What changes now

Windows security updates released in or after July 2026 start the final phase of Kerberos RC4 hardening for CVE-2026-20833. The previous audit and rollback path through RC4DefaultDisablementPhase is removed. For Domain Controllers, Enforcement becomes the mandatory behavior.

In practice, accounts, services, or clients that still expect RC4-based Kerberos service tickets can see authentication failures after the DC rollout. This is not limited to old Windows systems. Remaining dependencies often sit with service accounts with SPNs, middleware, appliances, Java/Linux Kerberos stacks, or historically configured encryption-type exceptions.

Likely breakpoints

  • Service accounts with SPNs and missing or old msDS-SupportedEncryptionTypes values.
  • Services whose password material was never rotated after AES was enabled.
  • Non-Windows systems where Kerberos was only tested with RC4.
  • Domains with manually configured DefaultDomainSupportedEncTypes.
  • Applications where owners, SPNs, and technical accounts are no longer clearly mapped.

The absence of audit events is not enough evidence on its own. Some incompatibilities only appear during the real ticket flow, especially with third-party software and appliances.

What belongs in the rollout change

  1. Stage the DC rollout: start with a pilot site or clearly scoped Domain Controllers, then expand.
  2. Review KDC events: check the DC System log for Kdcsvc events 201 through 209, especially Event 205.
  3. Prioritize SPN accounts: handle service accounts with SPNs, privileged technical accounts, and long-unchanged passwords first.
  4. Test AES in practice: attribute values alone do not prove that application authentication works.
  5. Rotate passwords deliberately: after encryption-type changes, especially for old service accounts.
  6. Keep exceptions narrow: if RC4 is still required, scope it to named accounts with an owner, expiry date, and accepted risk.

If the patch is already deployed

When incidents occur, RC4 should not be broadly re-enabled as the default. A better path is targeted tracing through DC events, affected clients, target SPNs, and the related service account. From there, decide whether the service can be moved to AES, password material must be regenerated, or a temporary exception must be documented.

The immediate check: review Kerberos/KDC events on all updated Domain Controllers, map affected SPNs to an owner, and do not leave RC4 exceptions without an expiry date.