What and why
Windows updates released in July 2026 introduce the enforcement phase of protections designed to address a Kerberos information disclosure vulnerability (CVE‑2026‑20833). This phase completes the transition away from RC4-based Kerberos tickets by removing Audit mode and leaving Enforcement mode as the only supported behavior for Kerberos RC4 usage on Windows domain controllers.
With the July 2026 security update installed, domain controllers enforce updated behavior for service account ticket issuance. RC4-based Kerberos tickets are restricted under this enforcement model, and AES-based encryption is expected for supported configurations. This change helps reduce reliance on legacy encryption methods and aligns Kerberos authentication with current security standards.
Rollout schedule
This change is effective beginning with the July 2026 security update.
Impact on your organization
Organizational environments that still depend on RC4-based Kerberos service tickets might experience authentication failures when requesting service tickets after installing the July 2026 security update.
Applications, services, or devices that rely on legacy encryption configurations or explicitly defined RC4 usage are most likely to be affected. Environments previously operating in Audit mode no longer have the ability to revert to that mode once enforcement is in place.
Workloads that previously completed Kerberos authentication without updated encryption configurations might no longer function as expected.
Action required/recommendations
- Confirm that all service accounts and dependent applications support AES-based Kerberos encryption.
- Review and remediate any remaining RC4 dependencies identified during prior audit phases.
- Monitor the System event log for Kerberos-related events to identify authentication failures or misconfigured accounts.
- Validate interoperability with non-Windows Kerberos implementations and services.
- Review How to manage Kerberos KDC usage of RC4 for service account ticket issuance changes related to CVE‑2026‑20833.
Audit mode and the RC4DefaultDisablementPhase rollback setting are removed beginning with the July 2026 security update. If RC4 must be retained for specific services, explicit configuration is still possible, but it leaves those scenarios vulnerable to CVE‑2026‑20833 and should be used only as a temporary measure.
Compliance considerations
No compliance considerations are identified. Review as appropriate for your organization.