NTLM Is Ending: How to Secure WMI Monitoring with Kerberos Authentication
Microsoft is removing NTLMv1 - learn how NetCrunch already supports Kerberos authentication and how you can enable it today
Microsoft Is Phasing Out NTLMv1
With the release of Windows 11 24H2 and Windows Server 2025, Microsoft has started the retirement of NTLMv1 authentication.
Starting this from September 2025, attempts to use NTLMv1 are logged (Event ID 4024), and by October 2026, it will be disabled by default. This change directly affects Windows monitoring and WMI-based workflows.
This change is designed to improve security but introduces a major risk: any monitoring or automation still relying on NTLM could suddenly stop working.
Read Microsoft’s announcement here
Why Kerberos Matters for Monitoring
For years, NTLM has been the fallback for Windows authentication in WMI monitoring. With NTLM restricted, monitoring tools must use Kerberos - a protocol that is both more secure and fully supported in modern Active Directory environments.
The challenge for many IT teams is that not all monitoring tools support Kerberos natively, leaving engineers scrambling for workarounds.
NetCrunch Already Supports Kerberos
The good news: NetCrunch supports Kerberos authentication for WMI monitoring today.
Enabling it is straightforward:
-
If you enter credentials as DOMAIN\user, NetCrunch will use NTLM while you get ready for the transition.
-
If you enter credentials as a UPN (User Principal Name) — user@domain.com — NetCrunch will automatically switch to Kerberos authentication.
That’s it. No registry edits, no hidden toggles, no special configuration. Just use UPN format and Kerberos is automatically enabled.
See our detailed blog post on enabling Kerberos in NetCrunch
What You Should Do Now
If your current monitoring solution does not support Kerberos, you should plan a replacement strategy now. Waiting until enforcement begins risks both visibility and security across your Windows infrastructure.
- Audit your environment - check logs for NTLM usage.
- Update monitoring accounts - switch WMI credentials in NetCrunch to the UPN format.
- Test and validate - confirm Kerberos is working in your monitoring setup before NTLM is blocked by Microsoft updates.
Final Thoughts
Microsoft’s decision to phase out NTLM makes Kerberos the only secure and sustainable choice for Windows monitoring.
If your monitoring software does not support Kerberos, treat it as a strategic priority to replace it immediately. Modern Windows environments cannot depend on deprecated, insecure protocols.
With NetCrunch, you don’t have to wait or worry - Kerberos support is built-in and ready to use today. Future-proof your Windows monitoring and administration today.
- [26.09.2019] Advanced SSL Certificate monitoring
Nowadays secure connections are common, sites/servers without certificates are flagged as 'unsafe' and people tend to avoid such places on the web. This article will demonstrate how you can easily monitor not only if certificates are about to expire or expired but several other properties included in it.
- [12.04.2018]Generate NetCrunch SSL certificate with Microsoft Certificate Authority server
Learn how to use certificates generated by Microsoft Certificate Authority to secure Web Access connection to the NetCrunch server.
- [08.02.2024] Securing WMI Monitoring with UPN User Format and Kerberos Authentication
Effective WMI monitoring requires a secure authentication approach to protect against vulnerabilities and ensure long-term compatibility. Learn why you need to plan for transitioning from the outdated NTLM protocol to the more secure Kerberos authentication
