MC1218691: Initial deployment phase for Kerberos RC4 hardening begins with the January 2026 Windows security update

Windows updates released on and after January 13, 2026, introduce the first phase of protections addressing a Kerberos information disclosure vulnerability (CVE‑2026‑20833). These updates introduce new auditing and optional registry controls that devices can use to begin reducing reliance on RC4 encryption. They also help prepare domain controllers for a future shift to AES‑SHA1 as the default Kerberos encryption method for accounts without explicit encryption settings. The initial deployment phase focuses on identifying misconfigurations or dependencies before the second deployment phase begins in April 2026.

When this will happen:

The initial deployment phase starts January 13, 2026, and introduces new Kerberos audit events that help identify any remaining RC4 dependencies across your environment. This phase also adds the temporary RC4DefaultDisablementPhase registry value, which organizations can use to optionally enable the upcoming behavior changes early; however, this key will no longer be read after Audit mode is removed in July 2026. Together, these updates provide early diagnostics to help assess readiness before the second deployment phase in April 2026, when the default domain controller behavior for Kerberos encryption will change to use AES‑SHA1 only for accounts without explicit encryption settings. Starting in April 2026, Enforcement mode will be enabled on all Windows domain controllers by default, and in July 2026 Audit mode will be removed, leaving Enforcement mode as the only option.

How this will affect your organization:

Domain controllers will begin logging new Kerberos audit events, KDCSVC (ID 201–209), that highlight where devices or service accounts still rely on RC4 encryption. Certain RC4‑dependent configurations will appear in the new Kerberos audit events, highlighting scenarios that will become incompatible once enforcement begins. These events provide early visibility into configurations that may fail as Enforcement mode is enabled by default starting in April 2026 and Audit mode is removed in July 2026.

As the deployment phases progress, beginning with the April 2026 Windows security update, Kerberos operations will shift to using AES‑SHA1 by default for accounts without explicit encryption settings. Environments that do not address RC4 dependencies may experience authentication issues as Enforcement mode is enabled by default starting in April 2026 and Audit mode is removed in July 2026. Organizations with secure configurations or without RC4 usage should see minimal impact aside from routine audit visibility during the transition period.

What you need to do to prepare:

Begin by installing Windows updates released on or after January 13, 2026, on all Active Directory domain controllers. After updating, monitor the System event logs for the new Kerberos audit events that indicate whether any devices or service accounts still rely on RC4-based encryption. If no events appear, you can proactively move your domain controllers to Enforcement mode by using the Registry settings. If events do appear, you will need to address or explicitly configure any remaining RC4 dependencies before enforcement takes effect.

Additional information:
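The monitoring step above can be scripted so that every domain controller is checked in one pass. The following PowerShell is an added example, not part of the Microsoft message center post and not a Microsoft-supplied tool. It assumes (the post does not say) that the KDCSVC audit events 201–209 are written to the System log by the existing KDC provider "Microsoft-Windows-Kerberos-Key-Distribution-Center", and that RC4DefaultDisablementPhase sits under the KDC service key HKLM:\SYSTEM\CurrentControlSet\Services\Kdc; adjust both if the release notes for your build say otherwise. It only reads the registry value and never sets it.

```powershell
# Added example (not from the Microsoft post): collect the KDCSVC audit events
# 201-209 introduced by the January 2026 update from every domain controller so
# that remaining RC4 dependencies are visible before Enforcement mode becomes
# the default in April 2026.
#
# Assumptions not stated in the post:
#   - provider name of the KDC events in the System log
#   - registry location of RC4DefaultDisablementPhase
# Requires the ActiveDirectory module locally and WinRM access to the DCs.

param(
    [int]$DaysBack = 30,
    [string]$ReportPath = "$env:TEMP\kerberos-rc4-audit.csv"
)

$kdcProvider = 'Microsoft-Windows-Kerberos-Key-Distribution-Center'   # assumption
$kdcRegKey   = 'HKLM:\SYSTEM\CurrentControlSet\Services\Kdc'          # assumption
$auditIds    = 201..209                                               # IDs named in the post
$since       = (Get-Date).AddDays(-$DaysBack)

# Enumerate all DCs in the current domain; the post says every DC must be updated and watched.
$domainControllers = Get-ADDomainController -Filter * | Select-Object -ExpandProperty HostName

$results = Invoke-Command -ComputerName $domainControllers -ScriptBlock {
    # Get-WinEvent raises a terminating error when nothing matches; treat that as "no events".
    $events = Get-WinEvent -ErrorAction SilentlyContinue -FilterHashtable @{
        LogName      = 'System'
        ProviderName = $using:kdcProvider
        Id           = $using:auditIds
        StartTime    = $using:since
    }

    # The registry value is optional; $null means this DC is running the update's default phase.
    $phase = (Get-ItemProperty -Path $using:kdcRegKey -Name 'RC4DefaultDisablementPhase' `
                -ErrorAction SilentlyContinue).RC4DefaultDisablementPhase

    foreach ($e in $events) {
        [pscustomobject]@{
            DomainController = $env:COMPUTERNAME
            TimeCreated      = $e.TimeCreated
            EventId          = $e.Id
            Phase            = $phase
            Message          = ($e.Message -replace '\s+', ' ')   # flatten multi-line text for CSV
        }
    }
}

if (-not $results) {
    Write-Host "No KDCSVC events $($auditIds[0])-$($auditIds[-1]) in the last $DaysBack days on any DC."
} else {
    # Full detail (including the event text naming the account or device) goes to CSV;
    # the console gets a per-DC, per-event-ID count for a quick readiness view.
    $results | Export-Csv -Path $ReportPath -NoTypeInformation
    $results | Group-Object DomainController, EventId |
        Select-Object @{ n = 'DC, EventId'; e = { $_.Name } }, Count |
        Sort-Object 'DC, EventId' | Format-Table -AutoSize
    Write-Host "Full report written to $ReportPath"
}
```

Run it from a management host after the January 2026 update has been installed on all domain controllers, and repeat it over the whole audit window; a clean run across several weeks is the evidence the post asks for before moving domain controllers to Enforcement mode, while any rows in the CSV identify the accounts or devices whose encryption settings still need to be addressed.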