30-Day Reminder: Final deployment phase for Kerberos RC4 hardening begins with the July 2026 Windows security update
🚨 The Signal: Microsoft is removing Kerberos RC4 audit mode in July 2026, enforcing AES-SHA1-only encryption. Environments still using RC4 for service accounts or devices will experience authentication failures, requiring immediate remediation to prevent outages.
The Impact
Domain administrators and security teams are affected: once the update enforces AES-SHA1-only encryption, legacy systems that still depend on RC4 Kerberos will no longer authenticate.
- Domain administrators: Must identify and update all RC4 dependencies.
- Security teams: Need to validate Kerberos configurations meet current standards.
- Service owners: Applications using RC4 will fail to authenticate.
- End-users: May experience service outages due to authentication failures.
The Action
- Identify all service accounts, applications, and devices configured for RC4 Kerberos encryption.
- Update identified entities to support AES-SHA1 or stronger Kerberos encryption types.
- Configure domain controllers to enforce AES-SHA1-only encryption for Kerberos.
- Test authentication flows for critical services after making changes.
- Plan for the July 2026 Windows security update deployment, ensuring all RC4 dependencies are removed.
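The inventory, remediation and verification steps above, worked as an added PowerShell example (not Microsoft's tooling or anything from the original notice). It assumes the ActiveDirectory RSAT module, rights to read and write msDS-SupportedEncryptionTypes, and, for the verification part, that it is run on a domain controller that audits Kerberos Service Ticket Operations (event 4769). The bit values and the 0x17 ticket encryption type are the documented Kerberos constants; the output file name and function name are the example's own choices.

```powershell
# Added example: inventory RC4-capable accounts, move them to AES, and check
# DC audit logs for tickets still issued with RC4. Not Microsoft's script.
Import-Module ActiveDirectory

# Bit values of msDS-SupportedEncryptionTypes (documented Kerberos constants).
$DES_CBC_CRC             = 0x01
$DES_CBC_MD5             = 0x02
$RC4_HMAC_MD5            = 0x04
$AES128_CTS_HMAC_SHA1_96 = 0x08
$AES256_CTS_HMAC_SHA1_96 = 0x10
$AesOnly = $AES128_CTS_HMAC_SHA1_96 -bor $AES256_CTS_HMAC_SHA1_96

# Step 1: identify. Match accounts that explicitly advertise RC4 (LDAP bitwise
# AND matching rule) and accounts with the attribute unset, which fall back to
# the KDC default and may still negotiate RC4. objectClass=user also covers
# computer objects, so devices are included.
$props  = 'msDS-SupportedEncryptionTypes', 'servicePrincipalName', 'pwdLastSet'
$filter = '(&(objectClass=user)(|(msDS-SupportedEncryptionTypes:1.2.840.113556.1.4.803:=4)(!(msDS-SupportedEncryptionTypes=*))))'
$candidates = Get-ADObject -LDAPFilter $filter -Properties $props

$report = foreach ($obj in $candidates) {
    $enc = $obj.'msDS-SupportedEncryptionTypes'
    [pscustomobject]@{
        Name       = $obj.Name
        Class      = $obj.ObjectClass
        DN         = $obj.DistinguishedName
        EncTypes   = if ($null -eq $enc) { 'unset (KDC default)' } else { '0x{0:X}' -f $enc }
        HasSPN     = [bool]$obj.servicePrincipalName
        PwdLastSet = if ($obj.pwdLastSet) { [datetime]::FromFileTime($obj.pwdLastSet) } else { $null }
    }
}
# rc4-inventory.csv is this example's output path; pick one that suits your change record.
$report | Sort-Object Class, Name | Export-Csv -Path .\rc4-inventory.csv -NoTypeInformation

# Step 2: update. Writes the AES bits explicitly so the resulting value is
# unambiguous. An account only has AES keys if its password was set after the
# domain supported AES, so review PwdLastSet in the report and reset old
# passwords first; otherwise the account cannot obtain tickets once RC4 is gone.
function Set-AesOnlyEncryption {
    param(
        [Parameter(Mandatory)][string]$DistinguishedName,
        [switch]$WhatIf
    )
    Set-ADObject -Identity $DistinguishedName `
        -Replace @{ 'msDS-SupportedEncryptionTypes' = $AesOnly } -WhatIf:$WhatIf
}
# Dry run across the inventory before committing any change:
foreach ($row in $report) { Set-AesOnlyEncryption -DistinguishedName $row.DN -WhatIf }

# Step 4/5: verify. On a DC, list service tickets issued with RC4 in the last
# 7 days (4769 TicketEncryptionType 0x17). Anything still appearing here will
# break when RC4 is enforced off. Fields are read from the event XML by name
# rather than by position so the parsing does not depend on field order.
$rc4Tickets = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4769; StartTime = (Get-Date).AddDays(-7) } `
                -ErrorAction SilentlyContinue |
    ForEach-Object {
        $fields = @{}
        foreach ($d in ([xml]$_.ToXml()).Event.EventData.Data) { $fields[$d.Name] = $d.'#text' }
        if ($fields.TicketEncryptionType -eq '0x17') {
            [pscustomobject]@{
                Time    = $_.TimeCreated
                Client  = $fields.TargetUserName
                Service = $fields.ServiceName
                Source  = $fields.IpAddress
            }
        }
    }
# Services still being issued RC4 tickets, most frequent first.
$rc4Tickets | Group-Object Service | Sort-Object Count -Descending | Select-Object Count, Name
```

Run the inventory and the 4769 review together: the attribute query shows what is configured, the audit log shows what is actually negotiated, and an account that looks clean in one but not the other is exactly the dependency that causes an outage after the July 2026 update. Re-run the 4769 query after the domain controllers are set to AES-only and before the update is deployed.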
Domain: Entra · Impact: high · Workload: Entra ID · Essential Eight: Patch Operating Systems · ISM: ISM-1407, ISM-1501, ISM-1621, ISM-1622, ISM-1623, ISM-1654, ISM-1655, ISM-1694, ISM-1695, ISM-1696, ISM-1701, ISM-1702, ISM-1877, ISM-1889, ISM-1902