Microsoft To Remove DES Encryption from Windows 11 24H2 & Windows Server 2025

Microsoft has announced that it will remove the Data Encryption Standard (DES) encryption algorithm from Kerberos authentication in upcoming Windows releases. The change affects Windows Server 2025 and Windows 11 version 24H2 once the Windows updates released on or after September 9, 2025 are installed.

The change is part of Microsoft’s Secure Future Initiative (SFI), which aims to remove outdated and weak cryptography from its products. Standardized in 1977, DES was the first federal encryption standard in the United States and was widely adopted for commercial use. Its 56-bit key is far too short by modern standards: DES keys have been recovered by brute force in practice since 1998, and the cipher has long been considered broken.

DES was part of Kerberos V5 as specified in RFC 1510 in 1993, and it arrived in Windows with Windows 2000. Windows has never relied solely on DES for Kerberos: traffic between Windows systems used RC4 (RC4-HMAC) instead. Starting with Windows 7 and Windows Server 2008 R2, the DES encryption types (DES-CBC-CRC and DES-CBC-MD5) were disabled by default, although administrators could still enable them manually.

Microsoft has indicated that DES will be disabled in Kerberos in phases. Today, Windows operates in a “Compatibility Mode,” in which DES is disabled by default but can still be enabled manually. After the September 2025 update, affected systems move to “DES in Kerberos Disabled Mode,” in which DES is no longer supported as an encryption type for any Kerberos operation, regardless of configuration.

Importantly, DES will not be removed from earlier versions of Windows, which gives organizations a window to migrate. Microsoft strongly advises organizations to find and eliminate any remaining use of DES before the September 2025 security update: detect DES usage, identify the applications and accounts that depend on it, and reconfigure them to use a stronger cipher such as the Advanced Encryption Standard (AES).

Detection and Remediation

To find DES usage, administrators can use PowerShell to scan the Security event log on each domain controller for Kerberos Key Distribution Service (KDCSVC) Event IDs 4768 (a Kerberos authentication ticket, or TGT, was requested) and 4769 (a Kerberos service ticket was requested). Both events carry a Ticket Encryption Type field; DES shows up as 0x1 (DES-CBC-CRC) or 0x3 (DES-CBC-MD5), while AES tickets are logged as 0x11 or 0x12 and RC4 as 0x17. The events are only written if the “Audit Kerberos Authentication Service” and “Audit Kerberos Service Ticket Operations” audit subcategories are enabled on the domain controllers.
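The following PowerShell is an added example, not Microsoft’s own script: it pulls 4768/4769 events from a domain controller, extracts the Ticket Encryption Type field, keeps only DES tickets, and summarizes them per account and service so each DES dependency appears once. The function and parameter names are the example’s own; the event field names (TargetUserName, ServiceName, IpAddress, TicketEncryptionType) are those Windows writes into the event XML.

```powershell
# Added example (not Microsoft's script): list Kerberos tickets issued with DES.
# Run on, or remotely against, each domain controller. The KDC logs 4768/4769 in the
# DC's Security log only when the Kerberos audit subcategories are enabled.

# Ticket Encryption Type values as logged in events 4768 and 4769.
$EncTypeNames = @{
    '0x1'  = 'DES-CBC-CRC'
    '0x3'  = 'DES-CBC-MD5'
    '0x11' = 'AES128-CTS-HMAC-SHA1-96'
    '0x12' = 'AES256-CTS-HMAC-SHA1-96'
    '0x17' = 'RC4-HMAC'
}
$DesEncTypes = @('0x1', '0x3')

function ConvertFrom-KerberosTicketEvent {
    # Flatten one 4768/4769 EventRecord into the fields that matter for the audit.
    param([Parameter(Mandatory)][System.Diagnostics.Eventing.Reader.EventRecord]$Event)
    $data = @{}
    foreach ($d in ([xml]$Event.ToXml()).Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
    $enc = $data['TicketEncryptionType']
    $encName = $(if ($EncTypeNames.ContainsKey($enc)) { $EncTypeNames[$enc] } else { "unknown ($enc)" })
    [pscustomobject]@{
        Time     = $Event.TimeCreated
        EventId  = $Event.Id
        Account  = $data['TargetUserName']   # requesting principal (4768: the TGT owner)
        Service  = $data['ServiceName']      # 4768: krbtgt; 4769: account behind the requested SPN
        ClientIP = $data['IpAddress']
        EncType  = $enc
        EncName  = $encName
    }
}

function Get-KerberosDesTickets {
    param(
        [string]$ComputerName = $env:COMPUTERNAME,   # a domain controller
        [datetime]$Since = (Get-Date).AddDays(-7)
    )
    $filter = @{ LogName = 'Security'; Id = 4768, 4769; StartTime = $Since }
    # SilentlyContinue: Get-WinEvent raises a non-terminating error when nothing matches.
    Get-WinEvent -ComputerName $ComputerName -FilterHashtable $filter -ErrorAction SilentlyContinue |
        ForEach-Object { ConvertFrom-KerberosTicketEvent -Event $_ } |
        Where-Object { $_.EncType -in $DesEncTypes }
}

function Get-DesUsageSummary {
    # Group DES tickets by account, service and cipher so each dependency shows up once.
    param([Parameter(ValueFromPipeline)]$Ticket)
    begin { $all = @() }
    process { $all += $Ticket }
    end {
        $all | Group-Object Account, Service, EncName | ForEach-Object {
            [pscustomobject]@{
                Account  = $_.Group[0].Account
                Service  = $_.Group[0].Service
                Cipher   = $_.Group[0].EncName
                Count    = $_.Count
                LastSeen = ($_.Group | Measure-Object Time -Maximum).Maximum
                Clients  = ($_.Group.ClientIP | Sort-Object -Unique) -join ','
            }
        }
    }
}

# Usage: audit every domain controller for the last 30 days (Get-ADDomainController
# needs the ActiveDirectory module from RSAT).
# $dcs = (Get-ADDomainController -Filter *).HostName
# $dcs | ForEach-Object { Get-KerberosDesTickets -ComputerName $_ -Since (Get-Date).AddDays(-30) } |
#     Get-DesUsageSummary | Sort-Object Count -Descending | Format-Table -AutoSize
```

The Service column is the fastest way to map a DES ticket back to an application: for 4769 it names the service account that owns the requested SPN, which is usually the account whose encryption types need fixing, while the Clients column tells you which hosts to test after the change.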

Once DES usage has been identified, disable it through Active Directory account settings and Group Policy. In Active Directory Users and Computers, open the properties of each affected account and, on the Account tab, make sure the “Use only Kerberos DES encryption types for this account” option is unchecked.

Screenshot of the account options in Active Directory Users and Computers showing the DES encryption checkbox (Source – Microsoft)

In Group Policy, open “Network security: Configure encryption types allowed for Kerberos,” located under Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options, and make sure neither DES option is selected. The same bitmask is used in the msDS-SupportedEncryptionTypes attribute of each account, so the two settings should be kept consistent.

Dialog box for configuring Kerberos encryption types (Source – Microsoft)

Accounts whose password was last set on a domain controller running Windows Server 2003 or earlier have no AES keys, because AES keys are only generated when a password is set on an AES-capable domain controller; Microsoft recommends resetting those passwords before restricting the accounts to AES. Organizations should move from DES to AES gradually, confirm that all domain and forest trusts support AES, and test each change with a rollback plan in place.
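The following PowerShell is an added example, not Microsoft’s own script, that covers the remediation steps above: it finds user and computer accounts that still have the DES-only flag set or a DES bit in msDS-SupportedEncryptionTypes, flags accounts whose password predates a cutoff you supply (the date your first AES-capable domain controller went in; the date in the usage note is an assumed placeholder), switches each account to AES, and decodes the Kerberos encryption-type policy applied to the local machine. It assumes the ActiveDirectory module from RSAT and rights to modify the accounts; the function names are the example’s own.

```powershell
# Added example (not Microsoft's script): audit and remediate DES-enabled accounts,
# and decode the Kerberos encryption-type policy applied to this host.
Import-Module ActiveDirectory

# userAccountControl bit behind "Use only Kerberos DES encryption types for this account".
$UF_USE_DES_KEY_ONLY = 0x200000
# Bitmask shared by msDS-SupportedEncryptionTypes and the Group Policy registry value.
$EncBits = [ordered]@{ 'DES-CBC-CRC' = 0x1; 'DES-CBC-MD5' = 0x2; 'RC4-HMAC' = 0x4; 'AES128' = 0x8; 'AES256' = 0x10 }
$DesMask = 0x3
$BitAnd  = '1.2.840.113556.1.4.803'   # LDAP_MATCHING_RULE_BIT_AND

function Convert-EncMask {
    # Render a SupportedEncryptionTypes bitmask as cipher names.
    param($Mask)
    if ($null -eq $Mask -or $Mask -eq 0) { return '(not set: default applies)' }
    ($EncBits.Keys | Where-Object { $Mask -band $EncBits[$_] }) -join ','
}

function Find-DesAccounts {
    # Users and computers with the DES-only flag, or a DES bit in msDS-SupportedEncryptionTypes.
    $ldap  = "(|(userAccountControl:$BitAnd:=$UF_USE_DES_KEY_ONLY)(msDS-SupportedEncryptionTypes:$BitAnd:=$DesMask))"
    $props = 'userAccountControl', 'msDS-SupportedEncryptionTypes', 'PasswordLastSet'
    @(Get-ADUser -LDAPFilter $ldap -Properties $props) + @(Get-ADComputer -LDAPFilter $ldap -Properties $props) |
        ForEach-Object {
            [pscustomobject]@{
                Name            = $_.SamAccountName
                DN              = $_.DistinguishedName
                Class           = $_.ObjectClass
                DesOnlyFlag     = [bool]($_.userAccountControl -band $UF_USE_DES_KEY_ONLY)
                SupportedTypes  = Convert-EncMask $_.'msDS-SupportedEncryptionTypes'
                PasswordLastSet = $_.PasswordLastSet
            }
        }
}

function Set-AccountToAes {
    # Clear the DES-only flag, then restrict the account to AES128/AES256.
    param([Parameter(Mandatory)]$Account)   # one object returned by Find-DesAccounts
    Set-ADAccountControl -Identity $Account.DN -UseDESKeyOnly $false
    if ($Account.Class -eq 'computer') {
        Set-ADComputer -Identity $Account.DN -KerberosEncryptionType AES128, AES256
    } else {
        Set-ADUser -Identity $Account.DN -KerberosEncryptionType AES128, AES256
    }
}

function Get-LocalKerberosEncPolicy {
    # Value written by "Network security: Configure encryption types allowed for Kerberos".
    $key = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Kerberos\Parameters'
    $v = (Get-ItemProperty -Path $key -Name SupportedEncryptionTypes -ErrorAction SilentlyContinue).SupportedEncryptionTypes
    if ($null -eq $v) { return 'Not configured (OS defaults apply)' }
    Convert-EncMask $v
}

# Usage:
# $hits = Find-DesAccounts
# $hits | Format-Table -AutoSize
# # Passwords set before the first AES-capable DC have no AES keys: reset those first.
# # The cutoff date below is an assumed placeholder; use the date of your own DC upgrade.
# $hits | Where-Object { $_.PasswordLastSet -lt [datetime]'2012-01-01' } | Format-Table Name, PasswordLastSet
# $hits | ForEach-Object { Set-AccountToAes -Account $_ }
# Get-LocalKerberosEncPolicy
```

Set-ADAccountControl and Set-ADUser/Set-ADComputer are run separately on purpose: clearing the DES-only flag removes the checkbox from the Account tab, while -KerberosEncryptionType writes msDS-SupportedEncryptionTypes, and a DES bit left in either place is enough for the KDC to keep issuing DES tickets.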


Winsage