Favorite your Message Center and Roadmap items. Access them anytime via your Profile. Export and share with your team or your LLM.

Enforcement phase for Kerberos RC4 protections begins with the July 2026 Windows security update

Message ID
MC1427604
View in Message Center
Service
Windows
Category
Plan for Change
Tags
Major Change Admin impact
Rollout
July 2026

Details

What and why
Windows updates released in July 2026 introduce the enforcement phase of protections designed to address a Kerberos information disclosure vulnerability (CVE‑2026‑20833). This phase completes the transition away from RC4-based Kerberos tickets by removing Audit mode and leaving Enforcement mode as the only supported behavior for Kerberos RC4 usage on Windows domain controllers.

With the July 2026 security update installed, domain controllers enforce updated behavior for service account ticket issuance. RC4-based Kerberos tickets are restricted under this enforcement model, and AES-based encryption is expected for supported configurations. This change helps reduce reliance on legacy encryption methods and aligns Kerberos authentication with current security standards.

Rollout schedule
This change is effective beginning with the July 2026 security update.

Impact on your organization
Organizational environments that still depend on RC4-based Kerberos service tickets might experience authentication failures when requesting service tickets after installing the July 2026 security update.

Applications, services, or devices that rely on legacy encryption configurations or explicitly defined RC4 usage are most likely to be affected. Environments previously operating in Audit mode no longer have the ability to revert to that mode once enforcement is in place.

Workloads that previously completed Kerberos authentication without updated encryption configurations might no longer function as expected.

Action required/recommendations

Audit mode and the RC4DefaultDisablementPhase rollback setting are removed beginning with the July 2026 security update. If RC4 must be retained for specific services, explicit configuration is still possible, but it leaves those scenarios vulnerable to CVE‑2026‑20833 and should be used only as a temporary measure.

Compliance considerations
No compliance considerations are identified. Review as appropriate for your organization.

Change History

Show
No change history available

Never Miss a Microsoft 365 Update

Join thousands of IT professionals who rely on DeltaPulse for real-time Microsoft 365 change intelligence, automated notifications, and community insights.