
Windows Drops NTLM: Microsoft Boosts Security with Kerberos

By Admin · 2 min read

Microsoft is taking a crucial step to bolster security in Windows 11, announcing the deprecation of NTLM, its oldest authentication protocol, in favor of Kerberos. This change, set to roll out in upcoming client and server versions of the operating system, aims to close known vulnerabilities and protect against password theft attacks.

For decades, NTLM (NT LAN Manager) has been responsible for verifying user and device identities on Windows local networks. While functional, this protocol carries known vulnerabilities and no longer aligns with modern security standards, prompting Microsoft to gradually seek its replacement.

To ensure a smooth transition without leaving security gaps, the company has introduced two new Kerberos-based technologies. Kerberos has been Microsoft's designated successor for authentication for years, and these new solutions are designed to cover scenarios where NTLM was previously considered indispensable.

The first of these innovations is IAKerb, designed for enterprise environments. It allows a device to authenticate even without direct access to the domain controller, using the target service as an intermediary. This addresses a primary reason many organizations continued to rely on NTLM.

LocalKDC, on the other hand, focuses on authenticating local accounts. This means devices not part of a corporate network or operating independently will also benefit from enhanced security. Together, IAKerb and LocalKDC close the major gaps that prevented a complete shift to Kerberos.

Replacing NTLM with Kerberos is meant to reinforce protection against attacks that try to steal passwords.

While the default deactivation of NTLM marks a significant milestone, Microsoft has been preparing the groundwork for some time. The tech giant promoted Kerberos usage and enabled configuration audits in Windows Server 2025, demonstrating a methodical approach to this security migration. NTLM will remain available for very specific cases, but it will be disabled by default.

The initial preview of these changes will arrive via the Canary channel of the Windows Insider program, as reported by Neowin. In this preliminary version, IAKerb will be enabled by default, while LocalKDC will be disabled, though both settings can be manually adjusted through the Windows Registry. Microsoft plans to integrate these options into administration tools and group policies later on.

For most home Windows users without advanced network configurations, this change will not be directly noticeable. Login will function as usual, but with a more robust security layer operating behind the scenes. However, in corporate environments, administrators will need to review their dependencies before these transitions reach stable versions of the operating system, ensuring a seamless migration.
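The article says administrators should review their NTLM dependencies before the default switch to Kerberos reaches stable builds. The script below is an added example written for this page, not Microsoft's tooling or code from the article: it summarises which logons on a host still use the NTLM authentication package, and optionally which events the dedicated NTLM audit log has recorded. It assumes an elevated session that can read the Security log, that successful logon events (ID 4624) are being recorded (the Windows default), and, for the second query, that the "Restrict NTLM: Audit" policies have been enabled so the Microsoft-Windows-NTLM/Operational log is populated.

```powershell
# Added example, not from the article: find remaining NTLM logons on this host
# so the dependencies can be reviewed before NTLM is disabled by default.
# Assumes an elevated session and default Windows audit settings.

param(
    [int]$Days = 7
)

$since = (Get-Date).AddDays(-$Days)

# Successful logons. The AuthenticationPackageName field records whether
# NTLM, Kerberos or Negotiate (which then picked one of the two) was used.
$events = Get-WinEvent -FilterHashtable @{
    LogName   = 'Security'
    Id        = 4624
    StartTime = $since
} -ErrorAction SilentlyContinue

$rows = foreach ($ev in $events) {
    # Pull the named EventData fields out of the event XML.
    $xml  = [xml]$ev.ToXml()
    $data = @{}
    foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }

    [pscustomobject]@{
        Time        = $ev.TimeCreated
        AuthPackage = $data['AuthenticationPackageName']
        LogonType   = $data['LogonType']
        User        = "$($data['TargetDomainName'])\$($data['TargetUserName'])"
        SourceIp    = $data['IpAddress']
        Workstation = $data['WorkstationName']
    }
}

Write-Host "Logons in the last $Days day(s) by authentication package:"
$rows | Group-Object AuthPackage | Sort-Object Count -Descending |
    Select-Object Name, Count | Format-Table -AutoSize

# The NTLM rows are the dependencies to investigate: which accounts, from
# which source addresses and with which logon type (3 = network,
# 10 = RemoteInteractive) are still not using Kerberos.
Write-Host "NTLM logons grouped by user, source address and logon type:"
$rows | Where-Object AuthPackage -eq 'NTLM' |
    Group-Object User, SourceIp, LogonType | Sort-Object Count -Descending |
    Select-Object Count, Name | Format-Table -AutoSize

# If the "Restrict NTLM: Audit ..." policies are on, the dedicated NTLM
# operational log records each audited use; summarise it by event ID.
# Assumption: the log exists and is enabled on this host.
$ntlmLog = Get-WinEvent -FilterHashtable @{
    LogName   = 'Microsoft-Windows-NTLM/Operational'
    StartTime = $since
} -ErrorAction SilentlyContinue

if ($ntlmLog) {
    Write-Host "Entries in Microsoft-Windows-NTLM/Operational by event ID:"
    $ntlmLog | Group-Object Id | Sort-Object Count -Descending |
        Select-Object Name, Count | Format-Table -AutoSize
}
else {
    Write-Host "No NTLM operational-log entries found (audit policy may be off)."
}
```

Run it as `.\Find-NtlmLogons.ps1 -Days 30` on a domain controller to see domain-wide NTLM use, or on a file or application server to see that server's inbound NTLM clients. Entries that group under a service or legacy application account are the ones that need a Kerberos-capable configuration (for example, a registered SPN or a client that reaches the DC, or IAKerb once it ships) before NTLM is switched off.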
