Enforcement phase for Kerberos RC4 protections begins with the July 2026 Windows security update
🚨 The Signal: Microsoft will enforce AES encryption for Kerberos in July 2026, deprecating RC4. This removes a critical vulnerability, enhancing authentication security but potentially breaking legacy systems relying on RC4.
The Impact
Domain controllers are affected, risking authentication failures for legacy applications and services.
- Domain controllers: Will enforce AES, disabling RC4 Kerberos.
- Legacy applications: May fail to authenticate if using RC4.
- Legacy services: Authentication issues expected without AES support.
- Legacy devices: Could lose access if relying on RC4 Kerberos.
The Action
- Identify all applications, services, and devices using RC4 for Kerberos authentication.
- Update identified systems to support AES encryption for Kerberos.
- Test authentication flows in a pre-production environment after updating.
- Plan for the July 2026 Windows security update deployment on domain controllers.
Domain: Entra · Impact: high · Workload: Entra ID · Essential Eight: Patch Operating Systems · ISM: ISM-1407, ISM-1501, ISM-1621, ISM-1622, ISM-1623, ISM-1654, ISM-1655, ISM-1694, ISM-1695, ISM-1696, ISM-1701, ISM-1702, ISM-1877, ISM-1889, ISM-1902