Microsoft is phasing out the NTLM protocol in Windows 11 to improve security. NTLM is a legacy authentication protocol that has been known to have security vulnerabilities. It is being replaced by IAKerb, a new authentication protocol that is more secure and easier to use.
IAKerb is integrated into the Security Account Manager of the local machine, enabling remote authentication using Kerberos. It facilitates the transmission of Kerberos messages between machines without the need for additional support for enterprise services like DNS, netlogon, or DCLocator. Additionally, IAKerb does not require the opening of new ports on the remote machine to accept Kerberos messages.
While NTLM will remain accessible as a fallback option to maintain compatibility, administrators will have more control over monitoring and restricting NTLM within their network. Microsoft’s ultimate goal is to reduce the use of NTLM and eventually disable it in Windows 11.
Impact on Windows 11 users:
Windows 11 users will need to be aware of the phasing out of NTLM and make the necessary changes to their systems. Administrators can start by disabling NTLM or protecting their servers from NTLM relay attacks using Active Directory Certificate Services (AD CS).
Users should also be prepared for the possibility that some applications may not yet support IAKerb. If you encounter any issues, you may need to contact the application developer for support.
Overall, the phasing out of NTLM is a positive step for security. IAKerb is a more secure and easier-to-use authentication protocol, and its adoption will help to protect Windows 11 users from cyberattacks.
