Microsoft wants to remove NTLM from Windows 11. The operating system should then fully switch to Kerberos as the authentication protocol, with new fallback methods in case Kerberos doesn’t work properly. Kerberos will be added so that it also works locally in the future.

Microsoft writes In a blog post He wants to get rid of NT Lan Manager, or NTLM, in the long term. Microsoft says there is currently no specific plan for this. The company initially plans to add more NTLM management options that will allow system administrators to monitor how often NTLM is used. For example, logs become more granular and administrators are given the option to deploy NTLM more specifically to each user or set up specific exception rules.

Not only officials, but Microsoft also wants to get more of these insights. The company says it takes a “data-driven approach” to determine “when it is safe to disable the use of NTLM.” In the future, the protocol should be disabled by default, but according to Microsoft, there remains an option to re-enable it. Microsoft recommends that administrators and developers determine where they still use NTLM. The company says that this may also be built into apps and developers should also pay attention to this. Microsoft will also do this for Windows 11; These components are replaced by a dynamic component that primarily handles Kerberos.

NT Lan Manager is an authentication protocol in Windows, but it has not been used as a standard for years. Kerberos has had this role since 2000, but NTLM has many advantages that Kerberos cannot handle. The main reason is that NTLM is the only protocol supported for local accounts, but NTLM also does not require a local connection to a domain controller. In cases where these connections are the only options, Windows still automatically resorts to NTLM.

Microsoft says there will be alternatives to these processes in Windows 11. One of these alternatives is IAKerb, which stands for Initial and Passive Authentication Using Kerberos. This allows a client without a connection to a domain controller to continue establishing such a connection by performing a Windows handshake. There will also be a local Kerberos key distribution center from which remote authentication can be performed.