Microsoft Drops DES Encryption from Windows 11 24H2 and Windows Server 2025

Microsoft has announced the removal of the Data Encryption Standard (DES) encryption algorithm from Kerberos in Windows 11, version 24H2, and Windows Server 2025.

This change, slated to take effect after the September 9, 2025 update, is part of Microsoft’s ongoing efforts to bolster cybersecurity and align with modern encryption standards.

DES, a legacy symmetric-key encryption algorithm, has been deemed increasingly vulnerable to brute-force and known-plaintext attacks due to advancements in computational power.

Transitioning Away from Legacy Encryption

DES has been disabled by default since Windows 7 and Windows Server 2008 R2, but it remained available as an optional component for compatibility purposes.

Starting with the upcoming updates for Windows 11 24H2 and Windows Server 2025, DES will no longer be supported in any Kerberos-related functions.

Administrators relying on DES for legacy systems or third-party applications must transition to stronger encryption algorithms like Advanced Encryption Standard (AES) to ensure uninterrupted functionality.

Kerberos, a widely used authentication protocol, will continue supporting AES encryption methods such as AES128_HMAC_SHA1 and AES256_HMAC_SHA1.

These algorithms provide enhanced security and comply with Federal Information Processing Standards (FIPS).

Microsoft’s Secure Future Initiative (SFI) underscores its commitment to phasing out outdated technologies in favor of robust security measures.

Historical Context and Vulnerabilities

Introduced in 1977 as the first standard encryption algorithm for business use in the U.S., DES was integrated into Kerberos in RFC1510 (1993) and later implemented in Windows 2000 for third-party compatibility.

However, DES was deprecated from the Kerberos standard by RFC6649 in 2012 due to its vulnerabilities.

Over time, its susceptibility to cryptographic attacks rendered it obsolete for secure communications.

While DES was never used natively for authentication between Windows systems, it has been employed in third-party applications, including older Java implementations.

Microsoft urges organizations using legacy systems to identify any dependencies on DES and reconfigure their environments to adopt AES encryption before the September update deadline.

To prepare for this transition, administrators should:

  • Detect DES usage within their networks using tools like PowerShell scripts that scan Kerberos Key Distribution Service (KDCSVC) event logs for relevant Event IDs (4768 and 4769).
  • Disable DES encryption types through Active Directory settings and Group Policy configurations.
  • Update service accounts and domain trusts to support AES encryption while ensuring compatibility during the transition phase.

Figure: Screenshot of account options in Active Directory Users and Computers.
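The detection and account-audit steps above, as an added PowerShell example that is not part of the Microsoft announcement or its GitHub tooling. It assumes it runs with RSAT's ActiveDirectory module against a domain controller (KDC events 4768/4769 are only logged there), and relies on the standard Kerberos etype numbers (0x1 DES-CBC-CRC, 0x3 DES-CBC-MD5) and the Windows msDS-SupportedEncryptionTypes bits (0x1 and 0x2 for DES, which differ from the etype numbers) and the USE_DES_KEY_ONLY userAccountControl flag (0x200000).

```powershell
# Added example: locate DES still in use before the DES removal lands.
Import-Module ActiveDirectory

# Kerberos etype values reported in the TicketEncryptionType field of 4768/4769.
$DesEtypes = @('0x1', '0x3')   # 0x1 = DES-CBC-CRC, 0x3 = DES-CBC-MD5

function Get-KerberosEventFields {
    param([System.Diagnostics.Eventing.Reader.EventRecord]$Event)
    # Flatten the named <Data> elements of the event XML into a hashtable.
    $xml = [xml]$Event.ToXml()
    $fields = @{}
    foreach ($d in $xml.Event.EventData.Data) { $fields[$d.Name] = $d.'#text' }
    return $fields
}

function Find-DesKerberosTickets {
    param([string]$ComputerName = $env:COMPUTERNAME, [int]$Days = 7)
    # 4768 = TGT request, 4769 = service ticket request; both carry the etype.
    $filter = @{ LogName = 'Security'; Id = 4768, 4769; StartTime = (Get-Date).AddDays(-$Days) }
    Get-WinEvent -ComputerName $ComputerName -FilterHashtable $filter -ErrorAction SilentlyContinue |
        ForEach-Object {
            $f = Get-KerberosEventFields -Event $_
            if ($DesEtypes -contains $f['TicketEncryptionType']) {
                [pscustomobject]@{
                    Time     = $_.TimeCreated
                    EventId  = $_.Id
                    Account  = $f['TargetUserName']
                    Service  = $f['ServiceName']
                    Etype    = $f['TicketEncryptionType']
                    ClientIp = $f['IpAddress']
                }
            }
        }
}

function Find-DesEnabledAccounts {
    # Accounts that still advertise DES in msDS-SupportedEncryptionTypes
    # (bits 0x1 DES_CBC_CRC, 0x2 DES_CBC_MD5) or have "Use only Kerberos DES
    # encryption types" set (USE_DES_KEY_ONLY = 0x200000 = 2097152).
    # 1.2.840.113556.1.4.804 is the LDAP bitwise-OR matching rule.
    $ldap = '(|(msDS-SupportedEncryptionTypes:1.2.840.113556.1.4.804:=3)' +
            '(userAccountControl:1.2.840.113556.1.4.804:=2097152))'
    Get-ADObject -LDAPFilter $ldap -Properties msDS-SupportedEncryptionTypes, userAccountControl |
        Select-Object Name, DistinguishedName, msDS-SupportedEncryptionTypes, userAccountControl
}

Find-DesKerberosTickets | Format-Table -AutoSize
Find-DesEnabledAccounts | Format-Table -AutoSize
```

Any account or trust the second function lists should have its msDS-SupportedEncryptionTypes set to AES only (0x18) and the DES-only flag cleared, then be re-checked against the ticket log to confirm AES tickets are issued.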

Microsoft emphasizes testing new configurations before deployment and maintaining a rollback plan to mitigate potential disruptions.

For non-Windows systems or appliance devices using DES, administrators should consult respective vendors for guidance on updating Kerberos client settings.

The removal of DES aligns with Microsoft’s vision of creating a more secure ecosystem by design and by default.

Organizations are encouraged to upgrade to Windows Server 2025 and Windows 11 24H2 to leverage modern security features like AES encryption.

By eliminating vulnerable algorithms such as DES, Microsoft aims to reduce susceptibility to Kerberos-based attacks while promoting compliance with contemporary security standards.

For further details on detecting DES usage or transitioning to AES encryption, administrators can refer to Microsoft’s official documentation and tools provided on GitHub.

Stay updated on cybersecurity developments by following Microsoft Security blogs and social channels.
