Microsoft is flipping the switch on a cornerstone of its multi-year plan to eradicate NT LAN Manager (NTLM) authentication from Windows. An upcoming Windows Insider preview build, scheduled to land later in June 2026, will enable Initial Authentication Kerberos (IAKerb) by default and introduce a local Key Distribution Center (LocalKDC) service directly on the device. The move lets enterprises and enthusiasts validate Kerberos-based replacements for scenarios that still fall back to the decades-old NTLM protocol — a crucial step before Microsoft removes NTLM entirely in a future Windows release.

This isn't a mere toggle. It's a fundamental rewire of how Windows handles authentication in edge cases that have stubbornly resisted modernization. With IAKerb and LocalKDC, Microsoft aims to close the remaining gaps where applications and services silently downgrade to NTLM because Kerberos isn't available. For IT admins who've been dreading the day they must hunt down every NTLM dependency, this Insider build provides the first real sandbox to test the replacements with production workloads.

The NTLM Problem: Why It Has to Go

NTLM is an authentication protocol born in the Windows NT era. It's notoriously weak by modern standards: vulnerable to relay attacks, pass-the-hash, and brute force. Microsoft has been pleading with customers to disable it for over a decade, but legacy systems and hard-coded dependencies kept it alive. In Windows 11 24H2, Microsoft flipped the NTLM deprecation toggle in the Canary channel, and in Windows Server 2025, the deprecation plan entered the "active phase" — NTLM isn't removed yet, but all new features must support Kerberos or other modern protocols.

The problem is that Kerberos requires line of sight to a Domain Controller (DC) during the initial authentication request. When no DC is reachable, many components fall back to NTLM silently. This breaks in bring-your-own-device (BYOD) scenarios, VPNs before user logon, remote desktop to machines without domain connectivity, and countless third-party applications that were coded with the assumption that NTLM is always there as a safety net.

IAKerb: Kerberos Over HTTP for Off-DC Scenarios

IAKerb is the first piece of the puzzle. Short for "Initial Authentication Kerberos," it allows a Windows client to obtain a Kerberos Ticket Granting Ticket (TGT) by tunneling the Kerberos AS-REQ/REP exchange over HTTP, specifically using MS-KKDCP (the Kerberos Key Distribution Center Proxy Protocol). This means clients can authenticate against a domain controller located behind a firewall, across the internet, or in a hybrid cloud environment — as long as they can reach the KDC proxy endpoint over HTTPS.

In previous Windows Insider builds, IAKerb shipped as an opt-in feature, requiring administrators to manually configure client and server settings. With the June 2026 build, IAKerb is enabled by default. The Windows client will automatically try IAKerb if a direct DC connection fails during the AS exchange. This behavior is controlled by a new Group Policy setting under Computer Configuration > Administrative Templates > System > Kerberos named "Enable Initial Authentication Kerberos (IAKerb)."

Microsoft says IAKerb will work out-of-the-box for Azure AD-joined machines with line-of-sight to the KDC proxy on Azure, but on-premises environments will need to deploy the Kerberos KDC Proxy role service on at least one Windows Server 2025 domain controller. The support matrix is broad: Windows 11 version 24H2 and later, Windows Server 2025, and any up-to-date third-party KDC proxy implementation that follows the MS-KKDCP specification.

LocalKDC: Bringing Kerberos Home

The second, more radical change is LocalKDC. For situations where even a KDC proxy is unreachable — think isolated lab machines, kiosks, or branch offices with total internet blackout — Microsoft is introducing a lightweight Kerberos Key Distribution Center that runs directly on the Windows device. LocalKDC issues short-lived service tickets for local services, effectively removing the fallback to NTLM for local authentication scenarios such as:

  • Windows services running as NetworkService or LocalSystem that need to authenticate to local SMB shares
  • Remote Desktop sessions to a machine not joined to a domain
  • Web Application Proxy (WAP) and AD FS scenarios in DMZ environments
  • WinRM and PowerShell remoting to a non-domain-joined host

LocalKDC is not a full-blown domain controller. It does not replicate with Active Directory, does not issue TGTs for the domain, and only supports service principals registered locally. The component is built into the Windows Local Security Authority (LSA) process. When a local authentication request arrives and no domain DC or IAKerb conduit is available, LSA consults LocalKDC instead of falling back to NTLM.

Microsoft engineers stressed in a recent Tech Community blog post that LocalKDC is designed for low-trust scenarios. The service tickets it issues are signed with a local keypair that is machine-specific and regenerated on every reboot. No secrets are persisted across sessions. Administrators will find a new event log channel — Microsoft-Windows-LocalKDC/Operational — for monitoring and debugging.

Inside the June 2026 Insider Build

Microsoft says the preview will land in the Windows Insider Dev Channel late in June 2026, with a flight number in the 26xxx range. The build introduces:

  • IAKerb enabled by default — no more registry keys to flip.
  • LocalKDC service — installed automatically, with a manual override through the "Turn on Local KDC" policy.
  • New PowerShell cmdlets: Get-LocalKDCTicket, Clear-LocalKDCCache, and Test-IAKerbConnectivity for diagnostics.
  • Updated Kerberos event logs to distinguish between tickets obtained via DC, IAKerb proxy, or LocalKDC.
  • Group Policy template updates to manage IAKerb proxy servers, LocalKDC scope, and fallback behavior.

The build will also include an out-of-the-box experience (OOBE) enhancement: when a user sets up a new device with a Microsoft account or local account, Windows will use LocalKDC for local authentication needs without ever touching NTLM. This is a major win for consumer Windows editions, where NTLM has been a constant low-level attack surface.

What Testers Should Do

Microsoft is explicitly asking Windows Insider enterprise participants to validate the following scenarios:

  1. VPN Pre-Logon Authentication Providers (PLAP): Connect to a lab VPN that requires authentication before logon. Check that IAKerb can reach the KDC proxy over the VPN tunnel and that logon succeeds without NTLM.
  2. DirectAccess/Always On VPN: Verify that off-premises domain-joined machines can change passwords, unlock with cached credentials, and re-authenticate without NTLM.
  3. Workgroup File Sharing: On a non-domain-joined machine, enable LocalKDC and then mount an administrative share (\\hostname\C$). In Task Manager, check the LSA process for LocalKDC activity.
  4. Remote Desktop to Standalone Server: Configure a Windows Server 2025 Core edition not joined to any domain. Enable Remote Desktop and LocalKDC, then connect from a Windows 11 client. Audit logs to confirm Kerberos ticket exchange, not NTLM.
  5. Third-Party Applications: Many legacy applications use InitializeSecurityContext with the NTLM package hardcoded. Microsoft cannot fix those, but it is asking testers to run the IAKerb/LocalKDC audit mode (available via policy) to identify such applications. The audit mode logs NTLM fallback events but still allows them, giving admins a chance to contact vendors.

Microsoft has published a detailed test matrix on the Windows Insider blog, along with sample PowerShell scripts to simulate blocked DC environments and trigger IAKerb/LocalKDC paths.

Potential Gotchas and Known Issues

No preview is without quirks. Based on early discussion on the Windows forum and internal notes, a few pain points are expected:

  • IPv6-only networks: IAKerb has a known bug where the HTTP tunnel fails over IPv6 when the KDC proxy is dual-stacked. A workaround is to temporarily disable IPv6 on the client or force IPv4 in the proxy URL. A fix is expected in a later build.
  • LocalKDC cannot handle cross-machine service tickets: If a service running on one machine needs to authenticate to a service on another machine and both lack domain connectivity, LocalKDC will not work. That's by design — the intended replacement in such scenarios is Azure AD Kerberos or cloud-based KDC proxies.
  • Performance impact: LocalKDC caches are in-memory only. On machines with limited RAM, the added LSA memory footprint (~15 MB) might be noticeable. Microsoft plans to add a disk cache in a future release.
  • Backward compatibility: Some legacy VPN clients inject their own NTLM authentication and may interfere with IAKerb. Testers should update to VPN clients that support the MS-KKDCP awareness flag.

A particularly active Microsoft forum thread highlighted that many enterprise security tools still rely on NTLM audit logs for intrusion detection. Admins will need to port their detections to the new LocalKDC and IAKerb event logs or risk losing visibility.
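The following PowerShell script is an added example, not one of Microsoft's sample scripts from the Insider blog; it supports test steps 3 and 4 above (confirming that a share mount or RDP session to the test host did not fall back to NTLM) and the detection-porting point just made. It assumes Security logon auditing (event 4624) is enabled on the test host, that it is run elevated, and that the LocalKDC channel is named as the article states; because that channel may not exist on a given build, the script probes for it rather than assuming it.

```powershell
# Added example (not Microsoft's code): inventory NTLM logons on a test host so
# existing NTLM detections can be checked against the new LocalKDC/IAKerb channels.
# Assumptions: Security auditing for Logon (4624) is enabled; the script runs elevated;
# the channel name 'Microsoft-Windows-LocalKDC/Operational' is taken from the article
# and is probed, not assumed, because it may be absent on a given build.

function Get-NtlmLogonInventory {
    param(
        [int]$Hours = 24,
        [string[]]$LogonTypes = @('3', '10')   # 3 = network (SMB), 10 = RemoteInteractive (RDP)
    )
    $since  = (Get-Date).AddHours(-$Hours)
    $events = Get-WinEvent -FilterHashtable @{
        LogName = 'Security'; Id = 4624; StartTime = $since
    } -ErrorAction SilentlyContinue

    foreach ($e in $events) {
        # 4624 carries the package name in EventData; parse the XML rather than the message text
        $xml  = [xml]$e.ToXml()
        $data = @{}
        foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
        if ($data.AuthenticationPackageName -ne 'NTLM') { continue }
        if ($LogonTypes -notcontains $data.LogonType)  { continue }
        [pscustomobject]@{
            Time        = $e.TimeCreated
            Account     = "$($data.TargetDomainName)\$($data.TargetUserName)"
            LogonType   = $data.LogonType
            NtlmVersion = $data.LmPackageName      # 'NTLM V1' or 'NTLM V2'
            Source      = $data.WorkstationName
            SourceIp    = $data.IpAddress
        }
    }
}

function Get-LocalKdcChannelStatus {
    # Report whether the LocalKDC channel exists and is collecting, so detections
    # ported to it are not silently reading an empty or disabled log.
    $name = 'Microsoft-Windows-LocalKDC/Operational'
    $log  = Get-WinEvent -ListLog $name -ErrorAction SilentlyContinue
    if (-not $log) { return [pscustomobject]@{ Channel = $name; Present = $false; Enabled = $false; Records = 0 } }
    [pscustomobject]@{ Channel = $name; Present = $true; Enabled = $log.IsEnabled; Records = $log.RecordCount }
}

# After running test steps 3 and 4, expect no rows here for the test account;
# any row is an NTLM fallback that still needs a Kerberos path.
Get-NtlmLogonInventory -Hours 72 |
    Group-Object Account, Source, NtlmVersion |
    Sort-Object Count -Descending |
    Select-Object Count, Name |
    Format-Table -AutoSize

Get-LocalKdcChannelStatus
```

Run it on the machine being authenticated to (the share host or RDP target), since 4624 is written on the host that accepts the logon, not on the client.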

The Broader NTLM Deprecation Timeline

This Insider build is a precursor to the full NTLM removal in Windows 12 (or whatever the next major version is called). Microsoft's public roadmap states:

  • Current (Windows 11 2025–2026): NTLM still present, but with deprecation warnings in all supported versions. IAKerb and LocalKDC in preview.
  • Windows Insider (June 2026): IAKerb default, LocalKDC introduced. NTLM can be disabled via a Feature on Demand removal.
  • Next LTSC release (projected late 2027): NTLM completely removed from the base OS. Only available as an optional component for legacy compatibility, with an end-of-support deadline.

IT decision-makers should use this Insider build to start their NTLM extinction project now. The most painful part isn't the Windows configuration; it's identifying and fixing the hundreds of applications and scripts that bake in NTLM.

Community Reaction

The Windows Insider community has met the announcement with cautious optimism. "Finally, a real path forward for air-gapped labs," wrote one tester in the Windows forum's authentication board. Another noted, "I tested IAKerb in the previous Canary build — it works smoothly with Azure AD Kerberos but on-prem proxy setup is clunky." Expect a surge in how-to guides and YouTube walkthroughs once the build drops.

Skepticism remains, however. Many point out that Microsoft's own first-party products — like System Center Configuration Manager and older SQL Server versions — still rely on NTLM. Until those are updated or customers migrate to modern cloud equivalents, the full NTLM shutdown will feel abstract.

How to Get the Build

When the build becomes available, Windows Insiders in the Dev Channel will receive it automatically via Windows Update. System requirements remain identical to other Insider builds. IT pros should spin up a dedicated virtual machine or second bare-metal test rig; do not deploy this on a production device unless you're prepared for authentication hiccups.

Microsoft is also hosting an Insider Mixer event on June 18, 2026, where the Kerberos engineering team will demo IAKerb and LocalKDC live and take questions. Registration links are already in the Insider Hub.

Looking Ahead

With this build, Microsoft is delivering on a promise it made back in 2023: to make Kerberos the universal authentication protocol for Windows, eliminating one of the most stubborn attack surfaces. The combination of IAKerb for remote scenarios and LocalKDC for isolated machines fills the last major gaps that forced applications to fall back to NTLM.

For Windows enthusiasts and enterprise admins alike, the June 2026 Insider preview isn't just another weekly flight — it's a dress rehearsal for the post-NTLM world. The time to start testing is now.