February 5, 2026
Analyst Report
NTLM to Be Disabled in Future Releases
- NTLM will be disabled by default in the next versions of Windows Server and client.
- New tools and documentation, rolling out throughout 2026, are intended to help ease the transition.
- With roughly two years to plan, customers should start now to avoid last-minute scrambling.
NTLM will be disabled by default, although customers will be able to apply policy settings to reenable it. NTLM has largely been replaced by more secure authentication methods, such as Kerberos, but has been enabled by default as a fallback for legacy systems and applications. With the next version of Windows Server expected in 2027 or 2028, customers have roughly two years to plan for the change, and Microsoft is promising additional tools and documentation over the course of 2026.
Why NTLM’s Time Has Come
By any standards, NTLM is old. It was initially released in 1993 as part of Windows NT 3.1, well before the rise of modern cybersecurity attacks. Thirty years later, it’s cryptographically weak and vulnerable to numerous modern attack methods, including replay and pass-the-hash attacks. Kerberos has been the default authentication method since Windows 2000, with NTLM acting as a fallback for scenarios where Kerberos couldn’t be used.