
July 14 is the hard deadline. Microsoft’s three-phase Kerberos RC4 deprecation reaches its final stage with this month’s Patch Tuesday — and unlike the previous two phases, there is no rollback. No more audit mode. No registry key to flip. Any Windows environment still relying on RC4 encryption for Kerberos authentication will start seeing silent authentication failures on Monday. The audit window opened in January. The enforcement window opened in April. The exit closes July 14.
Three Phases, One Direction
Microsoft has been telegraphing this for over a year. The RC4 deprecation rollout under CVE-2026-20833 followed a deliberate three-step schedule:
- January 2026 (Audit Mode): Domain controllers started logging KDCSVC events 201–209 in the System log, flagging every RC4-dependent authentication request.
- April 2026 (Enforcement): RC4 disabled by default. Accounts without explicit
msDS-SupportedEncryptionTypessettings started failing unless domain defaults still permitted it. - July 14, 2026 (Final): Audit mode removed. The
RC4DefaultDisablementPhaseregistry key is ignored by updated domain controllers. RC4 is gone as an implicit fallback.
One nuance: RC4 still functions if an account explicitly declares it in msDS-SupportedEncryptionTypes. The silent “if nothing is configured, use RC4” behavior that has quietly kept aging environments alive is what disappears on July 14.
Why RC4 Needed to Die
RC4 is a stream cipher designed in 1987. The specific threat is Kerberoasting: an authenticated attacker requests a service ticket for any account with a Service Principal Name (SPN), and the KDC hands back a ticket encrypted with RC4. The attacker takes that ticket offline, and with modern GPU-based tooling running north of 100 billion guesses per second, cracks it. No network interaction after the initial request. No alerts. Just credentials.
AES-encrypted tickets do not crack like that. The migration closes an entire attack class — not just a theoretical one. Kerberoasting has been a standard entry in every red team playbook for years.
What Breaks on July 14
The dangerous scenario is not the accounts explicitly configured for RC4 — those are at least visible. The dangerous scenario is accounts with a blank msDS-SupportedEncryptionTypes attribute (null or decimal 0). Those accounts have been silently receiving RC4 tickets for years via domain defaults. After July 14, they fail.
- Service accounts with
msDS-SupportedEncryptionTypes= null, 0x0, 0x4 (RC4 only), or 0x7 (DES + RC4) - SMB share access to servers whose computer accounts lack AES keys
- WMI and PowerShell remoting (
New-PSSession) returning error0x80090342 - Java applications with
default_tkt_enctypes = rc4-hmacinkrb5.ini - Service accounts whose passwords were never reset after Windows Server 2008 DFL
How to Detect Exposure Now
Microsoft published two PowerShell scripts in the official Kerberos-Crypto GitHub repository — List-AccountKeys.ps1 and Get-KerbEncryptionUsage.ps1 — that query the Security Event Log on domain controllers. Run this on a DC:
.\Get-KerbEncryptionUsage.ps1 -Encryption RC4
Any results mean active RC4 usage. Check Security Event IDs 4768 (TGT requests) and 4769 (service ticket requests) — Ticket Encryption Type 0x17 = RC4. KDCSVC events 201–209 in the System log are your pre-enforcement warnings. For a broader sweep, the open-source RC4-ADAssessment toolkit covers domain controllers, trusts, KRBTGT, and service accounts in a single pass.
The Fix — And the Gotcha Most Guides Miss
The remediation has two required steps. Most documentation covers the first and skips the second.
Step 1: Set the encryption type attribute
Set-ADUser 'your-service-account' -Replace @{'msDS-SupportedEncryptionTypes'=0x18}
Value 0x18 (decimal 24) enables AES128 and AES256 while excluding RC4 and DES.
Step 2: Reset the password (mandatory)
Setting the attribute alone is not enough. AES keys are generated when a password is set against a domain at functional level 2008 or higher. An account whose password has never been reset in the modern era does not have AES key material in the AD database — regardless of what msDS-SupportedEncryptionTypes says. Reset the password after setting the attribute.
For Java applications, update krb5.ini:
# Replace rc4-hmac references:
default_tkt_enctypes = aes256-cts aes128-cts
default_tgs_enctypes = aes256-cts aes128-cts
permitted_enctypes = aes256-cts aes128-cts
For domain-wide enforcement on domain controllers via the KDC registry key:
Set-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\services\KDC' `
-Name DefaultDomainSupportedEncTypes -Value 0x18
Act Before Monday
If you have been running in enforcement mode since April without failures, you may already be clean. Confirm by checking KDCSVC events 203 and 204 (blocked RC4 attempts) in your System log — absence is a good sign. If you have not checked since January, run the Microsoft scripts now.
The Microsoft Learn guide on detecting and remediating RC4 Kerberos usage has the full remediation playbook including GPO-based enforcement steps and the complete KDCSVC event reference table.
RC4 had a long run. Thirty-nine years is generous for any cipher. It is time.













