Microsoft confirms NTLM is dead beyond Windows 11 24H2 and Server 2025


Back in October last year, Microsoft expressed its desire to eventually disable NTLM authentication. The company on its official website has updated the list of deprecated Windows features where it has now added NTLM or New Technology Lan Manager. These will include all versions of NTLM including LANMAN, NTLMv1 and NTLMv2.

However, alongside that, the tech giant has also added that it would continue to work on the "next release of Windows Server and the next annual release of Windows" which means NTLM authentication will function on the 2024 update for Windows 11, version 24H2, and on Windows Server 2025. Microsoft is currently ensuring system requirements compatibility for the two operating systems.

The company writes:

All versions of NTLM, including LANMAN, NTLMv1, and NTLMv2, are no longer under active feature development and are deprecated. Use of NTLM will continue to work in the next release of Windows Server and the next annual release of Windows.

Calls to NTLM should be replaced by calls to Negotiate, which will try to authenticate with Kerberos and only fall back to NTLM when necessary.

Earlier Microsoft had explained that the reason behind the move was to enhance the security of authentication as more modern protocols like Kerberos are better in that regard. The company has now recommended the use of Negotiate protocol such that it will only fall back to NTLM when Kerberos is not available.

In many cases, applications should be able to replace NTLM with Negotiate using a one-line change in their AcquireCredentialsHandle request to the SSPI. One known exception is for applications that have made hard assumptions about the maximum number of round trips needed to complete authentication. In most cases, Negotiate will add at least one additional round trip. Some scenarios may require additional configuration.

For those wondering about how old NTLM is, the technology has been around since 1993 when it was added in Windows NT 3.1. Kerberos, although more "modern" has also been around since Windows 2000 Service Pack 4 (SP4).

Sayan Sen · Jun 4, 2024 04:42 EDT