check before: 2026-04-01
Product:
Windows
Platform:
Online, Windows Desktop, World tenant
Status:
Change type:
Admin impact
Links:
Details:
Windows updates released April 2026 and later begin the second deployment phase of protections for a Kerberos information disclosure vulnerability (CVE‑2026‑20833). In this phase, domain controllers change default Kerberos ticket behavior for accounts that do not have an explicit Kerberos encryption configuration, shifting to AES‑SHA1-only by default. Environments with remaining RC4 dependencies may experience authentication issues unless those dependencies are remediated or explicitly configured.
When this will happen:
April 2026 - Enforcement Phase with manual rollback: With installation of the April 2026 Windows security update, default Kerberos behavior changes so domain controllers use AES‑SHA1-only encryption for accounts without explicit encryption type settings, and Enforcement mode is enabled by default on Windows domain controllers. Audit mode remains available as a manual rollback option until July 2026.
July 2026 - Enforcement Phase: Audit mode is removed, leaving Enforcement mode as the only option.
Release Phase:
Created:
2026-04-15
updated:
2026-04-15
Direct effects for Operations**
Authentication Failures
Environments with remaining RC4 dependencies may experience authentication issues, leading to service disruptions.
- roles: System Administrator, Network Engineer
- references: https://learn.microsoft.com/windows-server/security/kerberos/detect-remediate-rc4-kerberos, https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-20833
Access Disruption
Access to Azure Files and Azure Virtual Desktop may be disrupted if RC4 dependencies are not addressed before the Enforcement phase.
- roles: Cloud Administrator, IT Support
- references: https://aka.ms/rc4azurefiles, https://learn.microsoft.com/troubleshoot/windows-server/windows-security/kerberos-protocol-registry-kdc-configuration-keys
Increased Support Tickets
Users may report issues related to authentication and access, leading to an increase in support tickets and user dissatisfaction.
- roles: Help Desk Technician, IT Support
- references: https://support.microsoft.com/topic/1ebcda33-720a-4da8-93c1-b0496e1910dc, https://learn.microsoft.com/windows-server/security/kerberos/detect-remediate-rc4-kerberos
Interoperability Issues
Non-Windows devices may fail to accept Kerberos authentication, causing compatibility issues across the network.
- roles: System Administrator, Network Engineer
- references: https://learn.microsoft.com/troubleshoot/windows-server/windows-security/kerberos-protocol-registry-kdc-configuration-keys, https://support.microsoft.com/topic/1ebcda33-720a-4da8-93c1-b0496e1910dc#ID0EDDBL
Configuration Management Challenges
The need for explicit configuration of encryption types may lead to misconfigurations and increased administrative overhead.
- roles: System Administrator, Security Analyst
- references: https://learn.microsoft.com/windows-server/security/kerberos/detect-remediate-rc4-kerberos, https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-20833
** AI generated content. This information must be reviewed before use.