Microsoft to Ship Windows with NTLM Blocked by Default, Pressing Enterprises to Migrate to Kerberos (US)

Microsoft is preparing to change the default authentication posture of Windows by blocking NTLM network authentication in forthcoming server and client releases. The vendor plans a staged rollout that begins with enhanced auditing so administrators can locate where NTLM remains in use and why, providing those diagnostics in Windows Server 2025 and Windows 11 builds starting with the 24H2 branch. Subsequent phases will address technical blockers — interactions with domain controllers, local account scenarios, and applications that call NTLM directly — through new components and policy controls arriving later in the rollout. Microsoft will introduce Kerberos-first negotiation behavior, preview options such as IAKerb and a local KDC to enable Kerberos without NTLM fallback, and update core components to prefer modern authentication. Practically, Windows images will still include NTLM for compatibility, but it will no longer run automatically; administrators who require legacy support will have to enable it explicitly. From a defender’s viewpoint, this reduces the attack surface exploited for relay, replay and man-in-the-middle techniques. Operationally, teams face a remediation program: inventorying service dependencies, identifying hardcoded uses, and validating systems under an NTLM-off configuration. The task list grows more urgent because independent research and tool releases have recently made NTLMv1 credential recovery far faster in practice, lowering the bar for attackers to obtain usable credentials. That work automates and accelerates known weaknesses in older NTLM negotiations, meaning environments that still accept NTLMv1 are subject to quicker compromise. Microsoft’s staged timeline and tooling aim to lower friction, but the balance between security gain and operational disruption will depend on disciplined discovery, prioritized remediation, and staged rollouts. Organizations with custom or unsupported software are most likely to encounter authentication failures and will need targeted fixes or mitigations. In sum, the move solidifies a push toward passwordless and phishing-resistant authentication methods, positions Kerberos and future alternatives as the default paths, and comes at a moment where practical attacks against legacy NTLM pushes migration from a best practice to an operational imperative.