Skip to Content

MC1427604: Enforcement phase for Kerberos RC4 protections begins with the July 2026 Windows security update

Summary

  • Windows July 2026 security update begins enforcing Kerberos RC4 protections and removes Audit mode for RC4-based Kerberos ticket usage on domain controllers.
  • Environments that still rely on RC4 Kerberos service tickets may see authentication failures after the update, especially applications, services, or devices using legacy encryption settings.
  • AES-based Kerberos encryption is now expected for supported configurations; explicit RC4 use should only be treated as a temporary exception.
  • Administrators should review service accounts, remediate any remaining RC4 dependencies, and monitor Kerberos-related events for failures.
  • Microsoft points admins to guidance for managing KDC RC4 usage related to CVE-2026-20833.

Primary Service: Windows
Admin Impact: High
User Impact: Low
Release Start: 01 Jul 2026
Release End: 01 Jul 2026
Services: Windows
Category: Plan for change
Tags: Admin Action

History

7/14/2026 Item Added to Message Center

Microsoft Message

What and why

Windows updates released in July 2026 introduce the enforcement phase of protections designed to address a Kerberos information disclosure vulnerability (CVE‑2026‑20833). This phase completes the transition away from RC4-based Kerberos tickets by removing Audit mode and leaving Enforcement mode as the only supported behavior for Kerberos RC4 usage on Windows domain controllers.

With the July 2026 security update installed, domain controllers enforce updated behavior for service account ticket issuance. RC4-based Kerberos tickets are restricted under this enforcement model, and AES-based encryption is expected for supported configurations. This change helps reduce reliance on legacy encryption methods and aligns Kerberos authentication with current security standards.

Rollout schedule

This change is effective beginning with the July 2026 security update.

Impact on your organization

Organizational environments that still depend on RC4-based Kerberos service tickets might experience authentication failures when requesting service tickets after installing the July 2026 security update.

Applications, services, or devices that rely on legacy encryption configurations or explicitly defined RC4 usage are most likely to be affected. Environments previously operating in Audit mode no longer have the ability to revert to that mode once enforcement is in place.

Workloads that previously completed Kerberos authentication without updated encryption configurations might no longer function as expected.

Action required/recommendations

  • Confirm that all service accounts and dependent applications support AES-based Kerberos encryption.
  • Review and remediate any remaining RC4 dependencies identified during prior audit phases.
  • Monitor the System event log for Kerberos-related events to identify authentication failures or misconfigured accounts.
  • Validate interoperability with non-Windows Kerberos implementations and services.
  • Review How to manage Kerberos KDC usage of RC4 for service account ticket issuance changes related to CVE‑2026‑20833.

Audit mode and the RC4DefaultDisablementPhase rollback setting are removed beginning with the July 2026 security update. If RC4 must be retained for specific services, explicit configuration is still possible, but it leaves those scenarios vulnerable to CVE‑2026‑20833 and should be used only as a temporary measure.

Compliance considerations

No compliance considerations are identified. Review as appropriate for your organization.