In July 2026, Microsoft will release an update for Windows Server that removes the last escape hatch for domain administrators still relying on RC4 encryption for Kerberos authentication. The registry key RC4DefaultDisablementPhase, which temporarily allowed rolling back enforcement to audit mode, will stop working. If you haven’t inventoried and remediated your RC4-dependent service accounts by then, expect authentication failures.

The Hard Deadline: July 2026 Patches Remove the Rollback

For months, Microsoft has been phasing out the RC4 encryption type for Kerberos ticket-granting. The upcoming July 2026 cumulative update (documented as KB5073381) eliminates the final safety valve. Once installed, domain controllers will no longer honor the RC4DefaultDisablementPhase registry value. That means reverting to audit mode—where RC4 tickets are logged but not blocked—won’t be possible. If a service account can’t use AES, authentication will simply break.

The enforcement timeline began with optional auditing in January 2026, shifting to a default AES-only behavior for accounts without explicit encryption settings on April 14, 2026. The July update makes that behavior irreversible on traditional Active Directory Domain Services (AD DS). For Microsoft Entra Domain Services, a parallel advance dependency test runs by region starting July 6, 2026, with permanent RC4 disablement the following week.

What Actually Changed: A Staged Kerberos Hardening Timeline

Microsoft’s Kerberos RC4 deprecation is tied to CVE-2026-20833. The rollout happened in three distinct phases:

  • January 13, 2026: Windows Server 2012 and later domain controllers got KB updates that introduced new diagnostic events. The KDC begins logging events 201–209 in the System log whenever an RC4 ticket is requested or a client lacks AES support. Security events 4768 and 4769 also capture ticket encryption details. At this stage, RC4 is still allowed; the logs are purely for inventory.
  • April 14, 2026: A behavioral shift occurs. For service accounts that don’t have an explicit msDS-SupportedEncryptionTypes attribute, the domain controller now enforces AES-SHA1 (value 0x18) by default. That means any account silently inheriting the domain’s default could suddenly lose RC4 functionality. The RC4DefaultDisablementPhase registry key still lets you flip back to audit mode.
  • July 14, 2026 (target): The cumulative update removes support for RC4DefaultDisablementPhase entirely. Domain controllers ignore this subkey. RC4 is blocked for service ticket issuance unless an account has an explicit exception or you’ve already migrated to AES. There is no backdoor after this patch.

Microsoft Entra Domain Services follows a different rhythm. A controlled dependency test runs regionally (Americas July 6, Europe July 7, Asia-Pacific July 8), temporarily disabling RC4 to expose weaknesses. During that window, domain admins can self-remediate by setting rc4DefaultDisablementPhase to 1 and defaultDomainSupportedEncTypes to 60 via portal controls. Permanent enforcement begins the week of July 13, after which those recovery steps are expected to disappear.

What This Means for Your Environment

For on-premises AD DS administrators, the July update hands you a hard compliance checkpoint. If you haven’t audited service account ticket encryption, haven’t tested AES compatibility, or haven’t assigned explicit encryption types, the risk of a post-patch authentication outage is high. The problem isn’t limited to accounts you’ve deliberately configured for RC4; many service accounts may be happily using AES now but still have no msDS-SupportedEncryptionTypes value. Post-April, those accounts already operate under the new default, but a missing attribute makes them invisible to directory scans. You must validate real-world ticket acquisition, not just AD metadata.

For Entra Domain Services users, the advance dependency test is your canary in the coal mine. If workloads break during the test, you have a short window to reconfigure encryption settings via the portal. Once permanent enforcement starts, the recovery steps may vanish. This managed environment gives you less control than on-prem AD DS, so your remediation workflow must be test-driven and fast.

For end users and business apps, the impact will be felt as mysteriously failed logins to internal services, broken scheduled tasks, or unresponsive non-Windows clients. Service desk tickets will spike unless the infrastructure team has already done the heavy lifting.

Why “Find All RC4 Accounts” Is the Wrong Tactic

A common instinct is to query Active Directory for any account with msDS-SupportedEncryptionTypes set to include RC4. That query misses the largest risk pool: accounts that have no encryption attribute at all. When the attribute is absent, the domain controller uses the DefaultDomainSupportedEncTypes policy. Since April 14, that default is AES-SHA1 only. An account with no attribute therefore behaves as if it’s AES-only, but its true capability depends on the applications and clients using it. If those clients still rely on RC4, authentication will fail—even though the account looks clean in LDAP queries.

Furthermore, non-Windows Kerberos clients (Linux, Java, appliances) might not generate the same KDCSVC event noise. A quiet log doesn’t mean they’re safe. Only end-to-end testing can confirm whether a Java-based web app or a network appliance actually handles AES tickets.

How to Build an Inventory That Won’t Leave You Blind

A defensible inventory isn’t a spreadsheet of AD attributes; it’s a live map of authentication traffic correlated with service ownership and test results. Here’s a step-by-step plan that the WindowsForum community and Microsoft’s guidance coalesce around:

  1. Ensure all domain controllers are patched. Every DC running Windows Server 2012 or later must have the January 2026 update (or later) to generate the necessary events.
  2. Collect KDCSVC events 201–209 from the System log on each domain controller. These events fire when the KDC handles RC4-related requests and reveal client IPs, service principal names (SPNs), and encryption mismatches.
  3. Collect Security events 4768 and 4769 for a matching observation period. These provide the ticket-encryption type and the msDS-SupportedEncryptionTypes value (if present) at the moment of authentication.
  4. Correlate each event to a service account and its full SPN set. A single account may have multiple SPNs; all must be evaluated.
  5. Identify the client and application behind each request. Use hostnames, IP addresses, and any available asset management data. This step is what turns a log entry into an actionable dependency.
  6. Record the encryption attribute state: whether msDS-SupportedEncryptionTypes is set, and if so, to what value. If unset, flag it as “inheriting default.”
  7. Assign every dependency a technical owner and a business owner. Don’t let any ticket go without a responsible team.
  8. Test AES compatibility for each dependency. For Windows services, this might mean updating a service account’s encryption support and verifying ticket acquisition. For keytab-based services (Linux, appliances), you must prove that the service can request and use an AES ticket; simply not seeing events isn’t proof.
  9. Document exceptions. If you must keep RC4 alive for a legacy system, note the reason, the owner, the exact account/SPN, and when it will be re-tested or retired. An exception is a migration ticket, not a permanent pass.
  10. For Entra Domain Services, execute the dependency test recovery if needed, but use the results to populate the same inventory. Remember that the test’s rollback will vanish after July 13.

Events 4768 and 4769 also let you see whether the same client repeats requests, which might inflate the event count without increasing the number of actual services to fix. Consolidate by service identity, not by event volume.

Remediation Paths: Migrating from RC4 to AES

The remediation strategy depends on the type of identity:

  • Managed Service Accounts (gMSA/sMSA): Verify the account’s encryption state, ensure the application consuming the ticket supports AES, and test ticket acquisition. These accounts can be updated centrally.
  • Conventional service accounts: Document all SPNs and hosts using the credential before changing anything. A password reset or encryption change without application coordination can cause immediate outages.
  • Keytab-based and non-Windows services: Perform end-to-end testing with the actual client. Microsoft warns that the absence of audit events does not prove interoperability, so trust only a successful AES ticket exchange. For appliances and vendor products, check the vendor’s AES support statement and test on a non-production instance.
  • Domain-level exceptions: If, after thorough testing, you must keep RC4 for a few legacy apps, set an explicit msDS-SupportedEncryptionTypes that includes both AES and RC4 (value 0x1C) on only those accounts. This approach is far safer than leaving the attribute empty, as it removes the ambiguity of inherited defaults.

For Entra Domain Services users, the self-service recovery provides a quick fix during the test: set rc4DefaultDisablementPhase to 1 and defaultDomainSupportedEncTypes to 60. But that’s a temporary bandage; use the time to migrate or explicitly mark accounts with AES support.

Outlook: July Is a Forced Migration, Not Just a Security Patch

When the July 2026 updates land, the registry-based rollback disappears. Domain controllers will no longer entertain the idea of reverting to RC4 auditing. The only control left is a well-maintained service-account inventory with clear ownership and tested remediation. Organizations that treat this as a routine patching event risk a wave of authentication failures. Those that start now, using the events already available, will turn a compliance fire drill into a manageable IT hygiene project.

The next six months aren’t about turning off RC4; they’re about proving you know exactly where RC4 still lives. That proof lives in event logs, not in Active Directory snapshots. And after July, the people who find out about missed dependencies will be the ones answering help-desk calls at 2 a.m.