Microsoft will disable network NTLM authentication by default in upcoming Windows Server and client releases due to long-standing vulnerabilities that enable NTLM relay and pass-the-hash attacks. A three-phase rollout will add enhanced auditing, introduce IAKerb and a Local KDC to reduce NTLM fallback, and ultimately block network NTLM while allowing admins to re-enable it via policy. #NTLM #Kerberos
Keypoints
- Microsoft will block network NTLM by default in future Windows releases to improve security.
- NTLM has been widely abused in relay attacks and pass-the-hash attacks to escalate privileges and compromise domains.
- Phase one adds enhanced auditing tools in Windows 11 24H2 and Windows Server 2025 to identify NTLM usage.
- Phase two (second half of 2026) will introduce IAKerb and a Local Key Distribution Center to mitigate common NTLM fallback scenarios.
- NTLM will remain present in the OS and can be explicitly re-enabled via policy, but Microsoft urges migration to Kerberos and other modern methods.
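The first phase above is about finding out where NTLM is still being used before the later phases start blocking it. The script below is an added example, not code from the article or from Microsoft; it inventories network NTLM logons from the local Security log, which is the data a domain admin would want before deciding whether the future default can simply be left on. It assumes that logon auditing is enabled so that Event ID 4624 is recorded, that the session is elevated, and that the `AuthenticationPackageName`, `LmPackageName`, `LogonType`, `IpAddress` and `WorkstationName` fields of 4624 are populated as Windows normally does; the seven-day window is an arbitrary default.

```powershell
# Added example (not from the article): inventory network NTLM logons from the
# Security log ahead of the "block network NTLM by default" change.
# Assumes logon auditing is on (Event ID 4624) and an elevated session.

param(
    [int]$Days = 7   # look-back window; arbitrary default
)

$start = (Get-Date).AddDays(-$Days)

# Successful logons in the window. SilentlyContinue keeps the script quiet
# when the log holds no matching events.
$events = Get-WinEvent -FilterHashtable @{
    LogName   = 'Security'
    Id        = 4624
    StartTime = $start
} -ErrorAction SilentlyContinue

$rows = foreach ($e in $events) {
    # Pull the EventData fields out of the event XML into a name/value table.
    $xml = [xml]$e.ToXml()
    $d = @{}
    foreach ($n in $xml.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }

    # Network logons (LogonType 3) authenticated with the NTLM package are the
    # ones the upcoming default will block. LmPackageName distinguishes
    # NTLMv1 ('NTLM V1') from NTLMv2 ('NTLM V2').
    if ($d['LogonType'] -eq '3' -and $d['AuthenticationPackageName'] -eq 'NTLM') {
        [pscustomobject]@{
            Time        = $e.TimeCreated
            Account     = "$($d['TargetDomainName'])\$($d['TargetUserName'])"
            SourceIP    = $d['IpAddress']
            Workstation = $d['WorkstationName']
            Version     = $d['LmPackageName']
        }
    }
}

# Summarise by account and NTLM version so the noisiest dependencies surface
# first; the per-row detail in $rows shows which clients are responsible.
$rows |
    Group-Object Account, Version |
    Sort-Object Count -Descending |
    Select-Object Count, Name |
    Format-Table -AutoSize

# Keep the detail for follow-up (which hosts still need a Kerberos path).
$rows | Export-Csv -NoTypeInformation -Path ".\ntlm-network-logons.csv"
```

Run it on domain controllers and on member servers that accept remote connections (file servers, SQL hosts, web front ends); a DC sees domain-account NTLM authentication, but local-account NTLM logons to a member server only show up in that server's own log. Any account or workstation that appears here is a candidate for the IAKerb and Local KDC fallback paths the article says phase two will introduce, or for an explicit policy exception once the block becomes the default.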