This week, Microsoft updated the web page that tracks features removed from Windows clients and Windows Server. The company has confirmed that Windows 11 24H2 and Windows Server 2025 remove the DES (Data Encryption Standard) cipher. Microsoft's reasoning is that the DES algorithm is too old and insecure, so removing it is justified and forms part of a wider strategy to improve Windows security.
Microsoft said:
The symmetric key block cipher algorithm DES is considered insecure against modern cryptographic attacks and has been replaced by stronger encryption algorithms. Starting with Windows 7 and Windows Server 2008 R2, DES is disabled by default. In Windows 11 24H2 and later, and Windows Server 2025 and later, DES has been removed.
DES is a symmetric cipher that was developed back in the 1970s. It uses a 56-bit key to encrypt and decrypt 64-bit data blocks. By 2030, NIST (National Institute of Standards and Technology) recommends the use of triple DES.
Microsoft also updated the Windows Message Center to notify IT and system administrators that DES in Kerberos will be eliminated in Windows 11 24H2 and Windows Server 2025. It recommends migrating to AES (Advanced Encryption Standard), which uses longer key lengths of 128, 192 or 256 bits. It says:
IT Admins: Prepare to remove Data Encryption Standard (DES) from Kerberos in Windows Server 2025 and Windows 11 version 24H2. While this is an optional component that is not installed by default, the use of DES must be detected and disabled before using the September 2025 security update to avoid potential disruption. Consider the Advanced Encryption Standard (AES) algorithm as a stronger encryption method.
Microsoft is also now enabling encryption by default on Windows 11 24H2 Home PCs through AES-based BitLocker; the company recently explained how system requirements such as the TPM play a key role in this.
The company also explained that disabling DES in Kerberos will occur in two phases, namely compatibility mode and disabled mode:
The transition to disabling DES in Kerberos on Windows devices will occur in phases.
Compatibility Mode: DES in Kerberos is disabled by default in Windows 7 and Windows Server 2008 R2 and all Windows client and server versions released after. If DES needs to be used with Kerberos, administrators can manually configure the DES cipher on supported operating systems, except for Windows 11 24H2 and Windows Server 2025 devices with updates released on or after September 9, 2025.
DES in Kerberos disabled mode: Once DES in Kerberos is removed, it will no longer be supported as an encrypted cipher for any feature of Kerberos in Windows Server 2025 and later and Windows 11 24H2 and later. The legacy scenario using DES on both operating system versions will stop working until IT administrators make changes to Kerberos-related application and network security configurations to use more secure passwords.
Earlier versions of Windows will not remove DES.
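Microsoft's notice says DES use "must be detected and disabled" before the September 2025 update. The script below is an added example of how an administrator could do that inventory; it is not from the article or from Microsoft. It assumes the RSAT ActiveDirectory module on a domain-joined admin host, Kerberos ticket auditing (events 4768/4769) enabled on the domain controller, and a placeholder DC name.

```powershell
# Added example: find where DES is still permitted or actually used for Kerberos.
# Assumes RSAT ActiveDirectory module and read access to a DC's Security log.
Import-Module ActiveDirectory
$Dc = 'DC01.example.local'   # placeholder: a domain controller to read audit events from

# msDS-SupportedEncryptionTypes bit flags for the two DES etypes
$DesCbcCrc     = 0x1
$DesCbcMd5     = 0x2
$DesMask       = $DesCbcCrc -bor $DesCbcMd5
# userAccountControl flag USE_DES_KEY_ONLY: account is restricted to DES keys
$UseDesKeyOnly = 0x200000

# 1. Accounts whose policy still allows DES (bitwise OR match, OID ...804) or that
#    are forced to DES-only keys (bitwise AND match, OID ...803).
$ldap = "(|(userAccountControl:1.2.840.113556.1.4.803:=$UseDesKeyOnly)" +
        "(msDS-SupportedEncryptionTypes:1.2.840.113556.1.4.804:=$DesMask))"
$props = 'msDS-SupportedEncryptionTypes', 'userAccountControl', 'servicePrincipalName'
$desAccounts = Get-ADObject -LDAPFilter $ldap -Properties $props |
    Select-Object Name, ObjectClass,
        @{ n = 'DesOnlyFlag';     e = { ($_.userAccountControl -band $UseDesKeyOnly) -ne 0 } },
        @{ n = 'SupportedEtypes'; e = { '0x{0:X}' -f [int]$_.'msDS-SupportedEncryptionTypes' } },
        @{ n = 'HasSPN';          e = { $_.servicePrincipalName.Count -gt 0 } }

# 2. Tickets issued in the last 30 days with a DES etype:
#    TicketEncryptionType 0x1 = DES-CBC-CRC, 0x3 = DES-CBC-MD5 (AES is 0x11/0x12).
$since = (Get-Date).AddDays(-30)
$desTickets = Get-WinEvent -ComputerName $Dc -ErrorAction SilentlyContinue -FilterHashtable @{
        LogName = 'Security'; Id = 4768, 4769; StartTime = $since } |
    ForEach-Object {
        $x = [xml]$_.ToXml()
        $d = @{}
        foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
        [pscustomobject]@{
            Time    = $_.TimeCreated
            Event   = $_.Id
            Client  = $d['TargetUserName']
            Service = $d['ServiceName']
            Etype   = $d['TicketEncryptionType']
        }
    } | Where-Object { $_.Etype -in '0x1', '0x3' }

# Anything listed here needs its msDS-SupportedEncryptionTypes moved to the AES bits
# (0x8 AES128, 0x10 AES256) and the DES-only flag cleared before the update lands.
$desAccounts | Format-Table -AutoSize
$desTickets  | Format-Table -AutoSize
```

Run the second half against each domain controller, since ticket events are logged only on the DC that issued the ticket.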
You can find more relevant details in the Microsoft TechCommunity blog post:
https://techcommunity.microsoft.com/blog/WindowsServerNewsandBestPractices/removal-of-des-in-kerberos-for-windows-server-and-client/4386903