
The Windows 11 July 14 update (KB5095093) drops tomorrow with 13 changes. Most of them are polish. Two of them are not. Point-in-time Restore goes generally available for machines with 200 GB or more of storage, and Kerberos RC4 hardening hits permanent enforcement — no rollback path this time. If your service accounts still rely on RC4 key material, authentication failures start Wednesday morning and there is no domain-wide fix.
Kerberos RC4: The Rollback Key Is Gone
Microsoft began phasing out RC4 in Kerberos in January 2026. April tightened the defaults but left one escape valve: the RC4DefaultDisablementPhase registry key, which let administrators revert their domain controllers to audit mode if something broke. The July 14 update removes that key permanently.
Once removed, it cannot be restored through any domain-wide setting. Service accounts that only have RC4 key material in msDS-SupportedEncryptionTypes will fail Kerberos authentication. The recovery path after July 14 is per-account reconfiguration — time-consuming, account-by-account work that Microsoft explicitly discourages as a remediation strategy. The most common victims are SQL Server service accounts, IIS application pool identities, and scheduled task credentials that were never migrated to AES.
If you have any of those, run this before tomorrow:
Get-WinEvent -LogName Security -FilterXPath "*[EventData[Data[@Name='TicketEncryptionType']='0x17']]" |
Select-Object TimeCreated, Message | Format-List
Event ID 4769 with Ticket Encryption Type 0x17 is RC4. Anything generating those events needs its service account updated to support AES128 and AES256 before the update lands. Microsoft’s CVE-2026-20833 management guide has the step-by-step. ByteIota also published a detailed Kerberos RC4 audit walkthrough last week.
Point-in-time Restore Is Now Generally Available
Point-in-time Restore has been in Insider builds since late 2025. July 14 makes it default-on for every machine with an OS volume of 200 GB or more. This is not the old System Restore — it covers the full system state: OS, applications, settings, and local files, with no user data scoped out.
Restore points are captured automatically every 24 hours using Volume Shadow Copy Service (VSS). The feature retains up to 72 hours of restore points. Storage is capped at 2% of your disk size, with a 2 GB floor and a 50 GB ceiling — no space is pre-reserved. If free disk space drops below 20 GB, VSS starts evicting older restore points. Below 200 GB, the feature is off by default but can be manually enabled. Microsoft’s Point-in-time Restore documentation covers Group Policy controls for IT admins who want to set restore frequency and storage caps centrally.
For developers, this matters most when testing changes that affect system state — driver installs, registry modifications, kernel-level tools. The 72-hour window is narrower than Time Machine on macOS, but the automation is stronger: no setup required, no manual checkpoints needed. Microsoft confirmed general availability in a Windows IT Pro Blog post accompanying the update.
Developer Quality-of-Life Improvements
Beyond the two headline features, KB5095093 packs several improvements that matter for developer workflows specifically.
Windows Update Calendar Pause
The fixed 7/14/21-day pause blocks are replaced with a calendar control. You can now pick an exact pause end date, up to 35 days out. Once a pause expires, you can set another one — effectively indefinite deferral if you need it. This is meaningful for dev VMs, CI runners, and test environments where forced reboots break pipelines at the worst possible time.
File Explorer and ISO Mounting
File Explorer’s Home tab has been structurally refactored for a faster launch without background preloading tricks. ISO disk image mounting is also more responsive. Neither change is dramatic, but both matter if you regularly work with Windows ISOs, virtual machine images, or nested Hyper-V setups.
Netlogon and Bluetooth
Netlogon secure channel connections now work correctly for domain controllers provisioned before 2025 — relevant for legacy lab environments or multi-site Active Directory setups. On Bluetooth, system mute now stays synchronized with headphone hardware mute buttons, AirPods pair faster, and Beats Studio Pro microphone behavior is more reliable.
What to Do Before July 14
The update is mandatory and installs automatically on Tuesday. Before it does:
- Audit RC4 Kerberos usage using Event ID 4769 — any Ticket Encryption Type 0x17 must be remediated before the update lands
- Update service account
msDS-SupportedEncryptionTypesto include AES128 and AES256 on all affected accounts - Verify your OS volume is 200 GB or larger if you want Point-in-time Restore enabled automatically
- Review Windows Update pause settings on dev VMs and CI infrastructure
Full change details are in Microsoft’s KB5095093 release notes. The Patch Tuesday security bulletin releasing the same day is expected to patch 100–140 CVEs — ByteIota will cover that once the bulletin drops on Tuesday.













