NTLM Migration to Kerberos


31 August 2025, by Rached Chader


Introduction

NTLM is a legacy Windows authentication protocol, vulnerable to relay, brute force and pass-the-hash attacks.
Microsoft has announced its progressive deprecation in Windows 11 and Windows Server 2025.

To avoid outages, it is essential to:

  • Audit the actual use of NTLM in your environment,

  • Identify applications, servers and accounts still relying on it,

  • Implement a progressive migration plan to Kerberos,

  • Validate the switchover without disruption in production.

Prerequisites

  • Functional Active Directory (Windows Server 2016+).

  • SIEM or at least centralized Event Viewer.

  • Domain administrator rights to enable auditing.

  • Check that all DCs support Kerberos (the case for every DC since Windows Server 2008).

Field tip: run this project in controlled phases. Never press “disable NTLM” all at once.

Why migrate from NTLM to Kerberos?

  • NTLM is vulnerable to: NTLM Relay, Pass-the-Hash, Rainbow tables.

  • Kerberos provides: encrypted tickets, delegation, mutual authentication, compatibility with ADFS, Azure AD and MFA.

  • Microsoft announces: NTLM removed by 2026 → mandatory migration.

Auditing NTLM usage

Enable NTLM audit via GPO

GUI

  1. Open GPMC (Group Policy Management).

  2. Create a GPO “Audit NTLM”.

  3. Path: Computer Configuration → Windows Settings → Security Settings → Local Policies → Security Options.

  4. Setting: Network security: Restrict NTLM: Audit NTLM authentication in this domain → Enabled.

PowerShell

Check Event Logs

On the DC → Event Viewer →
Applications and Services Logs → Microsoft → Windows → NTLM → Operational

  • Event ID 4002: NTLM authentication used.

  • Event ID 4003: NTLM blocked.

PowerShell

Analysis and identification of dependencies

  • Legacy applications (IIS, SQL, printers, appliances).

  • SMB shares using NTLM fallback.

  • Non-domain machines → often NTLM.

  • Misconfigured service accounts.

Build a precise map: who uses NTLM, why, and with which server.

Progressive migration plan

Step 1 – Audit Phase (read-only)

  • Leave GPO in Audit only mode.

  • Consolidate NTLM logs → identify TOP 20 sources.

  • Document sensitive applications.
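The PowerShell below is an added example for the "Check Event Logs" step and for this consolidation step; it is not the toolkit's Audit-NTLM.ps1 or Analyse-NTLM.ps1. It reads the NTLM/Operational log from every domain controller, flattens each event's EventData fields into columns (field names differ between event IDs, so the workstation/user columns are picked by wildcard, which is an assumption), exports the raw rows for your SIEM, and ranks the TOP 20 sources. Requires the ActiveDirectory module and read access to the DC event logs.

```powershell
#Requires -Modules ActiveDirectory
# Added example: pull the NTLM/Operational log from every DC, flatten each
# event's EventData into columns, then rank the noisiest sources.
$Since = (Get-Date).AddDays(-7)
$Log   = 'Microsoft-Windows-NTLM/Operational'
$DCs   = (Get-ADDomainController -Filter *).HostName

function ConvertTo-FlatEvent {
    # Turns one EventLogRecord into a flat object: time, DC, Id, plus every
    # <Data Name="..."> element of EventData as its own property.
    param([Parameter(Mandatory, ValueFromPipeline)]$Event)
    process {
        $xml = [xml]$Event.ToXml()
        $row = [ordered]@{
            TimeCreated = $Event.TimeCreated
            DC          = $Event.MachineName
            Id          = $Event.Id
        }
        foreach ($d in $xml.Event.EventData.Data) {
            if ($d.Name) { $row[$d.Name] = $d.'#text' }
        }
        [pscustomobject]$row
    }
}

$events = foreach ($dc in $DCs) {
    try {
        Get-WinEvent -ComputerName $dc -ErrorAction Stop `
            -FilterHashtable @{ LogName = $Log; StartTime = $Since } |
            ConvertTo-FlatEvent
    } catch {
        # "No events were found" lands here too: that DC simply saw no NTLM
        Write-Warning "$dc : $($_.Exception.Message)"
    }
}

# Keep the raw rows: this is what you consolidate (share, SIEM, spreadsheet)
$events | Export-Csv -Path ".\ntlm-audit-$(Get-Date -Format yyyyMMdd).csv" -NoTypeInformation

# 1) Volume per event ID and per DC
$events | Group-Object Id, DC | Sort-Object Count -Descending |
    Select-Object Count, Name | Format-Table -AutoSize

# 2) TOP 20 sources (workstation\user). Assumption: the DC-side audit events
#    carry a *Workstation* and a *User*Name* field; rows without either are skipped.
$top = $events | ForEach-Object {
    $ws = ($_.PSObject.Properties | Where-Object Name -like '*Workstation*' | Select-Object -First 1).Value
    $us = ($_.PSObject.Properties | Where-Object Name -like '*User*Name*'  | Select-Object -First 1).Value
    if ($ws -or $us) { "$ws\$us" }
} | Group-Object | Sort-Object Count -Descending | Select-Object -First 20 Count, Name
$top | Format-Table -AutoSize
```

Run it from a management host with the RSAT AD module; the CSV is the "precise map" of who still uses NTLM and against which DC, and the two tables are the inputs for the dependency analysis above.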

Step 2 – Block NTLM by scope

GUI (GPO)

  • Network security: Restrict NTLM: NTLM authentication in this domain → Deny for domain accounts.

PowerShell

First enable it on a pilot OU (e.g. internal IT users).
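The following PowerShell is an added example for the two "PowerShell" steps (audit GPO and restriction GPO); it is not the toolkit's Create-GPO-Audit-NTLM.ps1, Create-GPO-Restrict-NTLM.ps1 or Link-GPO.ps1. One caveat a practitioner should know: the "Network security: Restrict NTLM: NTLM authentication in this domain" setting is evaluated by the domain controllers, so linking that GPO to an OU of users does not scope it to a pilot. The example therefore pilots with the per-computer "Outgoing NTLM traffic to remote servers" setting on an OU of pilot computers, and keeps the domain-wide deny (linked to the Domain Controllers OU) as the final, commented-out step. The pilot OU name and the exception host name are placeholders; the registry keys and values are the ones these policy settings write.

```powershell
#Requires -Modules GroupPolicy, ActiveDirectory
# Added example (not the toolkit's Create-GPO-*.ps1): create the audit GPO for the
# domain controllers and a restriction GPO for a pilot OU of computers.
# Placeholders to adapt: $PilotOU and the exception host name.
Import-Module GroupPolicy, ActiveDirectory

$DomainDN = (Get-ADDomain).DistinguishedName
$DcOU     = "OU=Domain Controllers,$DomainDN"
$PilotOU  = "OU=IT-Pilot-Computers,$DomainDN"      # placeholder: the pilot machines

# Registry values written by the "Network security: Restrict NTLM" settings.
#  Domain-wide settings, evaluated by the DCs:
#   Netlogon\Parameters\AuditNTLMInDomain     0 Disable, 1 domain accounts to domain servers,
#                                             3 domain accounts, 5 domain servers, 7 Enable all
#   Netlogon\Parameters\RestrictNTLMInDomain  same scale, 3 = Deny for domain accounts, 7 = Deny all
#  Per-computer settings, evaluated by the machine the GPO applies to:
#   MSV1_0\RestrictSendingNTLMTraffic         0 Allow all, 1 Audit all, 2 Deny all
#   MSV1_0\RestrictReceivingNTLMTraffic       0 Allow all, 1 Deny domain accounts, 2 Deny all
#   MSV1_0\ClientAllowedNTLMServers           MULTI_SZ exception list for outgoing NTLM
$NetlogonKey = 'HKLM\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters'
$Msv1Key     = 'HKLM\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0'

function Set-NtlmPolicyGpo {
    # Creates (or reuses) a GPO, writes one DWord setting and links it once to the target.
    param(
        [Parameter(Mandatory)][string]$Name,
        [Parameter(Mandatory)][string]$Key,
        [Parameter(Mandatory)][string]$ValueName,
        [Parameter(Mandatory)][int]$Value,
        [Parameter(Mandatory)][string]$LinkTarget
    )
    if (-not (Get-GPO -Name $Name -ErrorAction SilentlyContinue)) {
        New-GPO -Name $Name -Comment 'NTLM to Kerberos migration' | Out-Null
    }
    Set-GPRegistryValue -Name $Name -Key $Key -ValueName $ValueName -Type DWord -Value $Value | Out-Null

    $linked = (Get-GPInheritance -Target $LinkTarget).GpoLinks | Where-Object DisplayName -eq $Name
    if (-not $linked) { New-GPLink -Name $Name -Target $LinkTarget -LinkEnabled Yes | Out-Null }
}

# Step 1 (audit phase): audit all NTLM authentication in the domain. Blocks nothing.
Set-NtlmPolicyGpo -Name 'Audit NTLM' -Key $NetlogonKey -ValueName 'AuditNTLMInDomain' -Value 7 -LinkTarget $DcOU

# Step 2 (pilot): deny outgoing NTLM from the pilot computers only. Whatever breaks
# here is a dependency to fix (SPN, legacy app) before the domain-wide deny.
Set-NtlmPolicyGpo -Name 'Restrict NTLM - Pilot' -Key $Msv1Key -ValueName 'RestrictSendingNTLMTraffic' -Value 2 -LinkTarget $PilotOU
# Known legacy targets the pilot still needs over NTLM (placeholder host name)
Set-GPRegistryValue -Name 'Restrict NTLM - Pilot' -Key $Msv1Key -ValueName 'ClientAllowedNTLMServers' `
    -Type MultiString -Value @('legacy-printer.corp.example') | Out-Null

# Step 3 (after a clean pilot): "Deny for domain accounts" domain-wide, on the DCs.
# Uncomment only once the pilot shows no NTLM events.
# Set-NtlmPolicyGpo -Name 'Restrict NTLM' -Key $NetlogonKey -ValueName 'RestrictNTLMInDomain' -Value 3 -LinkTarget $DcOU

# Show what the pilot GPO now contains
Get-GPRegistryValue -Name 'Restrict NTLM - Pilot' -Key $Msv1Key | Format-Table ValueName, Type, Value
```

Rollback is the same function with the value set back to 0, or simply unlinking the GPO with Remove-GPLink; the exception list is the safety valve for the appliances and printers identified during the audit phase.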

Step 3 – Migration to Kerberos

  • Switch the policies to Kerberos only.

  • Check that SPNs (Service Principal Names) are properly configured.

Example:
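As an added example (not code from the toolkit), the script below performs the SPN checks that matter for this step with the ActiveDirectory module and setspn.exe: a service with no SPN registered makes clients fall back to NTLM silently, and an SPN registered on two objects makes Kerberos fail. The host, service class and account names are placeholders.

```powershell
#Requires -Modules ActiveDirectory
# Added example: SPN hygiene checks before switching a service to Kerberos.
# Placeholders: the FQDN clients connect to, the service class, the run-as account.
param(
    [string]$ServiceFqdn    = 'webapp.corp.example',
    [string]$ServiceClass   = 'HTTP',
    [string]$ServiceAccount = 'svc-webapp'
)
Import-Module ActiveDirectory

function Get-SpnOwnerCount {
    # How many AD objects carry this exact SPN (0 = missing, 1 = OK, >1 = duplicate).
    param([Parameter(Mandatory)][string]$Spn)
    $owners = Get-ADObject -LDAPFilter "(servicePrincipalName=$Spn)" -Properties servicePrincipalName
    return ($owners | Measure-Object).Count
}

function Get-DuplicateSpn {
    # Every SPN present on more than one object in the domain (what setspn -X reports).
    $all = Get-ADObject -LDAPFilter '(servicePrincipalName=*)' -Properties servicePrincipalName
    $all | ForEach-Object {
        $obj = $_
        $obj.servicePrincipalName | ForEach-Object {
            [pscustomobject]@{ SPN = $_; Owner = $obj.DistinguishedName }
        }
    } | Group-Object SPN | Where-Object Count -gt 1
}

# Clients request HTTP/<fqdn> or HTTP/<short name> depending on the URL they use,
# so both must exist on the account the service actually runs as.
$short = $ServiceFqdn.Split('.')[0]
foreach ($spn in "$ServiceClass/$ServiceFqdn", "$ServiceClass/$short") {
    switch (Get-SpnOwnerCount -Spn $spn) {
        0       { Write-Warning "$spn is not registered: clients fall back to NTLM. Fix: setspn -S $spn $ServiceAccount" }
        1       { Write-Host    "$spn is registered once (OK)" }
        default { Write-Warning "$spn is registered on several objects: Kerberos will fail for it" }
    }
}

# Domain-wide duplicate report (empty output is the desired state)
Get-DuplicateSpn | ForEach-Object {
    Write-Warning ("Duplicate SPN {0} on: {1}" -f $_.Name, ($_.Group.Owner -join '; '))
}

# What the service account currently has registered
setspn -L $ServiceAccount
```

Document each SPN this reveals as missing before adding it, as the best-practices section below recommends; the duplicate report is the one to re-run after every application team adds its own SPNs.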

Step 4 – Post-migration validation

  • Ensure that no more Event ID 4002 appears.

  • Check Kerberos authentication:

Look at the TGT/TGS cache → tickets are Kerberos, not NTLM.
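Two ways to make this check concrete, as an added example that is not part of the original post: on a client, parse klist to confirm a Kerberos TGT (krbtgt/REALM) is cached; on a server, break down Security log 4624 logon events by authentication package, which should show Kerberos and no NTLM once the migration is complete. Assumes logon auditing is enabled on the server being checked.

```powershell
# Added example: post-migration validation.
# 1) Client side: klist must show Kerberos tickets, including a TGT for krbtgt/<REALM>.
# 2) Server side: Security event 4624 carries AuthenticationPackageName (Kerberos / NTLM)
#    and, for NTLM, LmPackageName (e.g. "NTLM V2"). Requires logon auditing.
#    On a DC, event 4776 (credential validation) is the NTLM counterpart of 4768 (TGT request).

function Get-KerberosTicketSummary {
    # Parses the "Server:" lines of klist output.
    $out     = & klist.exe 2>&1
    $servers = $out | Select-String -Pattern '^\s*Server:\s*(\S+)' |
               ForEach-Object { $_.Matches[0].Groups[1].Value }
    [pscustomobject]@{
        CachedTickets = @($servers).Count
        HasTgt        = [bool]($servers | Where-Object { $_ -like 'krbtgt/*' })
        Services      = $servers
    }
}

function Get-LogonPackageBreakdown {
    # Counts 4624 logons per authentication package on a server since $Since.
    param(
        [string]$ComputerName = $env:COMPUTERNAME,
        [datetime]$Since = (Get-Date).AddDays(-1)
    )
    $events = Get-WinEvent -ComputerName $ComputerName `
        -FilterHashtable @{ LogName = 'Security'; Id = 4624; StartTime = $Since }
    $rows = foreach ($e in $events) {
        $x = [xml]$e.ToXml()
        $d = @{}
        foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
        [pscustomobject]@{
            Package   = $d['AuthenticationPackageName']
            LmPackage = $d['LmPackageName']
            LogonType = $d['LogonType']
            Account   = "$($d['TargetDomainName'])\$($d['TargetUserName'])"
            Source    = $d['IpAddress']
        }
    }
    [pscustomobject]@{
        ByPackage   = $rows | Group-Object Package | Select-Object Name, Count
        NtlmLogons  = $rows | Where-Object Package -eq 'NTLM'   # each one is a leftover to chase
    }
}

$t = Get-KerberosTicketSummary
if (-not $t.HasTgt) { Write-Warning 'No Kerberos TGT cached on this client' }
$t | Format-List

$b = Get-LogonPackageBreakdown
$b.ByPackage | Format-Table -AutoSize
$b.NtlmLogons | Select-Object Account, Source, LogonType, LmPackage -Unique | Format-Table -AutoSize
```

The NtlmLogons list is the useful output: account, source address and logon type of every remaining NTLM logon on that server, which points straight at the application or host that still needs an SPN or a configuration change.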

Best practices for a successful migration

  • Always test on a pilot OU before generalization.

  • Communicate with application teams (SQL, IIS, SharePoint).

  • Document each SPN added.

  • Monitor DC logs for at least 1 month after the switchover.

  • Plan a rollback: re-enable NTLM if a critical incident occurs (rare, but reassuring).

Monitoring & long-term follow-up

  • Integrate the NTLM/Operational log into your SIEM.

  • Trigger an alert if NTLM is still seen after the switchover.

  • Regularly check with repadmin /showrepl and dcdiag /v that Kerberos works correctly.
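The following is an added example of the long-term check described in this section; it is not part of the toolkit. Run as a scheduled task, it writes a warning event to the Application log (which a SIEM forwarder picks up like any other event) when NTLM audit events are still seen on any DC in the last 24 hours, and an error event when repadmin /showrepl reports replication failures. The event source name and event IDs are placeholders; the column names come from repadmin's /csv output.

```powershell
#Requires -Modules ActiveDirectory
# Added example: scheduled post-switchover check. Alerts via a custom Application-log
# event when NTLM is still seen on a DC, and when replication reports failures.
$Window = (Get-Date).AddHours(-24)
$Source = 'NTLM-Migration-Check'          # placeholder event source
$DCs    = (Get-ADDomainController -Filter *).HostName

# Register the event source once (needs local admin on the host running the task)
if (-not [System.Diagnostics.EventLog]::SourceExists($Source)) {
    New-EventLog -LogName Application -Source $Source
}

function Get-RecentNtlmCount {
    # Number of NTLM/Operational events on one DC inside the window; 0 is the desired state.
    param([Parameter(Mandatory)][string]$Dc)
    try {
        @(Get-WinEvent -ComputerName $Dc -ErrorAction Stop -FilterHashtable @{
            LogName = 'Microsoft-Windows-NTLM/Operational'; StartTime = $Window }).Count
    } catch {
        # Get-WinEvent throws when nothing matches; treat that as zero, rethrow anything else
        if ($_.Exception.Message -like '*No events were found*') { 0 } else { throw }
    }
}

function Get-ReplicationFailures {
    # repadmin /showrepl * /csv emits CSV with a "Number of Failures" column per link.
    repadmin /showrepl * /csv | ConvertFrom-Csv |
        Where-Object { [int]$_.'Number of Failures' -gt 0 } |
        Select-Object 'Source DSA', 'Destination DSA', 'Naming Context', 'Last Failure Status'
}

$ntlm = foreach ($dc in $DCs) {
    [pscustomobject]@{ DC = $dc; NtlmEvents = Get-RecentNtlmCount -Dc $dc }
}
$hits = $ntlm | Where-Object NtlmEvents -gt 0
if ($hits) {
    Write-EventLog -LogName Application -Source $Source -EventId 1001 -EntryType Warning `
        -Message ("NTLM still in use after switchover:`n" + ($hits | Out-String))
}

$failed = Get-ReplicationFailures
if ($failed) {
    Write-EventLog -LogName Application -Source $Source -EventId 1002 -EntryType Error `
        -Message ("AD replication failures:`n" + ($failed | Out-String))
}

# Console summary for interactive runs
$ntlm | Format-Table -AutoSize
```

Alert on event IDs 1001 and 1002 from this source in the SIEM; dcdiag /v remains the manual complement when a replication failure does show up.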

Annexes — useful commands

Script download

You can download the complete NTLM → Kerberos Toolkit for free.
It contains all the PowerShell scripts and GPO templates described in this tutorial, ready to use in your Active Directory environment.

Pack content

  • Audit-NTLM.ps1

  • Analyse-NTLM.ps1

  • Create-GPO-Audit-NTLM.ps1

  • Create-GPO-Restrict-NTLM.ps1

  • Link-GPO.ps1

  • README.md
