Microsoft prepares RC4 shutdown with Windows update

The January 2026 updates begin the phaseout of RC4 encryption in the Kerberos protocol on Windows Server. The trigger is a security flaw that lets attackers request Kerberos service tickets encrypted with the weak RC4 algorithm.
Security flaw forces AES switch
Such tickets can then be attacked offline to recover service account passwords (the technique known as Kerberoasting) and gain unauthorized access to the network. All Windows Server versions from 2008 up to and including Windows Server 2025 are affected. Microsoft therefore announced some time ago that security hardening was coming. The aim is to use only modern AES encryption in Active Directory. In the current phase, which started with the January patch day, the updates initially only activate monitoring functions, as Günter Born now writes in his blog.
Systems that continue to use RC4 are recorded in the event log without their connections being blocked. This gives administrators time to identify outdated devices and applications without AES support, such as older multifunction printers, NAS systems or legacy software. As Microsoft explains in a support document, this "Initial Deployment Phase" serves to prepare for the further steps. The company provides the registry key RC4DefaultDisablementPhase for testing, so that RC4 can be disabled ahead of schedule once the logs no longer show any warnings. The schedule envisages a gradual tightening.
Tough schedule until summer 2026
The second phase begins in April 2026: domain controllers will then accept only AES algorithms by default. The `DefaultDomainSupportedEncTypes` registry value on the KDC is adjusted accordingly unless explicit exceptions have been set. Devices or applications that do not support AES will then no longer be able to obtain tickets, which can cause logon or access failures. The final phase follows in July 2026: with those updates, the so-called enforcement mode is activated. Transitional measures such as the monitoring mode or registry exceptions are then removed, and connections using RC4 are consistently blocked.
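To support the inventory step the article describes for the monitoring phase, and to check the KDC default that the April phase changes, here is an added PowerShell example. It is not code from the article, from Günter Born's blog or from Microsoft's support document. It reads the long-standing Security audit event 4769 (Kerberos service ticket operations) rather than the new update's own RC4 warnings, whose event IDs the article does not give, and it does not touch the RC4DefaultDisablementPhase key, whose path the article does not state. The encryption-type numbers follow RFC 3961/RFC 4757, and the bitmask follows Microsoft's supported-encryption-types table (0x4 RC4, 0x8 AES128, 0x10 AES256). Assumptions: an elevated session on a domain controller with the ActiveDirectory module installed and success auditing for "Audit Kerberos Service Ticket Operations" enabled; treating an unset msDS-SupportedEncryptionTypes attribute as RC4-capable is the conservative reading chosen here.

```powershell
#Requires -Modules ActiveDirectory
# Added example (not from the article, Günter Born's blog or Microsoft): inventory RC4
# Kerberos usage on a domain controller before the 2026 phases tighten the defaults.
# Assumes an elevated session on a DC with success auditing for event 4769 enabled.

# Kerberos etype identifiers (RFC 3961 / RFC 4757) as found in the TicketEncryptionType
# field of event 4769. 23 (0x17) is RC4-HMAC.
$EtypeNames = @{
    1  = 'DES-CBC-CRC'
    3  = 'DES-CBC-MD5'
    17 = 'AES128-CTS-HMAC-SHA1-96'
    18 = 'AES256-CTS-HMAC-SHA1-96'
    23 = 'RC4-HMAC'
    24 = 'RC4-HMAC-EXP'
}

# Bits of msDS-SupportedEncryptionTypes and of the KDC value DefaultDomainSupportedEncTypes.
$EncTypeBits = [ordered]@{ 0x1 = 'DES-CBC-CRC'; 0x2 = 'DES-CBC-MD5'; 0x4 = 'RC4-HMAC'; 0x8 = 'AES128'; 0x10 = 'AES256' }
$Rc4Bit  = 0x4
$AesOnly = 0x18   # AES128 + AES256 only; the default the article says the April phase applies

function ConvertTo-EncTypeNames {
    param([int]$Mask)
    if ($Mask -eq 0) { return @('(unset)') }
    $EncTypeBits.Keys | Where-Object { ($Mask -band $_) -ne 0 } | ForEach-Object { $EncTypeBits[$_] }
}

# 1. Service tickets issued with RC4 in the last N days: which service, which client, from where.
function Get-Rc4ServiceTicketRequests {
    param([int]$Days = 7)
    $filter = @{ LogName = 'Security'; Id = 4769; StartTime = (Get-Date).AddDays(-$Days) }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
        $data = @{}
        foreach ($d in ([xml]$_.ToXml()).Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
        $etype = [int]$data['TicketEncryptionType']   # rendered as a hex string such as "0x17"
        if ($etype -eq 23) {
            [pscustomobject]@{
                Time      = $_.TimeCreated
                Client    = $data['TargetUserName']
                ClientIP  = $data['IpAddress']
                Service   = $data['ServiceName']
                EtypeName = $EtypeNames[$etype]
            }
        }
    }
}

# 2. Accounts with an SPN (the Kerberoasting targets) whose attribute still permits RC4.
#    Assumption: an unset attribute (mask 0) is counted as RC4-capable.
function Get-Rc4CapableServiceAccounts {
    Get-ADObject -LDAPFilter '(servicePrincipalName=*)' -Properties msDS-SupportedEncryptionTypes, servicePrincipalName |
        ForEach-Object {
            $mask = [int]$_.'msDS-SupportedEncryptionTypes'
            if ($mask -eq 0 -or ($mask -band $Rc4Bit) -ne 0) {
                [pscustomobject]@{
                    Account  = $_.Name
                    Class    = $_.ObjectClass
                    EncTypes = (ConvertTo-EncTypeNames $mask) -join ','
                    SPNs     = ($_.servicePrincipalName -join ' ')
                }
            }
        }
}

# 3. The KDC default used when an account's attribute is unset.
function Get-KdcDefaultEncTypes {
    $path  = 'HKLM:\SYSTEM\CurrentControlSet\Services\KDC'
    $value = (Get-ItemProperty -Path $path -Name DefaultDomainSupportedEncTypes -ErrorAction SilentlyContinue).DefaultDomainSupportedEncTypes
    [pscustomobject]@{
        Path        = $path
        Raw         = $value
        EncTypes    = (ConvertTo-EncTypeNames ([int]$value)) -join ','
        Rc4Allowed  = ($null -eq $value) -or (([int]$value -band $Rc4Bit) -ne 0)
    }
}

# Run the inventory. Fix the lagging systems first; only then consider pre-empting the
# April default with:
#   Set-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\KDC' -Name DefaultDomainSupportedEncTypes -Value $AesOnly -Type DWord
Get-Rc4ServiceTicketRequests -Days 7 | Group-Object Service | Sort-Object Count -Descending |
    Select-Object Count, Name, @{ n = 'Clients'; e = { ($_.Group.Client | Sort-Object -Unique) -join ',' } } |
    Format-Table -AutoSize
Get-Rc4CapableServiceAccounts | Format-Table -AutoSize
Get-KdcDefaultEncTypes | Format-List
```

The first table is the one to watch through the monitoring phase: the services that still receive RC4 tickets are exactly the printers, NAS boxes and legacy applications the article warns will break in April. The second table lists accounts whose own attribute would keep RC4 alive even after the KDC default changes, and the third shows whether that default has already been tightened on this domain controller.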
Background: The end of an era for RC4
The RC4 stream cipher was designed by Ron Rivest in 1987 and was widely used for a long time. Despite known weaknesses, it remained in use in many legacy systems for compatibility reasons. In protocols such as WEP and SSL/TLS, however, RC4 has been considered insecure for years and is no longer supported. According to Microsoft, the vulnerability CVE-2026-20833 shows that supporting outdated encryption puts entire Active Directory environments at risk. Attacks on RC4's weaknesses can expose plaintext information and compromise domain security.