check before: 2026-04-01
Product:
Windows
Platform:
Online, Windows Desktop, World tenant
Status:
Change type:
Admin impact
Links:
Details:
Updated March 20, 2026: Added additional guidance for devices using Azure Files SMB with Active Directory-based authentication and Azure Virtual Desktop.
Windows updates released April 2026 and later introduce the second deployment phase of protections for a Kerberos information disclosure vulnerability (CVE-2026-20833). In this phase, domain controllers change default Kerberos ticket behavior for accounts that do not have an explicit Kerberos encryption configuration, shifting to AES-SHA1-only by default. Environments with remaining RC4 dependencies may experience authentication issues unless those dependencies are remediated or explicitly configured.
When this will happen:
April 2026 - Enforcement Phase with manual rollback: Default Kerberos behavior changes so domain controllers use AES-SHA1-only encryption for accounts without explicit encryption type settings, and Enforcement mode is enabled by default on Windows domain controllers. Audit mode remains available as a manual rollback option until July 2026.
July 2026 - Enforcement Phase: Audit mode is removed, leaving Enforcement mode as the only option.
Release Phase:
Created:
2026-03-18
updated:
2026-04-17
Direct effects for Operations**
Authentication Failures
Environments with remaining RC4 dependencies may experience authentication issues due to the shift to AES-SHA1-only encryption for accounts without explicit settings.
- roles: System Administrator, Network Engineer
- references: https://learn.microsoft.com/windows-server/security/kerberos/detect-remediate-rc4-kerberos, https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-20833
Access Disruption
Devices using Azure Files SMB with Active Directory-based authentication may face access disruptions if RC4 dependencies are not addressed before the Enforcement phase.
- roles: Cloud Administrator, IT Support
- references: https://aka.ms/rc4azurefiles, https://learn.microsoft.com/troubleshoot/windows-server/windows-security/kerberos-protocol-registry-kdc-configuration-keys
Increased Support Tickets
Users may report issues related to authentication and access, leading to an increase in support tickets and user dissatisfaction.
- roles: Help Desk Technician, IT Support
- references: https://support.microsoft.com/topic/1ebcda33-720a-4da8-93c1-b0496e1910dc, https://learn.microsoft.com/windows-server/security/kerberos/detect-remediate-rc4-kerberos
Interoperability Issues
Non-Windows devices may not successfully accept Kerberos authentication after the Enforcement phase begins, leading to potential compatibility issues.
- roles: System Administrator, Network Engineer
- references: https://learn.microsoft.com/troubleshoot/windows-server/windows-security/kerberos-protocol-registry-kdc-configuration-keys, https://support.microsoft.com/topic/1ebcda33-720a-4da8-93c1-b0496e1910dc#ID0EDDBL
Configuration Management Challenges
The need to validate and potentially reconfigure the msDS-SupportedEncryptionTypes attribute on accounts may increase workload and complexity in configuration management.
- roles: System Administrator, Security Analyst
- references: https://learn.microsoft.com/windows-server/security/kerberos/detect-remediate-rc4-kerberos, https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-20833
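An added example (not from Microsoft or from the original page) of triaging an account export by msDS-SupportedEncryptionTypes before the Enforcement phase. The category names, the two-column CSV layout and the sample accounts are assumptions, as is treating an empty or 0 value as "no explicit configuration".

```python
import csv
import io

# Encryption-type bits of msDS-SupportedEncryptionTypes (low five bits).
ETYPE_BITS = {
    0x01: "DES-CBC-CRC",
    0x02: "DES-CBC-MD5",
    0x04: "RC4-HMAC",
    0x08: "AES128-CTS-HMAC-SHA1-96",
    0x10: "AES256-CTS-HMAC-SHA1-96",
}
AES_MASK = 0x08 | 0x10
LEGACY_MASK = 0x01 | 0x02 | 0x04

def decode_etypes(value):
    return [name for bit, name in ETYPE_BITS.items() if value & bit]

def classify(raw):
    """Return (category, etype names) for one raw attribute value."""
    text = (raw or "").strip()
    value = int(text, 0) if text else 0  # accepts "24" and "0x18"
    etypes = value & (AES_MASK | LEGACY_MASK)
    if etypes == 0:
        # Assumption: empty or 0 means no explicit configuration, so the
        # account follows the domain controller default (AES-SHA1-only).
        return "no-explicit-config", []
    if not etypes & AES_MASK:
        return "explicit-legacy-only", decode_etypes(etypes)
    if etypes & LEGACY_MASK:
        return "explicit-aes-plus-legacy", decode_etypes(etypes)
    return "explicit-aes-only", decode_etypes(etypes)

def triage(csv_text):
    """Group account names by category from a two-column CSV export."""
    groups = {}
    for row in csv.DictReader(io.StringIO(csv_text)):
        category, _ = classify(row["msDS-SupportedEncryptionTypes"])
        groups.setdefault(category, []).append(row["sAMAccountName"])
    return groups

# Constructed sample export; the account names are made up.
SAMPLE = """sAMAccountName,msDS-SupportedEncryptionTypes
svc-sql,
svc-legacyapp,4
svc-web,28
svc-files,0x18
nas01$,0
"""

if __name__ == "__main__":
    for category, names in sorted(triage(SAMPLE).items()):
        print(f"{category}: {', '.join(names)}")
```

Accounts in `no-explicit-config` are the ones whose ticket encryption changes with the new default; `explicit-legacy-only` accounts are the RC4 or DES dependencies to remediate or consciously retain.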
** AI generated content. This information must be reviewed before use.
change history
| Date | Property | old | new |
|---|---|---|---|
| 2026-03-21 | MC prepare | Monitor the System event log for Kerberos-related events indicating RC4 dependencies or insecure encryption configurations. If event log data shows RC4 reliance, remediate by moving to stronger encryption or explicitly configuring the account's msds-SupportedEncryptionTypes attribute where RC4 is still required. Complete these actions before July 2026, when Audit mode is removed and Enforcement mode becomes the only available option. Note: Audit events related to this change are only generated when Active Directory is unable to issue AES‑SHA1 service tickets or session keys. The absence of audit events does not guarantee that all non-Windows devices will successfully accept Kerberos authentication after the April 2026 Enforcement phase begins. Validate non-Windows interoperability through testing before broadly enabling this behavior. Additional information: Read the full hardening guidance: How to manage Kerberos KDC usage of RC4 for service account ticket issuance changes related to CVE-2026-20833. Learn about RC4 usage in Windows and its risks: Detect and remediate RC4 usage in Kerberos. Learn more about the related vulnerability: CVE-2026-20833. https://learn.microsoft.com/troubleshoot/windows-server/windows-security/kerberos-protocol-registry-kdc-configuration-keys https://learn.microsoft.com/windows-server/security/kerberos/detect-remediate-rc4-kerberos https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-20833 https://support.microsoft.com/topic/1ebcda33-720a-4da8-93c1-b0496e1910dc https://support.microsoft.com/topic/1ebcda33-720a-4da8-93c1-b0496e1910dc#ID0EDDBL https://support.microsoft.com/topic/1ebcda33-720a-4da8-93c1-b0496e1910dc#ID0EDDBN | Monitor the System event log for Kerberos-related events indicating RC4 dependencies or insecure encryption configurations. If event log data shows RC4 reliance, remediate by moving to stronger encryption or explicitly configuring the account's msds-SupportedEncryptionTypes attribute where RC4 is still required. Complete these actions before July 2026, when Audit mode is removed and Enforcement mode becomes the only available option. Note: Audit events related to this change are only generated when Active Directory is unable to issue AES‑SHA1 service tickets or session keys. The absence of audit events does not guarantee that all non-Windows devices will successfully accept Kerberos authentication after the April 2026 Enforcement phase begins. Validate non-Windows interoperability through testing before broadly enabling this behavior. Additional information: Read the full hardening guidance: How to manage Kerberos KDC usage of RC4 for service account ticket issuance changes related to CVE-2026-20833. Learn about RC4 usage in Windows and its risks: Detect and remediate RC4 usage in Kerberos. Learn more about the related vulnerability: CVE-2026-20833. https://aka.ms/rc4azurefiles https://learn.microsoft.com/troubleshoot/windows-server/windows-security/kerberos-protocol-registry-kdc-configuration-keys https://learn.microsoft.com/windows-server/security/kerberos/detect-remediate-rc4-kerberos https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-20833 https://support.microsoft.com/topic/1ebcda33-720a-4da8-93c1-b0496e1910dc https://support.microsoft.com/topic/1ebcda33-720a-4da8-93c1-b0496e1910dc#ID0EDDBL https://support.microsoft.com/topic/1ebcda33-720a-4da8-93c1-b0496e1910dc#ID0EDDBN |
| 2026-03-21 | MC Last Updated | 03/17/2026 20:57:26 | 2026-03-20T20:58:32Z |
| 2026-03-21 | MC Messages | Windows updates released April 2026 and later introduce the second deployment phase of protections for a Kerberos information disclosure vulnerability (CVE‑2026‑20833). In this phase, domain controllers change default Kerberos ticket behavior for accounts that do not have an explicit Kerberos encryption configuration, shifting to AES‑SHA1-only by default. Environments with remaining RC4 dependencies may experience authentication issues unless those dependencies are remediated or explicitly configured. When this will happen: April 2026 - Enforcement Phase with manual rollback: Default Kerberos behavior changes so domain controllers use AES‑SHA1-only encryption for accounts without explicit encryption type settings, and Enforcement mode is enabled by default on Windows domain controllers. Audit mode remains available as a manual rollback option until July 2026. July 2026 - Enforcement Phase: Audit mode is removed, leaving Enforcement mode as the only option. | Updated March 20, 2026: Added additional guidance for devices using Azure Files SMB with Active Directory-based authentication and Azure Virtual Desktop. Windows updates released April 2026 and later introduce the second deployment phase of protections for a Kerberos information disclosure vulnerability (CVE‑2026‑20833). In this phase, domain controllers change default Kerberos ticket behavior for accounts that do not have an explicit Kerberos encryption configuration, shifting to AES‑SHA1-only by default. Environments with remaining RC4 dependencies may experience authentication issues unless those dependencies are remediated or explicitly configured. When this will happen: April 2026 - Enforcement Phase with manual rollback: Default Kerberos behavior changes so domain controllers use AES‑SHA1-only encryption for accounts without explicit encryption type settings, and Enforcement mode is enabled by default on Windows domain controllers. Audit mode remains available as a manual rollback option until July 2026. July 2026 - Enforcement Phase: Audit mode is removed, leaving Enforcement mode as the only option. |
| 2026-03-21 | MC End Time | 03/17/2027 20:57:25 | 2027-03-20T20:58:29Z |
| 2026-03-21 | MC Start Time | 03/17/2026 20:57:25 | 2026-03-20T20:58:29Z |
| 2026-03-21 | MC How Affect | Beginning with the April 2026 Windows security update, domain controllers will default to issuing AES‑SHA1-encrypted tickets for accounts that do not explicitly define supported encryption types. Environments with service accounts, applications, or devices that still require RC4-based Kerberos tickets may see authentication or connection failures unless those dependencies are addressed. Kerberos-related events in the System event log can help identify and address misconfigurations or remaining dependencies that are likely to become incompatible as enforcement progresses. | Beginning with the April 2026 Windows security update, domain controllers will default to issuing AES‑SHA1-encrypted tickets for accounts that do not explicitly define supported encryption types. Environments with service accounts, applications, or devices that still require RC4-based Kerberos tickets may see authentication or connection failures unless those dependencies are addressed. Kerberos-related events in the System event log can help identify and address misconfigurations or remaining dependencies that are likely to become incompatible as enforcement progresses. Note: For devices using Azure Files SMB with Active Directory-based authentication, address any RC4 dependencies before the Enforcement phase begins to reduce the risk of access disruption as Audit mode is removed in July 2026. Follow the steps in the official documentation to help maintain uninterrupted access to Azure Files and Azure Virtual Desktop. |
| 2026-03-21 | MC Title | 30-Day Reminder: Second deployment phase for Kerberos RC4 hardening begins with the April 2026 Windows security update | (Updated) Second deployment phase for Kerberos RC4 hardening begins with the April 2026 Windows security update |
| 2026-03-21 | MC Category | Plan For Change | Prevent Or Fix Issue |
Last updated 2 days ago