The Final Sunset: Microsoft Lays Out the 3-Phase Plan to Kill NTLM After 30 Years
Microsoft has resolved to finally relegate NTLM to the periphery of its ecosystem, decreeing that in forthcoming Windows iterations, the protocol shall no longer be invoked by default. The corporation justifies this transition by highlighting the accumulation of cryptographic frailties that have, over decades, rendered NTLM a favored vector for adversaries infiltrating enterprise networks.
NTLM (New Technology LAN Manager) emerged in 1993 alongside Windows NT 3.1, superseding the archaic LAN Manager. While Kerberos assumed the mantle of primary authentication within domain environments starting with Windows 2000, NTLM persisted as a ubiquitous fallback mechanism. Regrettably, this “contingency plan” has devolved into a convenient loophole; its inferior cryptography and susceptibility to diverse attack scenarios have made it an enduring liability.
One of the most pervasive exploitation archetypes is the NTLM Relay attack. In this maneuver, an antagonist coerces a compromised device to authenticate with a rogue server under their dominion rather than the intended legitimate destination. This facilitates lateral movement and privilege escalation, culminating in the total subversion of the Windows Domain. Although defensive counters exist, they are frequently circumvented by the presence of legacy servers that continue to honor NTLM. Techniques such as PetitPotam, ShadowCoerce, DFSCoerce, and RemotePotato0 are specifically designed to bypass these restrictions and restore a viable path for relaying authentication.
A second formidable category is the Pass-the-Hash incursion. Here, adversaries forgo the laborious process of credential cracking. Instead, they exfiltrate the NTLM hash—the derived value of the password—and utilize it directly as a surrogate for authentic credentials. Harvested via system vulnerabilities or specialized malware, these hashes empower an attacker to impersonate legitimate users, extract sensitive data, and expand their foothold across the network.
In the next major release of Windows Server and its corresponding client versions, the protocol will cease to function as an automatic safety net. Microsoft clarifies that while the components will not be immediately excised, Windows will ship in a “secure by default” state. In this configuration, network-based NTLM is blocked, and the system exclusively prioritizes modern Kerberos-based alternatives.
The transition is engineered to be phased, ensuring that administrators can avoid abrupt service disruptions. The inaugural stage emphasizes expanded auditing capabilities, available in Windows 11 24H2 and Windows Server 2025, allowing IT professionals to pinpoint where NTLM remains active and identify the legacy applications necessitating its use.
The second phase, anticipated in the latter half of 2026, will introduce features designed to mitigate common “fallback” scenarios. Key elements include IAKerb and a Local Key Distribution Center (Local KDC). These components act as bridges to Kerberos in environments where NTLM was previously the path of least resistance due to architectural idiosyncrasies.
In the final stage, network NTLM will be deactivated by default in future releases. The protocol will remain dormant within the OS, accessible only through explicit policy overrides. Microsoft thus preserves an “emergency switch” for organizations burdened by legacy infrastructure while ensuring the standard operational state is as resilient and predictable as possible.
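The phases above map onto what an administrator actually has to do on each host: find out who still authenticates with NTLM, then tighten the restriction policy. The following PowerShell script is an added example for that inventory step; it is not code from the article or from Microsoft. It relies on the long-standing Security log evidence (logon event 4624, whose AuthenticationPackageName and LmPackageName fields record NTLM use and the NTLMv1/v2 variant) and on the MSV1_0 registry values behind the classic "Network security: Restrict NTLM" policies, rather than on the expanded 24H2 auditing the article mentions but does not detail. It assumes it is run elevated on Windows 11 or Windows Server with logon auditing enabled; the lookback window and the CSV output path are illustrative.

```powershell
# Added example (not the article's or Microsoft's code): inventory NTLM use on a
# Windows host before moving from the "audit" phase to the "restrict" phase.
# Assumptions: run elevated, logon auditing enabled; $Days and $ReportPath are
# illustrative defaults.

param(
    [int]$Days = 7,
    [string]$ReportPath = "$env:TEMP\ntlm-inventory.csv"   # assumed output location
)

# 1. Report the current "Restrict NTLM" policy state. These MSV1_0 values back
#    the "Network security: Restrict NTLM" group policies (0 = allow all,
#    1 = audit/deny for domain accounts, 2 = deny all, depending on the value).
$msv = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0'
$policy = [ordered]@{}
foreach ($name in 'AuditReceivingNTLMTraffic', 'RestrictReceivingNTLMTraffic', 'RestrictSendingNTLMTraffic') {
    $value = (Get-ItemProperty -Path $msv -Name $name -ErrorAction SilentlyContinue).$name
    $policy[$name] = if ($null -eq $value) { 'not configured (defaults to allow)' } else { $value }
}
Write-Host "Current NTLM restriction policy on $($env:COMPUTERNAME):"
$policy.GetEnumerator() | Format-Table -AutoSize

# 2. Pull successful logons (event 4624) in the lookback window and keep those
#    authenticated with the NTLM package. Each <Data Name="..."> element of the
#    event XML becomes one key in $d.
$since  = (Get-Date).AddDays(-$Days)
$events = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4624; StartTime = $since } `
          -ErrorAction SilentlyContinue

$ntlmLogons = foreach ($e in $events) {
    $x = [xml]$e.ToXml()
    $d = @{}
    foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
    if ($d['AuthenticationPackageName'] -eq 'NTLM') {
        [pscustomobject]@{
            Time        = $e.TimeCreated
            Account     = "$($d['TargetDomainName'])\$($d['TargetUserName'])"
            LogonType   = $d['LogonType']            # 3 = network, the relay-relevant case
            NtlmVersion = $d['LmPackageName']        # "NTLM V1" or "NTLM V2"
            Source      = $d['WorkstationName']
            SourceIp    = $d['IpAddress']
        }
    }
}

# 3. Summarise which accounts and source hosts still depend on NTLM, and flag
#    any NTLMv1 use, which is the weaker variant and should be removed first.
$ntlmLogons | Group-Object Account, Source | Sort-Object Count -Descending |
    Select-Object Count, Name | Format-Table -AutoSize
$v1 = @($ntlmLogons | Where-Object NtlmVersion -eq 'NTLM V1')
Write-Host "NTLM logons in the last $Days days: $(@($ntlmLogons).Count); of which NTLMv1: $($v1.Count)"

$ntlmLogons | Export-Csv -Path $ReportPath -NoTypeInformation
Write-Host "Per-logon detail written to $ReportPath"
```

Run it on the domain controllers first, since every domain-account NTLM authentication is validated there, then on file and application servers that the summary names as frequent targets. An empty NTLM list over a representative window is the evidence needed before raising RestrictReceivingNTLMTraffic from audit to deny, which is the per-host equivalent of the "secure by default" state the final phase ships with.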
This strategic pivot follows years of deliberate preparation. The intention to sunset NTLM was publicly articulated in October 2023, followed by its official designation as a deprecated mechanism in July 2024. Microsoft’s exhortations to developers to abandon NTLM in favor of Kerberos or Negotiate date back to 2010, underscoring a long-standing commitment to eradicating this legacy vulnerability.