Prepare for removal of DES in Kerberos for Windows Server and client

Prepare for removal of Data Encryption Standard (DES) in Kerberos for Windows Server 2025 and Windows 11, version 24H2. While it’s an optional component that isn’t installed by default, it’s important to detect and disable your DES use to avoid potential disruption before taking the September 2025 security update. Consider adopting the Advanced Encryption Standard (AES) algorithm as a stronger encryption method.  
 

When will this happen: 
  • September 2025: DES in Kerberos will be removed from Windows Server 2025 and Windows 11, version 24H2. 
  • Alternative solutions are available to you today. 
 
How this will affect your organization: 
Once DES in Kerberos is removed, it will no longer be supported as an encryption cipher in any function of Kerberos in Windows Server 2025 and later or in Windows 11, version 24H2. Legacy scenarios using DES on these two versions will stop working until you make configuration changes to Kerberos-related application and network security. DES will not be removed from earlier Windows versions. 
 
What you need to do to prepare: 
First, detect any use of DES in Kerberos within your network, identify apps that are using DES, and reconfigure them to use a stronger cipher. Ultimately, you’ll need to disable DES before taking the September 2025 Windows security update. Finally, identify apps and callers negotiating DES and upgrade to a more secure encryption cipher, such as the Advanced Encryption Standard (AES) algorithm. 
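
One way to approach the detection step, as an added example that is not part of the original message or Microsoft's guidance: it flags accounts whose directory attributes permit or force DES, and Kerberos ticket events (Security event IDs 4768 and 4769) issued with a DES cipher. It assumes the account attributes and event data have already been exported into dictionaries keyed by the AD attribute and EventData names; all sample records and names are constructed.

```python
# Added example: constructed records shaped like an AD attribute export and the
# EventData of Security events 4768/4769 (the record layout is an assumption).
DES_ETYPE_BITS = {0x1: "DES-CBC-CRC", 0x2: "DES-CBC-MD5"}     # msDS-SupportedEncryptionTypes
USE_DES_KEY_ONLY = 0x200000                                   # userAccountControl flag
DES_TICKET_ETYPES = {0x1: "DES-CBC-CRC", 0x3: "DES-CBC-MD5"}  # Kerberos etype numbers
KDC_EVENT_IDS = {4768, 4769}                                  # TGT / service ticket requests

def to_int(value):
    """Accept ints, decimal or hex strings ('0x3'); empty or None counts as 0."""
    if value is None or value == "":
        return 0
    return value if isinstance(value, int) else int(str(value).strip(), 0)

def audit_accounts(accounts):
    """Return (account, reasons) for accounts whose attributes permit or force DES."""
    findings = []
    for acct in accounts:
        reasons = []
        if to_int(acct.get("userAccountControl")) & USE_DES_KEY_ONLY:
            reasons.append("USE_DES_KEY_ONLY")
        etypes = to_int(acct.get("msDS-SupportedEncryptionTypes"))
        reasons += [name for bit, name in DES_ETYPE_BITS.items() if etypes & bit]
        if reasons:
            findings.append((acct["sAMAccountName"], reasons))
    return findings

def audit_ticket_events(events):
    """Return (client, service, source IP, cipher) for tickets issued with DES."""
    hits = []
    for ev in events:
        etype = to_int(ev.get("TicketEncryptionType"))
        if to_int(ev.get("EventID")) in KDC_EVENT_IDS and etype in DES_TICKET_ETYPES:
            hits.append((ev["TargetUserName"], ev["ServiceName"],
                         ev["IpAddress"], DES_TICKET_ETYPES[etype]))
    return hits

SAMPLE_ACCOUNTS = [  # constructed
    {"sAMAccountName": "svc-legacyapp", "userAccountControl": "2163200", "msDS-SupportedEncryptionTypes": ""},
    {"sAMAccountName": "svc-nfs", "userAccountControl": "66048", "msDS-SupportedEncryptionTypes": "31"},
    {"sAMAccountName": "alice", "userAccountControl": "512", "msDS-SupportedEncryptionTypes": "24"},
]
SAMPLE_EVENTS = [  # constructed; 0xFFFFFFFF is what a failed request records
    {"EventID": 4769, "TargetUserName": "alice@CORP.EXAMPLE", "ServiceName": "svc-nfs", "IpAddress": "::ffff:10.0.0.21", "TicketEncryptionType": "0x3"},
    {"EventID": 4769, "TargetUserName": "alice@CORP.EXAMPLE", "ServiceName": "krbtgt", "IpAddress": "::ffff:10.0.0.21", "TicketEncryptionType": "0x12"},
    {"EventID": 4768, "TargetUserName": "svc-legacyapp@CORP.EXAMPLE", "ServiceName": "krbtgt", "IpAddress": "::ffff:10.0.0.40", "TicketEncryptionType": "0x1"},
    {"EventID": 4769, "TargetUserName": "bob@CORP.EXAMPLE", "ServiceName": "svc-nfs", "IpAddress": "::ffff:10.0.0.22", "TicketEncryptionType": "0xFFFFFFFF"},
]
if __name__ == "__main__":
    print(audit_accounts(SAMPLE_ACCOUNTS))
    print(audit_ticket_events(SAMPLE_EVENTS))
```

The account check shows where DES is still allowed, while the event check shows where it is actually being negotiated, including the source address of the caller to follow up with.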
 
Additional information: 
Learn more and follow recommended guidance to detect and disable DES usage in Removal of DES in Kerberos for Windows Server and client.

Message ID: MC1020176

