Windows Server News and Best Practices
Removal of DES in Kerberos for Windows Server and Client

Anushka_Khare (Microsoft)
Feb 28, 2025

Prepare for removal of Data Encryption Standard (DES) in Kerberos for Windows Server 2025 and Windows 11, version 24H2.

To enhance security and protect against cyber threats, the Data Encryption Standard (DES) encryption algorithm will be intentionally removed from Kerberos after Windows Server 2025 and Windows 11, version 24H2 computers install Windows Updates released on or after September 9, 2025. While DES encryption in Kerberos is an optional component that isn't installed by default, it's important to detect and disable your DES use now to avoid potential disruption later this year. Kerberos already supports stronger ciphers such as AES, which should be used instead of DES. Deprecating outdated, less-secure technologies is in line with Microsoft's Secure Future Initiative (SFI) commitments.

DES removal 

As methods to bypass and break cryptographic ciphers continue to evolve, it is important for administrators to decommission older encryption ciphers. The transition to disable DES in Kerberos on Windows devices will occur in phases.

Compatibility mode: DES in Kerberos is disabled by default on all client and server versions of Windows from Windows 7 and Windows Server 2008 R2 onward. If DES is required in Kerberos, administrators can manually enable the DES cipher on supported operating systems, with the exception of Windows 11, version 24H2 and Windows Server 2025 devices that have installed updates released on or after September 9, 2025.

DES in Kerberos Disabled Mode: Once DES in Kerberos is removed, it will no longer be supported as an encryption cipher in any function of Kerberos in Windows Server 2025 and later and Windows 11, version 24H2 and later. Legacy scenarios using DES on those two operating system versions will stop working until Kerberos-related application and network security configuration changes are made by IT administrators, so a safer cipher can be used.  

DES will not be removed from earlier Windows versions. 

By adopting stronger encryption methods, such as the Advanced Encryption Standard (AES) algorithm, you can significantly improve your organization’s security posture and enable compliance with modern encryption standards such as the Federal Information Processing Standards (FIPS). 

A brief history of DES  

The DES symmetric-key encryption algorithm is a block cipher algorithm that encrypts and decrypts messages using a 56-bit key. It was established in 1977 as the first standard encryption algorithm for business use in the United States. DES was added to Kerberos in RFC1510 (1993) and was present in the first Windows Kerberos implementation in Windows 2000, but it was only used for third-party compatibility. Windows machines defaulted to using RC4 in all Windows-to-Windows transactions. As of Windows 7 and Windows Server 2008 R2, DES was disabled by default but remained available as an optional component when manually enabled by an administrator. It was deprecated in the Kerberos standard by RFC6649 in calendar year 2012. 

Over the years, growth in computational power has made DES increasingly vulnerable to brute-force attacks (its 56-bit key space can be searched exhaustively with modest hardware) and to known-plaintext attacks. In short, DES has known weaknesses when used within the Kerberos protocol.

Note: Windows has never natively used DES for Kerberos. The only major use of DES for Kerberos in Windows that Microsoft is aware of is for older versions of Java. While DES is never used by default for authentication between Windows machines, it might still be used by third-party clients and servers. 

Recommendations and next steps 

Does your organization use versions of Windows Server and Windows client earlier than Windows Server 2025 and Windows 11, version 24H2? If so, we advise that you detect any DES in Kerberos use within your network, identify the apps and callers that are negotiating DES, and reconfigure them to use a stronger cipher. Ultimately, you will need to disable DES before taking the September 2025 Windows security update.

How to detect DES usage 

Important: Before proceeding with detection, install the Windows Server 2025 updates released in January 2025 or later (but before the September 9, 2025 update) so that the detection script functions as expected.

To detect DES usage, use the tools and guide published by Microsoft on GitHub (microsoft/Kerberos-Crypto). If DES usage is detected, or if you are unsure whether accounts use DES in Kerberos, continue by examining the events described below. Identify DES usage via Kerberos Key Distribution Center service (KDCSVC) Event IDs 4768 and 4769 in the Security event log on a DC. KDCSVC Event ID 4768 is logged every time a Key Distribution Center issues a Kerberos Ticket Granting Ticket (TGT). KDCSVC Event ID 4769 is generated every time a Kerberos service ticket is requested. Both events carry a Ticket Encryption Type field; a value of 0x1 (DES_CBC_CRC) or 0x3 (DES_CBC_MD5) indicates DES. These events are shown below.

KDCSVC Event ID 4768
  Event log:    Security
  Event type:   Audit
  Event source: KDCSVC
  Event ID:     4768
  Event text:   A Kerberos authentication ticket (TGT) was requested. More information about the event text can be found in Microsoft's documentation for this event.

KDCSVC Event ID 4769
  Event log:    Security
  Event type:   Audit
  Event source: KDCSVC
  Event ID:     4769
  Event text:   A Kerberos service ticket was requested. More information about the event text can be found in Microsoft's documentation for this event.

These Event IDs should be visible in the security event logs and do not require additional configuration. 

The PowerShell scripts linked above scan the Security event log for KDCSVC Event IDs 4768 and 4769 and report the ticket, session-key and account key types in use. Make sure that remote event log access is enabled so that the scripts can aggregate data across multiple Kerberos DCs. Review Microsoft's further guidance on how to enable Kerberos event logging.

You can further narrow down the query by specifying a time frame to search for the events. This may be necessary if the event logs are excessively large. Use the PowerShell scripts from GitHub to detect the use of specific ciphers by particular accounts, either on the local machine or across all Kerberos DCs. 
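The detection described above, as an added example that is not code from the original post or from the microsoft/Kerberos-Crypto scripts: it pulls 4768/4769 events from one or more DCs, decodes the encryption-type fields, and keeps only the events where the ticket or session key is DES. The etype numbers and the TicketEncryptionType field name are the documented ones; SessionKeyEncryptionType is an assumed data name for the newer "Session Key Encryption Type" field and is simply absent on DCs that don't log it. The sample event at the end is constructed, not a real capture, so the parser can be exercised without a DC.

```powershell
# Added example; not code from the original post or from the microsoft/Kerberos-Crypto
# scripts. Collects KDCSVC 4768/4769 events from one or more domain controllers and
# reports those whose ticket (or, on DCs that log the newer field, session-key)
# encryption type is DES. Assumes read access to each DC's Security log.

# Kerberos etype numbers as they appear in the events' hex strings. 0x1 and 0x3 are DES.
$script:EtypeNames = @{
    1  = 'DES_CBC_CRC'
    3  = 'DES_CBC_MD5'
    17 = 'AES128_CTS_HMAC_SHA1_96'
    18 = 'AES256_CTS_HMAC_SHA1_96'
    23 = 'RC4_HMAC'
    24 = 'RC4_HMAC_EXP'
}
$script:DesEtypes = @(1, 3)

function ConvertFrom-EtypeField {
    # Converts a raw field value such as '0x12', '0xffffffff' or '' (field absent) to a name.
    param([string]$Raw)
    if ([string]::IsNullOrWhiteSpace($Raw)) { return $null }
    $n = [Convert]::ToInt64($Raw, 16)
    if ($n -eq 4294967295) { return 'NONE (request failed)' }   # 0xFFFFFFFF on failed requests
    if ($script:EtypeNames.ContainsKey([int]$n)) { return $script:EtypeNames[[int]$n] }
    return ('UNKNOWN (0x{0:X})' -f $n)
}

function Test-DesEtype {
    param([string]$Raw)
    if ([string]::IsNullOrWhiteSpace($Raw)) { return $false }
    return $script:DesEtypes -contains [Convert]::ToInt64($Raw, 16)
}

function ConvertFrom-KerbEvent {
    # Flattens one 4768/4769 event. TicketEncryptionType is documented for both events;
    # SessionKeyEncryptionType is an assumed data name for the "Session Key Encryption
    # Type" field that only updated DCs log (it is treated as absent elsewhere).
    param([string]$Xml, [int]$EventId, [datetime]$TimeCreated, [string]$Computer)
    $data = @{}
    foreach ($d in ([xml]$Xml).Event.EventData.Data) { $data[$d.GetAttribute('Name')] = $d.InnerText }
    [pscustomobject]@{
        DC              = $Computer
        TimeCreated     = $TimeCreated
        EventId         = $EventId
        Account         = $data['TargetUserName']
        Service         = $data['ServiceName']
        ClientAddress   = $data['IpAddress']
        TicketEtype     = ConvertFrom-EtypeField $data['TicketEncryptionType']
        SessionKeyEtype = ConvertFrom-EtypeField $data['SessionKeyEncryptionType']
        UsesDes         = (Test-DesEtype $data['TicketEncryptionType']) -or
                          (Test-DesEtype $data['SessionKeyEncryptionType'])
    }
}

function Get-KerbDesUsage {
    # Queries each DC's Security log remotely. Narrow -StartTime on busy DCs.
    param(
        [string[]]$DomainController = @($env:COMPUTERNAME),
        [datetime]$StartTime = (Get-Date).AddDays(-7)
    )
    foreach ($dc in $DomainController) {
        $filter = @{ LogName = 'Security'; Id = 4768, 4769; StartTime = $StartTime }
        Get-WinEvent -ComputerName $dc -FilterHashtable $filter -ErrorAction SilentlyContinue |
            ForEach-Object {
                ConvertFrom-KerbEvent -Xml $_.ToXml() -EventId $_.Id -TimeCreated $_.TimeCreated -Computer $dc
            } |
            Where-Object UsesDes
    }
}

# Constructed sample 4768 (not a real capture): a TGT issued to svc-legacy with a
# DES_CBC_MD5 ticket etype, so the parser can be exercised without a DC.
$sample = @'
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <EventData>
    <Data Name="TargetUserName">svc-legacy</Data>
    <Data Name="TargetDomainName">CONTOSO</Data>
    <Data Name="ServiceName">krbtgt</Data>
    <Data Name="Status">0x0</Data>
    <Data Name="TicketEncryptionType">0x3</Data>
    <Data Name="PreAuthType">2</Data>
    <Data Name="IpAddress">::ffff:10.0.0.25</Data>
  </EventData>
</Event>
'@
ConvertFrom-KerbEvent -Xml $sample -EventId 4768 -TimeCreated (Get-Date) -Computer 'DC01' | Format-List

# Across every DC in the domain, summarised per account (needs the ActiveDirectory module):
# Get-KerbDesUsage -DomainController (Get-ADDomainController -Filter *).HostName -StartTime (Get-Date).AddDays(-30) |
#     Group-Object Account, TicketEtype, SessionKeyEtype | Sort-Object Count -Descending | Select-Object Count, Name
```

The constructed sample carries a DES_CBC_MD5 ticket etype and no session-key field, which is what a 4768 from an older DC looks like, so the parser flags it on the ticket etype alone. The grouped summary is the inventory that the disable procedure below starts from: one row per account and etype pair, with the client address available for tracing the caller.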

How to disable DES in Kerberos 

If your environment is currently using software with DES encryption, the next step is to disable DES. Use the following steps to verify that there are no DES-enabled accounts: 

1. Use your event log audit trail to generate a comprehensive inventory of accounts advertising support for DES encryption types. Examine these computers and devices; it's unlikely that they are running Windows.

2. In Active Directory Users and Computers, open the account's properties and, under Account options, make sure the "Use only Kerberos DES encryption types for this account" box is unchecked. This checkbox corresponds to the USE_DES_KEY_ONLY (0x200000) bit of the userAccountControl attribute in Active Directory.

Screenshot of account options in Active Directory Users and Computers.

3. If the computers are running Windows, examine them for the presence of non-Microsoft software and applications. This third-party software may be the source of DES usage. Tools such as Network Monitor, Process Monitor, and process auditing can help identify which process is using DES.  

4. Once identified, navigate to the Group Policy “Network security: Configure encryption types allowed for Kerberos” located at Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options. 

Screenshot of the dialog box for "Network security: Configure encryption types allowed for Kerberos," focused on the Local Security Settings tab.

Ensure the boxes next to DES_CBC_MD5 and DES_CBC_CRC are unchecked, and that AES128_HMAC_SHA1, AES256_HMAC_SHA1 and Future encryption types are checked. This policy controls the encryption types the computer will negotiate; apply the same change to the service account itself by updating its supported encryption types (the account's msDS-SupportedEncryptionTypes attribute, exposed in Active Directory Users and Computers as the "This account supports Kerberos AES 128/256 bit encryption" options) so that it is AES-only.

Important: If the account was created in a DC running Windows Server 2003 or older, change the account’s password to ensure that the account is AES-capable. Microsoft advises you to test any new settings that disable DES before applying them in your environments, use safe deployment practices, and prepare a rollback plan. Gradually replace DES with AES, ensuring all domain trusts are updated to support AES. Consider keeping AES and DES enabled during the transition phase if necessary. 

Note: For computers running non-Windows operating systems or appliance devices, review the local Kerberos client configurations or contact the respective vendors for guidance.  
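The inventory, account remediation and policy check from the steps above, as an added example that is not code from the original post: it finds accounts that require or advertise DES, pins an account to AES (optionally keeping RC4 during the transition the post describes), and decodes the registry value behind the "Configure encryption types allowed for Kerberos" setting. The bit values, the userAccountControl flag and the registry path are the documented ones; the account DN, OU and GPO name in the usage lines are placeholders, and writing the value with Set-GPRegistryValue is assumed to be equivalent to setting it through the Security Options UI.

```powershell
# Added example; not code from the original post. Inventories accounts that still
# require or advertise DES, pins an account to AES, and decodes the registry value
# behind "Network security: Configure encryption types allowed for Kerberos".
# Assumes the ActiveDirectory module and rights to modify the accounts; run the
# inventory first, test on one account, and record the old values for rollback.
#Requires -Modules ActiveDirectory

# Bits of msDS-SupportedEncryptionTypes, which also make up the policy's
# SupportedEncryptionTypes DWORD; "Future encryption types" in the policy UI is 0x7FFFFFE0.
$Etype = [ordered]@{ DES_CBC_CRC = 0x1; DES_CBC_MD5 = 0x2; RC4_HMAC = 0x4; AES128 = 0x8; AES256 = 0x10; Future = 0x7FFFFFE0 }
$DesBits = $Etype.DES_CBC_CRC -bor $Etype.DES_CBC_MD5      # 0x3
$AesBits = $Etype.AES128 -bor $Etype.AES256                # 0x18
$UF_USE_DES_KEY_ONLY = 0x200000                            # userAccountControl bit behind the ADUC checkbox
$KerbPolicyKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Kerberos\Parameters'

function Get-DesAccount {
    # Users and computers with the DES-only flag set or a DES etype in
    # msDS-SupportedEncryptionTypes. 1.2.840.113556.1.4.803 is the LDAP bitwise-AND rule.
    param([string]$SearchBase)
    $p = @{
        LDAPFilter = "(|(userAccountControl:1.2.840.113556.1.4.803:=$UF_USE_DES_KEY_ONLY)" +
                     "(msDS-SupportedEncryptionTypes:1.2.840.113556.1.4.803:=$DesBits))"
        Properties = 'userAccountControl', 'msDS-SupportedEncryptionTypes', 'pwdLastSet'
    }
    if ($SearchBase) { $p.SearchBase = $SearchBase }
    Get-ADObject @p | ForEach-Object {
        [pscustomobject]@{
            DistinguishedName = $_.DistinguishedName
            ObjectClass       = $_.ObjectClass
            DesKeyOnly        = [bool]($_.userAccountControl -band $UF_USE_DES_KEY_ONLY)
            SupportedEtypes   = $_.'msDS-SupportedEncryptionTypes'
            # Keys set before the domain supported AES have no AES key until the password changes.
            PasswordLastSet   = [datetime]::FromFileTime($_.pwdLastSet)
        }
    }
}

function Set-AccountAesOnly {
    # Clears the DES-only flag and restricts the account to AES (optionally keeping RC4
    # during a transition). Reset the password afterwards if PasswordLastSet predates AES support.
    param([Parameter(Mandatory)][string]$Identity, [switch]$KeepRc4)
    $etypes = if ($KeepRc4) { $AesBits -bor $Etype.RC4_HMAC } else { $AesBits }
    Set-ADAccountControl -Identity $Identity -UseDESKeyOnly $false
    Set-ADObject -Identity $Identity -Replace @{ 'msDS-SupportedEncryptionTypes' = $etypes }
}

function Get-KerbEtypePolicy {
    # Decodes the local value written by the Group Policy setting; absent means the OS
    # default applies (DES already off on Windows 7 / Server 2008 R2 and later).
    $v = (Get-ItemProperty -Path $KerbPolicyKey -Name SupportedEncryptionTypes -ErrorAction SilentlyContinue).SupportedEncryptionTypes
    if ($null -eq $v) { return 'not configured (OS default)' }
    $allowed = foreach ($name in $Etype.Keys) { if ($v -band $Etype[$name]) { $name } }
    [pscustomobject]@{ Value = ('0x{0:X}' -f $v); Allowed = ($allowed -join ', '); DesAllowed = [bool]($v -band $DesBits) }
}

# 1) Inventory only (placeholder names below are examples, not real objects):
# Get-DesAccount | Format-Table DistinguishedName, DesKeyOnly, SupportedEtypes, PasswordLastSet
# 2) Remediate one account after testing, then reset the password if it predates AES:
# Set-AccountAesOnly -Identity 'CN=svc-legacy,OU=Service Accounts,DC=contoso,DC=com'
# Set-ADAccountPassword -Identity svc-legacy -Reset
# 3) Check this machine, then set the domain policy to AES + future types (0x7FFFFFF8) with the GroupPolicy module:
# Get-KerbEtypePolicy
# Set-GPRegistryValue -Name 'Kerberos encryption types' -Key 'HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Kerberos\Parameters' -ValueName SupportedEncryptionTypes -Type DWord -Value 0x7FFFFFF8
```

Get-DesAccount is read-only and is the place to start; the two LDAP clauses catch both the ADUC checkbox (step 2) and accounts whose msDS-SupportedEncryptionTypes still lists a DES bit. Set-AccountAesOnly is the per-account change; its -KeepRc4 switch is the interim configuration the post allows during the transition, and the password reset line covers the "created on Windows Server 2003 or older" case. Get-KerbEtypePolicy reports DesAllowed as True whenever either DES box in the policy is still checked.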

Stay secure 

Removing nonsecure cryptographic algorithms will help you improve your security posture and make your organization less susceptible to Kerberos attacks. We recommend upgrading to Windows Server 2025 and to Windows 11, version 24H2 if you haven’t already. This will help your organization use more secure encryption methods such as AES and ensure that vulnerable ciphers such as DES are disabled. To prepare for removal of DES in Kerberos through the Windows security update in September 2025, please identify any DES usage within your network and disable it through Group Policy.   

At Microsoft, we truly believe that security is a team sport. By partnering with original equipment manufacturers (OEMs), app developers, and other partners in the ecosystem, and by helping you better protect your organization, we are continuing to help make Windows more secure by design and more secure by default. The Windows Security Book is available to help you learn more about what makes it easy to stay secure with Windows 11.

To learn more about Microsoft Security solutions, visit our website. Bookmark the Microsoft Security blog to keep up with our expert coverage on security matters, and follow us on LinkedIn (Microsoft Security) and X (@MSFTSecurity) for the latest news and updates on cybersecurity.

 

Updated Feb 28, 2025
Version 2.0
  • MaxC0der88 (Copper Contributor):

    When I run Get-KerbEncryptionUsage.ps1 script, I get error like below. 

    Index operation failed; the array index evaluated to null.
    At C:\Get-KerbEncryptionUsage.ps1:234 char:9
    +         $SK = $script:EncryptionValueTypeMap[$_.Properties[22].Value]
    +         ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
        + CategoryInfo          : InvalidOperation: (:) [], RuntimeException
        + FullyQualifiedErrorId : NullArrayIndex

    • WillAftring (Microsoft):

      This is most likely due to the scripts taking a dependency on the updated Event Id 4768 and Event Id 4769. 

      These updated events are available on Windows Server 2019 through Windows Server 2025. You can confirm this by seeing if the Event Ids 4768 and Event Id 4769 contain the following field.

      • Session Key Encryption Type

      For additional help on the scripts specifically you can engage with the development team at microsoft/Kerberos-Crypto: Tools and information regarding Windows Kerberos cryptography