NTLM Archives

Winsage

June 13, 2026

For June, Patch Tuesday means an IT scramble

A systematic approach to testing is essential following the latest updates. The process begins with installing the .NET SDK update, then building and executing representative applications to ensure existing projects compile and run without issues. For SQL Server users, the GDR update must be installed on the appropriate branch, followed by a service restart and standard transaction execution to verify stability. Backup and restore verification is also necessary, including checking the health of Always On availability groups and testing patch installation and removal. The Readiness team recommends prioritizing testing for Remote Desktop this month due to its frequent patches and high-risk classification. The focus should be on printer redirection, followed by general connectivity, RemoteApp functionality, clipboard and device redirection, gateway access, and licensing considerations. The next priority is validating NTLM authentication updates, including domain and standalone logon processes, file-share access, and application sign-in capabilities. Other updates are security-focused with no functional changes, requiring routine regression testing across networking, Hyper-V, storage, and graphics components. Office remains MSI-only, with Click-to-Run installations unaffected by these updates. The updates for .NET and SQL Server complete the landscape for developers and database administrators.

Winsage

June 3, 2026

Unpatched Windows Search URI Vulnerability Lets Attackers Steal NTLMv2 Hashes

Cybersecurity researchers have identified an unpatched vulnerability that could expose NTLMv2 hashes to attackers, linked to the "search:" URI handler. This issue is similar to CVE-2026-33829, which involved a spoofing vulnerability in the Windows Snipping Tool's ms-screensketch: URI handler. The flaw allows attackers to trick users into connecting to their SMB servers, disclosing NTLMv2 hashes for authentication exploitation. The new vulnerability operates using "search:" and "crumb=location:" parameters, resulting in a similar Net-NTLMv2 leak. Microsoft has chosen not to address this issue, stating only vulnerabilities classified as Important or Critical would be fixed. Recommendations to mitigate risks include blocking outbound SMB traffic, enforcing SMB signing, and disabling NTLM authentication where possible.

Winsage

April 30, 2026

CISA, Microsoft warn of active exploitation of Windows Shell vulnerability (CVE-2026-32202)

Attackers are exploiting CVE-2026-32202, a zero-click vulnerability in Windows Shell, allowing authentication of victims' systems without user interaction. This vulnerability stems from an incomplete patch for CVE-2026-21510 and has been used by the APT28 group with weaponized LNK files to bypass Windows security. Although Microsoft addressed these vulnerabilities in February 2026, the risk remains as opening a folder with a malicious LNK file can still connect victims' machines to the attacker's server, initiating an NTLM authentication handshake that exposes the victim’s Net-NTLMv2 hash. This affects various versions of Windows 10, 11, and Windows Server. Microsoft released a patch for CVE-2026-32202 on April 14, 2026, but did not label it as actively exploited until more than two weeks later, leaving security teams unaware of its urgency. Organizations are advised to apply the patch and consider blocking outbound SMB traffic to mitigate risks.

Winsage

April 17, 2026

Microsoft’s April patch puts Windows domain controllers into reboot loops — third known issue from KB5082063 is affecting Windows Server 2016 through 2025

Microsoft has acknowledged that the April 2026 security update for Windows Server, patch KB5082063, has caused significant disruptions for some enterprise domain controllers, leading to continuous reboot cycles in non-Global Catalog domain controllers used in Privileged Access Management (PAM) deployments. This has resulted in the unavailability of Active Directory authentication and directory services on affected servers. Additionally, the installation of KB5082063 may fail on some Windows Server 2025 systems. This issue marks the third consecutive year that April security updates have caused problems for Windows Server domain controllers. In previous years, Microsoft issued emergency fixes for similar issues, including crashes and complications with NTLM authentication. Administrators currently have limited options, including delaying the update, isolating a test domain controller, or engaging with Microsoft Support for tailored mitigation steps.

Winsage

April 9, 2026

BlueHammer: Windows zero-day exploit leaked

A proof-of-concept (PoC) exploit called BlueHammer has been released on GitHub, targeting an unpatched local privilege escalation vulnerability in Windows. The exploit, attributed to users Chaotic Eclipse and Nightmare Eclipse, has been modified by security researchers to work on updated versions of Windows 10, 11, and Windows Server. The exploit manipulates Microsoft Defender to create a Volume Shadow Copy, allowing access to sensitive registry files and enabling the extraction of NTLM password hashes. This facilitates the alteration of a local Administrator's password and subsequent login. The exploit can duplicate the Administrator's security token and create a malicious Windows Service that runs with SYSTEM privileges. While there are no reports of BlueHammer being exploited by malicious actors, researchers warn that such PoC code can be weaponized quickly. Microsoft has committed to investigating reported security issues related to this vulnerability.

Winsage

March 2, 2026

NTLM is going away: what Microsoft’s phaseout means for MSPs and IT teams

The migration from NTLM to Kerberos authentication is essential for improving security in Windows systems, but it faces challenges such as legacy systems and hardcoded authentication. Organizations must identify NTLM usage, conduct testing with NTLM disabled, and make necessary adjustments or upgrades to migrate successfully. Ongoing monitoring is crucial post-migration to prevent NTLM from re-entering the network. NTLM is associated with significant security vulnerabilities and has been exploited by various threat groups, making its elimination a priority for organizations despite potential hesitations to invest in the migration process. Transitioning to Kerberos is seen as a strategic security investment.

Winsage

January 30, 2026

Microsoft to disable NTLM by default in future Windows releases

Microsoft will disable the NTLM authentication protocol by default in the next major Windows Server release and associated Windows client versions. NTLM, introduced in 1993, has been vulnerable to various cyberattacks, including NTLM relay and pass-the-hash attacks. The transition plan includes three phases: enhanced auditing tools in Windows 11 24H2 and Windows Server 2025, new features like IAKerb and a Local Key Distribution Center in late 2026, and eventually disabling network NTLM by default in future releases. NTLM will remain in the operating system but will not be used automatically. Microsoft deprecated NTLM authentication in July 2024 and has encouraged developers to transition to Kerberos or Negotiation authentication.

Winsage

November 5, 2025

Microsoft warns Windows 11 25H2, 24H2 October update triggers BitLocker recovery on PCs for businesses

Microsoft has acknowledged a significant issue affecting users of BitLocker on Windows 11 versions 25H2 and 24H2, as well as Windows 10, which may prompt users to enter their BitLocker recovery key during startup, risking data loss if the key is not available. The problem arises after installing Windows Updates released on or after October 14, 2025, and predominantly affects Intel-based PCs with the "Connected Standby" feature. Affected users can check if BitLocker is enabled by navigating to Settings > System > Storage > Disk & Volumes. Microsoft is rolling out a fix, but business users must manually deploy it. Users are advised to back up their BitLocker recovery keys to their Microsoft accounts.

Winsage

November 3, 2025

Microsoft Sounds Windows 11 And Server Update Failure Alarm

Microsoft has confirmed that users of Windows 11 and Windows Server are experiencing authentication failures due to updates released on or after August 29. This issue, detailed in Microsoft Support posting KB5070568, is linked to duplicate Security IDs (SIDs) on devices, affecting Windows 11 versions 24H2 and 25H2, as well as Windows Server 2025. The problem arises from new security protections that enforce checks on SIDs, which are necessary to maintain user account integrity and prevent unauthorized access. Duplicate SIDs typically result from unsupported cloning or duplication of a Windows installation without using the Sysprep tool. The recent update mandates SID uniqueness, blocking authentication handshakes between devices with duplicate SIDs. To resolve this, users must rebuild their devices using supported methods for cloning or duplicating a Windows installation to ensure unique SIDs.

Winsage

October 26, 2025

Microsoft admits File Explorer Preview pane won’t work in Windows 11 25H2 for internet files by default

Microsoft has disabled the preview feature for files downloaded from the internet in the File Explorer Preview pane for Windows 11 versions 25H2 and 24H2, as well as in the latest Windows 10 update, due to security concerns. Users can still preview locally created files, but attempting to preview internet-downloaded files will trigger a warning message. The decision to disable previews for these files is intended to prevent potential security vulnerabilities, specifically a risk of NTLM hash leaks. Files marked with a “Mark of the Web (MotW)” tag, which indicates they were downloaded from various sources, will be blocked from previewing. Users can unblock previews for trusted files by right-clicking the file, selecting Properties, and checking the ‘Unblock’ option. A PowerShell script is also available to unblock all files in a specific directory. This update is part of the Windows October 2025 Patch Tuesday.