check before: 2026-04-01
Product:
Windows
Platform:
Online, Windows Desktop, World tenant
Status:
Change type:
Admin impact
Links:
Details:
Windows updates released April 2026 and later begin the second deployment phase of protections for a Kerberos information disclosure vulnerability (CVE-2026-20833). In this phase, domain controllers change default Kerberos ticket behavior for accounts that do not have an explicit Kerberos encryption configuration, shifting to AES-SHA1-only by default. Environments with remaining RC4 dependencies may experience authentication issues unless those dependencies are remediated or explicitly configured.
When this will happen:
April 2026 - Enforcement Phase with manual rollback: With installation of the April 2026 Windows security update, default Kerberos behavior changes so domain controllers use AES-SHA1-only encryption for accounts without explicit encryption type settings, and Enforcement mode is enabled by default on Windows domain controllers. Audit mode remains available as a manual rollback option until July 2026.
July 2026 - Enforcement Phase: Audit mode is removed, leaving Enforcement mode as the only option.
Release Phase:
Created:
2026-04-15
updated:
2026-04-17
Direct effects for Operations**
Authentication Issues
Environments with remaining RC4 dependencies may experience authentication failures due to the shift to AES-SHA1-only encryption for accounts without explicit settings.
- roles: System Administrator, Network Engineer
- references: https://learn.microsoft.com/windows-server/security/kerberos/detect-remediate-rc4-kerberos, https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-20833
Access Disruption
Devices using Azure Files SMB with Active Directory-based authentication may face access disruptions if RC4 dependencies are not addressed before the Enforcement phase.
- roles: Cloud Administrator, IT Support
- references: https://aka.ms/rc4azurefiles, https://learn.microsoft.com/troubleshoot/windows-server/windows-security/kerberos-protocol-registry-kdc-configuration-keys
Incompatibility with Non-Windows Devices
Non-Windows devices may not successfully accept Kerberos authentication after the April 2026 Enforcement phase, leading to potential interoperability issues.
- roles: System Administrator, Application Developer
- references: https://learn.microsoft.com/windows-server/security/kerberos/detect-remediate-rc4-kerberos, https://support.microsoft.com/topic/1ebcda33-720a-4da8-93c1-b0496e1910dc
Increased Monitoring Requirements
Organizations will need to increase monitoring of the System event log for Kerberos-related events to identify RC4 dependencies and misconfigurations.
- roles: Security Analyst, System Administrator
- references: https://learn.microsoft.com/windows-server/security/kerberos/detect-remediate-rc4-kerberos, https://support.microsoft.com/topic/1ebcda33-720a-4da8-93c1-b0496e1910dc#ID0EDDBL
Need for Remediation Planning
Organizations must plan for remediation of RC4 dependencies before the July 2026 deadline, or risk being unable to authenticate users and services.
- roles: IT Manager, Project Manager
- references: https://learn.microsoft.com/troubleshoot/windows-server/windows-security/kerberos-protocol-registry-kdc-configuration-keys, https://support.microsoft.com/topic/1ebcda33-720a-4da8-93c1-b0496e1910dc#ID0EDDBN
** AI generated content. This information must be reviewed before use.
Last updated 2 months ago