NTLM

Winsage
March 2, 2026
The migration from NTLM to Kerberos authentication is essential for improving security in Windows systems, but it faces challenges such as legacy systems and hardcoded authentication. Organizations must identify NTLM usage, conduct testing with NTLM disabled, and make necessary adjustments or upgrades to migrate successfully. Ongoing monitoring is crucial post-migration to prevent NTLM from re-entering the network. NTLM is associated with significant security vulnerabilities and has been exploited by various threat groups, making its elimination a priority for organizations despite potential hesitations to invest in the migration process. Transitioning to Kerberos is seen as a strategic security investment.
Winsage
January 30, 2026
Microsoft will disable the NTLM authentication protocol by default in the next major Windows Server release and associated Windows client versions. NTLM, introduced in 1993, has been vulnerable to various cyberattacks, including NTLM relay and pass-the-hash attacks. The transition plan includes three phases: enhanced auditing tools in Windows 11 24H2 and Windows Server 2025, new features like IAKerb and a Local Key Distribution Center in late 2026, and eventually disabling network NTLM by default in future releases. NTLM will remain in the operating system but will not be used automatically. Microsoft deprecated NTLM authentication in July 2024 and has encouraged developers to transition to Kerberos or Negotiation authentication.
Winsage
October 26, 2025
Microsoft has disabled the preview feature for files downloaded from the internet in the File Explorer Preview pane for Windows 11 versions 25H2 and 24H2, as well as in the latest Windows 10 update, due to security concerns. Users can still preview locally created files, but attempting to preview internet-downloaded files will trigger a warning message. The decision to disable previews for these files is intended to prevent potential security vulnerabilities, specifically a risk of NTLM hash leaks. Files marked with a “Mark of the Web (MotW)” tag, which indicates they were downloaded from various sources, will be blocked from previewing. Users can unblock previews for trusted files by right-clicking the file, selecting Properties, and checking the ‘Unblock’ option. A PowerShell script is also available to unblock all files in a specific directory. This update is part of the Windows October 2025 Patch Tuesday.
Winsage
October 24, 2025
Microsoft has introduced a feature that requires unique Security Identifiers (SIDs) across systems, effective August 29, 2025, impacting users who previously cloned images with duplicate SIDs for Kerberos or NTLM connections. This change has led to SEC_E_NO_CREDENTIALS errors in the Event Viewer and other reported issues. Microsoft recommends using the Sysprep tool for fresh machine setups. A workaround exists through a Group Policy setting that allows duplicate SIDs, but users must contact Microsoft support to access it, as it is not available by default. This update marks the third occurrence of authentication errors associated with Microsoft updates.
Winsage
October 24, 2025
Following the October 2025 Patch Tuesday updates, many Windows users experienced issues with the File Explorer preview pane, which stopped functioning for several file types. This change, implemented by Microsoft as a security enhancement, affects both Windows 11 and Windows 10 and is linked to a vulnerability associated with NTLM credential hashes. The updates, KB5066835 for Windows 11 and KB5066791 for Windows 10, disable the preview functionality for files marked with the "Mark of the Web" (MotW), indicating they originated from the internet. Instead of a preview, users receive a warning message about potential harm from the file. Microsoft has provided workarounds for users who wish to restore the preview functionality, including manually unblocking files or adjusting security settings for network shares, though these methods come with security risks. This change reflects a broader industry trend toward prioritizing security over user convenience.
Winsage
October 24, 2025
Microsoft has enhanced its File Explorer to improve user security against credential theft attacks by automatically blocking previews for files downloaded from the Internet. This update is active for users who have installed the latest Patch Tuesday security updates on Windows 11 and Windows Server systems. The preview functionality will be disabled by default for files accessed on an Internet Zone file share and those marked with the Mark of the Web (MotW). When users attempt to preview such files, a cautionary message will appear, warning that the file could harm their computer. This measure addresses vulnerabilities that could allow attackers to capture NTLM hashes through HTML tags in malicious files. Starting with security updates released on or after October 14, 2025, the preview feature will be automatically disabled for internet-downloaded files to further mitigate risks. Users can manually remove the block for trusted files by right-clicking the file, selecting Properties, and clicking the "Unblock" button. Additionally, the block can be lifted for all files on an Internet Zone file share by adding the file share’s address to the Trusted sites or Local intranet security zone in the Internet Options control panel.