Microsoft is progressively removing RC4 encryption from Kerberos authentication in Windows. The rollout began with the 13 January 2026 update, which changes encryption defaults and adds new audit events so administrators can find remaining RC4 dependencies before they are blocked.
Key Updates and Timeline
RC4 is cryptographically weak, and its continued use in Kerberos exposes accounts to credential attacks; Microsoft is therefore phasing it out. From April 2026, the Kerberos Key Distribution Center (KDC) will default to AES-SHA1 (AES128/AES256-CTS-HMAC-SHA1-96) for accounts that have no explicit encryption-type setting and will no longer fall back to RC4 automatically. This strengthens protection but will cause authentication failures for anything that still depends on RC4, typically older third-party services or trusts that were never configured for AES.
The final change comes in July 2026, when Microsoft removes Audit mode. Enforcement mode becomes the only operational state and RC4 is permanently disabled. Organizations running Windows Server 2012 and later should inventory and fix any RC4 dependencies before then.
Preparation and Recommendations
Microsoft recommends installing the 13 January 2026 update (or later) on all domain controllers first. Administrators should then review the System event log, focusing on the nine new Kerberos audit events logged by the KDC service (source KDCSVC); they identify the accounts and services that would fail once RC4 is blocked. Only after those events and any related warnings have been resolved should Enforcement mode be turned on.
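The following PowerShell is an added example of the dependency inventory described above; it is not Microsoft's code or part of the original article. It assumes the RSAT ActiveDirectory module, read access to the domain controllers' Security and System logs, and a lookback window you choose. It uses three facts that are independent of the update: the msDS-SupportedEncryptionTypes bitmask (0x4 = RC4, 0x8 = AES128, 0x10 = AES256), the TicketEncryptionType field of Security event 4769 (0x17 = RC4-HMAC), and the KDC's event provider name in the System log. The nine new audit event IDs are deliberately not hardcoded, because the article does not list them; match the returned messages against Microsoft's published list.

```powershell
# Added example (not from Microsoft's guidance): inventory RC4 dependencies
# before switching the KDC to Enforcement mode.
# Assumes the RSAT ActiveDirectory module and permission to read the DCs'
# Security and System event logs.

Import-Module ActiveDirectory

# Bit meanings of msDS-SupportedEncryptionTypes (documented by Microsoft).
$RC4    = 0x4
$AES128 = 0x8
$AES256 = 0x10

function Get-RC4DependentAccounts {
    # Accounts whose explicit etype set allows RC4 but no AES, plus accounts
    # whose attribute is unset (these relied on the old RC4 default and will
    # be moved to AES by the new KDC default).
    Get-ADObject -LDAPFilter '(|(objectClass=user)(objectClass=computer))' `
        -Properties 'msDS-SupportedEncryptionTypes','servicePrincipalName' |
    ForEach-Object {
        $set = $_.'msDS-SupportedEncryptionTypes'
        $reason = $null
        if ($null -eq $set -or $set -eq 0) {
            $reason = 'attribute unset (was RC4 by default)'
        } elseif (($set -band $RC4) -and -not ($set -band ($AES128 -bor $AES256))) {
            $reason = 'RC4 allowed, no AES bits'
        }
        if ($reason) {
            [pscustomobject]@{
                Name   = $_.Name
                Class  = $_.ObjectClass
                Etypes = if ($null -eq $set) { '<unset>' } else { '0x{0:X}' -f $set }
                HasSPN = [bool]$_.servicePrincipalName
                Reason = $reason
            }
        }
    }
}

function Get-RC4ServiceTickets {
    param([string]$ComputerName = $env:COMPUTERNAME, [int]$LookbackDays = 7)
    # Security event 4769 (service ticket requested) carries TicketEncryptionType;
    # 0x17 is RC4-HMAC, so each hit names a service and client still using RC4.
    $filter = @{ LogName = 'Security'; Id = 4769; StartTime = (Get-Date).AddDays(-$LookbackDays) }
    Get-WinEvent -ComputerName $ComputerName -FilterHashtable $filter -ErrorAction SilentlyContinue |
    ForEach-Object {
        $x = [xml]$_.ToXml()
        $d = @{}
        foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
        if ($d['TicketEncryptionType'] -eq '0x17') {
            [pscustomobject]@{
                Time    = $_.TimeCreated
                Client  = $d['TargetUserName']
                Service = $d['ServiceName']
                From    = $d['IpAddress']
            }
        }
    } | Group-Object Service, Client | Sort-Object Count -Descending |
      Select-Object Count, Name
}

function Get-KdcAuditEvents {
    param([string]$ComputerName = $env:COMPUTERNAME, [int]$LookbackDays = 7)
    # The KDC (KDCSVC) logs to the System log under this provider; the new RC4
    # audit events land here. Event IDs are not filtered, since this example does
    # not assume them; read the messages and compare with Microsoft's list.
    Get-WinEvent -ComputerName $ComputerName -FilterHashtable @{
        LogName      = 'System'
        ProviderName = 'Microsoft-Windows-Kerberos-Key-Distribution-Center'
        StartTime    = (Get-Date).AddDays(-$LookbackDays)
    } -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, LevelDisplayName, Message
}

# Usage: run all three against each DC and clear the findings before enabling Enforcement mode.
Get-RC4DependentAccounts            | Format-Table -AutoSize
Get-RC4ServiceTickets -LookbackDays 14 | Format-Table -AutoSize
Get-KdcAuditEvents                  | Format-Table -Wrap
```

Run the ticket and KDC queries against every domain controller, since each DC only logs the requests it served; an empty result over a realistic window (two weeks or more, covering any monthly jobs) is the signal that Enforcement mode is safe to enable.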
This strategic shift underscores the importance of adopting secure, modern encryption methods to defend against credential exposure risks inherent in outdated algorithms.