Microsoft Removing DES Encryption from Windows 11 24H2 and Windows Server 2025

Microsoft has announced the removal of the Data Encryption Standard (DES) encryption algorithm from Kerberos in Windows 11 version 24H2 and Windows Server 2025.

This change, set to take effect with updates released on or after September 9, 2025, aims to bolster security by eliminating outdated cryptographic protocols vulnerable to modern cyber threats.

The move aligns with Microsoft’s Secure Future Initiative (SFI), which emphasizes adopting stronger encryption standards.

DES, a symmetric-key block cipher that uses a 56-bit key, was first introduced in 1977 and incorporated into Kerberos in the early 1990s.

However, advancements in computational power have rendered DES increasingly susceptible to brute force and known-plaintext attacks.

While DES has been disabled by default on Windows systems since Windows 7 and Windows Server 2008 R2, it has remained available as an optional component for compatibility purposes.

With this update, DES will no longer be supported on Windows 11 version 24H2 and Windows Server 2025.

Transition to Stronger Encryption Standards

The removal of DES will occur in phases. Administrators are urged to detect and disable any remaining use of DES within their networks before applying the September 2025 updates.

Kerberos already supports more robust encryption algorithms, such as Advanced Encryption Standard (AES), which organizations are encouraged to adopt for improved security and compliance with modern standards like the Federal Information Processing Standards (FIPS).

Legacy scenarios relying on DES will cease functioning on updated systems unless IT administrators reconfigure applications and network security settings to use AES or other secure ciphers.

Notably, earlier versions of Windows will not be affected by this change.

Recommendations for Administrators

To prepare for the transition, Microsoft advises organizations to:

1. Detect DES Usage: Use tools such as PowerShell scripts or monitor Kerberos Key Distribution Service (KDCSVC) Event IDs (4768 and 4769) in security event logs to identify accounts or applications using DES.
2. Disable DES: Update Active Directory configurations to ensure that accounts do not advertise support for DES encryption types. Modify Group Policy settings to allow only AES-based encryption methods.
3. Test and Transition: Gradually replace DES with AES while ensuring compatibility across domain trusts and third-party systems. Test new configurations thoroughly before deployment.

Microsoft emphasizes that this change is part of its broader effort to enhance security by design and by default.

Organizations still using older versions of Java or third-party software dependent on DES should consult their vendors for guidance on transitioning to secure alternatives.

By deprecating DES, Microsoft aims to reduce vulnerabilities in Kerberos authentication, making systems less susceptible to attacks.

Administrators are encouraged to upgrade to Windows Server 2025 and Windows 11 version 24H2 for access to modern encryption capabilities and enhanced security features.

For additional resources on detecting and disabling DES usage or transitioning to AES, administrators can refer to Microsoft’s official documentation or community support forums.

Are you from SOC/DFIR Teams? – Analyse Malware Incidents & get live Access with ANY.RUN -> Start Now for Free.

Keep your files stored safely and securely with the SanDisk 2TB Extreme Portable SSD. With over 69,505 ratings and an impressive 4.6 out of 5 stars, this product has been purchased over 8K+ times in the past month. At only $129.99, this Amazon’s Choice product is a must-have for secure file storage.

Help keep private content private with the included password protection featuring 256-bit AES hardware encryption. Order now for just $129.99 on Amazon!

Help Power Techcratic’s Future – Scan To Support

If Techcratic’s content and insights have helped you, consider giving back by supporting the platform with crypto. Every contribution makes a difference, whether it’s for high-quality content, server maintenance, or future updates. Techcratic is constantly evolving, and your support helps drive that progress.

As a solo operator who wears all the hats, creating content, managing the tech, and running the site, your support allows me to stay focused on delivering valuable resources. Your support keeps everything running smoothly and enables me to continue creating the content you love. I’m deeply grateful for your support, it truly means the world to me! Thank you!