Microsoft plans to disable NTLM by default on Windows 11

Microsoft is finally pulling the plug on NTLM, forcing Windows 11 and Windows Server toward modern, Kerberos-based security by default.

Windows 11 end of NTLM / Image: Mauro Huculak
  • Microsoft outlines its plan to disable NTLM authentication by default in future Windows 11 and Windows Server releases.
  • NTLM is a legacy authentication protocol with known weaknesses, including replay, relay, and pass-the-hash attacks.
  • The protocol will not be removed immediately, but blocked by default unless explicitly re-enabled by policy.

Microsoft is preparing to further improve Windows 11 security by disabling New Technology LAN Manager (NTLM) authentication by default in future Windows Server and Windows client releases. The change signals the beginning of the end for one of the oldest legacy authentication protocols as the company pushes toward stronger, Kerberos-based alternatives.

NTLM has existed in Windows for more than 30 years. Originally designed as a challenge-response protocol for network authentication, it later became a fallback when Kerberos was unavailable. While still widely used today, NTLM no longer meets modern security standards.

Why Microsoft is moving away from NTLM

Microsoft says NTLM exposes organizations to unnecessary risk. The protocol lacks server authentication, relies on weak cryptography, and is vulnerable to attacks such as replay, relay, man-in-the-middle, and pass-the-hash. As threat models have evolved, these weaknesses have become harder to justify in enterprise environments.

Although the company previously marked NTLM as deprecated, usage has remained high due to legacy programs, hard-coded dependencies, and network configurations that make Kerberos deployment difficult. Deprecation alone, Microsoft acknowledges, has not been enough.

What “disabled by default” means for Windows 11

Disabling NTLM by default does not mean the protocol will be removed from the operating system immediately. Instead, Windows 11 will ship with a secure-by-default configuration that blocks network NTLM authentication by default. Kerberos-based authentication will be preferred, and NTLM will only work if administrators explicitly re-enable it through policy.

A phased roadmap to reduce disruption

Microsoft is rolling out the change through a three-phase roadmap to provide network administrators with visibility and time to make the necessary changes:

  • Phase 1 (available now): Enhanced NTLM monitoring provides organizations with visibility into where and why NTLM is still in use. It’s supported on Windows Server 2025 and Windows 11 24H2 and later, and serves as the foundation for reducing reliance on NTLM.
  • Phase 2 (second half of 2026): Microsoft will reduce common NTLM fallback scenarios by introducing features such as IAKerb and a local Key Distribution Center. Core Windows components will also be updated to prefer Kerberos and improve local account authentication without forcing NTLM.
  • Phase 3 (future Windows releases): NTLM will be disabled by default for network authentication. Organizations will need to explicitly re-enable it using new policy controls, with built-in handling for legacy scenarios to minimize application breakage.

What organizations should do now

Microsoft is urging organizations to start preparing immediately. That includes enabling enhanced NTLM monitoring, mapping application dependencies, working with vendors to modernize authentication, and testing NTLM-disabled configurations in non-production environments.
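The first two steps above (getting visibility into NTLM use and mapping which accounts and hosts depend on it) can be started today even on hosts that do not yet have the enhanced monitoring feature. The PowerShell below is an added example, not code from the article or from Microsoft: it reads successful-logon events (Security event 4624), keeps only those handled by the NTLM package, and summarises them per account, source host and NTLM version, then reads the long-standing "Restrict NTLM" registry-backed policy values so a test environment's posture can be recorded before and after a change. It assumes logon-success auditing is enabled on the host where it runs; the function names and the 7-day default lookback are this example's own choices.

```powershell
# Added example (not from the article or from Microsoft): inventory NTLM logons
# recorded in the Security log so an admin can see which accounts, hosts and
# NTLM versions still depend on the protocol before it is disabled by default.
# Assumes successful-logon auditing (event 4624) is enabled. Field names are the
# standard 4624 EventData names; function names are this example's own.

function Get-NtlmLogonInventory {
    [CmdletBinding()]
    param(
        # How far back to look; 7 days is an arbitrary default for this example.
        [TimeSpan]$Lookback = (New-TimeSpan -Days 7),
        # Optional exported .evtx (e.g. collected from a DC) instead of the live log.
        [string]$EvtxPath
    )

    $filter = @{ Id = 4624; StartTime = (Get-Date).Add(-$Lookback) }
    if ($EvtxPath) { $filter.Path = $EvtxPath } else { $filter.LogName = 'Security' }

    $events = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue

    $rows = foreach ($ev in $events) {
        $xml  = [xml]$ev.ToXml()
        $data = @{}
        foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }

        # Keep only logons where the NTLM (MSV1_0) package authenticated the user.
        if ($data['AuthenticationPackageName'] -ne 'NTLM') { continue }

        [pscustomobject]@{
            Time        = $ev.TimeCreated
            Account     = "$($data['TargetDomainName'])\$($data['TargetUserName'])"
            LogonType   = $data['LogonType']        # 3 = network, 10 = remote interactive, ...
            Workstation = $data['WorkstationName']
            SourceIp    = $data['IpAddress']
            NtlmVersion = $data['LmPackageName']    # 'NTLM V1', 'NTLM V2' or 'LM'
        }
    }

    # One summary line per account/source/version makes dependency mapping easier;
    # any 'NTLM V1' or 'LM' rows deserve attention before anything else.
    $rows | Group-Object Account, Workstation, SourceIp, NtlmVersion | ForEach-Object {
        $first = $_.Group[0]
        [pscustomobject]@{
            Account     = $first.Account
            Workstation = $first.Workstation
            SourceIp    = $first.SourceIp
            NtlmVersion = $first.NtlmVersion
            Count       = $_.Count
            LastSeen    = ($_.Group | Sort-Object Time -Descending)[0].Time
        }
    } | Sort-Object Count -Descending
}

function Get-NtlmRestrictionState {
    # Reads the registry values behind the existing "Network security: Restrict NTLM"
    # Group Policy settings. These are the long-standing controls, not the new
    # Phase 3 policy controls the article refers to.
    $key = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0'
    $p = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
    [pscustomobject]@{
        RestrictSendingNTLMTraffic   = $p.RestrictSendingNTLMTraffic    # 0 allow, 1 audit, 2 deny
        RestrictReceivingNTLMTraffic = $p.RestrictReceivingNTLMTraffic  # 0 allow, 1 deny domain accounts, 2 deny all
        AuditReceivingNTLMTraffic    = $p.AuditReceivingNTLMTraffic     # 0 off, 1 domain accounts, 2 all accounts
    }
}

# Usage (run elevated; reading the Security log requires administrator rights):
Get-NtlmLogonInventory -Lookback (New-TimeSpan -Days 30) | Format-Table -AutoSize
Get-NtlmRestrictionState
```

Event 4624 is written on the host that accepts the logon, so run the inventory on domain controllers and on the file, print and application servers that receive network logons, or point `-EvtxPath` at logs exported from them; a single workstation's log shows only what that workstation accepted. Where the enhanced NTLM monitoring from Phase 1 is available, it is the better source because it also records why NTLM was chosen, which this script cannot infer.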

Disabling NTLM by default marks another step in Microsoft’s long-running effort to secure the operating system. For organizations that still rely on NTLM, the announcement isn’t surprising, but it does make the timeline harder to ignore.

About the author

Mauro Huculak is a Windows How-To Expert and the founder of Pureinfotech, which he started in 2010. With over 22 years as a technology writer and IT Specialist, Mauro specializes in Windows, software, and cross-platform systems such as Linux, Android, and macOS.

Certifications: Microsoft Certified Solutions Associate (MCSA), Cisco Certified Network Professional (CCNP), VMware Certified Professional (VCP), and CompTIA A+ and Network+.

Mauro is a recognized Microsoft MVP and has also been a long-time contributor to Windows Central.

You can follow him on YouTube, Threads, BlueSky, X (Twitter), LinkedIn and About.me. Email him at [email protected].