How will Microsoft’s 2026 roadmap for disabling NTLM affect your network security?

Is your legacy Windows environment ready for the mandatory switch to Kerberos?

Microsoft has officially classified the NTLM (NT LAN Manager) authentication protocol as “deprecated.” This designation signals that the protocol will receive no further development and will be disabled by default in the next major iterations of Windows Server and Windows client operating systems. While NTLM remains present for legacy compatibility, the operating system will prioritize Kerberos to ensure a secure-by-default posture.

The Security Risks of Legacy Protocols

Security professionals have considered NTLM obsolete for years. This proprietary protocol, a staple of Windows networking for over three decades, possesses severe vulnerabilities. Attackers can easily compromise NTLM encryption using rainbow tables, a method demonstrated effectively by security firm Mandiant.

Current Windows environments prioritize Kerberos but retain NTLM as a fallback mechanism. This fallback creates a security gap: if a network participant fails to support Kerberos, the connection reverts to the insecure NTLM standard. To mitigate this risk, administrators must transition away from this fallback reliance.

The 2026 Transition Roadmap

On January 29, 2026, Microsoft outlined a structured timeline to phase out NTLM usage. This roadmap allows organizations to adapt before the protocol is disabled by default.

Phase 1: Audit and Discovery (Immediate)

Administrators should begin monitoring NTLM usage immediately. Windows Server 2025 and Windows 11 24H2 include enhanced auditing capabilities. These tools provide granular visibility, helping IT teams identify exactly which applications or devices still rely on NTLM.
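As an added example (not Microsoft's tooling or code from this article), the script below turns the classic NTLM audit events into a dependency inventory for Phase 1. It assumes the "Network security: Restrict NTLM" audit policies have already been enabled so that events 8001-8004 land in the Microsoft-Windows-NTLM/Operational log, and it exercises the parser on constructed sample messages so it runs without a live log.

```powershell
# Summarise NTLM audit events (IDs 8001-8004, Microsoft-Windows-NTLM/Operational)
# into a "who still speaks NTLM, to what, and as whom" inventory. The log stays
# empty until the Restrict NTLM audit Group Policy settings are turned on.

function ConvertFrom-NtlmAuditEvent {
    param([Parameter(Mandatory)][int]$Id, [Parameter(Mandatory)][string]$Message)
    # Extract a "Label: value" line from the event text; $null when the label is absent.
    function Get-Field([string]$Label) {
        $m = [regex]::Match($Message, "(?m)^\s*$([regex]::Escape($Label)):\s*(.*?)\s*$")
        if ($m.Success) { $m.Groups[1].Value } else { $null }
    }
    $user = Get-Field 'User name'
    if (-not $user) { $user = Get-Field 'Supplied user' }   # 8001 uses "Supplied user"
    [pscustomobject]@{
        EventId   = $Id
        Direction = $(switch ($Id) { 8001 {'Outbound'} 8002 {'Inbound'} default {'DomainController'} })
        User      = $user
        Source    = Get-Field 'Workstation name'         # client that sent NTLM (8002-8004)
        Target    = Get-Field 'Target server'            # server reached with NTLM (8001)
        Process   = Get-Field 'Name of client process'   # 8001 only
    }
}

# Constructed sample messages (not real captures). The 8001 target is an IP address:
# Kerberos needs a hostname-based SPN, so IP-addressed connections fall back to NTLM.
$samples = @(
  @{ Id = 8004; Message = "NTLM server blocked audit: Audit NTLM authentication in this domain.`n" +
     "Secure Channel name: FS01`nUser name: svc_backup`nDomain name: CORP`nWorkstation name: LEGACY-APP01" },
  @{ Id = 8001; Message = "NTLM client blocked audit: Audit outgoing NTLM authentication traffic that would be blocked.`n" +
     "Target server: 10.0.0.42`nSupplied user: jdoe`nSupplied domain: CORP`nPID of client process: 4120`n" +
     "Name of client process: C:\Windows\explorer.exe" }
)
$parsed = $samples | ForEach-Object { ConvertFrom-NtlmAuditEvent -Id $_.Id -Message $_.Message }

# On a live host, feed the real log instead of $samples:
# $parsed = Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-NTLM/Operational'; Id = 8001,8002,8003,8004 } |
#           ForEach-Object { ConvertFrom-NtlmAuditEvent -Id $_.Id -Message $_.Message }

# Inventory: each NTLM source/target pair, how often it appears, and which accounts use it.
$parsed |
  Group-Object Direction, Source, Target |
  ForEach-Object {
    [pscustomobject]@{ Key = $_.Name; Count = $_.Count; Users = ($_.Group.User | Sort-Object -Unique) -join ';' }
  } |
  Sort-Object Count -Descending |
  Format-Table -AutoSize
```

Run it on domain controllers as well as member servers, since 8004 is only logged by DCs and is the view that covers the whole domain.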

Phase 2: Compatibility and Mitigation (2H 2026)

In the second half of 2026, Microsoft will release updates to resolve common friction points preventing a full switch to Kerberos.

  • IAKerb and Local KDC: These features allow Kerberos authentication even in scenarios lacking direct Domain Controller connectivity, a situation that previously forced an NTLM fallback.
  • Core Component Updates: Windows components will be updated to aggressively negotiate Kerberos, reducing unintentional NTLM usage.

Phase 3: Disabled by Default (Next Major Release)

In the upcoming major versions of Windows, NTLM will be disabled out of the box.

  • Default Behavior: Network NTLM authentication attempts will be blocked automatically.
  • Exception Handling: Organizations requiring NTLM for specific legacy applications must explicitly re-enable it via Group Policy.
  • Fail-safe Measures: The OS will support exceptions for specific scenarios, such as authentication via IP address or local accounts, to prevent critical application failures.

Advisory Recommendation

Organizations must treat this deprecation as a call to action. Do not wait for the default disablement. Utilize the current auditing tools to map your dependency on NTLM. Prepare your environment to leverage IAKerb and Local KDC as they become available later this year to ensure seamless connectivity without compromising security.