Windows Server RC4 Deprecation

RC4 Deprecation KB ID 0001937

Problem

Microsoft has begun a major security hardening programme for Active Directory domain controllers to address CVE‑2026‑20833, a Kerberos vulnerability that enables Kerberoasting attacks by exploiting weak RC4 encryption.

If you run Windows Server domain controllers, you must prepare for the phased deprecation of RC4 throughout 2026. Enforcement becomes mandatory in July 2026, and environments still relying on RC4 will start breaking well before then.

Kerberoasting is a long‑established attack technique where an authenticated adversary requests Kerberos service tickets, extracts the portion of each ticket encrypted with the service account's key, and cracks it offline. The issue with CVE‑2026‑20833 is simple: RC4 is weak, predictable, and far easier to brute‑force than modern AES‑based encryption.

If a service account has no explicit encryption types defined, Windows may still issue RC4‑encrypted tickets, and that’s exactly what attackers want.

Solution: RC4 Deprecation

RC4 Deprecation: What Microsoft is Doing

Microsoft is changing the default Kerberos behaviour on domain controllers:

  • The DefaultDomainSupportedEncTypes (DDSET) default becomes 0x18, meaning AES‑SHA1 only.
  • Domain controllers will no longer issue RC4 tickets unless you explicitly configure an account or KDC to allow it.
  • If your DCs have a manually defined DDSET that includes insecure types, you’ll see KDCSVC Event ID 205 logged.

This is a significant shift: RC4 is effectively being retired, and AES becomes the baseline for all Kerberos operations.

The RC4 deprecation applies to:

  • Windows Server 2008 / 2008 R2 (Premium Assurance)
  • Windows Server 2012 / 2012 R2 (ESU)
  • Windows Server 2016
  • Windows Server 2019
  • Windows Server 2022
  • Windows Server 2025

All of these already support AES‑SHA1. If you still have Windows Server 2003, it cannot use AES — retire or isolate it immediately.

RC4 Deprecation Timeline

Microsoft is rolling this out in three phases:

January 2026: Initial Deployment (Audit Mode)

  • Security updates released 13 January 2026.
  • Domain controllers begin logging audit events for RC4 usage.
  • New registry value introduced: RC4DefaultDisablementPhase.
  • You can proactively switch to stricter behaviour by setting the value to 2.

April 2026: Second Deployment (Enforcement Enabled by Default)

  • Enforcement mode becomes the default on all domain controllers.
  • DDSET defaults to AES‑only for accounts without explicit encryption settings.
  • RC4‑dependent clients and services will start failing authentication.
  • You can still revert to Audit mode temporarily, but not disable auditing.

July 2026: Full Enforcement (No Audit Mode)

  • Audit mode is removed entirely.
  • RC4DefaultDisablementPhase is retired.
  • RC4 is disabled unless explicitly configured per‑account.
  • Environments still relying on RC4 will break.

RC4 Deprecation Step 1: Deploy the January 2026 Updates

Install the January 2026 security updates on all domain controllers. Note: this does not fix the vulnerability by itself; it only enables visibility of RC4 usage.

Once installed, DCs will log audit events whenever a client or service requests RC4-encrypted Kerberos tickets.

Updates are available via:

  • Windows Update
  • WSUS
  • Microsoft Update Catalogue

Note: Prioritise Domain Controllers so you can begin identifying RC4 dependencies before April.

RC4 Deprecation Step 2: Monitor Kerberos Audit Events

After updating, check the System event log for the following Kerberos audit events:

Event ID   Severity   Meaning
201        Warning    Client only supports RC4; service has no encryption types defined
202        Warning    Service lacks AES keys and has no encryption types defined
203        Error      Enforcement mode: client only supports RC4
204        Error      Enforcement mode: service account only has insecure keys
205        Warning    DDSET explicitly configured to include insecure types
206–209    Mixed      AES configuration mismatches

If you see these events, you have RC4 dependencies somewhere in your environment.
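The following PowerShell is an added example (not code from the original article or from Microsoft) that collects the audit events in the table above from one or more domain controllers and summarises them by DC and Event ID, so you can see how widespread each RC4 dependency is before moving to Enforcement. It assumes the events are written to the System log by the provider Microsoft-Windows-Kerberos-Key-Distribution-Center; the $Meaning table, the parameter names and the CSV file name are this script's own.

```powershell
# Added example: summarise KDC RC4 audit events (IDs 201-209) on domain controllers.
# Assumption: the January 2026 update writes these to the System log under the
# provider 'Microsoft-Windows-Kerberos-Key-Distribution-Center'; adjust
# -ProviderName if the source shown in Event Viewer differs on your DCs.
#Requires -RunAsAdministrator
param(
    [string[]]$DomainController = @($env:COMPUTERNAME),
    [int]$Days = 7
)

# Meanings as given in the article's table; 206-209 are AES configuration mismatches.
$Meaning = @{
    201 = 'Client only supports RC4; service has no encryption types defined'
    202 = 'Service lacks AES keys and has no encryption types defined'
    203 = 'Enforcement: client only supports RC4'
    204 = 'Enforcement: service account only has insecure keys'
    205 = 'DDSET explicitly configured to include insecure types'
    206 = 'AES configuration mismatch'
    207 = 'AES configuration mismatch'
    208 = 'AES configuration mismatch'
    209 = 'AES configuration mismatch'
}

$filter = @{
    LogName      = 'System'
    ProviderName = 'Microsoft-Windows-Kerberos-Key-Distribution-Center'
    Id           = 201..209
    StartTime    = (Get-Date).AddDays(-$Days)
}

$events = foreach ($dc in $DomainController) {
    try {
        Get-WinEvent -ComputerName $dc -FilterHashtable $filter -ErrorAction Stop |
            ForEach-Object {
                [pscustomobject]@{
                    DC      = $dc
                    Time    = $_.TimeCreated
                    Id      = $_.Id
                    Level   = $_.LevelDisplayName
                    Meaning = $Meaning[$_.Id]
                    # The message names the client/service involved; keep its
                    # first line so the summary stays readable.
                    Detail  = ($_.Message -split "`r?`n")[0]
                }
            }
    }
    catch {
        # Get-WinEvent throws when nothing matches the filter; a clean log is the
        # result you want before setting RC4DefaultDisablementPhase = 2.
        if ($_.Exception.Message -match 'No events were found') {
            Write-Host "$dc : no RC4 audit events in the last $Days days"
        } else {
            Write-Warning "$dc : $($_.Exception.Message)"
        }
    }
}

if ($events) {
    # Per-DC / per-ID counts show how widespread each dependency is.
    $events | Group-Object DC, Id | Sort-Object Count -Descending |
        Select-Object Count, Name,
            @{ n = 'Meaning'; e = { $Meaning[[int](($_.Name -split ', ')[1])] } } |
        Format-Table -AutoSize

    # Full detail feeds the remediation work in Step 4; export it for tracking.
    $events | Sort-Object Time | Export-Csv -NoTypeInformation -Path '.\Kerberos-RC4-Audit.csv'
    "Exported $(@($events).Count) events to Kerberos-RC4-Audit.csv"
}
```

Run it as a domain admin from a management host with `.\Get-Rc4Audit.ps1 -DomainController dc01,dc02 -Days 14` (the file name is yours to choose). A DC that reports "no RC4 audit events" over a representative period, including month-end and batch jobs, is the signal that it is safe to move that DC to Enforcement.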

RC4 Deprecation Step 3: Configure RC4DefaultDisablementPhase (Temporary)

Registry path:

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Kerberos\Parameters

Value: RC4DefaultDisablementPhase (DWORD)

Value   Behaviour
0       No audit, no changes
1       Audit mode (default for January updates)
2       Enforcement mode (AES‑only behaviour)

If your audit logs are clean, set the value to 2 and reboot the DC to enable Enforcement early. Note: This registry key is removed in July 2026.

RC4 Deprecation Step 4: Remediate RC4 Dependencies

You must identify and fix any accounts or devices still relying on RC4.

Check Kerberos Event IDs 4768 & 4769 (Security log)

These record the encryption type used for ticket‑granting tickets (4768) and service tickets (4769), so they show which clients and services are still being issued RC4 tickets.

Inspect msDS-SupportedEncryptionTypes

Ensure accounts include:

  • AES128‑SHA1
  • AES256‑SHA1

If an account only has RC4 keys, then reset its password, and its AES keys will be generated automatically.

Review DefaultDomainSupportedEncTypes

Ensure your domain‑wide defaults align with AES‑only requirements.

Third‑party devices

  • Document any systems that cannot use AES.
  • Plan upgrades or vendor engagement.
  • If absolutely necessary, RC4 can be explicitly enabled per‑account — but this should be a last resort.
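Added example (not code from the original article): a PowerShell script covering the first two remediation checks in Step 4. Part (a) decodes msDS-SupportedEncryptionTypes on every SPN-bearing user and on every computer account and lists those whose explicit value lacks AES or still permits RC4/DES; part (b) parses the last 24 hours of Security-log 4768/4769 events and groups the tickets that were actually issued with RC4 (TicketEncryptionType 0x17). It assumes the RSAT ActiveDirectory module, that part (b) is run on a DC with Kerberos auditing enabled, and that the bit values shown match Microsoft's documented flags; variable and function names such as $AesOnly and Get-EncTypeNames are this script's own.

```powershell
# Added example: find accounts and tickets still depending on RC4.
# Assumptions: RSAT ActiveDirectory module present; (b) runs on a DC.
#Requires -Modules ActiveDirectory

# Bit values of msDS-SupportedEncryptionTypes (Microsoft's documented flags).
$DES_CRC = 0x1; $DES_MD5 = 0x2; $RC4 = 0x4; $AES128 = 0x8; $AES256 = 0x10
$AesOnly = $AES128 -bor $AES256              # 0x18: the new DDSET default
$Weak    = $DES_CRC -bor $DES_MD5 -bor $RC4

function Get-EncTypeNames([int]$Value) {
    # Decode the bitmask into the names the article uses.
    $names = @()
    if ($Value -band $DES_CRC) { $names += 'DES-CBC-CRC' }
    if ($Value -band $DES_MD5) { $names += 'DES-CBC-MD5' }
    if ($Value -band $RC4)     { $names += 'RC4-HMAC' }
    if ($Value -band $AES128)  { $names += 'AES128-SHA1' }
    if ($Value -band $AES256)  { $names += 'AES256-SHA1' }
    if (-not $names) { return '(not set: DDSET default applies)' }
    $names -join ','
}

# (a) Service accounts (anything with an SPN) and computer accounts whose
#     explicit value lacks AES or still permits RC4/DES. An unset value (0)
#     is not flagged on its own: after the January update, DDSET decides.
$props = 'msDS-SupportedEncryptionTypes', 'servicePrincipalName', 'pwdLastSet'
$accounts = @(Get-ADUser -LDAPFilter '(servicePrincipalName=*)' -Properties $props) +
            @(Get-ADComputer -Filter * -Properties $props)

$findings = foreach ($a in $accounts) {
    $raw = $a.'msDS-SupportedEncryptionTypes'
    $set = if ($null -eq $raw) { 0 } else { [int]$raw }
    $noAes      = ($set -ne 0) -and (($set -band $AesOnly) -eq 0)
    $allowsWeak = ($set -band $Weak) -ne 0
    if ($noAes -or $allowsWeak) {
        [pscustomobject]@{
            Account    = $a.SamAccountName
            Value      = '0x{0:X}' -f $set
            EncTypes   = Get-EncTypeNames $set
            # AES keys are only derived when the password is set; an old
            # pwdLastSet is the usual sign that a reset is still needed.
            PwdLastSet = [datetime]::FromFileTime([int64]$a.pwdLastSet)
            Action     = if ($noAes) { 'Set 0x18 and reset password' }
                         else        { 'Remove RC4/DES bits (set 0x18)' }
        }
    }
}
$findings | Sort-Object PwdLastSet | Format-Table -AutoSize

# (b) Tickets actually issued with RC4 in the last 24 h. 4768 = TGT request,
#     4769 = service ticket request; TicketEncryptionType 0x17 = RC4-HMAC.
#     The event XML carries the field, so parse that rather than the message text.
$rc4Tickets = Get-WinEvent -FilterHashtable @{
        LogName = 'Security'; Id = 4768, 4769; StartTime = (Get-Date).AddHours(-24)
    } -ErrorAction SilentlyContinue | ForEach-Object {
    $data = @{}
    foreach ($n in ([xml]$_.ToXml()).Event.EventData.Data) { $data[$n.Name] = $n.'#text' }
    if ($data.TicketEncryptionType -eq '0x17') {
        [pscustomobject]@{
            Time    = $_.TimeCreated
            Id      = $_.Id
            Account = $data.TargetUserName
            Service = $data.ServiceName    # krbtgt for 4768, the SPN owner for 4769
            From    = $data.IpAddress
        }
    }
}
"RC4 tickets issued in the last 24 h: $(@($rc4Tickets).Count)"
$rc4Tickets | Group-Object Service, Account | Sort-Object Count -Descending |
    Format-Table Count, Name -AutoSize
```

Part (a) tells you which accounts to fix (set the attribute to 0x18 and, where the AES keys were never generated, reset the password as the article describes); part (b) tells you which clients and services to chase, because an RC4 ticket issued to a service that already has AES keys means the requesting client is the problem, not the account. Run both again after remediation and before switching RC4DefaultDisablementPhase to 2.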

RC4 Deprecation Step 5: Enable Enforcement Mode

To fully mitigate CVE‑2026‑20833, Enforcement mode must be active on all domain controllers. You can enable it manually now by setting:

RC4DefaultDisablementPhase = 2

Once enabled:

  • RC4 ticket requests for accounts that rely on the default (DDSET) configuration will be blocked.
  • Event ID 205 will continue to warn about insecure DDSET configurations.

From April 2026, Enforcement mode becomes the default.
From July 2026, it will become the only mode.
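Both Step 3 and Step 5 come down to writing RC4DefaultDisablementPhase = 2 on every domain controller. The following PowerShell is an added example (not code from the original article or from Microsoft) that does that consistently across all DCs and reads the value back, using the registry path and the 0/1/2 values exactly as the article gives them. It assumes the RSAT ActiveDirectory module (to enumerate DCs) and WinRM access to each DC; the parameter names and the $PhaseText table are this script's own, and -WhatIf is standard ShouldProcess support.

```powershell
# Added example: set RC4DefaultDisablementPhase on all DCs and verify it.
# Assumptions: RSAT ActiveDirectory module and WinRM (Invoke-Command) to each DC.
# Registry path and values are those stated in the article.
#Requires -Modules ActiveDirectory
[CmdletBinding(SupportsShouldProcess)]
param(
    [ValidateSet(0, 1, 2)][int]$Phase = 2,   # 2 = Enforcement (AES-only)
    [string[]]$DomainController = (Get-ADDomainController -Filter * |
                                   Select-Object -ExpandProperty HostName)
)

$KeyPath   = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Kerberos\Parameters'
$ValueName = 'RC4DefaultDisablementPhase'
$PhaseText = @{ 0 = 'No audit, no changes'; 1 = 'Audit mode'; 2 = 'Enforcement mode (AES-only)' }

# Runs on each DC: create the key if missing, write the DWORD, read it back.
$apply = {
    param($KeyPath, $ValueName, $Phase)
    if (-not (Test-Path $KeyPath)) { New-Item -Path $KeyPath -Force | Out-Null }
    $before = (Get-ItemProperty -Path $KeyPath -Name $ValueName -ErrorAction SilentlyContinue).$ValueName
    Set-ItemProperty -Path $KeyPath -Name $ValueName -Value $Phase -Type DWord
    $after  = (Get-ItemProperty -Path $KeyPath -Name $ValueName).$ValueName
    [pscustomobject]@{ DC = $env:COMPUTERNAME; Before = $before; After = $after }
}

foreach ($dc in $DomainController) {
    if ($PSCmdlet.ShouldProcess($dc, "Set $ValueName = $Phase ($($PhaseText[$Phase]))")) {
        try {
            $r = Invoke-Command -ComputerName $dc -ScriptBlock $apply `
                     -ArgumentList $KeyPath, $ValueName, $Phase -ErrorAction Stop
            $was = if ($null -eq $r.Before) { 'not set' } else { $r.Before }
            '{0}: {1} -> {2} ({3})' -f $r.DC, $was, $r.After, $PhaseText[[int]$r.After]
        }
        catch {
            Write-Warning "$dc : $($_.Exception.Message)"
        }
    }
}
# The article notes a reboot is required for the change to take effect; that is
# left as a separate, deliberate step (for example Restart-Computer per DC) so
# DCs can be cycled one at a time.
```

Use `-WhatIf` first to confirm the DC list, then run for real only once the audit events from Step 2 are clean; the "before -> after" line per DC is the record that every KDC is on the same phase, which matters because a single DC left on phase 1 will keep issuing RC4 tickets. Because the key is retired in July 2026, treat this as a temporary control and remove the script from any scheduled jobs after that date.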

To Summarise: RC4 Deprecation

Microsoft is finally retiring RC4 from Kerberos, and the transition is unavoidable.
If you don’t prepare, April and July 2026 will cause authentication failures across legacy systems, service accounts, and third‑party integrations.

Your action plan:

  1. Install the January 2026 updates on all DCs.
  2. Monitor audit events for RC4 usage.
  3. Fix accounts and services still relying on RC4.
  4. Move to Enforcement mode as soon as your audit logs are clean.
  5. Ensure your environment is fully AES‑only before July 2026.


Author: PeteLong
