Kerberos RC4 enforcement April 2026 — what to do before patching
Microsoft's April update enforces AES-only Kerberos. Service accounts still using RC4 will break. Here is how to prepare.
Microsoft's April 2026 security update activates phase 2 of the Kerberos RC4 hardening (CVE-2026-20833). From this patch forward, domain controllers will default to AES-only ticket encryption.
Service accounts, applications, and legacy systems still relying on RC4 will fail authentication. No warning — just broken logins.
What is actually changing?
Since January 2026, Microsoft has been logging warning events on domain controllers whenever RC4 is used. That was phase 1 — audit only. April flips the switch. RC4 is no longer accepted as an implicit fallback by the KDC.
If you have service accounts with a blank msDS-SupportedEncryptionTypes attribute, they will fail to authenticate after the April patch is applied.
July 2026 removes the rollback option entirely. This is the last window to fix it properly.
Who is affected?
Any organization running hybrid Active Directory with Entra Connect. Specifically:
- Service accounts not explicitly configured for AES256
- Entra Connect Sync authentication flows
- FSLogix profile containers on SMB storage
- Legacy applications that only support RC4
Running M365 Business Premium with hybrid AD and Entra Connect? This affects you directly.
What to do right now
- Review all domain controllers for Kerberos RC4 warning events (System event log)
- Identify service accounts with blank or RC4-only msDS-SupportedEncryptionTypes
- Update all service accounts to AES256 before applying the April patch
- Test Entra Connect Sync and FSLogix in a staging environment first
- Plan ahead — the July update removes all rollback options
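One way to carry out the identification step in the list above, as an added example (not from the original article or from Microsoft). It assumes the ActiveDirectory PowerShell module is available and treats any user object with a servicePrincipalName as a service account; the function names are hypothetical.

```powershell
# Added example: read-only audit, changes nothing in the directory.
# Assumes the ActiveDirectory module (RSAT) and that "service account"
# means a user object with at least one servicePrincipalName.
Import-Module ActiveDirectory

# msDS-SupportedEncryptionTypes encryption-type bit flags
$EncBits = [ordered]@{
    'DES-CBC-CRC' = 0x01
    'DES-CBC-MD5' = 0x02
    'RC4-HMAC'    = 0x04
    'AES128'      = 0x08
    'AES256'      = 0x10
}

function Get-EncTypeStatus {
    param($Value)   # raw attribute value, $null when the attribute is unset
    # Keep only the five encryption-type bits; other flag bits are ignored.
    $v = if ($null -eq $Value) { 0 } else { [int]$Value -band 0x1F }
    if ($v -eq 0)       { return 'Blank' }
    if ($v -band 0x10)  { return 'AES256' }
    if ($v -band 0x08)  { return 'AES128 only' }
    return 'RC4/DES only'
}

function Get-EncTypeNames {
    param($Value)
    if ($null -eq $Value) { return @() }
    $EncBits.GetEnumerator() |
        Where-Object { [int]$Value -band $_.Value } |
        ForEach-Object { $_.Key }
}

$report = Get-ADUser -LDAPFilter '(servicePrincipalName=*)' `
        -Properties 'msDS-SupportedEncryptionTypes', PasswordLastSet |
    ForEach-Object {
        $raw = $_.'msDS-SupportedEncryptionTypes'
        [pscustomobject]@{
            Account         = $_.SamAccountName
            Enabled         = $_.Enabled
            RawValue        = $raw
            EncTypes        = (Get-EncTypeNames $raw) -join ', '
            Status          = Get-EncTypeStatus $raw
            # AES keys are derived when the password is set; a password that
            # predates AES support in the domain needs a reset as well.
            PasswordLastSet = $_.PasswordLastSet
        }
    }

# Accounts to fix before the April patch: everything that is not AES256.
$report | Where-Object Status -ne 'AES256' |
    Sort-Object Status, Account | Format-Table -AutoSize
```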
How HaggeBurger can help
We offer a Kerberos Health Check — a half-day assessment where we identify all RC4 dependencies in your environment and produce a remediation plan before Patch Tuesday on April 14. Contact us to schedule.
Reference: Microsoft Tech Community — Kerberos RC4 Hardening