Microsoft begins identifying insecure RC4 encryption
The Windows security updates from January herald the phase-out of insecure RC4 encryption. A vulnerability requires action.
The Windows security updates that Microsoft distributed on the January Patchday close a security vulnerability in Kerberos authentication. The patch also heralds the first phase for the final removal of insecure encryption with Rivest Cipher 4 (RC4).
In the Windows Release Health Message Center, Microsoft explains that the software fix for a security vulnerability in Kerberos initiates the hardening of Kerberos against RC4. The vulnerability itself is a potential information leak resulting from the use of RC4; Microsoft does not explain it in detail (CVE-2026-20833, CVSS 5.5, risk “medium”). “In this phase, new monitoring and optional configuration settings are introduced that help reduce the dependency on older encryption types such as RC4 and prepare domain controllers for a future transition that begins with the update in April 2026 and provides for the default use of AES-SHA1 encrypted tickets.”
The update alone does not close the vulnerability. For this, admins must enable the “enforcement mode” in their environment, Microsoft explains. Service accounts and applications that currently still rely on RC4-based Kerberos should receive particular attention.
In a dedicated support article, Microsoft discusses the timeline and phases for the RC4-in-Kerberos phase-out. The first phase starts with the January updates, and Microsoft recommends that organizations equip all Active Directory Domain Controllers (AD-DCs) with it. With this, Microsoft aims to promote visibility and early detection through Kerberos audit events and temporary control via registry entries. This way, admins are intended to identify misconfigurations and remaining dependencies before the second phase begins in April 2026.
Enforcement mode begins in April
There, Microsoft will activate “enforcement mode” by default on all Windows domain controllers. “This update changes the default value of 'DefaultDomainSupportedEncTypes' for KDC operations to use AES-SHA1 for accounts for which no explicit Active Directory attribute 'msds-SupportedEncryptionTypes' is defined,” Microsoft explains in the detailed support article. “In this phase, the default value for 'DefaultDomainSupportedEncTypes' will be changed to 'AES-SHA1 only' with the value 0x18.”
The third phase follows with the security updates in July. Then Microsoft will remove the DWORD “RC4DefaultDisablementPhase” from the registry key “HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Kerberos\Parameters.” Admins have been able to use this value since the January update. The value “0” means no change and no auditing takes place. The value “1” logs warning events for default RC4 usage; this is the value Microsoft sets in the first phase. The value “2” is intended for Phase 2, in which Kerberos assumes by default that RC4 is not active; it becomes the default in that phase. The support post lists nine possible event IDs that help admins with domain analysis. They are available on domain controllers from Windows Server 2012 onward.
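An added example, not code from Microsoft or from the article: a PowerShell inventory that reads the phase value on a domain controller and lists every SPN-bearing account whose explicit msDS-SupportedEncryptionTypes still allows RC4 or is unset (and will therefore inherit the AES-only domain default in April). It assumes the RSAT ActiveDirectory module, read access to the domain, and that it runs on a DC where the registry value is present.

```powershell
# Added example (not Microsoft's or the article's code): inventory RC4 dependencies before the
# April 2026 enforcement phase. Assumes the RSAT ActiveDirectory module and that the script runs
# on a domain controller with read access to Active Directory.
Import-Module ActiveDirectory

# Bit layout of msDS-SupportedEncryptionTypes as documented by Microsoft;
# 0x18 = AES128 + AES256, the "AES-SHA1 only" default Microsoft announces for Phase 2.
$EncTypeBits = @(
    @{ Bit = 0x01; Name = 'DES-CBC-CRC' },
    @{ Bit = 0x02; Name = 'DES-CBC-MD5' },
    @{ Bit = 0x04; Name = 'RC4-HMAC' },
    @{ Bit = 0x08; Name = 'AES128-CTS-HMAC-SHA1-96' },
    @{ Bit = 0x10; Name = 'AES256-CTS-HMAC-SHA1-96' },
    @{ Bit = 0x20; Name = 'AES256-CTS-HMAC-SHA1-96-SK' }
)
$AesOnly = 0x18

function Get-EncTypeNames([int]$Value) {
    foreach ($e in $EncTypeBits) { if ($Value -band $e.Bit) { $e.Name } }
}

# 1. Which rollout phase this DC is in (0 = no change, 1 = audit RC4 use, 2 = assume RC4 off).
$KerbKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Kerberos\Parameters'
$PhaseProp = Get-ItemProperty -Path $KerbKey -Name RC4DefaultDisablementPhase -ErrorAction SilentlyContinue
$Phase = if ($null -eq $PhaseProp) { 'absent (treated as 0)' } else { $PhaseProp.RC4DefaultDisablementPhase }
Write-Host "RC4DefaultDisablementPhase on $env:COMPUTERNAME = $Phase"

# 2. Every account carrying an SPN (the population targeted by Kerberoasting) whose explicit
#    msDS-SupportedEncryptionTypes either allows RC4 or is unset, i.e. will silently inherit
#    the new AES-only DefaultDomainSupportedEncTypes in Phase 2.
$Accounts = Get-ADObject -LDAPFilter '(&(servicePrincipalName=*)(|(objectClass=user)(objectClass=computer)))' `
    -Properties msDS-SupportedEncryptionTypes

$Report = foreach ($a in $Accounts) {
    $raw = $a.'msDS-SupportedEncryptionTypes'
    $v = if ($null -eq $raw) { 0 } else { [int]$raw }
    $status = if ($v -eq 0) { 'UNSET: inherits DefaultDomainSupportedEncTypes' }
              elseif ($v -band 0x04) { 'RC4 explicitly allowed' }
              elseif (($v -band $AesOnly) -eq 0) { 'No AES bits: cannot receive AES tickets' }
              else { 'AES: ready for Phase 2' }
    [pscustomobject]@{
        Name     = $a.Name
        Class    = $a.ObjectClass
        Value    = ('0x{0:X}' -f $v)
        EncTypes = ((Get-EncTypeNames $v) -join ', ')
        Status   = $status
    }
}

$Report | Sort-Object Status, Name | Format-Table -AutoSize
```

Accounts reported as UNSET or with RC4 explicitly allowed are the ones to review against the Phase 1 audit events before April; setting the attribute to 0x18 on a service account makes its behaviour independent of the domain default change.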
In mid-December, Microsoft announced that it also wants to get rid of RC4 in Kerberos. Attackers exploit the weak encryption to gain extended access to Active Directories, for example, through “Kerberoasting” attacks. The IETF “virtually banned RC4 in TLS” in 2015. Microsoft has also recommended not using RC4 since 2013.
(dmk)