Starting in mid-2026, Microsoft will change the default settings of the Kerberos Key Distribution Center (KDC) on Windows Server, phasing out RC4 encryption. The change is aimed at strengthening security for organizations running Windows Server 2008 and later.
Why the Change is Needed
RC4 encryption, once widely used for its broad compatibility, is now considered vulnerable to attack. Microsoft will default to AES-SHA1, a stronger encryption type, to help prevent credential theft and network breaches. Organizations should verify that no systems still rely on RC4, to avoid authentication failures once the default changes.
Transition Tools and Recommendations
Microsoft offers new tools to help identify systems that still use RC4. Enhanced Security event logs and PowerShell scripts, available from Windows Server 2019 onward, help IT professionals detect RC4 dependencies; the List-AccountKeys.ps1 and Get-KerbEncryptionUsage.ps1 scripts can automate the detection.
Common issues include accounts without AES-SHA1 support and devices that depend solely on RC4. Resetting account passwords or setting appropriate encryption policies in Active Directory (AD) can resolve these.
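The following script is an added example and is not one of Microsoft's List-AccountKeys.ps1 or Get-KerbEncryptionUsage.ps1 scripts. It shows the two checks an administrator would run before the default changes: decoding the msDS-SupportedEncryptionTypes attribute on AD accounts to find those with no AES types enabled, and grouping Kerberos service-ticket events (Security event ID 4769) whose ticket encryption type is RC4. The account objects and event records are constructed so the script runs offline; the commented Get-ADObject and Get-WinEvent lines show the live collection and are assumptions about the environment.

```powershell
# Added example (not Microsoft's scripts): triage RC4 dependencies from AD account
# attributes and from Kerberos service-ticket audit events. Sample data is constructed.

# Bit flags of msDS-SupportedEncryptionTypes (as documented in MS-KILE / MS-ADTS).
$EncTypeFlags = @(
    @{ Bit = 0x01; Name = 'DES-CBC-CRC' }
    @{ Bit = 0x02; Name = 'DES-CBC-MD5' }
    @{ Bit = 0x04; Name = 'RC4-HMAC' }
    @{ Bit = 0x08; Name = 'AES128-CTS-HMAC-SHA1-96' }
    @{ Bit = 0x10; Name = 'AES256-CTS-HMAC-SHA1-96' }
    @{ Bit = 0x20; Name = 'AES256-CTS-HMAC-SHA1-96-SK' }
)
$AesBits = 0x18   # AES128 | AES256

# Kerberos etype numbers as written in the TicketEncryptionType field of event 4769.
$Rc4TicketTypes = @('0x17', '0x18')   # RC4-HMAC, RC4-HMAC-EXP

function ConvertTo-EncTypeNames {
    param([Nullable[int]]$Value)
    # Unset or zero means "no explicit preference": the KDC default decides, which is
    # exactly what Microsoft's change alters.
    if (-not $Value) { return 'unset (KDC default)' }
    $names = foreach ($f in $EncTypeFlags) { if ($Value -band $f.Bit) { $f.Name } }
    return ($names -join ', ')
}

function Find-AccountsWithoutAes {
    param([object[]]$Accounts)
    # Live form (assumed): Get-ADObject -LDAPFilter '(|(objectClass=user)(objectClass=computer))' `
    #   -Properties msDS-SupportedEncryptionTypes, servicePrincipalName
    foreach ($a in $Accounts) {
        $v = $a.'msDS-SupportedEncryptionTypes'
        if (-not $v -or ($v -band $AesBits) -eq 0) {
            [pscustomobject]@{
                Account  = $a.SamAccountName
                EncTypes = ConvertTo-EncTypeNames $v
                HasSpn   = [bool]$a.servicePrincipalName
            }
        }
    }
}

function Find-Rc4ServiceTickets {
    param([object[]]$Events)
    # Live form (assumed); each 4769 event's XML carries these Data fields:
    # Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4769 } -MaxEvents 5000 |
    #   ForEach-Object {
    #     $d = ([xml]$_.ToXml()).Event.EventData.Data
    #     [pscustomobject]@{
    #       ServiceName          = ($d | Where-Object Name -eq 'ServiceName').'#text'
    #       TargetUserName       = ($d | Where-Object Name -eq 'TargetUserName').'#text'
    #       TicketEncryptionType = ($d | Where-Object Name -eq 'TicketEncryptionType').'#text'
    #     }
    #   }
    $Events | Where-Object { $_.TicketEncryptionType -in $Rc4TicketTypes } |
        Group-Object ServiceName | ForEach-Object {
            [pscustomobject]@{
                Service    = $_.Name
                Rc4Tickets = $_.Count
                Requesters = ($_.Group.TargetUserName | Sort-Object -Unique) -join ', '
            }
        }
}

# Constructed sample data (not real directory or log content).
$sampleAccounts = @(
    [pscustomobject]@{ SamAccountName = 'svc-legacy$'; 'msDS-SupportedEncryptionTypes' = 0x04;  servicePrincipalName = 'HTTP/legacy' }
    [pscustomobject]@{ SamAccountName = 'svc-web$';    'msDS-SupportedEncryptionTypes' = 0x1C;  servicePrincipalName = 'HTTP/web' }
    [pscustomobject]@{ SamAccountName = 'jdoe';        'msDS-SupportedEncryptionTypes' = $null; servicePrincipalName = $null }
)
$sampleEvents = @(
    [pscustomobject]@{ TargetUserName = 'jdoe';   ServiceName = 'svc-legacy$'; TicketEncryptionType = '0x17' }
    [pscustomobject]@{ TargetUserName = 'asmith'; ServiceName = 'svc-legacy$'; TicketEncryptionType = '0x17' }
    [pscustomobject]@{ TargetUserName = 'jdoe';   ServiceName = 'svc-web$';    TicketEncryptionType = '0x12' }
)

Find-AccountsWithoutAes -Accounts $sampleAccounts | Format-Table -AutoSize
Find-Rc4ServiceTickets  -Events   $sampleEvents   | Format-Table -AutoSize
```

On the sample data, the first table lists svc-legacy$ (RC4-HMAC only) and jdoe (attribute unset, so the KDC default applies), while svc-web$ already advertises AES and is not listed; the second table shows svc-legacy$ issuing two RC4 service tickets. An account that appears in both tables is the kind of dependency the article warns will fail authentication once RC4 is no longer the default.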
Policy and Compliance Steps
Using Windows Admin Center, administrators can audit security baselines and configure compliant encryption policies that exclude RC4. Supported policies include the AES128-SHA96 and AES256-SHA96 encryption types. These settings ensure systems remain fully functional once RC4 is disabled by default.
Adopting AES-SHA1 across supported versions strengthens Windows authentication. Microsoft encourages organizations to review its guidance for a smooth transition.
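The following script is an added example, not Microsoft's tooling, showing how the per-account side of such a policy can be applied safely in AD: it builds a reviewable plan that enables the two AES types and clears the RC4 bit on each account, holds back any account whose password predates AES key generation (AES keys are derived from the password when it is set, so such accounts need a reset first, which matches the article's advice), and only calls Set-ADObject when explicitly asked. The account objects and the cut-off date are constructed; Set-ADObject from the ActiveDirectory module is the assumed live cmdlet.

```powershell
# Added example (not Microsoft's tooling): plan and dry-run an "AES128 and AES256 only"
# msDS-SupportedEncryptionTypes change for AD accounts. Sample accounts are constructed.

$Rc4Bit  = 0x04
$AesBits = 0x18   # AES128-CTS-HMAC-SHA1-96 | AES256-CTS-HMAC-SHA1-96

function New-EncTypePlan {
    param(
        [object[]]$Accounts,
        # Assumption: passwords set before this date have no AES keys in the directory,
        # so flipping the account to AES-only before a reset would lock it out.
        [datetime]$AesKeysSince
    )
    foreach ($a in $Accounts) {
        $current  = [int]($a.'msDS-SupportedEncryptionTypes' -as [int])   # $null -> 0
        $proposed = ($current -bor $AesBits) -band (-bnot $Rc4Bit)
        [pscustomobject]@{
            Account           = $a.SamAccountName
            DistinguishedName = $a.DistinguishedName
            Current           = ('0x{0:X}' -f $current)
            Proposed          = ('0x{0:X}' -f $proposed)
            ProposedValue     = $proposed
            Change            = ($current -ne $proposed)
            PasswordReset     = ($a.PasswordLastSet -lt $AesKeysSince)
        }
    }
}

function Invoke-EncTypePlan {
    param([object[]]$Plan, [switch]$Apply)
    foreach ($p in ($Plan | Where-Object Change)) {
        if ($p.PasswordReset) {
            # Without AES keys the account cannot use AES tickets; reset first, re-plan later.
            Write-Warning "$($p.Account): reset the password before setting $($p.Proposed)"
            continue
        }
        if ($Apply) {
            # Live form (assumed cmdlet); -Replace overwrites the attribute with the new mask.
            Set-ADObject -Identity $p.DistinguishedName `
                -Replace @{ 'msDS-SupportedEncryptionTypes' = $p.ProposedValue }
        } else {
            "What if: set msDS-SupportedEncryptionTypes on $($p.Account) from $($p.Current) to $($p.Proposed)"
        }
    }
}

# Constructed sample data (not real directory content).
$sampleAccounts = @(
    [pscustomobject]@{ SamAccountName = 'svc-legacy$'; DistinguishedName = 'CN=svc-legacy,OU=Service,DC=example,DC=test'
                       'msDS-SupportedEncryptionTypes' = 0x04;  PasswordLastSet = [datetime]'2012-01-15' }
    [pscustomobject]@{ SamAccountName = 'svc-old$';    DistinguishedName = 'CN=svc-old,OU=Service,DC=example,DC=test'
                       'msDS-SupportedEncryptionTypes' = 0x04;  PasswordLastSet = [datetime]'2006-03-01' }
    [pscustomobject]@{ SamAccountName = 'svc-web$';    DistinguishedName = 'CN=svc-web,OU=Service,DC=example,DC=test'
                       'msDS-SupportedEncryptionTypes' = 0x18;  PasswordLastSet = [datetime]'2023-06-01' }
)

# Constructed cut-off: the date after which this (hypothetical) domain generated AES keys.
$plan = New-EncTypePlan -Accounts $sampleAccounts -AesKeysSince ([datetime]'2008-01-01')
$plan | Format-Table Account, Current, Proposed, Change, PasswordReset -AutoSize

# Dry run by default; add -Apply once the plan has been reviewed.
Invoke-EncTypePlan -Plan $plan
```

On the sample data, svc-legacy$ is planned to move from 0x4 to 0x18 and is printed as a "What if" line, svc-old$ is held back with a warning because its password predates AES key generation, and svc-web$ needs no change. The same masks apply to computer accounts as well as users, which is why the plan carries the distinguished name rather than assuming an object class.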