components to prioritize Kerberos authentication (Expected in H2 2026)
Phase 3: Disabling NTLM in the next version of Windows Server and associated Windows client, and"
Microsoft will phase out NTLM through a three-phase strategy that moves Windows environments toward Kerberos-based authentication and eventually disables NTLM by default. NTLM was formally deprecated in June 2024 and no longer receives updates. It was originally designed to provide authentication, integrity, and confidentiality, but it relies on cryptography that is now considered weak and is vulnerable to replay, man-in-the-middle, relay, and pass-the-hash attacks. NTLM remains prevalent in enterprises because of legacy dependencies, network limitations, and authentication logic hard-wired into applications. Phase 1 adds enhanced auditing so administrators can see where and why NTLM is still used. Phase 2 removes common migration blockers with features such as IAKerb and a local KDC, and updates core Windows components to prefer Kerberos. Phase 3 disables NTLM in the next Windows Server release and its companion Windows client.
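Phase 1 is the step an administrator can act on today. The PowerShell below is an added example, not code from The Hacker News article or from Microsoft, and it does not use the new "enhanced NTLM auditing" the article announces. It turns on the long-standing audit-only "Network security: Restrict NTLM" policies through their registry backings and then summarizes NTLM use from two existing sources: the Microsoft-Windows-NTLM/Operational log (events 8001-8004) and Security event 4624 filtered on an NTLM authentication package. The registry value names and event IDs are documented Windows settings; the EventData field names used in the projections (ClientUserName, TargetName, ProcessName and the 4624 fields) are assumed from the event XML and should be confirmed against a live event's Keys before relying on the report.

```powershell
# Added example, not code from the article or from Microsoft. Uses the existing
# audit-only Restrict NTLM policies and event logs, not the announced
# "enhanced NTLM auditing". Run elevated on a member server or DC.
#Requires -RunAsAdministrator

# Registry backings of the "Network security: Restrict NTLM" Group Policy items.
# Audit-only values are chosen so nothing is blocked yet (Phase 1: visibility).
$msv = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0'
Set-ItemProperty -Path $msv -Name AuditReceivingNTLMTraffic  -Value 2 -Type DWord  # 2 = audit all incoming
Set-ItemProperty -Path $msv -Name RestrictSendingNTLMTraffic -Value 1 -Type DWord  # 1 = audit all outgoing

# On a domain controller also audit NTLM for the whole domain (7 = audit all).
$isDc = (Get-CimInstance Win32_ComputerSystem).DomainRole -ge 4
if ($isDc) {
    $netlogon = 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters'
    Set-ItemProperty -Path $netlogon -Name AuditNTLMInDomain -Value 7 -Type DWord
}

# Flatten an event's <EventData><Data Name="..."> elements into a hashtable so
# fields are read by name rather than by fragile positional index.
function Convert-EventData {
    param([System.Diagnostics.Eventing.Reader.EventRecord]$Event)
    $xml  = [xml]$Event.ToXml()
    $data = @{}
    foreach ($d in $xml.Event.EventData.Data) {
        $data[[string]$d.Name] = [string]$d.'#text'
    }
    return $data
}

# Microsoft-Windows-NTLM/Operational: 8001 = outbound NTLM from this host,
# 8002 = inbound NTLM to this host, 8003/8004 = domain-wide audit events on DCs.
$ntlm = Get-WinEvent -FilterHashtable @{
    LogName = 'Microsoft-Windows-NTLM/Operational'
    Id      = 8001, 8002, 8003, 8004
} -MaxEvents 20000 -ErrorAction SilentlyContinue

# Field names below are assumed from the event XML; confirm with (Convert-EventData $e).Keys.
$ntlmRows = foreach ($e in $ntlm) {
    $d = Convert-EventData $e
    [pscustomobject]@{
        Id      = $e.Id
        User    = $d['ClientUserName']
        Target  = $d['TargetName']
        Process = $d['ProcessName']
    }
}

# Security 4624 logons whose AuthenticationPackageName is NTLM. LmPackageName
# distinguishes NTLM V1 from NTLM V2; V1 callers are the first ones to fix.
$logons = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4624 } `
    -MaxEvents 20000 -ErrorAction SilentlyContinue |
    ForEach-Object { Convert-EventData $_ } |
    Where-Object { $_['AuthenticationPackageName'] -eq 'NTLM' } |
    ForEach-Object {
        [pscustomobject]@{
            Account   = "$($_['TargetDomainName'])\$($_['TargetUserName'])"
            Version   = $_['LmPackageName']
            Source    = $_['WorkstationName']
            IpAddress = $_['IpAddress']
            LogonType = $_['LogonType']
        }
    }

"== NTLM operational events by type and calling process =="
$ntlmRows | Group-Object Id, Process | Sort-Object Count -Descending |
    Select-Object Count, Name | Format-Table -AutoSize

"== NTLM logons by account, NTLM version and source host =="
$logons | Group-Object Account, Version, Source | Sort-Object Count -Descending |
    Select-Object Count, Name | Format-Table -AutoSize
```

The two reports answer the Phase 1 question the article poses (where and why NTLM is still used): the operational log names the process on each side of an NTLM exchange, and the 4624 view names the account and source host, with the NTLM V1 rows marking the callers that should be migrated before any "deny" setting is rolled out.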
Read at The Hacker News