
NTLM Sunset Questions - Need More Info Please

Tarvin, Brandie 116 Reputation points
2026-04-16T17:29:11.3833333+00:00

I heard that Microsoft will be deprecating and finally killing NTLM connections. Research tells me as of Server 2025, there are inactive artifacts for Local KDC, and everything I've read seems to indicate a 2-year time frame to implement this. Please correct me if I'm wrong on that.

My question revolves around whether this will go back to older versions of Windows server or not. Will Local KDC be available for older versions of Windows Server? Or will NTLM just stop working one day?

It would be helpful if consumers could have more information on timelines, what products will or will not be involved, etc. so we could all start working on verification and transition plans. Is there a source of information, a webpage perhaps, where Microsoft has and will continue to post updates on this journey?

Windows for business | Windows Server | User experience | Other

Answer accepted by question author

  1. VPHAN 30,935 Reputation points Independent Advisor
    2026-04-16T18:10:01.84+00:00

    Hi Tarvin, Brandie,

    Microsoft has officially announced the deprecation of NTLM, which signifies an end to active development rather than an immediate removal from the ecosystem. Your legacy applications and older servers will not lose NTLM functionality unexpectedly, as Microsoft's deprecation process is designed to span multiple years to ensure enterprise stability. NTLM will remain fully operational in your current environment until your organization explicitly decides to disable it through local or domain policy changes.

    The new Local Key Distribution Center and IAKerb features are being introduced specifically in Windows 11 and Windows Server 2025 to enable Kerberos authentication for local accounts. Because these features require fundamental changes to the underlying security architecture, they will not be backported to older operating systems like Windows Server 2019 or 2022. Your older servers will continue relying on standard Kerberos for domain accounts and NTLM as the fallback protocol. To safely prepare for the eventual transition, you should map out legacy dependencies by enabling NTLM auditing. You can do this by navigating through Group Policy to Computer Configuration, Windows Settings, Security Settings, Local Policies, Security Options, and configuring the policy named Network security: Restrict NTLM: Audit Incoming NTLM Traffic. Reviewing the resulting Event ID 8004 in your Windows Event Viewer will help you identify exactly which applications and devices still rely on the older protocol.

    For official timelines and ongoing guidance, you should bookmark and monitor the Microsoft Learn article titled The evolution of Windows authentication. This dedicated hub is where the Microsoft engineering team will continue to post enforcement dates, changes to insider builds, and transition resources for administrators mapping out their infrastructure upgrades.

    Hope this answer brought you some useful information. If it did, please hit “accept answer”. Should you have any questions, feel free to leave a comment.

    VP

    1 person found this answer helpful.
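The auditing step the answer describes, as an added PowerShell example that is not part of the answer or of any Microsoft documentation: it switches on the "Audit Incoming NTLM Traffic" setting on one server through its registry-backed value and then summarizes the Restrict NTLM events (8001 through 8004, of which the answer points at 8004) from the NTLM Operational log. Assumptions: it runs elevated; the policy is backed by the `AuditReceivingNTLMTraffic` DWORD under `Lsa\MSV1_0` (0 = off, 1 = domain accounts, 2 = all accounts); the function names and the seven-day window are this example's own choices.

```powershell
# Added example, not the answer's own procedure. Assumes an elevated session.
# A domain GPO that sets the same policy will overwrite this local value at the
# next policy refresh, so for production set it in Group Policy as the answer says
# and use the local write here only on a lab or stand-alone server.

$LsaKey     = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0'
$AuditValue = 'AuditReceivingNTLMTraffic'   # backs "Restrict NTLM: Audit Incoming NTLM Traffic"

function Enable-NtlmIncomingAudit {
    # 2 = audit NTLM for all accounts (local and domain), the most complete inventory.
    param([ValidateSet(0, 1, 2)][int]$Mode = 2)

    if (-not (Test-Path $LsaKey)) { New-Item -Path $LsaKey -Force | Out-Null }
    Set-ItemProperty -Path $LsaKey -Name $AuditValue -Value $Mode -Type DWord
    # Return the value actually stored so the caller can confirm nothing reset it.
    (Get-ItemProperty -Path $LsaKey -Name $AuditValue).$AuditValue
}

function Get-NtlmAuditSummary {
    # Counts Restrict NTLM audit events per ID over the last $Days days.
    param([int]$Days = 7)

    $filter = @{
        LogName   = 'Microsoft-Windows-NTLM/Operational'
        Id        = 8001, 8002, 8003, 8004
        StartTime = (Get-Date).AddDays(-$Days)
    }
    # Get-WinEvent throws when the filter matches nothing; treat that as an empty result.
    $events = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue
    if (-not $events) {
        Write-Warning "No Restrict NTLM audit events in the last $Days day(s); verify the policy applied and that NTLM traffic actually reached this host."
        return
    }
    $events | Group-Object -Property Id | ForEach-Object {
        [pscustomobject]@{
            EventId = [int]$_.Name
            Count   = $_.Count
            # Get-WinEvent returns newest first, so the first group member is the latest.
            Latest  = ($_.Group | Select-Object -First 1).TimeCreated
        }
    } | Sort-Object EventId
}

function Export-NtlmAuditDetail {
    # Writes every matching event with its full message to CSV; the message text names
    # the accounts, workstations and target services that still negotiate NTLM, which is
    # the dependency list the answer says to build before restricting the protocol.
    param([int]$Days = 7, [string]$Path = "$env:TEMP\ntlm-audit-$(Get-Date -Format yyyyMMdd).csv")

    $filter = @{
        LogName   = 'Microsoft-Windows-NTLM/Operational'
        Id        = 8001, 8002, 8003, 8004
        StartTime = (Get-Date).AddDays(-$Days)
    }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, Id, MachineName, Message |
        Export-Csv -Path $Path -NoTypeInformation -Encoding UTF8
    $Path
}

# Usage: enable auditing, leave it running long enough to cover monthly or
# quarterly jobs, then summarize and export.
Enable-NtlmIncomingAudit -Mode 2
Get-NtlmAuditSummary -Days 7 | Format-Table -AutoSize
Export-NtlmAuditDetail -Days 7
```

Audit mode only records; it does not refuse any logon, so it is safe to leave on for weeks. Run the inventory long enough to catch infrequent scheduled tasks and service accounts, because a dependency that authenticates once a month will not show up in a one-day sample, and only move the policy from audit to deny after the export comes back empty.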

1 additional answer

  1. VPHAN 30,935 Reputation points Independent Advisor
    2026-04-18T06:57:57.21+00:00

    Hi Tarvin, Brandie,

    How is your issue going? Has it been resolved yet? If it has, please consider accepting the answer as it helps others sharing the same problem benefit too. Thank you :)

    VP

