MC1218691 – Initial deployment phase for Kerberos RC4 hardening begins with the January 2026 Windows security update

Product:

Windows

Platform:

Online, World tenant

Status:

Change type:

Admin impact

Links:

Details:

Windows updates released on and after January 13, 2026, introduce the first phase of protections addressing a Kerberos information disclosure vulnerability (CVE‑2026‑20833). These updates introduce new auditing and optional registry controls that devices can use to begin reducing reliance on RC4 encryption. They also help prepare domain controllers for a future shift to AES‑SHA1 as the default Kerberos encryption method for accounts without explicit encryption settings. The initial deployment phase focuses on identifying misconfigurations or dependencies before the second deployment phase begins in April 2026.


When this will happen:
The initial deployment phase starts January 13, 2026, and introduces new Kerberos audit events that help identify any remaining RC4 dependencies across your environment. This phase also adds the temporary RC4DefaultDisablementPhase registry value, which organizations can use to optionally enable the upcoming behavior changes early; however, this key will no longer be read after Audit mode is removed in July 2026. Together, these updates provide early diagnostics to help assess readiness before the second deployment phase in April 2026, when the default domain controller behavior for Kerberos encryption will change to use AES‑SHA1 only for accounts without explicit encryption settings. Starting in April 2026, Enforcement mode will be enabled on all Windows domain controllers by default, and in July 2026 Audit mode will be removed, leaving Enforcement mode as the only option.

Change Category:
XXXXXXX ... free basic plan only

Scope:
XXXXXXX ... free basic plan only

Release Phase:

Created:
2026-01-17

updated:
2026-01-17

Task Type

XXXXXXX ... free basic plan only

Docu to Check

XXXXXXX ... free basic plan only

MS How does it affect me

XXXXXXX ... free basic plan only

MS Preperations

XXXXXXX ... free basic plan only

MS Urgency

XXXXXXX ... free basic plan only

MS workload name

XXXXXXX ... free basic plan only

summary for non-techies**

XXXXXXX ... free basic plan only

Direct effects for Operations**

Authentication Issues
If organizations do not address RC4 dependencies before the enforcement mode is enabled, users may experience authentication failures when trying to access services that rely on Kerberos authentication.
   - roles: System Administrators, End Users
   - references: https://learn.microsoft.com/windows-server/security/kerberos/detect-remediate-rc4-kerberos, https://support.microsoft.com/topic/how-to-manage-kerberos-kdc-usage-of-rc4-for-service-account-ticket-issuance-changes-related-to-cve-2026-20833-1ebcda33-720a-4da8-93c1-b0496e1910dc#bkmk_registry_settings

Increased Audit Overhead
The introduction of new Kerberos audit events may lead to increased logging and monitoring requirements, potentially overwhelming system administrators if not properly managed.
   - roles: System Administrators, Security Analysts
   - references: https://learn.microsoft.com/windows-server/security/kerberos/detect-remediate-rc4-kerberos, https://support.microsoft.com/topic/1ebcda33-720a-4da8-93c1-b0496e1910dc

Service Disruptions
Services that depend on RC4 encryption may become unavailable or malfunction if the necessary configurations are not updated before the enforcement phase begins.
   - roles: Service Owners, End Users
   - references: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-20833, https://support.microsoft.com/topic/how-to-manage-kerberos-kdc-usage-of-rc4-for-service-account-ticket-issuance-changes-related-to-cve-2026-20833-1ebcda33-720a-4da8-93c1-b0496e1910dc#bkmk_registry_settings

Configutation Options**

XXXXXXX ... paid membership only

Opportunities**

Enhanced Security Auditing
The introduction of new Kerberos audit events (KDCSVC IDs 201-209) allows organizations to proactively identify and remediate any remaining dependencies on RC4 encryption. This enhances overall security posture by ensuring that all systems are compliant with the latest encryption standards before the enforcement phase begins.
   - next-steps: Start monitoring the System event logs for the new Kerberos audit events after deploying the January 2026 updates. Address any configurations highlighted in the audit logs to ensure readiness for the transition to AES-SHA1.
   - roles: IT Security Manager, System Administrator, Network Administrator
   - references: https://learn.microsoft.com/windows-server/security/kerberos/detect-remediate-rc4-kerberos, https://support.microsoft.com/topic/how-to-manage-kerberos-kdc-usage-of-rc4-for-service-account-ticket-issuance-changes-related-to-cve-2026-20833-1ebcda33-720a-4da8-93c1-b0496e1910dc#bkmk_registry_settings

Proactive Configuration Management
By utilizing the temporary RC4DefaultDisablementPhase registry value, organizations can enable early behavior changes to assess the impact of the upcoming AES-SHA1 enforcement. This allows for a smoother transition and reduces the risk of authentication issues.
   - next-steps: Evaluate the current environment to determine if the temporary registry value can be safely enabled. Test configurations in a controlled environment to identify any potential issues before moving to production.
   - roles: IT Operations Manager, System Administrator, Network Engineer
   - references: https://support.microsoft.com/topic/1ebcda33-720a-4da8-93c1-b0496e1910dc" target="_blank" rel="nofollow noopener noreferrer">https://support.microsoft.com/topic/1ebcda33-720a-4da8-93c1-b0496e1910dc, https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-20833

User Experience Improvement
Transitioning to AES-SHA1 encryption will enhance the security of user authentication processes, thereby improving the overall user experience by reducing the likelihood of security breaches that could disrupt access to services.
   - next-steps: Communicate the upcoming changes to users and provide training on any new authentication processes. Monitor user feedback during the transition to address any concerns promptly.
   - roles: User Experience Manager, IT Support Specialist, Help Desk Staff
   - references: https://learn.microsoft.com/windows-server/security/kerberos/detect-remediate-rc4-kerberos, https://support.microsoft.com/topic/1ebcda33-720a-4da8-93c1-b0496e1910dc" target="_blank" rel="nofollow noopener noreferrer">https://support.microsoft.com/topic/1ebcda33-720a-4da8-93c1-b0496e1910dc

Potentional Risks**

XXXXXXX ... paid membership only

IT Security**

XXXXXXX ... paid membership only

explanation for non-techies**

Imagine your IT system is like a big, secure office building. Inside this building, you have different rooms (or systems) that need keys to access. These keys are like the encryption methods used to protect data and verify identities in your network. Currently, one of the keys you’re using is called RC4. It's an older key that’s been around for a while, but it's not as secure as it used to be.

Now, think of RC4 as an old lock on a door that has become easy to pick. Because of this, Microsoft is starting a process to replace these old locks with newer, more secure ones called AES-SHA1. This change is part of a security update starting in January 2026. The first step is to check which doors (or systems) still have the old locks. This is done by introducing a way to audit or check for these old locks without changing anything just yet. It’s like walking through the building and making a list of all the doors that need new locks.

During this phase, your IT team will receive notifications (audit events) about which systems are still using the old RC4 locks. This is crucial because, starting in April 2026, the building will start automatically replacing these old locks with the new AES-SHA1 locks unless you’ve specified otherwise. By July 2026, the option to keep using the old locks will be removed entirely.

For your organization, this means you need to ensure that all systems are ready for the new locks. If your systems are already using the new locks or don’t rely on the old ones, the transition should be smooth. However, if there are systems still using RC4, they might face access issues once the change is enforced.

To prepare, you should install the necessary updates and monitor for any alerts about RC4 usage. If you find any, it’s important to address these before the enforcement phase begins. This proactive approach ensures that when the time comes, your building’s security is up to date, and operations continue without disruption.