Microsoft deprecates password payload in MPR notifications to enhance security

The feature will be disabled by default in Windows 11, version 24H2


On Friday, Microsoft added password payloads in MPR notifications to its list of deprecated features. This follows the tech giant’s recent decision to bid farewell to certificates using RSA keys shorter than 2048 bits.

Password payload in MPR notifications to be deprecated starting in Windows 11 24H2

Microsoft has yet to mention the exact deprecation date, but we assume it will be later this year. Although news of a deprecated feature may sound bad, this decision is a good one as far as users are concerned.

Deprecating the password payload in the NPLogonNotify and NPPasswordChangeNotify APIs will further enhance security. The company says those APIs allow the caller to extract users’ passwords, which poses a serious risk of exposing passwords to malicious users.

Microsoft will still allow the password payload to be included by setting the EnableMPRNotifications policy to enabled.

Adding the feature to the deprecated list, Microsoft says: 

Starting in Windows 11, version 24H2, the inclusion of password payload in MPR notifications is set to disabled by default through group policy in NPLogonNotify and NPPasswordChangeNotify APIs. The APIs may be removed in a future release. The primary reason for disabling this feature is to enhance security. When enabled, these APIs allow the caller to retrieve a user’s password, presenting potential risks for password exposure and harvesting by malicious users. To include password payload in MPR notifications, set the EnableMPRNotifications policy to enabled.

Summing up, it is worth noting that Microsoft has announced the deprecation of three features this month alone.
