Microsoft Removing DES Encryption from Windows 11 24H2 and Windows Server 2025


Microsoft has announced the removal of the Data Encryption Standard (DES) encryption algorithm from Kerberos in Windows 11 version 24H2 and Windows Server 2025.

This change, set to take effect with updates released on or after September 9, 2025, aims to bolster security by eliminating outdated cryptographic protocols vulnerable to modern cyber threats.

The move aligns with Microsoft’s Secure Future Initiative (SFI), which emphasizes adopting stronger encryption standards.

DES, a symmetric-key block cipher that uses a 56-bit key, was first introduced in 1977 and incorporated into Kerberos in the early 1990s.

However, advancements in computational power have rendered DES increasingly susceptible to brute force and known-plaintext attacks: a 56-bit key space can be exhausted by commodity hardware (the EFF's purpose-built cracker recovered a DES key in about 56 hours as early as 1998), and NIST withdrew DES as a federal standard in 2005.

While DES has been disabled by default on Windows systems since Windows 7 and Windows Server 2008 R2, it has remained available as an optional component for compatibility purposes.

With this update, DES will no longer be supported on Windows 11 version 24H2 and Windows Server 2025.

Transition to Stronger Encryption Standards

The removal of DES will occur in phases. Administrators are urged to detect and disable any remaining use of DES within their networks before applying the September 2025 updates.

Kerberos already supports more robust encryption algorithms, such as the Advanced Encryption Standard (AES), which Windows exposes as the AES128-CTS-HMAC-SHA1-96 and AES256-CTS-HMAC-SHA1-96 encryption types. Organizations are encouraged to adopt AES for improved security and for compliance with modern standards such as the Federal Information Processing Standards (FIPS), which no longer permit DES.

Legacy scenarios relying on DES will cease functioning on updated systems unless IT administrators reconfigure applications and network security settings to use AES or other secure ciphers.

Notably, earlier versions of Windows will not be affected by this change.

Recommendations for Administrators

To prepare for the transition, Microsoft advises organizations to:

  1. Detect DES Usage: Query Active Directory for accounts whose msDS-SupportedEncryptionTypes attribute has the DES-CBC-CRC (0x1) or DES-CBC-MD5 (0x2) bits set, or whose "Use Kerberos DES encryption types for this account" option (userAccountControl flag 0x200000) is checked. On domain controllers, review Security log events 4768 (TGT request) and 4769 (service ticket request) from the Kerberos Key Distribution Center service: a Ticket Encryption Type of 0x1 or 0x3 identifies a DES ticket and the account or client that requested it.
  2. Disable DES: Clear those attribute bits and the account option so that accounts no longer advertise DES, and set the Group Policy "Network security: Configure encryption types allowed for Kerberos" to AES128 and AES256 only, removing DES (and RC4, where nothing still depends on it).
  3. Test and Transition: Replace DES with AES gradually, checking domain and forest trusts (the trust object itself must be marked as supporting AES) and third-party systems. An account only receives AES keys when its password is next set, so accounts moved off DES need a password change, or a machine-account password reset, before they can authenticate with AES. Test each change before broad deployment.
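The three steps above, worked through as an added PowerShell script that is not part of Microsoft's announcement. It assumes the RSAT ActiveDirectory module, rights to read and modify account attributes, and rights to read the Security log on the domain controller named by the placeholder `$DomainController`. It audits by default and only changes accounts when run with `-Remediate`; the encryption-type bit values and event fields are Microsoft-documented, the script itself is an illustration.

```powershell
# Added example: audit (and optionally remediate) DES usage in AD Kerberos.
# Not Microsoft's code; the DC name below is a placeholder.
param(
    [string]$DomainController = 'dc01.corp.example',  # assumed name
    [int]$LookbackDays = 7,                           # Security log window to scan
    [switch]$Remediate                                # default is audit only
)
Import-Module ActiveDirectory

# Bit values of msDS-SupportedEncryptionTypes (documented in MS-KILE / MS-ADTS)
$DES_CBC_CRC = 0x1; $DES_CBC_MD5 = 0x2; $RC4_HMAC = 0x4; $AES128 = 0x8; $AES256 = 0x10
$DesBits             = $DES_CBC_CRC -bor $DES_CBC_MD5
$AesOnly             = $AES128 -bor $AES256           # 0x18: the target value
$UF_USE_DES_KEY_ONLY = 0x200000                        # userAccountControl flag behind the ADUC checkbox
$DesTicketEtypes     = @('0x1', '0x3')                 # TicketEncryptionType in 4768/4769 for DES-CBC-CRC / DES-CBC-MD5

# --- Step 1a: accounts that still advertise DES --------------------------------
# 1.2.840.113556.1.4.803 is LDAP_MATCHING_RULE_BIT_AND, so each clause tests one bit.
$filter = "(|(userAccountControl:1.2.840.113556.1.4.803:=$UF_USE_DES_KEY_ONLY)" +
          "(msDS-SupportedEncryptionTypes:1.2.840.113556.1.4.803:=$DES_CBC_CRC)" +
          "(msDS-SupportedEncryptionTypes:1.2.840.113556.1.4.803:=$DES_CBC_MD5))"
$props = 'sAMAccountName', 'msDS-SupportedEncryptionTypes', 'userAccountControl', 'servicePrincipalName', 'pwdLastSet'
$desAccounts = @(Get-ADObject -LDAPFilter $filter -Server $DomainController -Properties $props)

Write-Output "Accounts advertising DES: $($desAccounts.Count)"
$desAccounts | ForEach-Object {
    [pscustomobject]@{
        Account         = $_.sAMAccountName
        Class           = $_.ObjectClass
        SupportedETypes = '0x{0:X}' -f [int]$_.'msDS-SupportedEncryptionTypes'
        UseDESKeyOnly   = (([int]$_.userAccountControl) -band $UF_USE_DES_KEY_ONLY) -ne 0
        HasSPN          = [bool]$_.servicePrincipalName
        PasswordLastSet = [datetime]::FromFileTime([long]$_.pwdLastSet)   # AES keys only exist from the next password set
    }
} | Format-Table -AutoSize

# --- Step 1b: DES tickets actually issued by the KDC in the last N days -------
$events = Get-WinEvent -ComputerName $DomainController -FilterHashtable @{
    LogName = 'Security'; Id = 4768, 4769; StartTime = (Get-Date).AddDays(-$LookbackDays)
} -ErrorAction SilentlyContinue

$desTickets = foreach ($ev in $events) {
    $xml = [xml]$ev.ToXml()
    $d = @{}
    foreach ($item in $xml.Event.EventData.Data) { $d[$item.Name] = $item.'#text' }
    if ($DesTicketEtypes -contains $d['TicketEncryptionType']) {
        [pscustomobject]@{
            Time    = $ev.TimeCreated
            EventId = $ev.Id                      # 4768 = TGT, 4769 = service ticket
            Account = $d['TargetUserName']
            Service = $d['ServiceName']           # krbtgt for 4768, the SPN's account for 4769
            Client  = $d['IpAddress']
            EType   = $d['TicketEncryptionType']
        }
    }
}
Write-Output "DES tickets issued in the last $LookbackDays days: $(@($desTickets).Count)"
$desTickets | Sort-Object Time | Format-Table -AutoSize

# --- Step 2a: what the Kerberos encryption-type policy allows on this host ----
# Set by "Network security: Configure encryption types allowed for Kerberos".
$polKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Kerberos\Parameters'
$pol = Get-ItemProperty -Path $polKey -Name SupportedEncryptionTypes -ErrorAction SilentlyContinue
if ($pol) {
    $v = [int]$pol.SupportedEncryptionTypes
    Write-Output ('Policy SupportedEncryptionTypes = 0x{0:X}; DES allowed: {1}; RC4 allowed: {2}' -f
        $v, (($v -band $DesBits) -ne 0), (($v -band $RC4_HMAC) -ne 0))
} else {
    Write-Output 'Policy SupportedEncryptionTypes not set on this host (OS default applies).'
}

# --- Step 2b: stop accounts from advertising DES (only with -Remediate) --------
if ($Remediate) {
    foreach ($acct in $desAccounts) {
        $current = [int]$acct.'msDS-SupportedEncryptionTypes'
        $new = $current -band (-bnot $DesBits)           # drop the DES bits, keep RC4/AES bits
        if ($new -eq 0) { $new = $AesOnly }              # nothing left: advertise AES only
        Set-ADObject -Identity $acct.DistinguishedName -Server $DomainController `
            -Replace @{ 'msDS-SupportedEncryptionTypes' = $new }
        if ((([int]$acct.userAccountControl) -band $UF_USE_DES_KEY_ONLY) -ne 0) {
            Set-ADAccountControl -Identity $acct.DistinguishedName -Server $DomainController -UseDESKeyOnly $false
        }
        Write-Output ('{0}: msDS-SupportedEncryptionTypes 0x{1:X} -> 0x{2:X}; password must be reset to generate AES keys' -f
            $acct.sAMAccountName, $current, $new)
    }
}
```

Run it once without `-Remediate` and keep the report: the 4768/4769 output tells you which clients and services would break on an updated DC, which is the list to work through with application owners before the September 2025 updates. The policy check belongs on member servers as well as DCs, because a host-level setting that still allows DES is what lets a legacy application negotiate it in the first place.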
[Screenshot: account options in Active Directory Users and Computers, showing the Kerberos DES encryption option.]

Microsoft emphasizes that this change is part of its broader effort to enhance security by design and by default.

Organizations still using older versions of Java or third-party software dependent on DES should consult their vendors for guidance on transitioning to secure alternatives.

By deprecating DES, Microsoft aims to reduce vulnerabilities in Kerberos authentication, making systems less susceptible to attacks.

Administrators are encouraged to upgrade to Windows Server 2025 and Windows 11 version 24H2 for access to modern encryption capabilities and enhanced security features.

For additional resources on detecting and disabling DES usage or transitioning to AES, administrators can refer to Microsoft’s official documentation or community support forums.



