Various versions of Windows have used Kerberos as their primary authentication protocol for over 20 years. However, in certain cases, the operating system must use another method, such as NTLM (NT LAN Manager).
NTLM is an older authentication protocol from Microsoft and was replaced by Kerberos in Windows 2000. However, NTLM is still used to store Windows passwords locally or in the NTDS.dit file in Active Directory domain controllers. NTLM is now considered insecure and contains many serious security vulnerabilities.
Back in October last year, Microsoft officially announced that the company was planning to expand its use of Kerberos, with the ultimate goal of completely eliminating the use of NTLM on Windows, specifically starting on Windows 11 and beyond.
The company has posted on its official website an updated list of deprecated Windows features, which now includes NTLM (New Technology Lan Manager). The announcement covers all versions of NTLM including LANMAN, NTLMv1, and NTLMv2.
By June this year, Microsoft confirmed that it plans to discontinue NTLM support after Windows 11 24H2 and Windows Server 2025 and thus the feature will no longer be available in future versions of Windows client and server.
Today, Microsoft began removing NTLM on Windows 11 24H2 and Windows Server 2025, announcing that NTLMv1 has been removed from the aforementioned Windows versions.
Microsoft previously explained that the reason behind this move was to improve the security of authentication, as more modern protocols like Kerberos would provide better protection. The company now recommends using the Negotiate protocol to ensure that NTLM is only used when Kerberos is not available.
Microsoft has updated the notice on its end of support feature page to read as follows:
All versions of NTLM, including LANMAN, NTLMv1, and NTLMv2, are no longer in active feature development and have been deprecated. Use of NTLM will continue to be maintained in the next release of Windows Server and the next annual release of Windows. Calls to NTLM should be replaced with calls to Negotiate, which will attempt to authenticate using Kerberos and only fallback to NTLM when necessary.
[Update - November 2024]: NTLMv1 has been removed starting with Windows 11 version 24H2 and Windows Server 20205.
NTLM is commonly used by businesses and organizations for Windows authentication, as it "does not require a local network connection to a Domain Controller". It is also "the only protocol supported when using a local account" and "works even if you don't know what the target server is".
These benefits have led to some applications and services hardcoding NTLM instead of switching to more modern authentication protocols such as Kerberos. Kerberos provides a better level of security and is more scalable than NTLM. That is why Kerberos is now the preferred default protocol in Windows environments.
The problem is that while businesses can disable NTLM for authentication, those hard-wired applications and services can still have problems. This is why Microsoft has added a number of new authentication features to Kerberos. These changes are being rolled out so that Kerberos will eventually become the sole Windows authentication protocol.
In addition to NTLMv1, another security feature has also been removed on Windows 11 24H2. Microsoft has confirmed that Windows Information Protection (WIP) or enterprise data protection (EDP) is being removed from the Windows environment. This feature was intended to protect against accidental data leaks.
Discover how to use Windows 11 Quick Assist for seamless remote support. Learn step-by-step setup, troubleshooting, and tips to help friends or family with tech issues instantly.
Struggling with dual monitor lag on Windows 11? Discover proven troubleshooting fixes to eliminate stuttering, delays, and performance issues for seamless multi-monitor setups. Step-by-step guide inside.
Struggling with the frustrating Windows 11 "Startup Settings" blank error? Discover proven, step-by-step fixes to restore your boot options quickly and get your PC running smoothly again. No tech expertise needed!
Discover how to activate Windows 11 Enterprise using KMS effortlessly. This comprehensive guide covers everything from requirements to troubleshooting, ensuring seamless activation for your business needs.
Struggling with the dreaded KMODE EXCEPTION NOT HANDLED error on Windows 11? Discover proven, step-by-step fixes to resolve this blue screen nightmare quickly and get your PC running smoothly again. No tech expertise needed!
Struggling with Windows 11 "Motherboard" Driver Error? Discover proven troubleshooting steps to fix it fast and get your PC running smoothly again. Easy, step-by-step guide for beginners.
Struggling with ping spikes on Windows 11 over Wi-Fi? Discover proven fixes to stabilize your connection, reduce lag, and enjoy smooth gaming or streaming. Step-by-step solutions for instant results.
Accidentally deleted precious photos? Discover proven methods to recover deleted photos in Windows 11 effortlessly. Step-by-step guides, tools, and tips to restore your images safely.
Discover how to use Windows 11 Terminal instead of CMD for a modern, efficient command-line interface. Learn installation, setup, and tips to boost your productivity with tabs, themes, and more.
Discover safe, legitimate ways to activate Windows 11 Pro without a product key. Learn step-by-step methods using built-in tools and official Microsoft options to get your OS up and running smoothly. No risks, no hassle – just pure productivity.
