I've been researching the potential impacts of disabling NTLM across all of our workstations, as it's part of our 2026 roadmap. We have about 1,000 workstations, and it seems that only 10 might be affected due to some legacy processes that the business will address. My recent analysis indicates that NTLM is only being utilized on those 10 machines. To be honest, I expected the transition to be more challenging, so I feel like I'm missing something important. Have you disabled NTLM in your environment, and what pitfalls or issues should I be aware of?
5 Answers
You'll also want to watch out for older applications, especially those using Solidworks, as they only dropped NTLMv1 in their newer versions. It's worth doing a thorough check on any application you plan to keep running.
One thing to note is that the Remote Desktop Gateway relies on NTLM. The older Remote Desktop clients can work around this using Kerberos proxy, but the newer store-based clients might run into issues because of this dependency on NTLM.
That’s interesting! I guess it mainly depends on what remote desktop setup you have, right?
It sounds like you're in a pretty streamlined environment, but in larger setups, NTLM can still be a pain point. If you're only using Entra and have no on-premises setup, that's a big plus. Just double-check to ensure no legacy apps are relying on it.
Thanks for that insight! I guess I need to be diligent about checking for any applications that might have slipped through.
We faced a few challenges too. On the workstation side, we hardly saw issues except for vulnerability scans. However, on the server side, we had some server setups that wouldn't work correctly without NTLM, especially with file shares and active-active setups. Make sure your SQL Server and IIS configs are correct for Kerberos; it can get complicated.
Wow, that sounds complex! Do you have any tips for configuring those SPNs correctly?
If you have any failover clusters or VM Consoles, those need NTLM for cluster-aware updates. You might hit some bumps there if you’re not careful.
Good point! I’ll go through our apps and make a list to ensure we’re good to go.