Skip to main content

Microsoft RC4 Deprecation: What to Check Before July 2026 Updates - Detect and remediate RC4 usage in Kerberos

  • July 17, 2026
  • 1 comment
  • 42 views

Link State
Forum|alt.badge.img+12

 

With the July 2026 security updates, Microsoft will permanently disable the legacy RC4 encryption algorithm in Kerberos authentication, requiring the use of modern encryption standards such as AES128 and AES256.

I do not anticipate any significant impact on systems that are properly maintained, but I strongly recommend carrying out a proactive assessment to identify any systems that still use the RC4 algorithm.

Potential Risks

Legacy applications, older servers, hardware appliances, or service accounts configured only for RC4 authentication may fail to authenticate after Domain Controllers are updated.

How to Verify Your Environment

Microsoft provides tools to detect accounts and services still using RC4:

Microsoft Learn: Detect and remediate Kerberos RC4 usage

Detect and Remediate RC4 Usage in Kerberos | Microsoft Learn

How to manage Kerberos KDC usage of RC4 for service account ticket issuance changes related to CVE-2026-20833 | Microsoft Support

 

Audit RC4 usage

Detail about RC4 usage is stored in the Security Event Logs on Kerberos Key Distribution Centers (KDCs) for Windows Server 2019 and later. RC4 usage in Event Logs was also added to Windows Server 2016 in the January 2025 cumulative update. The following event IDs identify RC4 usage and accounts that are only able to use RC4:

  • Event ID 4768, which is for the requested Kerberos authentication ticket (TGT).
  • Event ID 4769, which is for the requested Kerberos service ticket.

 

 

Microsoft published these scripts as open source and they're available in Microsoft's Kerberos-Crypto GitHub repository. Alternatively, you can also identify RC4 usage using a security information and event management (SIEM) solution, like Microsoft Sentinel, or built-in Windows forwarding as described in our blog post

Kerberos-Crypto/scripts at main · microsoft/Kerberos-Crypto

Usage exemple

PS > .\List-AccountKeys.ps1 | Select-Object Name, Type, Keys -Unique | Format-Table

 

Administrator user RC4 - This may happen if:

  • the account password has not been changed for a long time;
  • AES keys have never been generated for that account;
  • the account is a legacy account and originates from older versions of the domain.
  • All the computers and servers listed support AES128 and AES256.
  • The Administrator account appears to support only RC4 and should be checked.
  • No widespread issues have been identified with the machine accounts.

Name     Type     Keys
----        ----     ----
***    ***     -                                    --> PROBLEM
***         ***     RC4                               --> PROBLEM
***             ***     AES128-SHA96; AES256-SHA96; RC4    --> OK

PS > .\Get-KerbEncryptionUsage.ps1 -Encryption RC4 | Select-Object Source, Target, Ticket -Unique | Format-Table -AutoSize

Source: Administrator
Target: krbtgt (the domain’s Kerberos service)
Ticket: AES256-SHA96

- The ticket issued is AES256, not RC4.
 

  • The Administrator account has a stored RC4 key.
  • However, when it requests a Kerberos ticket, AES256 encryption is used.
  • There are no RC4 ticket requests in the output shown.

Source   Target   Ticket
------     ------      ------
***            ****        RC4  --> PROBLEM

Any returned entry indicates a system or service still relying on RC4 and should be investigated before updating Domain Controllers.

 

Recommendation

Before deploying the July 2026 updates:

  • Identify accounts that do not support AES.
  • Detect systems still using RC4 Kerberos tickets.
  • Update or replace legacy applications and devices.
  • Regenerate service account keys where necessary.
  • Validate the environment before updating Domain Controllers.

Taking these steps will help prevent authentication issues and ensure compliance with Microsoft's latest security requirements

1 comment

Chris.Childerhose
Forum|alt.badge.img+22

Interesting change coming from MS on security but for the better.  Hopefully, our systems are maintained, but I will alert our security team to this one.  Thanks for sharing it.