
In case you haven’t heard, RC4 is not secure and has been deprecated. In this article, I will discuss what changed with the January 2026 Windows Update and why it is important to start auditing and remediating RC4 usage in your environment.
Starting with the January 13, 2026, Windows security updates, Microsoft began the first official phase of hardening Kerberos authentication by reducing reliance on RC4 encryption. The change mainly affects service accounts and any account whose msDS-SupportedEncryptionTypes attribute is left blank, because those accounts inherit the KDC default, which today still includes RC4.
Why Microsoft Is Targeting RC4
RC4 is considered insecure because of known cryptographic weaknesses: its keystream is biased rather than uniformly random, which lets an attacker who collects enough ciphertext recover the protected data.
Despite this, RC4 remains enabled by default in many Active Directory environments for backward compatibility.
Microsoft tied the January changes to a Kerberos information disclosure vulnerability tracked as CVE-2026-20833, and is using that security update as the entry point for the RC4 deprecation process.
Update Timeline: From Audit to Full Enforcement
Microsoft is rolling out the Kerberos RC4 hardening in well‑defined phases throughout 2026, giving organizations time to identify dependencies and remediate them before enforcement becomes mandatory. Understanding this timeline is critical to avoid outages.
Phase 1 – Initial Deployment (January 2026)
Starting on January 13, 2026, Windows security updates introduce the initial deployment phase.
This stage is focused on monitoring, not enforcement.
Key points of this phase:
- New Kerberos audit events are logged on Domain Controllers (we will analyze them later in this article)
- A temporary registry value, RC4DefaultDisablementPhase, is introduced so that organizations can optionally opt into the stricter behavior ahead of schedule
- No default behavior changes are applied yet
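The audit phase is the moment to find out which accounts depend on the KDC default. The following PowerShell script is an added example, not code from the original article or from Microsoft: it enumerates every directory object that holds a servicePrincipalName (the accounts that receive service tickets), decodes the msDS-SupportedEncryptionTypes bitmask, and separates accounts whose attribute is blank (these silently switch to AES-only tickets in April) from accounts that explicitly allow RC4 (these keep working but form the remediation backlog). It assumes the RSAT ActiveDirectory module and read access to the domain; the bit meanings are the standard Kerberos encryption-type bits that the attribute uses.

```powershell
# Added example (not from the original article or from Microsoft).
# Assumes the ActiveDirectory module (RSAT) and read access to the domain.
Import-Module ActiveDirectory

# Standard bit meanings of msDS-SupportedEncryptionTypes.
$EncTypeBits = @(
    @{ Bit = 0x01; Name = 'DES-CBC-CRC' },
    @{ Bit = 0x02; Name = 'DES-CBC-MD5' },
    @{ Bit = 0x04; Name = 'RC4-HMAC' },
    @{ Bit = 0x08; Name = 'AES128-CTS-HMAC-SHA1-96' },
    @{ Bit = 0x10; Name = 'AES256-CTS-HMAC-SHA1-96' }
)

function ConvertFrom-EncTypeMask {
    # Render the bitmask as a readable list; $null means the attribute is blank
    # and the KDC default (DefaultDomainSupportedEncTypes) decides.
    param([Nullable[int]]$Mask)
    if ($null -eq $Mask) { return '<blank> (KDC default applies)' }
    if ($Mask -eq 0)     { return '0x00 (treated as not set)' }
    $names = foreach ($e in $EncTypeBits) {
        if (($Mask -band $e.Bit) -ne 0) { $e.Name }
    }
    return ('0x{0:X2} = {1}' -f $Mask, ($names -join ', '))
}

function Get-KerberosEncTypeReport {
    # Accounts with an SPN are the ones the KDC issues service tickets for,
    # so their enc-type setting decides which ticket types they can receive.
    $props = 'msDS-SupportedEncryptionTypes', 'servicePrincipalName'
    $accounts = @(Get-ADObject -LDAPFilter '(servicePrincipalName=*)' -Properties $props)

    foreach ($a in $accounts) {
        $mask = $a.'msDS-SupportedEncryptionTypes'
        [pscustomobject]@{
            Name      = $a.Name
            Class     = $a.ObjectClass
            EncTypes  = ConvertFrom-EncTypeMask $mask
            Blank     = ($null -eq $mask)
            AllowsRC4 = ($null -ne $mask -and ($mask -band 0x04) -ne 0)
            AesOnly   = ($null -ne $mask -and ($mask -band 0x18) -ne 0 -and ($mask -band 0x07) -eq 0)
        }
    }
}

$report = Get-KerberosEncTypeReport

# Blank attribute: behaviour changes in April 2026 without any admin action.
'== Accounts relying on the KDC default (blank attribute) =='
$report | Where-Object Blank | Format-Table Name, Class, EncTypes -AutoSize

# Explicit RC4: unaffected by the default change, but this is the backlog to remediate.
'== Accounts explicitly allowing RC4 =='
$report | Where-Object AllowsRC4 | Format-Table Name, Class, EncTypes -AutoSize

'{0} SPN-bearing accounts; {1} blank, {2} allow RC4, {3} AES-only' -f `
    $report.Count,
    @($report | Where-Object Blank).Count,
    @($report | Where-Object AllowsRC4).Count,
    @($report | Where-Object AesOnly).Count
```

The "Blank" list is the one to work through before April: each of those accounts will start receiving AES-only tickets as soon as the KDC default changes, so any client or service behind them that cannot handle AES breaks on patch day rather than on a date you chose.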
Phase 2 – Enforcement Enabled by Default (April 2026)
Beginning with the April 2026 Windows security update, Microsoft moves to the second deployment phase, where behavior changes start to matter operationally.
During this phase:
- Enforcement mode is enabled by default on all supported Windows Domain Controllers: the default value of DefaultDomainSupportedEncTypes becomes 0x18, which permits only AES128-CTS-HMAC-SHA1-96 and AES256-CTS-HMAC-SHA1-96
- This changes the KDC default for accounts without an explicit msDS-SupportedEncryptionTypes value: RC4 is no longer negotiated implicitly for accounts with a blank attribute, and they only receive AES-encrypted tickets
While it is still technically possible to revert to audit behavior temporarily (by changing the RC4DefaultDisablementPhase registry value mentioned above), you should arrive at this phase with remediation already complete.
Phase 3 – Full Enforcement (July 2026)
The final phase begins with the July 2026 security updates and represents the end of the transition period.
At this point:
- Audit‑only mode is removed
- The temporary RC4DefaultDisablementPhase registry value is no longer read
- The default value of DefaultDomainSupportedEncTypes is AES-SHA1 only (0x18)
- With this configuration, the KDC issues RC4 tickets only for accounts whose msDS-SupportedEncryptionTypes attribute has been explicitly configured to include RC4
Organizations that did not address RC4 usage earlier will experience persistent service outages for legacy systems and applications that are not compatible with AES encryption.
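Across all three phases the remediation is the same: stop depending on the KDC default and pin msDS-SupportedEncryptionTypes explicitly on each account, to 0x18 (AES only) where possible and to 0x1C (AES plus RC4) as a time-boxed exception for a dependency that cannot yet speak AES. The script below is an added example, not code from the original article or from Microsoft. It reads the DefaultDomainSupportedEncTypes value from the Kdc service key on a Domain Controller and, as an assumption, looks for RC4DefaultDisablementPhase under that same key (the article names the value but not its location; verify the path against Microsoft's guidance for your build). It then provides a -WhatIf-capable function that pins the attribute on one account. It assumes the ActiveDirectory module and write access to the target objects.

```powershell
# Added example (not from the original article or from Microsoft).
# Run on a Domain Controller with the ActiveDirectory module.
Import-Module ActiveDirectory

$KdcKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\Kdc'

function Get-KdcEncTypeDefaults {
    # DefaultDomainSupportedEncTypes lives under the Kdc service key.
    # ASSUMPTION: RC4DefaultDisablementPhase is read from the same key; the
    # article does not state its location, so confirm against Microsoft's KB.
    $item = Get-ItemProperty -Path $KdcKey -ErrorAction SilentlyContinue
    $default = $item.DefaultDomainSupportedEncTypes
    [pscustomobject]@{
        DefaultDomainSupportedEncTypes = if ($null -ne $default) { '0x{0:X2}' -f $default } else { '<not set: build default applies>' }
        RC4DefaultDisablementPhase     = $item.RC4DefaultDisablementPhase
        # Only an explicit 0x18 is reported as AES-only here; an absent value
        # means the phase-dependent build default decides (RC4 allowed before
        # April 2026, AES-only from April per the timeline above).
        ExplicitValueIsAesOnly         = ($default -eq 0x18)
    }
}

function Set-AccountEncTypes {
    <#
      Pin msDS-SupportedEncryptionTypes so the account no longer inherits the
      KDC default. 0x18 = AES128 + AES256 only. 0x1C = AES + RC4-HMAC, to be
      used only as a temporary, documented exception for a legacy dependency.
    #>
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)][string]$SamAccountName,
        [Parameter(Mandatory)][ValidateSet(0x18, 0x1C)][int]$Mask
    )
    $obj = Get-ADObject -LDAPFilter "(sAMAccountName=$SamAccountName)" `
                        -Properties 'msDS-SupportedEncryptionTypes'
    if (-not $obj) { throw "Account '$SamAccountName' not found" }

    $current = $obj.'msDS-SupportedEncryptionTypes'
    $action  = 'Set msDS-SupportedEncryptionTypes from {0} to 0x{1:X2}' -f `
               $(if ($null -eq $current) { '<blank>' } else { '0x{0:X2}' -f $current }), $Mask
    if ($PSCmdlet.ShouldProcess($obj.DistinguishedName, $action)) {
        Set-ADObject -Identity $obj.DistinguishedName `
                     -Replace @{ 'msDS-SupportedEncryptionTypes' = $Mask }
    }
}

# Usage (account names are constructed placeholders):
Get-KdcEncTypeDefaults
Set-AccountEncTypes -SamAccountName 'svc-app'    -Mask 0x18 -WhatIf   # AES only
Set-AccountEncTypes -SamAccountName 'svc-legacy' -Mask 0x1C -WhatIf   # AES + RC4, temporary
```

One caveat before pinning an account to 0x18: the KDC can only issue AES tickets for an account that actually has AES keys stored, and those keys are derived when the password is set. A service account whose password has not changed since before the domain generated AES keys has none, so reset its password first, otherwise removing RC4 leaves the KDC with no usable key for that principal.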
How to prepare for the changes
If you want to know how to prepare for the changes and why that preparation is important, please read my full article on the Microsoft Tech Community Blog.