What and Why
Windows updates released in July 2026 will complete the final deployment phase of protections for a Kerberos information disclosure vulnerability (CVE‑2026‑20833). Beginning with this phase, Audit mode is removed, leaving Enforcement mode as the only available option for Kerberos RC4 usage on Windows domain controllers. Environments with remaining RC4 dependencies might experience authentication issues unless those dependencies are remediated or explicitly configured before the July 2026 Windows security update is installed.
Rollout Schedule
- April 2026 - Enforcement Phase with manual rollback: With installation of the April 2026 Windows security update, default Kerberos behavior changes so domain controllers use AES‑SHA1-only encryption for accounts without explicit encryption type settings, and Enforcement mode is enabled by default on Windows domain controllers. Audit mode remains available as a manual rollback option until July 2026.
- July 2026 – Enforcement Phase: With installation of the July 2026 Windows security update, Audit mode is removed, and Enforcement mode becomes the only available behavior for supported Windows domain controllers.
Impact on Your Organization
With installation of the July 2026 Windows security update, Windows domain controllers will no longer support Audit mode rollback behavior for Kerberos RC4 hardening. Environments with service accounts, applications, appliances, or devices that still rely on RC4-based Kerberos tickets may experience authentication failures unless those dependencies have been remediated or explicitly configured to support continued RC4 usage where required.
Devices using non-Windows Kerberos implementations might also require additional interoperability testing to ensure continued authentication functionality after the July 2026 Enforcement phase begins.
Azure Files note: For devices using Azure Files SMB with Active Directory-based authentication, address any RC4 dependencies before installation of the July 2026 Windows security update to reduce the risk of access disruption once Audit mode is removed. Follow the steps in the official documentation to help maintain uninterrupted access to Azure Files and dependent workloads such as Azure Virtual Desktop.
Action Required/Recommendations
Continue monitoring the System event log for Kerberos-related events indicating RC4 dependencies or insecure encryption configurations. If event log data shows RC4 reliance, remediate by moving to AES‑based encryption or explicitly configuring the account’s msds-SupportedEncryptionTypes attribute where RC4 is still required.
Before deploying the July 2026 Windows security update, validate that service accounts, applications, and non-Windows Kerberos implementations can successfully authenticate without requiring RC4-based Kerberos authentication.
Compliance Considerations
Audit events related to this change are only generated when Active Directory is unable to issue AES‑SHA1 service tickets or session keys. The absence of audit events does not guarantee that all non-Windows devices will successfully accept Kerberos authentication after the July 2026 Enforcement phase begins. Validate interoperability through testing before broadly deploying the July 2026 Windows security update.