Overview
- Enhanced NTLM auditing is available now in Windows Server 2025 and Windows 11 version 24H2 to help organizations locate and understand remaining NTLM use.
- Phase 2, slated for the second half of 2026, will introduce mitigations such as IAKerb (Kerberos authentication relayed through the target server when the client cannot reach a domain controller directly) and a Local Key Distribution Center (Kerberos for local accounts), and will update core Windows components to negotiate Kerberos before falling back to NTLM.
- In a future major Windows release, network NTLM authentication will be disabled by default; the protocol will still be re‑enableable, but only through explicit policy controls.
- Microsoft classifies NTLM as deprecated and no longer actively develops it, noting that it survives in legacy scenarios and carries risks including relay, replay, and man‑in‑the‑middle attacks.
- Administrators are urged to start reducing NTLM now: audit where it is still used, map the dependencies behind that usage, migrate critical workloads to Kerberos, and test NTLM‑off configurations in non‑production environments before enforcing them.
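The first two steps above, auditing NTLM usage and mapping dependencies, are concrete enough to script. The following is an added example written for this page, not code from Microsoft's announcement: it summarizes NTLM logons from the Security log (event 4624 whose AuthenticationPackageName is NTLM, grouped by account, source workstation and NTLM version) and reports the registry values behind the "Network security: Restrict NTLM" policies so you know whether audit mode is actually on. The function and parameter names are my own; it assumes an elevated session on a member server or domain controller whose Security log still retains the period being examined.

```powershell
# Added example for this page, not code from Microsoft's announcement. Function and
# parameter names are my own; it assumes an elevated session on a member server or
# domain controller whose Security log still holds the period being audited.
param(
    [int]$Days = 7,
    [string]$ComputerName = $env:COMPUTERNAME
)

function Get-NtlmLogonSummary {
    # One row per NTLM logon: event 4624 whose AuthenticationPackageName is NTLM.
    param([int]$Days, [string]$ComputerName)

    $windowMs = $Days * 24 * 60 * 60 * 1000
    # Filter on the server side: pulling every 4624 and filtering in PowerShell is
    # painfully slow on a busy DC. timediff() is in milliseconds.
    $query = @"
<QueryList>
  <Query Id="0" Path="Security">
    <Select Path="Security">
      *[System[(EventID=4624) and TimeCreated[timediff(@SystemTime) &lt;= $windowMs]]]
      and *[EventData[Data[@Name='AuthenticationPackageName']='NTLM']]
    </Select>
  </Query>
</QueryList>
"@
    $events = Get-WinEvent -ComputerName $ComputerName -FilterXml $query -ErrorAction SilentlyContinue
    foreach ($e in $events) {
        $d = @{}
        ([xml]$e.ToXml()).Event.EventData.Data | ForEach-Object { $d[$_.Name] = $_.'#text' }
        [pscustomobject]@{
            Time        = $e.TimeCreated
            Account     = '{0}\{1}' -f $d['TargetDomainName'], $d['TargetUserName']
            LogonType   = $d['LogonType']        # 3 = network, 10 = RemoteInteractive, ...
            Version     = $d['LmPackageName']    # 'NTLM V1', 'NTLM V2' or 'LM'
            Workstation = $d['WorkstationName']  # client name as supplied by the client
            SourceIp    = $d['IpAddress']
        }
    }
}

function ConvertFrom-NtlmPolicyValue {
    # Map a raw registry DWORD to the label shown in the Group Policy editor.
    param($Value, [hashtable]$Map)
    if ($null -eq $Value) { return 'Not configured' }
    if ($Map.ContainsKey([int]$Value)) { return $Map[[int]$Value] }
    return "Unknown ($Value)"
}

function Get-NtlmPolicyState {
    # Registry values behind "Network security: Restrict NTLM: ..." on the LOCAL machine.
    # Check these first: if auditing is off, an empty log proves nothing.
    $lsa      = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0'
    $netlogon = 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters'
    $read = {
        param($Path, $Name)
        (Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue).$Name
    }
    [pscustomobject]@{
        # "Audit Incoming NTLM Traffic"
        AuditIncomingNTLM = ConvertFrom-NtlmPolicyValue (& $read $lsa 'AuditReceivingNTLMTraffic') @{
            0 = 'Disabled'; 1 = 'Enable auditing for domain accounts'; 2 = 'Enable auditing for all accounts' }
        # "Outgoing NTLM traffic to remote servers"
        OutgoingNTLM = ConvertFrom-NtlmPolicyValue (& $read $lsa 'RestrictSendingNTLMTraffic') @{
            0 = 'Allow all'; 1 = 'Audit all'; 2 = 'Deny all' }
        # "Audit NTLM authentication in this domain" (meaningful on domain controllers)
        AuditNTLMInDomain = ConvertFrom-NtlmPolicyValue (& $read $netlogon 'AuditNTLMInDomain') @{
            0 = 'Disabled'; 1 = 'Domain accounts to domain servers'; 3 = 'Domain accounts'
            5 = 'Domain servers'; 7 = 'All' }
    }
}

$logons = @(Get-NtlmLogonSummary -Days $Days -ComputerName $ComputerName)

"NTLM logons on $ComputerName in the last $Days day(s): $($logons.Count)"
$logons | Group-Object Account, Workstation, Version | Sort-Object Count -Descending |
    Select-Object Count, @{ n = 'Account, Workstation, Version'; e = { $_.Name } } |
    Format-Table -AutoSize

# NTLMv1 and LM go first: they are the easiest to relay or crack offline.
$legacy = @($logons | Where-Object { $_.Version -ne 'NTLM V2' })
"Legacy (NTLMv1/LM) logons: $($legacy.Count)"

"Restrict NTLM policy state on ${ComputerName}:"
Get-NtlmPolicyState | Format-List
```

The grouped table is the dependency map: each (account, workstation) pair that keeps showing up is a client, service account or application that has not yet negotiated Kerberos, and the Workstation and SourceIp columns tell you where to look. Once the three policies are set to their audit values, the NTLM subsystem also writes events 8001 through 8004 to the Microsoft-Windows-NTLM/Operational log, which records the target server name for outgoing NTLM and is the better source for mapping which servers a client still reaches over NTLM. Rerun the script after each migration; the same 4624 events report Kerberos in AuthenticationPackageName, so the NTLM count should fall toward zero before you test an NTLM‑off policy in non‑production.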