Microsoft NTLM phase-out and disable-by-default plan
Advisory/Mitigation
Summary
Hide ▲
Show ▼
Microsoft is rolling out a three-phase NTLM phase-out for Windows, pushing organizations to audit NTLM usage, migrate to Kerberos, and prepare for NTLM-off configurations.
Related Happenings
GhostTree and GhostBranch NTFS junction loops that evade recursive folder scanning
Technical Analysis
H score23
First: 16.06.2026 17:17
Last: 16.06.2026 17:17
Sources 1
About this happening:
**GhostTree** and **GhostBranch** use recursive **NTFS junction** loops to generate effectively unlimited paths, allowing files in the same folder to evade **EDR** and **Windows D...
GhostTree and GhostBranch NTFS junction loops that evade recursive folder scanning
Technical AnalysisAbout this happening: **GhostTree** and **GhostBranch** use recursive **NTFS junction** loops to generate effectively unlimited paths, allowing files in the same folder to evade **EDR** and **Windows D...
Windows search URI handler NTLMv2 hash disclosure security flaw (CVE-2026-33829)
Vulnerability
H score24
First: 03.06.2026 13:18
Last: 03.06.2026 13:18
Sources 1
About this happening:
**Windows search: URI handler** has an **unpatched NTLMv2 hash disclosure flaw** that can let an attacker capture a user's Net-NTLMv2 hash through a crafted `search:` link. The we...
Windows search URI handler NTLMv2 hash disclosure security flaw (CVE-2026-33829)
VulnerabilityAbout this happening: **Windows search: URI handler** has an **unpatched NTLMv2 hash disclosure flaw** that can let an attacker capture a user's Net-NTLMv2 hash through a crafted `search:` link. The we...
Windows Autopatch enables hotpatch security updates by default for eligible devices
Security Tool/Service
H score15
First: 11.03.2026 11:15
Last: 11.03.2026 11:15
Sources 1
About this happening:
Microsoft is changing **Windows Autopatch** to enable **hotpatch security updates** by default, speeding security-fix rollout for eligible devices and reducing restart-related del...
Windows Autopatch enables hotpatch security updates by default for eligible devices
Security Tool/ServiceAbout this happening: Microsoft is changing **Windows Autopatch** to enable **hotpatch security updates** by default, speeding security-fix rollout for eligible devices and reducing restart-related del...
Microsoft Entra passkeys on Windows add phishing-resistant sign-in in public preview
Security Tool/Service
H score26
First: 10.03.2026 17:27
Last: 10.03.2026 17:27
Sources 1
About this happening:
**Microsoft Entra** is adding **passkey support on Windows devices**, bringing **phishing-resistant passwordless authentication** via **Windows Hello**. The rollout reaches **publ...
Microsoft Entra passkeys on Windows add phishing-resistant sign-in in public preview
Security Tool/ServiceAbout this happening: **Microsoft Entra** is adding **passkey support on Windows devices**, bringing **phishing-resistant passwordless authentication** via **Windows Hello**. The rollout reaches **publ...
Bitwarden adds passkey login for Windows 11 sign-in
Security Tool/Service
H score11
First: 05.03.2026 00:34
Last: 05.03.2026 00:34
Sources 1
About this happening:
**Bitwarden** added **passkey login** for **Windows 11**, expanding passwordless sign-in and reducing phishing exposure for users who store credentials in the vault.
Bitwarden adds passkey login for Windows 11 sign-in
Security Tool/ServiceAbout this happening: **Bitwarden** added **passkey login** for **Windows 11**, expanding passwordless sign-in and reducing phishing exposure for users who store credentials in the vault.
Timeline
-
02.02.2026 17:59 2 articles · 5mo ago
Microsoft announces NTLM phase-out roadmap for Windows
Initial DisclosureMicrosoft announced a three-phase plan to phase out NTLM in Windows and move enterprise authentication toward Kerberos-based options. The roadmap says NTLM was formally deprecated in June 2024, Phase 1 enhanced NTLM auditing is available now to show where and why NTLM is still used, Phase 2 will address migration roadblocks with IAKerb and local KDC while updating core Windows components to prioritize Kerberos in H2 2026, and Phase 3 will disable NTLM by default in the next version of Windows Server and the associated Windows client with explicit re-enablement controlled by policy.
Show sources
- Microsoft Begins NTLM Phase-Out With Three-Stage Plan to Move Windows to Kerberos — thehackernews.com — 02.02.2026 17:59
- Microsoft Begins NTLM Phase-Out With Three-Stage Plan to Move Windows to Kerberos — thehackernews.com — 02.02.2026 17:59