NTLM phase-out model: Partially removed from Windows 11 24H2 and Server 2025

Microsoft improves protection against NTLM relay attacks. Largely unnoticed, NTLMv1 has also been removed in Windows 11 24H2 and Server 2025.

(Image: PC with a Windows logo displaying 24H2, next to a robot labeled AI. Created with AI in Bing Designer by heise online / dmk)


Microsoft is making every effort to improve the security of its operating systems. The company recently implemented better protection against NTLM relay attacks. However, one protective measure went largely unnoticed: support for NTLMv1 was removed from Windows 11 with the 24H2 update.

At the request of heise online, Microsoft has now updated its list of features removed from Windows. Microsoft has removed support for the outdated protocol not only in the Windows desktop client, but also in Windows Server 2025. A corresponding entry has now also been added to the list of removed features for Windows Server 2025.

As the Redmond-based company has so far only officially described the removal from Windows 11, we asked the company about the status of Windows Server 2025. "NTLMv1 has been removed from both Server 2025 and Windows 11 version 24H2. More details can be found on the updated web pages in English," Microsoft replied on Friday this week. "We are working to update the documentation in the other languages to reflect these updates," the company continued.


The Windows Server 2025 entry on the removal of NTLMv1 also gives admins a recommendation: "NTLMv1 has been removed. Calls to NTLM should be replaced with calls to Negotiate, which will attempt to authenticate with Kerberos first and only fall back to NTLM if necessary. Further information can be found in the article 'Evolution of Windows Authentication'."

Last week, Microsoft announced that it was taking security measures against frequently observed NTLM relay attacks. In such attacks, malicious actors forward intercepted credentials to gain unauthorized access to network resources. In Windows Server 2025, Extended Protection for Authentication (EPA) is used to counter this. The LDAP Channel Binding feature works along the same lines. With both, a client's authentication is bound to the specific server it is talking to, so it cannot be relayed to a different server of the attacker's choosing, which is exactly what an NTLM relay attack depends on.
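As an added example (not from the article or from Microsoft), the following PowerShell audit reads the registry values that govern whether NTLMv1 is still accepted on pre-24H2 systems and whether LDAP channel binding and signing are enforced on a domain controller, and reports each against the hardened setting. The registry paths, value meanings and build number 26100 are not on the page; they come from Microsoft's public documentation. EPA for other services (e.g. IIS) is configured per service and is not covered here.

```powershell
# Added audit example; read-only, run in an elevated PowerShell session.
$checks = @(
    @{
        Name     = 'LmCompatibilityLevel (0-2 still send NTLMv1; 5 = NTLMv2 only, refuse LM and NTLMv1)'
        Path     = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
        Value    = 'LmCompatibilityLevel'
        Hardened = 5
        Default  = 3      # OS default on current clients when the value is absent
    },
    @{
        Name     = 'LdapEnforceChannelBinding (DC only; 2 = always require channel binding)'
        Path     = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters'
        Value    = 'LdapEnforceChannelBinding'
        Hardened = 2
        Default  = 1      # 1 = "when supported", i.e. not enforced
    },
    @{
        Name     = 'LDAPServerIntegrity (DC only; 2 = require LDAP signing)'
        Path     = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters'
        Value    = 'LDAPServerIntegrity'
        Hardened = 2
        Default  = 1      # 1 = signing not required
    }
)

# Windows 11 24H2 and Windows Server 2025 report build 26100. Per the article,
# NTLMv1 is gone there regardless of LmCompatibilityLevel; on older builds the
# registry value still decides what the machine sends and accepts.
$build = [System.Environment]::OSVersion.Version.Build
if ($build -ge 26100) { "OS build $build : 24H2/Server 2025, NTLMv1 removed from the OS" }
else                  { "OS build $build : NTLMv1 still governed by LmCompatibilityLevel" }

foreach ($c in $checks) {
    if (-not (Test-Path $c.Path)) {
        # The NTDS key exists only on domain controllers.
        "[--] $($c.Name): key absent (not a domain controller)"
        continue
    }
    $item = Get-ItemProperty -Path $c.Path -Name $c.Value -ErrorAction SilentlyContinue
    # An absent value means the OS default applies; treat it like an explicit value.
    $v = if ($null -eq $item) { $c.Default } else { $item.$($c.Value) }
    $src = if ($null -eq $item) { 'default' } else { 'explicit' }
    $tag = if ($v -eq $c.Hardened) { '[OK]' } else { '[!!]' }
    "$tag $($c.Name): current=$v ($src) recommended=$($c.Hardened)"
}
```

Lines tagged [!!] indicate a host that, on a pre-24H2 build, still accepts NTLMv1 or an LDAP server that does not yet require channel binding and signing.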

(dmk)


This article was originally published in German. It was translated with technical assistance and editorially reviewed before publication.