Upcoming Major Security Update: Microsoft’s Important Change to Windows

Microsoft has announced important updates regarding Windows authentication, focusing on modernizing its security protocols by reducing reliance on the outdated NTLM (NT LAN Manager). For years, Microsoft has been transitioning away from NTLM, promoting Kerberos-based alternatives as a more secure option. With the forthcoming versions of both client and server editions of Windows, the company will also disable NTLM by default—a significant move in their ongoing efforts to enhance security.

In the latest update to the security baseline package for Windows Server 2025, organizations can audit the incoming configuration changes and prepare for them ahead of time. A key feature being introduced is a fallback from NTLM to Initial and Pass-Through Authentication using Kerberos (IAKerb) and a Local Key Distribution Center (LocalKDC) in specific scenarios.

IAKerb is particularly beneficial in enterprise settings where the client cannot directly access a domain controller (DC). It allows a service to act as a proxy for Kerberos authentication, which is useful when access to DCs is restricted. LocalKDC enables a Kerberos-based authentication process for local accounts, eliminating the need for NTLM, especially in standalone devices and workgroup environments.

By implementing IAKerb and LocalKDC, Microsoft aims to minimize the dependency on NTLM for both remote and local environments. As organizations continue to phase out NTLM due to its security vulnerabilities, Microsoft believes these advancements will address some of the lingering use cases and offer a path for full adoption of modern authentication.

The upcoming Insider release of Windows 11 will showcase these features, with IAKerb enabled by default and LocalKDC available for toggling via Windows Registry keys. As Microsoft prepares for general availability, they will start incorporating these options into management tools and Group Policy, urging current NTLM users to begin testing these new security functionalities as they roll out.
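Before NTLM is switched off by default, the first job for a defender is to find out who still uses it. The following PowerShell is an added example, not code from the article or from Microsoft: it turns on the standard NTLM audit settings (the registry values behind the "Network security: Restrict NTLM: Audit ..." policies) and summarizes NTLM logons from the Security log so the remaining dependencies can be tested against IAKerb and LocalKDC. Run it in an elevated session; the 7-day window is an arbitrary choice.

```powershell
# Added example: inventory NTLM usage on a host before NTLM is disabled by default.
# Requires an elevated session. Audit-only settings; nothing is blocked.

# 1. Enable NTLM auditing. These are the registry values the Group Policy
#    "Network security: Restrict NTLM: Audit ..." settings write to.
$lsa = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0'
Set-ItemProperty -Path $lsa -Name 'AuditReceivingNTLMTraffic' -Value 2 -Type DWord  # 2 = audit all accounts
Set-ItemProperty -Path $lsa -Name 'RestrictSendingNTLMTraffic' -Value 1 -Type DWord # 1 = audit outgoing NTLM

# 2. Summarize NTLM logons from Security event 4624 (present without extra auditing).
function Get-NtlmLogonSummary {
    param([int]$Days = 7)
    $since  = (Get-Date).AddDays(-$Days)
    $events = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4624; StartTime = $since } `
                           -ErrorAction SilentlyContinue
    $rows = foreach ($e in $events) {
        # Parse the event XML by field name rather than relying on positional indexes.
        $x = [xml]$e.ToXml()
        $d = @{}
        foreach ($f in $x.Event.EventData.Data) { $d[$f.Name] = $f.'#text' }
        if ($d.AuthenticationPackageName -eq 'NTLM') {
            [pscustomobject]@{
                Time        = $e.TimeCreated
                Account     = "$($d.TargetDomainName)\$($d.TargetUserName)"
                LogonType   = $d.LogonType          # 3 = network, 10 = RDP, 2 = interactive
                Source      = $d.IpAddress
                Workstation = $d.WorkstationName
                LmPackage   = $d.LmPackageName      # NTLM V1 vs NTLM V2
            }
        }
    }
    # One line per (account, source, NTLM version), most frequent first:
    # these are the clients and services to test with IAKerb / LocalKDC.
    $rows | Group-Object Account, Source, LmPackage |
        Sort-Object Count -Descending |
        Select-Object Count, Name
}

Get-NtlmLogonSummary -Days 7

# 3. Once step 1 is active, the NTLM operational log records each NTLM
#    authentication: 8001 = outgoing from this host, 8002 = incoming to this host.
Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-NTLM/Operational'; Id = 8001, 8002 } `
             -MaxEvents 50 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, Message
```

On a domain controller the same operational log also carries 8003 and 8004 for domain-account NTLM authentication, which gives the domain-wide picture rather than a single host's.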


Posted

in

by

Tags: