  • Microsoft is making an important security change in Windows soon

    Karlston

    Microsoft has revealed new Windows authentication capabilities designed to reduce NTLM reliance as broader security changes move closer.

    For the past few years, Microsoft has been phasing NTLM out of Windows in favor of Kerberos-based alternatives. Starting with the next client and server releases of Windows, Microsoft will also disable the legacy authentication protocol by default. In the latest security baseline package for Windows Server 2025, the company already lets customers audit incoming NTLM authentication so they can see where it is still in use. Now it has announced a further set of changes to reduce dependencies on NTLM.

     

    With an upcoming Insider release of Windows 11 client and server, certain scenarios which previously required NTLM will be able to fall back on Initial and Pass-Through Authentication using Kerberos (IAKerb) and Local Key Distribution Center (LocalKDC).

     

    For those unaware, IAKerb enables Kerberos to work when a client does not have direct access to a domain controller (DC). While traditional Kerberos authentication requires the client to reach a DC itself, IAKerb lets the target service act as a proxy for the Kerberos exchange. It is useful in enterprise scenarios where visibility of DCs is restricted, or where clients can reach target services but not the relevant DCs.

     

    Meanwhile, LocalKDC enables Kerberos-based authentication for local account scenarios, rather than relying on NTLM. This makes it especially useful on standalone devices, workgroup environments, and more.

     

    Together, IAKerb and LocalKDC reduce NTLM dependency in both remote enterprise and local scenarios. Developers will also be able to rely on modern authentication flows that are consistent and secure. Microsoft understands that while most customers are pivoting away from NTLM due to security concerns, others continue to use the legacy protocol for niche use cases. It hopes that IAKerb and LocalKDC will help close some of those gaps and enable organizations to ditch NTLM.

     

    With the next Canary Channel release in the Windows Insider Program, Microsoft will be previewing these capabilities. IAKerb will be enabled by default while LocalKDC will be disabled, but users will be able to toggle this behavior through Windows Registry keys, as explained in Microsoft's announcement.

     

    As the company gradually moves towards general availability, it will begin surfacing these options in management tools and Group Policy too. For now, Microsoft has strongly encouraged customers still using NTLM to begin testing and validating these capabilities as soon as they become available in the next preview.

     

    Source


    Hope you enjoyed this news post. Feedback welcome.

    Posted Thursday 4 June 2026 at 8:26 am AEST (my time).

    News posts: 2023 5,800+ | 2024 5,700+ | 2025 5,700+ | 2026 (to end of May) 2,092

    RIP Matrix
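The post mentions auditing incoming NTLM and asks customers still on NTLM to start testing. The first practical step is knowing which accounts and hosts still authenticate with NTLM against your servers. The following is an added example and not code from the article or from Microsoft: it summarises successful logons (Security event 4624) by authentication package, which is the field that distinguishes NTLM (and which NTLM version) from Kerberos. It runs offline on constructed event XML embedded below; the function name, sample accounts and addresses are this example's own assumptions, and the live command at the end needs an elevated session.

```powershell
# Added example, not part of the article: find who is still authenticating with NTLM.
# Security event 4624 records the authentication package of every successful logon,
# so inbound NTLM use shows up in the target machine's Security log. Servers are the
# interesting place to look: clients fall back to NTLM when they cannot reach a DC,
# which is the gap IAKerb is meant to cover, and local-account logons on standalone
# boxes are what LocalKDC is meant to cover.

function Get-NtlmLogonSummary {
    param(
        # Event XML strings, as returned by (Get-WinEvent ...).ToXml()
        [Parameter(Mandatory)] [string[]] $EventXml
    )

    $ntlmLogons = foreach ($text in $EventXml) {
        $ev = [xml]$text
        if ("$($ev.Event.System.EventID)" -ne '4624') { continue }

        # Flatten <Data Name="...">value</Data> into a hashtable keyed by Name.
        $data = @{}
        foreach ($d in $ev.Event.EventData.Data) {
            $data[$d.GetAttribute('Name')] = $d.InnerText
        }

        # Kerberos logons report AuthenticationPackageName = Kerberos and LmPackageName = '-'.
        # NTLM logons (including Negotiate that settled on NTLM) report 'NTLM V1' / 'NTLM V2'.
        $isNtlm = ($data['AuthenticationPackageName'] -eq 'NTLM') -or ($data['LmPackageName'] -like 'NTLM*')
        if (-not $isNtlm) { continue }

        [pscustomobject]@{
            Account     = '{0}\{1}' -f $data['TargetDomainName'], $data['TargetUserName']
            Workstation = $data['WorkstationName']
            SourceIp    = $data['IpAddress']
            LogonType   = [int]$data['LogonType']   # 3 = network, 2 = interactive, 10 = RDP ...
            NtlmVersion = $data['LmPackageName']    # 'NTLM V1' is the first thing to remove
        }
    }

    # One row per account / source host / NTLM version, busiest first.
    $ntlmLogons |
        Group-Object -Property { '{0}|{1}|{2}' -f $_.Account, $_.Workstation, $_.NtlmVersion } |
        ForEach-Object {
            $first = $_.Group[0]
            [pscustomobject]@{
                Account     = $first.Account
                Workstation = $first.Workstation
                SourceIp    = ($_.Group.SourceIp | Sort-Object -Unique) -join ','
                NtlmVersion = $first.NtlmVersion
                Logons      = $_.Count
            }
        } |
        Sort-Object Logons -Descending
}

# Constructed sample events (trimmed to the fields used), assumed for this example:
# two NTLMv2 network logons by a service account, one NTLMv1 logon from a printer
# using a local account, and one Kerberos logon that must be ignored.
function New-SampleEventXml {
    param([string]$User, [string]$Domain, [string]$Workstation,
          [string]$Ip, [string]$Package, [string]$LmPackage)
    @"
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><EventID>4624</EventID></System>
  <EventData>
    <Data Name="TargetUserName">$User</Data>
    <Data Name="TargetDomainName">$Domain</Data>
    <Data Name="LogonType">3</Data>
    <Data Name="AuthenticationPackageName">$Package</Data>
    <Data Name="WorkstationName">$Workstation</Data>
    <Data Name="LmPackageName">$LmPackage</Data>
    <Data Name="IpAddress">$Ip</Data>
  </EventData>
</Event>
"@
}

$sample = @(
    New-SampleEventXml -User 'svc-backup' -Domain 'CORP'      -Workstation 'BACKUP01'  -Ip '10.0.5.20' -Package 'NTLM'     -LmPackage 'NTLM V2'
    New-SampleEventXml -User 'svc-backup' -Domain 'CORP'      -Workstation 'BACKUP01'  -Ip '10.0.5.20' -Package 'NTLM'     -LmPackage 'NTLM V2'
    New-SampleEventXml -User 'scanner'    -Domain 'FILESRV01' -Workstation 'MFP-LOBBY' -Ip '10.0.9.7'  -Package 'NTLM'     -LmPackage 'NTLM V1'
    New-SampleEventXml -User 'alice'      -Domain 'CORP'      -Workstation 'WS-ALICE'  -Ip '10.0.1.50' -Package 'Kerberos' -LmPackage '-'
)

Get-NtlmLogonSummary -EventXml $sample | Format-Table -AutoSize

# Live use on a server (elevated; reading the Security log needs admin rights):
# $live = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4624 } -MaxEvents 20000 |
#         ForEach-Object { $_.ToXml() }
# Get-NtlmLogonSummary -EventXml $live | Format-Table -AutoSize
```

Run against the sample, the Kerberos row drops out and two rows remain: the service account with two NTLMv2 logons and the local printer account with one NTLMv1 logon. On a real server, rows whose Account domain is the server's own name are local-account logons (the LocalKDC case), rows from domain accounts are candidates for IAKerb or a plain Kerberos fix (usually a missing SPN or an IP address used instead of a hostname), and anything reporting NTLM V1 should be fixed before the default flips.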

