Microsoft will deprecate RC4 encryption in Kerberos on Windows Server by mid-2026, shifting to AES-SHA1 for improved security. This change affects Windows Server 2008 and later versions, where RC4 will be disabled by default.
Preparation for Transition
Organizations should assess their current RC4 usage now, so that disabling RC4 does not cause service interruptions. To aid in this transition, Microsoft updated the Security Event Log on Kerberos Key Distribution Centers (KDCs) and introduced new PowerShell scripts for auditing.
- PowerShell Scripts: List-AccountKeys.ps1 checks event logs for Available Keys, while Get-KerbEncryptionUsage.ps1 identifies Kerberos encryption usage.
- New Log Fields: Kerberos events now include msds-SupportedEncryptionTypes, Available Keys, and Session Encryption Type to help pinpoint areas relying on RC4.
- Recommended Actions: Reset passwords for accounts with only RC4 keys to generate modern keys; adjust msds-SupportedEncryptionTypes to include AES-SHA1.
Supporting Enterprise Updates
Microsoft advises using Windows Admin Center and the 2025 Windows Server security baselines to audit and enforce policies that omit RC4 from Kerberos. Policy values that exclude RC4 include options such as 2147483624, which selects AES128-SHA96 together with future encryption types.
These baselines, combined with the new detection tools, will assist organizations in identifying RC4 dependencies and ensuring secure authentication settings. For devices older than Windows Server 2003 or those from other vendors, migrating to supported versions or seeking assistance from Microsoft is recommended.
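As an added example that is not one of Microsoft's published audit scripts, the PowerShell below decodes the msds-SupportedEncryptionTypes bitmask (including the 2147483624 baseline value above) and flags RC4-encrypted tickets in the standard Kerberos events 4768 and 4769 on a KDC's Security log; it uses the long-standing TicketEncryptionType event field rather than the newly added fields, and the sample events are constructed.

```powershell
# Added example; not one of Microsoft's published audit scripts. Decodes the
# msDS-SupportedEncryptionTypes bitmask and flags RC4 tickets in events 4768/4769.

# Documented msDS-SupportedEncryptionTypes flag bits.
$EncTypeFlags = @(
    @{ Bit = [int64]0x01; Name = 'DES-CBC-CRC' }
    @{ Bit = [int64]0x02; Name = 'DES-CBC-MD5' }
    @{ Bit = [int64]0x04; Name = 'RC4-HMAC' }
    @{ Bit = [int64]0x08; Name = 'AES128-CTS-HMAC-SHA1-96' }
    @{ Bit = [int64]0x10; Name = 'AES256-CTS-HMAC-SHA1-96' }
    @{ Bit = [int64]2147483648; Name = 'FutureEncryptionTypes' }   # 0x80000000
)

# Values written to the TicketEncryptionType field of 4768/4769 events.
$TicketEncNames = @{ '0x1' = 'DES-CBC-CRC'; '0x3' = 'DES-CBC-MD5'; '0x11' = 'AES128-SHA1'
                     '0x12' = 'AES256-SHA1'; '0x17' = 'RC4-HMAC'; '0x18' = 'RC4-HMAC-EXP' }

function ConvertFrom-SupportedEncTypes {
    # Returns the name of every flag set in the bitmask.
    param([Parameter(Mandatory)][int64]$Value)
    foreach ($f in $EncTypeFlags) { if (($Value -band $f.Bit) -ne 0) { $f.Name } }
}

function ConvertFrom-KerberosEvent {
    # Reduces an EventLogRecord from Get-WinEvent to the fields this audit needs.
    param([Parameter(Mandatory, ValueFromPipeline)]$Record)
    process {
        $data = @{}
        foreach ($d in ([xml]$Record.ToXml()).Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
        [pscustomobject]@{ Id = $Record.Id; Account = $data['TargetUserName']
                           Service = $data['ServiceName']; EncType = $data['TicketEncryptionType'] }
    }
}

function Find-Rc4Tickets {
    # Keeps only events whose ticket was encrypted with an RC4 key.
    param([Parameter(Mandatory)][object[]]$Events)
    $Events | Where-Object { $_.EncType -in '0x17', '0x18' } |
        Select-Object Id, Account, Service, @{ n = 'EncTypeName'; e = { $TicketEncNames[$_.EncType] } }
}

# Constructed sample events standing in for this pipeline on a KDC:
#   Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4768, 4769 } | ConvertFrom-KerberosEvent
$sample = @(
    [pscustomobject]@{ Id = 4769; Account = 'svc-legacy'; Service = 'MSSQLSvc/db01'; EncType = '0x17' }
    [pscustomobject]@{ Id = 4768; Account = 'alice';      Service = 'krbtgt';        EncType = '0x12' }
)
Find-Rc4Tickets -Events $sample | Format-Table
# The baseline value from the article: AES128, AES256 and FutureEncryptionTypes, with no RC4 bit.
ConvertFrom-SupportedEncTypes -Value 2147483624
```

Accounts that appear in the RC4 list are candidates for the password reset and msds-SupportedEncryptionTypes adjustment described under Recommended Actions.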