>So who is actually being negligent here?
Microsoft.
It seems from the advisories on how to disable NTLM, even now by default AD domain controllers accept LM, NTLM and NTLMv2 requests. If MS had really been pleading with people to not use NTLM, they would have removed it from the default install of Windows Server, AD, Exchange, Remote Desktop....[ We can assume it is there and being used, since MS have released no advisories saying words to the effect: a clean default install (as used by many) of Server 20nn with AD, Exchange, Remote Desktop does not use or install NTLM.]
What is interesting, by declaring they aren't going to fix it, MS have effectively declared all current versions of Windows Server inecure by design and left their users swinging in the wind. Also I note they haven't said Windows cloud/MS365 et al are not affected...
Biting the hand that feeds IT
