In a step to improve cybersecurity, Microsoft has officially removed Data Encryption Standard (DES) from both Windows 11 24H2 and Windows Server 2025.
Enterprises are now required to adopt Advanced Encryption Standard (AES) for Kerberos authentication, marking the full phase-out of DES across these platforms.
AES encryption is vastly more secure than DES due to its key length and algorithm structure. DES, by contrast, can be cracked with modern computational power, leaving systems that rely on it vulnerable to data breaches.
The decision is part of Microsoft’s broader push to enhance security by pushing for stronger encryption standards, especially in light of the increasing threat landscape facing enterprise networks.
Why Microsoft is Phasing Out DES
DES, developed in the 1970s, was once a standard encryption method for many organizations, including Microsoft.
However, its 56-bit key has long been considered weak in today’s cybersecurity environment. As computational power has advanced, DES has become vulnerable to brute-force attacks, making it inadequate to protect sensitive data in modern systems.
With the transition, Microsoft moves away from DES to ensure that its platforms are protected using industry-standard AES, which is more resilient to these types of attacks.
The decision aligns with long-standing recommendations from the National Institute of Standards and Technology (NIST), which has advised against using DES due to its weaknesses.
NIST encourages the use of AES, which supports stronger encryption and is a more reliable defense against contemporary cyber threats. Microsoft’s enforcement of AES encryption across Windows 11 and Server 2025 reinforces its commitment to better safeguarding enterprise systems.
What Does This Mean for Enterprises?
For enterprises still relying on DES for Kerberos authentication, this change is not without significant impact. Businesses must now swiftly transition to AES to avoid authentication failures and to remain compliant with modern security standards.
While Microsoft has been warning users for years, the removal of DES from these operating systems is now final, and organizations can no longer delay the migration. Businesses relying on older systems face a tight timeline for these updates.
IT administrators now have a critical role in ensuring that their systems are upgraded to AES. As part of the transition, organizations must:
- Audit current Kerberos configurations to identify any use of DES.
- Update security policies to ensure AES-based authentication protocols are used.
- Test configurations to ensure smooth migration and prevent disruptions.
Failure to make these adjustments could result in system failures, affecting access to critical services across the enterprise network.
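As an added example of the audit step (not code from the article or from Microsoft), this PowerShell decodes the documented msDS-SupportedEncryptionTypes bit values and the USE_DES_KEY_ONLY flag in userAccountControl to flag accounts that would lose Kerberos authentication once DES is gone; the function name Get-KerberosEncTypeFinding and the sample account records are assumptions made for the example.

```powershell
# Added example (not from the article or from Microsoft). Bit values below are
# the documented Active Directory ones for msDS-SupportedEncryptionTypes.
$EncTypeBits = [ordered]@{
    DES_CBC_CRC          = 0x01
    DES_CBC_MD5          = 0x02
    RC4_HMAC_MD5         = 0x04
    AES128_CTS_HMAC_SHA1 = 0x08
    AES256_CTS_HMAC_SHA1 = 0x10
}
$DesBits       = 0x03       # either DES bit set
$AesBits       = 0x18       # either AES bit set
$UseDesKeyOnly = 0x200000   # userAccountControl flag USE_DES_KEY_ONLY

function Get-KerberosEncTypeFinding {
    param([Parameter(ValueFromPipeline)] $Account)
    process {
        $mask = [int]$Account.'msDS-SupportedEncryptionTypes'   # unset attribute -> 0
        $uac  = [int]$Account.userAccountControl
        $names = @($EncTypeBits.GetEnumerator() |
                   Where-Object { ($mask -band $_.Value) -ne 0 } |
                   ForEach-Object Key)
        $desOnlyFlag = ($uac -band $UseDesKeyOnly) -ne 0
        $hasDes = ($mask -band $DesBits) -ne 0
        $hasAes = ($mask -band $AesBits) -ne 0
        if ($desOnlyFlag -or ($hasDes -and -not $hasAes)) { $finding = 'DES-dependent: will fail on 24H2 / Server 2025' }
        elseif ($hasDes)                                  { $finding = 'DES still enabled: clear DES bits, keep AES' }
        elseif ($mask -eq 0)                              { $finding = 'attribute unset: set AES bits explicitly' }
        else                                              { $finding = 'OK' }
        [pscustomobject]@{
            SamAccountName = $Account.sAMAccountName
            EncTypes       = ($names -join ',')
            UseDesKeyOnly  = $desOnlyFlag
            Finding        = $finding
        }
    }
}

# Constructed sample records standing in for Get-ADObject output (not real accounts).
$sample = @(
    [pscustomobject]@{ sAMAccountName = 'svc-legacy';  'msDS-SupportedEncryptionTypes' = 0x03; userAccountControl = 0x10200 }
    [pscustomobject]@{ sAMAccountName = 'svc-mixed';   'msDS-SupportedEncryptionTypes' = 0x1B; userAccountControl = 0x10200 }
    [pscustomobject]@{ sAMAccountName = 'svc-desflag'; 'msDS-SupportedEncryptionTypes' = 0x18; userAccountControl = 0x210200 }
    [pscustomobject]@{ sAMAccountName = 'svc-modern';  'msDS-SupportedEncryptionTypes' = 0x18; userAccountControl = 0x10200 }
)
$sample | Get-KerberosEncTypeFinding | Format-Table -AutoSize

# Against a live domain (ActiveDirectory module), pull only objects with a DES bit or the DES-only flag:
# Get-ADObject -LDAPFilter '(|(msDS-SupportedEncryptionTypes:1.2.840.113556.1.4.803:=3)(userAccountControl:1.2.840.113556.1.4.803:=2097152))' `
#   -Properties sAMAccountName,msDS-SupportedEncryptionTypes,userAccountControl | Get-KerberosEncTypeFinding
```

The LDAP filter uses the bitwise-AND matching rule, so it returns the DES-dependent accounts without reading every object in the directory.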
Microsoft’s History of Phasing Out DES
The decision to remove DES has been a long time coming. Microsoft started phasing out DES years ago, first marking it as deprecated in earlier versions of Windows Server.
These early warnings were part of the company’s effort to guide businesses toward a more secure encryption standard.
Earlier versions of Windows Server restricted the use of DES but still allowed it in certain scenarios.
However, with the introduction of Windows 11 24H2 and Windows Server 2025, Microsoft has removed DES support entirely, pushing businesses to adopt AES if they want to maintain secure Kerberos authentication.
What’s at Stake for Enterprises Still Using DES?
The removal of DES encryption represents a serious security concern for businesses that have failed to transition to AES. This change is not simply an update—it’s a necessary step to protect enterprise systems from emerging threats.
Without AES, enterprises will be vulnerable to modern cyberattacks that specifically target older encryption methods like DES.
DES’s vulnerability to brute-force attacks is why Microsoft has accelerated its phase-out, urging businesses to make the transition to AES as soon as possible. For those still operating on DES, the risk of security breaches significantly increases.
IT teams now face the task of reconfiguring their authentication systems. For companies that haven’t yet switched, time is critical, as continuing to rely on DES will compromise the integrity of Kerberos authentication.
Microsoft has made it clear that the use of AES is mandatory, and any organization still on DES will have to implement AES to continue using Kerberos services without disruption.
AES and Kerberos: The Heart of Modern Enterprise Security
Understanding the critical role of Kerberos authentication in enterprise environments is essential. Kerberos is the primary protocol used by many organizations to secure network authentication, ensuring that user credentials and services are protected through symmetric-key cryptography.
AES adds a level of security that DES could never achieve, making it the new encryption standard for Kerberos authentication in Windows 11 24H2 and Server 2025.
AES supports 128-bit, 192-bit, and 256-bit keys, which are significantly stronger than the 56-bit key used by DES. This enhanced security makes AES capable of resisting brute-force attacks, which have become a common method of breaching older encryption systems like DES.
The switch to AES-based Kerberos authentication ensures that both user credentials and network communications are protected with robust encryption, preventing unauthorized access to sensitive data.
For enterprises handling highly sensitive information—such as financial records, customer data, and intellectual property—using AES provides an additional layer of security that aligns with best practices in encryption.
The security of Kerberos authentication is paramount. AES is far more resilient to cryptographic attacks than DES, and its widespread adoption ensures that enterprises can maintain the highest levels of data protection, even in the face of increasingly sophisticated cyberattacks.
The Future of Windows Security: Moving Beyond DES
As Microsoft continues to enhance its security features, the switch to AES represents just one part of a broader initiative to secure Windows environments.
The company is increasingly focusing on enforcing stronger authentication protocols, such as multi-factor authentication (MFA), which will further secure users and enterprise systems from unauthorized access.
Windows 12 and future versions will likely continue the trend of enforcing stronger security features, including even more sophisticated encryption and authentication systems.