Modern encryption and security features in Windows 11 24H2 and Windows Server 2025

Updated: June 4, 2025
Published: June 1, 2025
Quick overview:

As part of the ongoing development of its operating systems, Microsoft has announced significant changes in the area of encryption and security. In particular, this concerns the removal of the outdated Data Encryption Standard (DES) and the introduction of improved security features in Windows Server 2025.

Securely encrypted into the future

Encryption is no longer just a technical detail - it is the basis for trust and security in a networked world. In 2025, it will permeate all spheres of digital interaction: from encrypted banking transactions and secure communication in messaging apps to the protection of sensitive patient data in telemedicine or industrial control systems in the IIoT sector.

Digital education platforms are also increasingly relying on end-to-end encryption to reliably protect learning progress, personal data and live interactions - especially for sensitive content or exam data. And even in the entertainment sector, the highest security standards apply where transactions are carried out: In 2025, iGaming providers, such as poker sites, will also rely on modern encryption to protect player data, deposits and withdrawals as well as game histories against manipulation and data misuse.

Encryption is also becoming increasingly relevant in the corporate context: cloud services, zero-trust architectures, automated AI models that process personal data - all of this requires a high level of protection using modern cryptographic processes. Every vulnerability in encryption is a potential gateway for attacks - be it through classic man-in-the-middle tactics, modern AI-supported attack strategies or so-called quantum-ready attacks that are already targeting post-quantum cryptography.

The operating systems and servers themselves play a key role in this. They are the foundation for protecting the entire IT environment. This is why Microsoft's move to free its own platform from DES and integrate security mechanisms such as Credential Guard and hotpatching is particularly important.

Removal of DES and conversion to AES

From September 9, 2025, Microsoft will remove the DES encryption algorithm from Kerberos in Windows 11 version 24H2 and Windows Server 2025. This measure is part of Microsoft's Secure Future Initiative (SFI), which aims to eliminate outdated and insecure encryption protocols.

Effects on Kerberos authentication

Kerberos is a network authentication protocol that is used by default in Windows environments. Although DES has been disabled by default since Windows 7 and Windows Server 2008 R2, it could previously be manually enabled for compatibility purposes. With the upcoming change, DES will be removed completely, which means that all systems that still rely on DES will need to update their authentication mechanisms.

Instructions for checking and converting to AES

1. Check the current encryption types:

  • Log in to a domain controller.

  • Open the Event Viewer and navigate to Windows Logs > Security.

  • Filter for the event IDs 4768 (ticket granting ticket requests) and 4769 (service ticket requests).

  • Check the "Encryption type" field in the event details. A value of 0x1 or 0x3 indicates the use of DES.

2. Deactivation of DES in Active Directory:

  • Open the Active Directory Users and Computers console.

  • Navigate to the properties of the relevant user account.

  • On the "Account" tab, clear the option "Use only Kerberos DES encryption types for this account".

3. Enforce AES via group policies:

  • Open the Group Policy Editor (gpedit.msc).

  • Navigate to Computer configuration > Policies > Windows settings > Security settings > Local policies > Security options.

  • Enable the policy "Network security: Configure encryption types allowed for Kerberos" and select AES128_HMAC_SHA1 and AES256_HMAC_SHA1.

These steps ensure that your environment is converted to the stronger AES encryption and thus meets the upcoming security requirements.
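The event check from step 1, as an added PowerShell example (not from the original article): it parses the XML of events 4768 and 4769 and lists the tickets whose encryption type is 0x1 or 0x3. The function name Get-DesTicketUse and the sample events, including their account names and addresses, are constructed for illustration.

```powershell
# Added example, not from the original article. Etypes treated as DES:
# 0x1 = DES-CBC-CRC, 0x3 = DES-CBC-MD5 (the values step 1 says to look for).
function Get-DesTicketUse {
    param([Parameter(Mandatory)][string[]]$EventXml)
    foreach ($raw in $EventXml) {
        $evt = ([xml]$raw).Event
        if ([int]$evt.System.EventID -notin 4768, 4769) { continue }
        # Flatten <Data Name="...">value</Data> into a name/value table.
        $data = @{}
        foreach ($d in $evt.EventData.Data) { $data[$d.GetAttribute('Name')] = $d.InnerText }
        $field = $data['TicketEncryptionType']
        if (-not $field) { continue }
        # Failed requests log 0xFFFFFFFF, so parse as 64-bit to avoid overflow.
        $etype = [Convert]::ToInt64($field, 16)
        $name  = switch ($etype) { 1 { 'DES-CBC-CRC' } 3 { 'DES-CBC-MD5' } default { $null } }
        if ($name) {
            [pscustomobject]@{
                EventId = [int]$evt.System.EventID
                Account = $data['TargetUserName']
                Service = $data['ServiceName']
                Client  = $data['IpAddress']
                Etype   = $name
            }
        }
    }
}

# Constructed sample events, trimmed to the fields used above.
$sample = @(
    '<Event><System><EventID>4768</EventID></System><EventData><Data Name="TargetUserName">svc-legacy</Data><Data Name="ServiceName">krbtgt</Data><Data Name="TicketEncryptionType">0x3</Data><Data Name="IpAddress">::ffff:192.0.2.10</Data></EventData></Event>'
    '<Event><System><EventID>4769</EventID></System><EventData><Data Name="TargetUserName">alice@EXAMPLE.TEST</Data><Data Name="ServiceName">FILESRV01$</Data><Data Name="TicketEncryptionType">0x12</Data><Data Name="IpAddress">::ffff:192.0.2.20</Data></EventData></Event>'
    '<Event><System><EventID>4769</EventID></System><EventData><Data Name="TargetUserName">bob@EXAMPLE.TEST</Data><Data Name="ServiceName">OLDAPP01$</Data><Data Name="TicketEncryptionType">0xFFFFFFFF</Data><Data Name="IpAddress">::ffff:192.0.2.30</Data></EventData></Event>'
)

# Only the first sample event (etype 0x3) is reported.
Get-DesTicketUse -EventXml $sample | Format-Table -AutoSize

# On a domain controller, feed it live events instead of the sample:
# $live = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4768, 4769 } |
#     ForEach-Object { $_.ToXml() }
# Get-DesTicketUse -EventXml $live | Group-Object Account, Etype
```

Grouping the live output by account and encryption type gives the list of accounts and services to migrate before the DES removal date.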

Improved security features in Windows Server 2025

Windows Server 2025 introduces several security-related improvements aimed at strengthening system integrity and ensuring the protection of sensitive data.

LDAP encryption with TLS 1.3

Windows Server 2025 supports TLS 1.3 for encrypted LDAP connections (LDAPS), provided that the server and clients are configured accordingly. TLS 1.3 offers higher security through shortened handshakes, modern cipher suites and better data protection.

TLS 1.3 is not migrated automatically - administrators must activate TLS 1.3 in a targeted manner, for example by adjusting certificates and protocol settings. Especially in Active Directory environments with sensitive authentication data, the migration to TLS 1.3 is an important step to effectively prevent protocol downgrade attacks and eavesdropping attempts.

Although TLS 1.3 was standardized back in 2018, its introduction is still ongoing in many companies and organizations.

Credential Guard

Credential Guard is now enabled by default and uses virtualization technology to isolate credentials. This makes it more difficult for attackers to access sensitive data such as hashes of user passwords.

SMB security

The Server Message Block (SMB) protocols have been improved by enforcing SMB signing for all outgoing connections. This protects against man-in-the-middle attacks and ensures that data integrity and authenticity are guaranteed.

Hotpatching

With hotpatching, security updates can be applied without the need to restart the system. This minimizes downtime and enables continuous operational readiness, especially in critical environments.

The removal of DES and the introduction of improved security features in Windows Server 2025 mark a significant step towards a secure IT infrastructure. Administrators should act proactively to update their systems accordingly and implement the new security standards. By switching to AES and using the new security features, organizations can better protect their data and meet current security requirements.
