Microsoft Promotes AES Encryption for Windows 11 24H2 and Server 2025, Phases Out DES Encryption

Microsoft Phases Out DES Encryption in Upcoming Windows Releases

This week, Microsoft announced significant updates to its official pages outlining the features that are being phased out in Windows Client and Windows Server. Among the notable changes is the removal of the Data Encryption Standard (DES) cipher from both Windows 11 version 24H2 and Windows Server 2025. Microsoft is making this move as part of its ongoing effort to enhance security within the Windows ecosystem, citing the outdated nature of the DES algorithm as a primary reason.

In a recent statement, Microsoft explained:

DES, the symmetric-key block encryption cipher, is considered nonsecure against modern cryptographic attacks and has been replaced by more robust encryption algorithms. DES was disabled by default starting with Windows 7 and Windows Server 2008 R2. It will be completely removed from Windows 11 version 24H2 and later, as well as Windows Server 2025 and beyond.

Understanding DES and Its Limitations

For those unfamiliar with DES, it is a symmetric block cipher developed in the 1970s that uses a 56-bit key to encrypt 64-bit data blocks. While Triple DES has been recommended by NIST (National Institute of Standards and Technology) for use until 2030, it is essential to transition to stronger encryption standards.

Transition Recommendations for IT Administrators

To aid IT teams and system administrators in this transition, Microsoft has rolled out updates in the Windows message center, cautioning about the end of DES support within Kerberos for both Windows 11 version 24H2 and Windows Server 2025. The recommendation is to shift to the Advanced Encryption Standard (AES), which supports key lengths of 128, 192, or 256 bits, as it offers superior security.

IT admins: Prepare for the removal of Data Encryption Standard (DES) in Kerberos for Windows Server 2025 and Windows 11 version 24H2. While it’s an optional component that isn’t installed by default, it’s crucial to identify and disable DES usage to prevent operational disruptions following the September 2025 security update. Consider implementing the Advanced Encryption Standard (AES) algorithm as a more secure encryption option.

AES Deployment on Windows 11 Home PCs

In a further push towards stronger encryption, Microsoft has enabled the default encryption of Home PCs running Windows 11 version 24H2 with an AES-based BitLocker system. This initiative emphasizes how system components, such as TPM (Trusted Platform Module), are integral to maintaining security standards.

Phased Removal of DES in Kerberos

Microsoft will remove DES from Kerberos in two distinct phases, Compatibility Mode and Disabled Mode, which unfold as follows:

Compatibility Mode: DES within Kerberos has been disabled by default on all versions of Windows released from Windows 7 and Windows Server 2008 R2 onwards. If situations arise requiring DES in Kerberos, administrators can still manually enable the DES cipher on supported systems—excluding Windows 11 version 24H2 and Windows Server 2025 for updates applied on or after September 9, 2025.

Disabled Mode: Following the complete removal of DES, it will no longer function as an encryption cipher within Kerberos for either Windows Server 2025 or Windows 11 version 24H2. Any legacy systems still relying on DES will encounter operational issues until appropriate adjustments are made by IT administrators to adopt a safer cipher.

Importantly, DES will remain available on earlier versions of Windows.
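
One way to identify accounts that still permit DES in Kerberos before the removal takes effect, as an added example that is not part of Microsoft's announcement or of this article: it decodes the DES bits of the msDS-SupportedEncryptionTypes and userAccountControl attributes. The helper name Get-DesFinding and the sample accounts are hypothetical and constructed for illustration.

```powershell
# Added example: flag Kerberos principals whose AD attributes still allow DES.
$DES_CBC_CRC      = 0x1        # msDS-SupportedEncryptionTypes bit
$DES_CBC_MD5      = 0x2        # msDS-SupportedEncryptionTypes bit
$AES128           = 0x8        # msDS-SupportedEncryptionTypes bit
$AES256           = 0x10       # msDS-SupportedEncryptionTypes bit
$USE_DES_KEY_ONLY = 0x200000   # userAccountControl bit

# Get-DesFinding is a hypothetical helper name, not a built-in cmdlet.
function Get-DesFinding {
    param([Parameter(ValueFromPipeline)] $Account)
    process {
        # An attribute that is not set arrives as $null and casts to 0.
        $uac = [int]$Account.userAccountControl
        $enc = [int]$Account.'msDS-SupportedEncryptionTypes'
        $reasons = @()
        if ($uac -band $USE_DES_KEY_ONLY) { $reasons += 'USE_DES_KEY_ONLY set' }
        if ($enc -band $DES_CBC_CRC)      { $reasons += 'DES-CBC-CRC allowed' }
        if ($enc -band $DES_CBC_MD5)      { $reasons += 'DES-CBC-MD5 allowed' }
        if ($reasons.Count -gt 0) {
            [pscustomobject]@{
                Name    = $Account.sAMAccountName
                Reasons = $reasons -join '; '
                # False means the account has no AES types listed yet.
                HasAes  = [bool]($enc -band ($AES128 -bor $AES256))
            }
        }
    }
}

# Constructed sample records (not real accounts) so the logic runs offline.
$sample = @(
    [pscustomobject]@{ sAMAccountName = 'svc-legacy'; userAccountControl = 0x200200
                       'msDS-SupportedEncryptionTypes' = $null }
    [pscustomobject]@{ sAMAccountName = 'svc-mixed';  userAccountControl = 0x200
                       'msDS-SupportedEncryptionTypes' = 0x1B }
    [pscustomobject]@{ sAMAccountName = 'svc-modern'; userAccountControl = 0x200
                       'msDS-SupportedEncryptionTypes' = 0x18 }
)
$sample | Get-DesFinding | Format-Table -AutoSize

# LDAP filter matching either the UAC flag (bitwise AND rule) or any DES
# encryption-type bit (bitwise OR rule), for use against a live domain.
$filter = '(|(userAccountControl:1.2.840.113556.1.4.803:=2097152)' +
          '(msDS-SupportedEncryptionTypes:1.2.840.113556.1.4.804:=3))'
# With the ActiveDirectory module loaded, the same check would be fed by:
#   Get-ADObject -LDAPFilter $filter -Properties sAMAccountName,
#       userAccountControl, msDS-SupportedEncryptionTypes | Get-DesFinding
```

These attributes show what an account is permitted to use, not what is actually negotiated; a ticket encryption type of 0x1 or 0x3 in Security events 4768 and 4769 on domain controllers indicates DES tickets are still being issued.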

For a more detailed overview, you can explore Microsoft’s official insights on this topic here.
