Windows: Microsoft clarifies NTLM phase-out, but still no date
Microsoft intends to disable the insecure NTLM protocol by default with the next Windows Server version. However, its release date remains open.
(Image: Curt Bauer / Shutterstock)
In another blog post, Microsoft promises to eliminate the NTLM security problem. "With the next version of Windows Server" it should happen; however, when it will be released remains uncertain. Currently, NTLM is deprecated but still active in many Windows systems, and administrators have to manage the associated risks.
Past Sins
NTLM is an authentication method that has been obsolete for decades, with well-known security issues that ransomware gangs still exploit to gain access to privileged accounts. NTLMv1 hashes in particular can be cracked easily, for example with the rainbow tables provided by Google. In addition, NTLM hashes can be used directly in pass-the-hash attacks.
Nevertheless, Microsoft is hesitant to disable the outdated protocol completely, because too many systems still depend on it. Microsoft explains that such systems may lack a direct connection to a Domain Controller, which Kerberos authentication requires, may rely on local accounts, or may have NTLM hardcoded. By the second half of 2026, however, Microsoft aims to have resolved these blockers to migrating away from NTLM: IAKerb, local Key Distribution Centers, and updates to central Windows components are intended to address them by then.
(Image: Microsoft)
The End is Near
And then it will finally happen. With the next major Windows Server version and the associated Windows clients, NTLM will be disabled by default, Microsoft now states. It will not be completely gone, however; Microsoft is preempting exaggerated expectations from the security community. The NTLM code will remain part of Windows, so admins will be able to reactivate the insecure protocol. The company has not said when this final step of the NTLM deprecation will be taken.
Those responsible for the security of Windows networks should not wait for this uncertain end, but take action now to contain the risks posed by NTLM. The heise security webinar "Understanding and Closing Security Gaps in NTLM and Kerberos" explains how to do this effectively. This matters all the more because even the designated NTLM successor, Kerberos, suffers from security problems that attackers specifically exploit, for example in Kerberoasting.
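A read-only inventory an administrator can run today to see how exposed a host is before NTLM is disabled by default, as an added example that is not part of the heise article or of Microsoft's guidance. It assumes it runs elevated on a Windows host and reads the LSA registry values that govern NTLM plus the last week of Security log logons; the registry paths, value names and event 4624 field positions are standard Windows ones.

```powershell
# Added example, not from the article. Read-only: it changes nothing.
# Assumptions: run elevated; Security auditing of logons (event 4624) is enabled.

# 1. LmCompatibilityLevel: 5 = send NTLMv2 only and refuse LM/NTLMv1 as a server.
#    Values below 3 still let this host emit the easily crackable NTLMv1 responses.
$lsa   = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$level = (Get-ItemProperty -Path $lsa -Name LmCompatibilityLevel -ErrorAction SilentlyContinue).LmCompatibilityLevel
if ($null -eq $level) { $level = 3 }   # effective default on current Windows when the value is absent
Write-Host "LmCompatibilityLevel = $level (5 recommended; below 3 allows NTLMv1)"

# 2. Outgoing NTLM restriction policy: 0 = allow, 1 = audit only, 2 = deny.
$msv  = Join-Path $lsa 'MSV1_0'
$send = (Get-ItemProperty -Path $msv -Name RestrictSendingNTLMTraffic -ErrorAction SilentlyContinue).RestrictSendingNTLMTraffic
if ($null -eq $send) { $send = 'not set (0 = allow)' }
Write-Host "RestrictSendingNTLMTraffic = $send (0 allow, 1 audit, 2 deny)"

# 3. Successful logons in the last 7 days that used NTLM, grouped by NTLM version.
#    Event 4624 property positions: 5 TargetUserName, 6 TargetDomainName,
#    10 AuthenticationPackageName, 14 LmPackageName ('NTLM V1' / 'NTLM V2'), 18 IpAddress.
$since = (Get-Date).AddDays(-7)
$ntlm  = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4624; StartTime = $since } -ErrorAction SilentlyContinue |
    Where-Object { $_.Properties[10].Value -eq 'NTLM' } |
    ForEach-Object {
        [pscustomobject]@{
            Version = $_.Properties[14].Value
            Account = '{0}\{1}' -f $_.Properties[6].Value, $_.Properties[5].Value
            Source  = $_.Properties[18].Value
        }
    }

Write-Host "NTLM logons by version (last 7 days):"
$ntlm | Group-Object Version | Select-Object Name, Count | Format-Table -AutoSize

# Anything reported as 'NTLM V1' is the crackable variant; trace it to its source host
# and migrate or block it before Microsoft's default flips.
Write-Host "Accounts and sources still using NTLMv1:"
$ntlm | Where-Object { $_.Version -eq 'NTLM V1' } | Select-Object Account, Source -Unique | Format-Table -AutoSize
```

Run it on a sample of member servers first; hosts with no 4624 events in the window simply print empty tables, which means auditing is off rather than that NTLM is unused.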
(ju)