For the past few years, Microsoft has been phasing out NTLM in Windows in favor of Kerberos-based alternatives. Starting with the next versions of client and server editions of Windows, Microsoft will also be disabling the legacy authentication protocol by default. In the latest security baseline package for Windows Server 2025, the company is already allowing customers to audit incoming configurations. Now, it has announced a wave of changes to further reduce dependencies on NTLM.
With an upcoming Insider release of Windows 11 client and server, certain scenarios which previously required NTLM will be able to fall back on Initial and Pass-Through Authentication using Kerberos (IAKerb) and Local Key Distribution Center (LocalKDC).
↫ Usama Jawad at Neowin
I’m sure this is very important to “IT Pros”.
The “IT Pros” use Active Directory running on Domain Controllers which have been using Kerberos for decades. The primary use case for NTLM has been local accounts. Windows Kerberos required communication with a Domain Controller (server) on the network. These changes relax that requirement, making it possible to also use Kerberos for local accounts and other scenarios where a Domain Controller was not possible.