Kerberos RC4 dies July 14: patch before your logins break
Microsoft's July 14 Patch Tuesday removes the RC4 escape hatch for Kerberos (CVE-2026-20833). Service accounts still on RC4 stop authenticating.
There's a deadline coming that won't send you an email. On July 14, 2026, Microsoft's Patch Tuesday update removes the last off-switch for RC4 encryption in Kerberos — the plumbing that authenticates every user and service account on a Windows domain. If anything in your environment still leans on RC4, the failure mode isn't a warning. It's logins that stop working.
What actually happened
This is the final phase of a year-long deprecation tied to CVE-2026-20833, a flaw that let an attacker request service tickets with weak RC4 encryption and then crack a service account's password offline. Microsoft rolled the fix out in three phases: an audit phase in January 2026 (warning events, nothing blocked), an enforcement-with-rollback phase in April (domain controllers defaulted to AES, but you could still flip RC4 back on via the RC4DefaultDisablementPhase registry key), and now the permanent phase in July.
Per Microsoft's hardening guide, the July update deletes that registry key and removes audit mode entirely. AES-SHA1 becomes the only path — RC4 is gone from the Kerberos KDC except for individual accounts you've explicitly whitelisted by setting the msDS-SupportedEncryptionTypes attribute. Miss one, and that account's authentication breaks the moment the update lands.
Why it matters for your business
You might not run a domain controller. But your line-of-business apps, your file shares, your backup service, that decade-old integration nobody wants to touch — a lot of them authenticate through Active Directory, and legacy service accounts are exactly where RC4 hides. The businesses that get burned by this aren't careless; they just never audited which accounts were still negotiating RC4, because nothing forced them to. Until July 14.
The fix is boring and cheap if you do it now: pull the audit events Microsoft's earlier phases have been logging since January, find every account and app still requesting RC4, and either upgrade it to AES or explicitly flag it. Do it after the update and you're diagnosing a production outage instead of reading a report. Legacy auth is the kind of infrastructure that works right up until a vendor decides it shouldn't — and this vendor already decided.
Key takeaways
- The July 14, 2026 Windows update is the final phase of Kerberos RC4 deprecation (CVE-2026-20833) — it removes the ability to re-enable RC4 by default
- Service accounts, apps, or integrations still negotiating RC4 will fail to authenticate unless explicitly configured with
msDS-SupportedEncryptionTypes - Microsoft has been logging RC4-dependency warning events since the January 2026 audit phase — that data tells you exactly what to fix
- The operator's move: audit now and migrate to AES, or debug an authentication outage after the patch lands
Not sure what in your stack still speaks RC4? We audit the legacy auth, integrations, and service accounts small businesses forget they depend on — then fix the ones that will break before the deadline finds them. See what we do or get a pre-patch audit.
Sources: Microsoft Support — CVE-2026-20833 RC4 KDC changes, Microsoft — How to Manage RC4 Hardening (Definitive Guide).
- #kerberos
- #active-directory
- #windows
- #security
- #patching
Tommy Rush — Founder, Rush Commerce
Operator turned builder. 15+ years running operations — now shipping the systems businesses run on. More
Get The Rush Report weekly — one email, zero fluff.
Keep reading
Ubiquiti UniFi CVSS 10: patch the box that runs your office
Ubiquiti's UniFi Connect flaw CVE-2026-50746 (CVSS 10.0) lets an unauthenticated attacker on your network run commands on the host. Patch to 3.4.20 now.
Read itJoomla page builders hit CVSS 10.0: patch your CMS now
Two Joomla page-builder extensions have unauthenticated CVSS 10.0 file-upload flaws that are already dropping web shells and hidden admin accounts. Your marketing site is attack surface.
Read it