
Microsoft is making a significant security change by phasing out the legacy NTLM (NT LAN Manager) authentication protocol in Windows 11 24H2 and Windows Server 2025. This move marks a pivotal shift in Microsoft's security strategy as the company pushes organizations toward more modern authentication methods.
The End of an Era: Why NTLM is Being Retired
NTLM has been a core part of Windows authentication since Windows NT 4.0 in the 1990s. While it served its purpose for decades, security experts have long criticized NTLM for several vulnerabilities:
- Susceptibility to pass-the-hash attacks
- Lack of mutual authentication
- Weak encryption standards
- No protection against replay attacks
Microsoft's Principal Program Manager Ned Pyle stated, "NTLM is being deprecated because it's fundamentally insecure by today's standards. Kerberos has been the better choice for over 20 years."
What Replaces NTLM? Kerberos Takes Center Stage
Kerberos will become the default authentication protocol, offering significant security advantages:
- Stronger encryption
- Mutual authentication
- Ticket-based system that prevents credential passing
- Better support for modern security requirements
Timeline for the NTLM Phase-Out
Microsoft is taking a gradual approach to ensure minimal disruption:
- Windows 11 24H2 (2024): NTLM disabled by default in new installations
- Windows Server 2025: NTLM disabled in default configurations
- Future Updates: Complete removal expected by 2025-2026
Impact on Enterprises and Legacy Systems
The deprecation will particularly affect:
- Older line-of-business applications
- Systems using NTLM for single sign-on
- Certain legacy server configurations
- Some third-party applications with hardcoded NTLM dependencies
Microsoft recommends enterprises use the NTLM Audit Tool to identify where NTLM is still being used in their environments.
Migration Paths and Best Practices
Organizations should:
- Audit current NTLM usage using Event Viewer and the NTLM Audit Tool
- Update or replace applications that rely on NTLM
- Configure systems to prefer Kerberos authentication
- Test systems thoroughly before disabling NTLM
- Consider implementing Azure AD for cloud-based authentication
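As an added example (not from the article or from Microsoft), the following PowerShell sketch covers the audit step above: it switches the "Network security: Restrict NTLM" policies to audit-only through their backing registry values, then summarizes the NTLM operational log so remaining NTLM callers can be inventoried before Kerberos is enforced. The named event-data fields used for grouping (ProcessName, TargetName, WorkstationName) are assumed from the log schema and should be checked against your own events.

```powershell
# Added example, not part of the article: audit NTLM use before disabling it.
# Run from an elevated PowerShell session. Event field names are an assumption.

$Msv = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0'

function Enable-NtlmAuditing {
    # Registry values behind the "Network security: Restrict NTLM" policies.
    # 2 = audit all incoming NTLM; 1 = audit all outgoing NTLM (nothing is blocked yet).
    Set-ItemProperty -Path $Msv -Name AuditReceivingNTLMTraffic -Value 2 -Type DWord
    Set-ItemProperty -Path $Msv -Name RestrictSendingNTLMTraffic -Value 1 -Type DWord
    # On a domain controller (DomainRole 4 or 5) also audit domain-wide NTLM use.
    if ((Get-CimInstance Win32_ComputerSystem).DomainRole -ge 4) {
        Set-ItemProperty -Path $Msv -Name AuditNTLMInDomain -Value 7 -Type DWord
    }
}

function Get-NtlmUsage {
    param([int]$Days = 7)
    # 8001 = outgoing NTLM from this host, 8002 = incoming NTLM to this host,
    # 8004 = NTLM authentication observed by a domain controller.
    $filter = @{ LogName   = 'Microsoft-Windows-NTLM/Operational'
                 Id        = 8001, 8002, 8004
                 StartTime = (Get-Date).AddDays(-$Days) }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
        # Flatten every named <Data> element so any field can be grouped on later.
        $row = [ordered]@{ Time = $_.TimeCreated; Id = $_.Id }
        ([xml]$_.ToXml()).Event.EventData.Data |
            ForEach-Object { if ($_.Name) { $row[$_.Name] = $_.'#text' } }
        [pscustomobject]$row
    }
}

Enable-NtlmAuditing

# Inventory: which processes, targets and workstations still speak NTLM, most frequent first.
# Each row here is a system or application to fix before enforcement is switched on.
Get-NtlmUsage -Days 7 |
    Group-Object Id, ProcessName, TargetName, WorkstationName -NoElement |
    Sort-Object Count -Descending |
    Format-Table Count, Name -AutoSize
```

Re-run the inventory over a full business cycle (month-end jobs included) and only move the same policies from audit to restrict once the report comes back empty.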
Temporary Workarounds and Exceptions
Microsoft understands some systems can't immediately move away from NTLM. Temporary solutions include:
- Using Group Policy to re-enable NTLM where absolutely necessary
- Implementing the NTLM Compatibility Administrator tool
- Creating exception policies for specific applications
The Bigger Security Picture
This change is part of Microsoft's broader "Secure Future Initiative" that includes:
- Passwordless authentication push
- Wider adoption of FIDO2 security keys
- Implementation of post-quantum cryptography
- Enhanced identity protection measures
What This Means for Home Users
Most home users won't notice significant changes as:
- Modern consumer applications already use newer protocols
- Microsoft accounts typically use modern authentication
- Home networks rarely rely on NTLM authentication
However, users running very old software or games might encounter compatibility issues.
Looking Ahead: The Future of Windows Authentication
Microsoft's roadmap suggests even more changes coming:
- Possible deprecation of basic authentication in future releases
- Increased emphasis on certificate-based authentication
- Tighter integration with Azure AD and Microsoft Entra ID
- Potential for AI-driven authentication methods
As Ned Pyle concluded, "This is about bringing Windows authentication into the modern security era. The few pain points today will prevent countless security headaches tomorrow."