
Microsoft Finally Pulls the Plug on NTLM — And It's About Time

Microsoft announces three-phase plan to disable NTLM by default in Windows, pushing enterprises toward Kerberos authentication after decades of security issues.

By Danny, Feb 2, 2026
Affected Products: Windows 11, Windows Server 2025, all Windows environments using NTLM authentication

If you've been in IT security for any length of time, you've probably muttered some choice words about NTLM. The authentication protocol has been a favorite punching bag for penetration testers and a recurring nightmare for defenders since... well, since before some of you were born. Microsoft just announced they're finally killing it off, and honestly, the only surprise here is that it took this long.

The company laid out a three-phase plan to move Windows environments away from NTLM and toward Kerberos. Phase one is already live — enhanced auditing tools that let you see where NTLM is still lurking in your environment. Phase two drops in the second half of 2026 and brings features like IAKerb and local Key Distribution Center support to help bridge the gap for edge cases. Phase three is the big one: future versions of Windows Server and Windows client will ship with NTLM disabled by default. If you want it back, you'll have to explicitly flip it on.

For anyone wondering why this matters, here's the short version. NTLM was designed in the 1990s when "cybersecurity" meant hoping nobody physically stole your computer. The protocol uses cryptographic techniques that were considered adequate back when Nirvana was still touring. Today, it's vulnerable to a greatest-hits collection of attack techniques — relay attacks, pass-the-hash, man-in-the-middle. Every red teamer's toolkit includes at least three different ways to abuse NTLM, and most of them work embarrassingly well.

The problem is that NTLM has been impossible to kill because it's everywhere. Legacy applications depend on it. Weird network configurations require it. That ancient print server in the corner that nobody wants to touch still speaks NTLM because that's all it knows. Microsoft officially deprecated NTLM back in June 2024, but deprecation and removal are very different things. Until now, the protocol has continued to ship and work by default, which means most organizations never bothered to turn it off.

Microsoft's approach here is actually pretty reasonable. They're not just flipping a switch and breaking half the enterprise world. The phased rollout gives organizations time to audit their environments, figure out where NTLM dependencies live, and migrate to Kerberos before the default changes. The new auditing capabilities in Windows 11 24H2 and Windows Server 2025 make it easier to find those dependencies without just turning off NTLM and seeing what explodes.
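One way to start that inventory from the Security log, as an added example that is not code from the article or from Microsoft: the script below summarises successful logon events (4624) that used NTLM, grouped by source host, account and NTLM version, so the hosts still depending on the protocol surface before the default flips. It assumes the standard 4624 EventData field names; the sample events are constructed, not real log data.

```powershell
# Added example, not Microsoft's or the article's code. Summarise Security
# event 4624 (successful logon) records that used NTLM.
# Assumes the standard 4624 EventData field names used below.
function Get-NtlmLogonSummary {
    param(
        # One event per item, as XML text (e.g. from $event.ToXml())
        [Parameter(Mandatory, ValueFromPipeline)] [string] $EventXml
    )
    begin { $rows = @() }
    process {
        $f = @{}
        foreach ($d in ([xml]$EventXml).Event.EventData.Data) { $f[$d.Name] = $d.'#text' }
        # Kerberos logons carry LmPackageName '-', so either field identifies NTLM
        if ($f.AuthenticationPackageName -eq 'NTLM' -or $f.LmPackageName -like 'NTLM*') {
            $rows += [pscustomobject]@{
                Workstation = $f.WorkstationName
                IpAddress   = $f.IpAddress
                Account     = "$($f.TargetDomainName)\$($f.TargetUserName)"
                LogonType   = $f.LogonType
                NtlmVersion = $f.LmPackageName   # 'NTLM V1' is the one to fix first
            }
        }
    }
    end {
        $rows | Group-Object Workstation, IpAddress, Account, NtlmVersion | ForEach-Object {
            $g = $_.Group[0]
            [pscustomobject]@{ Count = $_.Count; Workstation = $g.Workstation; IpAddress = $g.IpAddress
                               Account = $g.Account; NtlmVersion = $g.NtlmVersion }
        } | Sort-Object Count -Descending
    }
}

# Constructed sample events (not real log data) so the script runs offline.
function New-Sample4624 {
    param($User, $Pkg, $Lm, $Ws, $Ip)
    "<Event xmlns='http://schemas.microsoft.com/win/2004/08/events/event'><System><EventID>4624</EventID></System>" +
    "<EventData><Data Name='TargetUserName'>$User</Data><Data Name='TargetDomainName'>CORP</Data>" +
    "<Data Name='LogonType'>3</Data><Data Name='AuthenticationPackageName'>$Pkg</Data>" +
    "<Data Name='LmPackageName'>$Lm</Data><Data Name='WorkstationName'>$Ws</Data>" +
    "<Data Name='IpAddress'>$Ip</Data></EventData></Event>"
}
$sample = @(
    (New-Sample4624 -User 'svc-print' -Pkg 'NTLM' -Lm 'NTLM V1' -Ws 'OLDPRINT01' -Ip '10.0.0.50'),
    (New-Sample4624 -User 'svc-print' -Pkg 'NTLM' -Lm 'NTLM V1' -Ws 'OLDPRINT01' -Ip '10.0.0.50'),
    (New-Sample4624 -User 'jdoe' -Pkg 'NTLM' -Lm 'NTLM V2' -Ws 'WS017' -Ip '10.0.1.17'),
    (New-Sample4624 -User 'jdoe' -Pkg 'Kerberos' -Lm '-' -Ws 'WS017' -Ip '10.0.1.17')   # excluded
)
$sample | Get-NtlmLogonSummary | Format-Table -AutoSize
```

Against a live host, feed in the real events with `Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4624} | ForEach-Object { $_.ToXml() } | Get-NtlmLogonSummary` (run elevated). File servers and domain controllers are where the stray NTLM dependencies usually show up.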

That said, if your organization hasn't started planning for this, now would be a good time. The second phase hits later this year, and while Microsoft says they're not removing NTLM entirely, they're making it opt-in rather than opt-out. That's a significant shift in posture, and it means your next Windows upgrade could break things you didn't know still relied on NTLM.

The bigger picture here is Microsoft's push toward passwordless, phishing-resistant authentication. Kerberos is just a stepping stone. The endgame is things like FIDO2 keys, Windows Hello, and certificate-based authentication that don't rely on passwords at all. NTLM is the opposite of that vision — a relic from an era when we thought four-character passwords and challenge-response hashing were state of the art.

So pour one out for NTLM. It had a good run. Thirty-plus years of service, countless security incidents, and an absolutely legendary reputation in the penetration testing community. It will be missed by exactly nobody except the people who have to migrate away from it.

Tags: Microsoft, NTLM, Kerberos, Windows, Authentication, Enterprise Security, Deprecation