Windows updates released April 2026 and later introduce the second deployment phase of protections for a Kerberos information disclosure vulnerability (CVE‑2026‑20833). In this phase, domain controllers change default Kerberos ticket behavior for accounts that do not have an explicit Kerberos encryption configuration, shifting to AES‑SHA1-only by default. Environments with remaining RC4 dependencies may experience authentication issues unless those dependencies are remediated or explicitly configured.
When this will happen:
- April 2026 - Enforcement Phase with manual rollback: Default Kerberos behavior changes so domain controllers use AES‑SHA1-only encryption for accounts without explicit encryption type settings, and Enforcement mode is enabled by default on Windows domain controllers. Audit mode remains available as a manual rollback option until July 2026.
- July 2026 - Enforcement Phase: Audit mode is removed, leaving Enforcement mode as the only option.
How this will affect your organization:
Beginning with the April 2026 Windows security update, domain controllers will default to issuing AES‑SHA1-encrypted tickets for accounts that do not explicitly define supported encryption types. Environments with service accounts, applications, or devices that still require RC4-based Kerberos tickets may see authentication or connection failures unless those dependencies are addressed. Kerberos-related events in the System event log can help identify and address misconfigurations or remaining dependencies that are likely to become incompatible as enforcement progresses.
What you need to do to prepare:
Monitor the System event log for Kerberos-related events indicating RC4 dependencies or insecure encryption configurations. If event log data shows RC4 reliance, remediate by moving to stronger encryption or explicitly configuring the account’s msds-SupportedEncryptionTypes attribute where RC4 is still required. Complete these actions before July 2026, when Audit mode is removed and Enforcement mode becomes the only available option.
Note: Audit events related to this change are only generated when Active Directory is unable to issue AES‑SHA1 service tickets or session keys. The absence of audit events does not guarantee that all non-Windows devices will successfully accept Kerberos authentication after the April 2026 Enforcement phase begins. Validate non-Windows interoperability through testing before broadly enabling this behavior.
Additional information:
- Read the full hardening guidance: How to manage Kerberos KDC usage of RC4 for service account ticket issuance changes related to CVE-2026-20833.
- Learn about RC4 usage in Windows and its risks: Detect and remediate RC4 usage in Kerberos.
- Learn more about the related vulnerability: CVE-2026-20833.