Enforcement phase for Kerberos RC4 protections begins with the July 2026 Windows security update

🚨 The Signal: Microsoft will enforce AES encryption for Kerberos in July 2026, deprecating RC4. This removes a critical vulnerability, enhancing authentication security but potentially breaking legacy systems relying on RC4.

The Impact

Domain controllers are affected, risking authentication failures for legacy applications and services.

  • Domain controllers: Will enforce AES, disabling RC4 Kerberos.
  • Legacy applications: May fail to authenticate if using RC4.
  • Legacy services: Authentication issues expected without AES support.
  • Legacy devices: Could lose access if relying on RC4 Kerberos.

The Action

  1. Identify all applications, services, and devices using RC4 for Kerberos authentication.
  2. Update identified systems to support AES encryption for Kerberos.
  3. Test authentication flows in a pre-production environment after updating.
  4. Plan for the July 2026 Windows security update deployment on domain controllers.

Domain: Entra · Impact: high · Workload: Entra ID · Essential Eight: Patch Operating Systems · ISM: ISM-1407, ISM-1501, ISM-1621, ISM-1622, ISM-1623, ISM-1654, ISM-1655, ISM-1694, ISM-1695, ISM-1696, ISM-1701, ISM-1702, ISM-1877, ISM-1889, ISM-1902