Date: 2025-03-01

This week, Microsoft updated the webpages that track the features removed from Windows client and Windows Server. The company has confirmed that the DES (Data Encryption Standard) cipher is being removed from Windows 11 24H2 and Windows Server 2025. The tech giant reasons that the DES encryption algorithm is too old to be secure, and that removing it is part of the broader strategy to improve Windows security.

Microsoft writes:

DES, the symmetric-key block encryption cipher, is considered nonsecure against modern cryptographic attacks, and replaced by more robust encryption algorithms. DES was disabled by default starting with Windows 7 and Windows Server 2008 R2. It's removed from Windows 11, version 24H2 and later, and Windows Server 2025 and later.

For those who may not be familiar with it, DES is a symmetric cipher that was developed back in the 1970s. It uses a 56-bit key to encrypt and decrypt 64-bit data blocks. Triple DES is the form of DES that NIST (National Institute of Standards and Technology) recommends these days, through 2030.

Microsoft has also updated the Windows message center to inform IT admins and system administrators about the upcoming removal of DES in Kerberos on Windows 11 24H2 and Windows Server 2025. It recommends moving to AES (Advanced Encryption Standard), which uses longer key lengths of 128, 192, or 256 bits. It says:

IT admins: Prepare for removal of Data Encryption Standard (DES) in Kerberos for Windows Server 2025 and Windows 11, version 24H2. While it’s an optional component that isn’t installed by default, it’s important to detect and disable your DES use to avoid potential disruption before taking the September 2025 security update. Consider adopting the Advanced Encryption Standard (AES) algorithm as a stronger encryption method.

Microsoft also now allows default encryption of Windows 11 24H2 Home PCs with AES-based BitLocker, and it recently explained how system requirements like TPM play a key part in that.

The company has also described how the disablement of DES in Kerberos will be done in two phases, Compatibility Mode and Disabled Mode:

This transition to disable DES in Kerberos on Windows devices will occur in phases.

Compatibility Mode: DES in Kerberos is disabled by default on all Client and Server versions of Windows released on and after Windows 7 and Windows Server 2008 R2. If DES is required in Kerberos, administrators can manually configure the DES cipher on supported operating systems with the exception of Windows 11 24H2 and Windows Server 2025 devices that have installed updates released on and after September 9, 2025.

DES in Kerberos Disabled Mode: Once DES in Kerberos is removed, it will no longer be supported as an encryption cipher in any function of Kerberos in Windows Server 2025 and later and Windows 11, version 24H2 and later. Legacy scenarios using DES on those two operating system versions will stop working until Kerberos-related application and network security configuration changes are made by IT administrators, so a safer cipher can be used. DES will not be removed from earlier Windows versions.
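
One way to start on the "detect and disable your DES use" step is to audit which accounts are still explicitly configured for DES. The following is an added example, not code from Microsoft or from the original article: the function name `Get-DesExposure` and the sample accounts are hypothetical, and the bit values are those of the Active Directory `msDS-SupportedEncryptionTypes` attribute and the `USE_DES_KEY_ONLY` flag of `userAccountControl`.

```powershell
# Added example: flag accounts whose directory attributes still permit DES in Kerberos.
# Bit values of the msDS-SupportedEncryptionTypes attribute.
$EncTypes = [ordered]@{
    'DES-CBC-CRC' = 0x1
    'DES-CBC-MD5' = 0x2
    'RC4-HMAC'    = 0x4
    'AES128'      = 0x8
    'AES256'      = 0x10
}
$UseDesKeyOnly = 0x200000   # userAccountControl flag USE_DES_KEY_ONLY

function Get-DesExposure {   # hypothetical helper name
    param([Parameter(Mandatory, ValueFromPipeline)] $Account)
    process {
        # An unset attribute arrives as $null and casts to 0 (no explicit types).
        $set = [int]($Account.'msDS-SupportedEncryptionTypes')
        $uac = [int]($Account.userAccountControl)
        $names = @($EncTypes.GetEnumerator() |
            Where-Object { $set -band $_.Value } |
            ForEach-Object { $_.Key })
        $reasons = @()
        if ($set -band 0x3) { $reasons += 'DES bit set in msDS-SupportedEncryptionTypes' }
        if ($uac -band $UseDesKeyOnly) { $reasons += 'USE_DES_KEY_ONLY set in userAccountControl' }
        if (($set -band 0x3) -and -not ($set -band 0x18)) {
            $reasons += 'no AES type enabled, account will break once DES is removed'
        }
        if ($reasons.Count -gt 0) {
            [pscustomobject]@{
                Name     = $Account.Name
                EncTypes = $names -join ','
                Reasons  = $reasons -join '; '
            }
        }
    }
}

# Constructed sample accounts so the script runs offline. In a domain, pipe in
# real objects instead, for example:
#   Get-ADUser -Filter * -Properties msDS-SupportedEncryptionTypes,userAccountControl
#   Get-ADComputer -Filter * -Properties msDS-SupportedEncryptionTypes,userAccountControl
$sample = @(
    [pscustomobject]@{ Name = 'svc-legacy'; 'msDS-SupportedEncryptionTypes' = 0x3;   userAccountControl = 0x200200 }
    [pscustomobject]@{ Name = 'svc-mixed';  'msDS-SupportedEncryptionTypes' = 0x1F;  userAccountControl = 0x200 }
    [pscustomobject]@{ Name = 'svc-modern'; 'msDS-SupportedEncryptionTypes' = 0x18;  userAccountControl = 0x200 }
    [pscustomobject]@{ Name = 'user-unset'; 'msDS-SupportedEncryptionTypes' = $null; userAccountControl = 0x200 }
)
$sample | Get-DesExposure | Format-List
```

This audit shows what each account is configured to allow, not which cipher a ticket was actually issued with, so it complements rather than replaces reviewing Kerberos ticket events on the domain controllers.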

You can find a lot more details about it in the Microsoft Tech Community blog post.