Microsoft recently announced that it will disable NTLM by default in upcoming Windows releases. New Technology LAN Manager (NTLM) is a legacy authentication protocol that uses a challenge-response mechanism to grant access to network resources. Today, Windows still falls back to NTLM whenever Kerberos authentication cannot be used, for example when a server is addressed by IP address rather than by name. In this article, we discuss why Microsoft has decided to disable NTLM by default in all upcoming Windows releases.

Microsoft to disable NTLM by default in Windows
NTLM has been part of Windows authentication for more than three decades. It is a family of security protocols originally designed to provide authentication, integrity, and confidentiality. However, its cryptography is weak by modern standards and it does not authenticate the server to the client, which leaves it open to NTLM relay (a man-in-the-middle attack) and to replay of captured credential material such as pass-the-hash. That is why Microsoft decided to disable it by default in all upcoming Windows releases.
The 3-phase approach
Instead of disabling NTLM immediately, Microsoft designed a 3-phase roadmap.
- Phase 1: NTLM remains enabled by default on all supported Windows systems. During this phase, organizations should use the enhanced NTLM auditing tools to find out exactly where, and why, NTLM is still being used in their environment.
- Phase 2: This phase is planned for the second half of 2026, during which Microsoft will enhance Kerberos and Windows authentication to reduce reliance on NTLM. It focuses on the scenarios in which Windows still falls back to NTLM. Kerberos is the authentication protocol that replaced NTLM as the default on Windows 2000 and later releases.
- Phase 3: Microsoft will disable NTLM by default across major Windows Server and Windows Client releases.
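The Phase 1 inventory in practice, as an added example that is not Microsoft's own tooling or part of the announcement: switch the "Network security: Restrict NTLM" policies to audit-only through their registry values, then summarize the events they write to the NTLM Operational log so you can see which peers and processes still depend on NTLM. The message field labels parsed below (Target server, Name of client process, Workstation name, User name, Supplied user, Calling process name) are the ones found in 8001/8002 events; adjust them if your build formats them differently.

```powershell
# Added example, not from the Microsoft blog. Run in an elevated session.
# The registry values mirror the Group Policy settings under
# Security Settings > Local Policies > Security Options > "Network security: Restrict NTLM".
$Msv = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0'

function Enable-NtlmAudit {
    # Audit incoming NTLM for all accounts (2) and audit all outgoing NTLM to remote servers (1).
    # Neither value blocks anything; they only generate events 8001/8002 in the NTLM Operational log.
    Set-ItemProperty -Path $Msv -Name AuditReceivingNTLMTraffic -Value 2 -Type DWord
    Set-ItemProperty -Path $Msv -Name RestrictSendingNTLMTraffic -Value 1 -Type DWord

    # On a domain controller (DomainRole 4 or 5), also audit NTLM authentication inside the domain
    # (7 = all accounts and all servers); this produces event 8003 on the DC.
    if ((Get-CimInstance Win32_ComputerSystem).DomainRole -ge 4) {
        $nl = 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters'
        Set-ItemProperty -Path $nl -Name AuditNTLMInDomain -Value 7 -Type DWord
    }
}

function Get-NtlmUsageSummary {
    param([int]$MaxEvents = 5000)
    # 8001 = outgoing NTLM from this host, 8002 = incoming NTLM to this host, 8003 = NTLM seen by a DC.
    $filter = @{ LogName = 'Microsoft-Windows-NTLM/Operational'; Id = 8001, 8002, 8003 }
    $events = Get-WinEvent -FilterHashtable $filter -MaxEvents $MaxEvents -ErrorAction SilentlyContinue
    foreach ($e in $events) {
        # The message body is "Label: value" lines; pull them into a lookup table.
        $fields = @{}
        foreach ($line in ($e.Message -split "`r?`n")) {
            if ($line -match '^\s*([^:]+):\s*(.*\S)\s*$') { $fields[$Matches[1].Trim()] = $Matches[2] }
        }
        $outgoing = ($e.Id -eq 8001)
        [pscustomobject]@{
            Time      = $e.TimeCreated
            Direction = $(switch ($e.Id) { 8001 { 'Outgoing' } 8002 { 'Incoming' } 8003 { 'InDomain' } })
            Peer      = $(if ($outgoing) { $fields['Target server'] } else { $fields['Workstation name'] })
            Process   = $(if ($outgoing) { $fields['Name of client process'] } else { $fields['Calling process name'] })
            User      = $(if ($outgoing) { $fields['Supplied user'] } else { $fields['User name'] })
        }
    }
}

# Usage: enable auditing, let the host run for a while, then rank the remaining NTLM dependencies.
Enable-NtlmAudit
Get-NtlmUsageSummary | Group-Object Direction, Peer, Process |
    Sort-Object Count -Descending | Select-Object Count, Name | Format-Table -AutoSize
```

Outgoing 8001 events name the SPN-style target (for example cifs/ followed by a host name or IP address) and the client process, which is usually enough to tell whether a fallback is caused by an IP-addressed share, a non-domain-joined host, or an application that requests NTLM explicitly.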
Reason for disabling NTLM instead of deprecating it
Microsoft highlighted the need to move from deprecating NTLM to disabling it. Deprecated features no longer receive updates and can be removed in the future, but deprecation alone leaves NTLM present and enabled, so organizations that rely on it because of legacy applications or network constraints simply keep using it. Disabling it by default forces those dependencies to surface while still letting an administrator re-enable NTLM where it is genuinely needed.
What does ‘NTLM disabled by default’ mean?
“NTLM disabled by default” means Windows blocks NTLM authentication out of the box to improve security; NTLM will be used only if an administrator explicitly enables it. Windows will prefer the modern, more secure Kerberos-based alternatives.
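What that state looks like on a single host today, as an added illustration that is not part of the Microsoft announcement: the same Restrict NTLM policies switched from audit to deny, the SMB client's NTLM block (available on Windows 11 24H2 and Windows Server 2025), and an exception list for the one legacy server that still needs NTLM. The server name legacy-fs01.corp.example is a hypothetical placeholder.

```powershell
# Added example, not Microsoft's code. Run elevated and test on a lab host first: a host that
# cannot reach a Kerberos KDC (off-network laptop, IP-addressed share) has no fallback once this is applied.
$Msv = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0'

function Disable-NtlmOnHost {
    param([string[]]$AllowedServers = @())
    # "Incoming NTLM traffic": 0 = allow all, 1 = deny all domain accounts, 2 = deny all accounts
    Set-ItemProperty -Path $Msv -Name RestrictReceivingNTLMTraffic -Value 2 -Type DWord
    # "Outgoing NTLM traffic to remote servers": 0 = allow all, 1 = audit all, 2 = deny all
    Set-ItemProperty -Path $Msv -Name RestrictSendingNTLMTraffic -Value 2 -Type DWord
    # "Add remote server exceptions for NTLM authentication": these targets still get NTLM despite the deny
    if ($AllowedServers.Count -gt 0) {
        Set-ItemProperty -Path $Msv -Name ClientAllowedNTLMServers -Value $AllowedServers -Type MultiString
    }
    # SMB-specific block, independent of the LSA policies; only exists on 24H2 / Server 2025 and later
    if ((Get-Command Set-SmbClientConfiguration).Parameters.ContainsKey('BlockNTLM')) {
        Set-SmbClientConfiguration -BlockNTLM $true -Force
    }
}

function Get-NtlmPostureReport {
    $p   = Get-ItemProperty -Path $Msv -ErrorAction SilentlyContinue
    $smb = Get-SmbClientConfiguration
    [pscustomobject]@{
        IncomingNtlm  = $(switch ($p.RestrictReceivingNTLMTraffic) { 2 { 'deny all' } 1 { 'deny domain accounts' } default { 'allow' } })
        OutgoingNtlm  = $(switch ($p.RestrictSendingNTLMTraffic)   { 2 { 'deny all' } 1 { 'audit all' }            default { 'allow' } })
        SmbBlocksNtlm = $smb.BlockNTLM          # $null on builds that do not have the setting
        Exceptions    = $p.ClientAllowedNTLMServers
    }
}

# Usage: deny NTLM everywhere except one hypothetical legacy file server, then report the posture.
Disable-NtlmOnHost -AllowedServers 'legacy-fs01.corp.example'
Get-NtlmPostureReport
# After this, each blocked NTLM attempt is recorded as event 8004 in Microsoft-Windows-NTLM/Operational,
# which is the list to work through before removing the exceptions.
```

The deny values are what a future "disabled by default" build will ship with; the exception list and the per-policy switch back to 0 or 1 are the administrator-enabled path the announcement refers to.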
The complete information is available on the official Windows IT blog.
Related read: Block NTLM attacks over SMB in Windows 11 using GPEDIT or PowerShell.