**Microsoft is moving towards disabling NTLM by default**
I started auditing what was using NTLM in our environment, and I see Netwrix is a frequent offender.
Do gMSA accounts use NTLM as well? I had hoped to move all of our auth to gMSA but we were waiting for Exchange hybrid monitoring to be supported.
gMSA accounts themselves support Kerberos and do not inherently require NTLM. In properly configured environments, Kerberos-only authentication can be used. However, the actual protocol depends on configuration details such as SPNs, delegation, and the capabilities of the target system. If Kerberos is not available, authentication may fall back to NTLM.
Regarding Exchange on-premises, there are known limitations related to its RBAC model and PowerShell-based access that may impact gMSA scenarios. This area requires additional validation.
We are aware of Microsoft’s direction toward disabling NTLM by default and are reviewing authentication flows across our components to reduce dependency on NTLM where possible and ensure alignment with hardened security configurations.
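Added example, not code from this thread or from Netwrix: a PowerShell pass over Security event 4624 that keeps only NTLM logons and flags accounts whose sAMAccountName ends in `$` (gMSA and computer accounts), which is how the Kerberos-to-NTLM fallback described above shows up in the log. The cmdlets and event fields are standard Windows ones; the DC name and the sample records are constructed.

```powershell
# Reduce one 4624 (Logon) event's EventData to the fields an NTLM audit needs.
function ConvertTo-LogonRecord {
    param([Parameter(Mandatory)][hashtable]$Data)
    [pscustomobject]@{
        Account     = '{0}\{1}' -f $Data.TargetDomainName, $Data.TargetUserName
        Workstation = $Data.WorkstationName
        SourceIp    = $Data.IpAddress
        AuthPackage = $Data.AuthenticationPackageName    # 'Kerberos' or 'NTLM'
        LmPackage   = $Data.LmPackageName                # 'NTLM V1', 'NTLM V2' or '-'
        IsGmsaLike  = $Data.TargetUserName.EndsWith('$') # gMSA/computer names end in '$'
    }
}

# Pull recent 4624 events from a DC's Security log (needs event-log read rights).
function Get-LogonRecords {
    param([string]$ComputerName = $env:COMPUTERNAME, [int]$Days = 7)
    Get-WinEvent -ComputerName $ComputerName -FilterHashtable @{
        LogName = 'Security'; Id = 4624; StartTime = (Get-Date).AddDays(-$Days)
    } | ForEach-Object {
        $data = @{}   # flatten the <Data Name="..."> elements into a hashtable
        foreach ($d in ([xml]$_.ToXml()).Event.EventData.Data) { $data[$d.Name] = [string]$d.'#text' }
        ConvertTo-LogonRecord -Data $data
    }
}

# Keep only NTLM logons and group them per account and source so fallbacks stand out.
function Get-NtlmFallbackSummary {
    param([Parameter(Mandatory)][object[]]$Records)
    $Records | Where-Object { $_.AuthPackage -eq 'NTLM' } |
        Group-Object Account, Workstation | ForEach-Object {
            $first = $_.Group[0]
            [pscustomobject]@{
                Account = $first.Account; Workstation = $first.Workstation
                SourceIp = $first.SourceIp; LmPackage = $first.LmPackage
                Logons = $_.Count; GmsaFallback = $first.IsGmsaLike
            }
        } | Sort-Object GmsaFallback, Logons -Descending
}

# Constructed sample records (not from any real environment) so the summary runs offline.
$sample = @(
    @{ TargetDomainName = 'CORP'; TargetUserName = 'svc_netwrix$'; WorkstationName = 'NWX01'
       IpAddress = '10.0.0.21'; AuthenticationPackageName = 'NTLM'; LmPackageName = 'NTLM V2' }
    @{ TargetDomainName = 'CORP'; TargetUserName = 'svc_netwrix$'; WorkstationName = 'NWX01'
       IpAddress = '10.0.0.21'; AuthenticationPackageName = 'NTLM'; LmPackageName = 'NTLM V2' }
    @{ TargetDomainName = 'CORP'; TargetUserName = 'jdoe'; WorkstationName = 'WS42'
       IpAddress = '10.0.5.7'; AuthenticationPackageName = 'Kerberos'; LmPackageName = '-' }
) | ForEach-Object { ConvertTo-LogonRecord -Data $_ }
Get-NtlmFallbackSummary -Records $sample | Format-Table -AutoSize
```

Against a live domain controller, replace the sample with `Get-LogonRecords -ComputerName DC01` (hypothetical host name); rows with `GmsaFallback` set to True are the gMSA logons that did not get Kerberos and are worth checking for missing SPNs or delegation settings.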