Kerberos RC4 hardening goes live in April — check your service accounts
April Windows updates enforce AES-only Kerberos for service accounts. Legacy RC4 dependencies will break.
Microsoft has activated phase 2 of Kerberos RC4 hardening (CVE-2026-20833) with the April 2026 Windows security updates. Domain controllers now default to AES-SHA1-only for all service accounts that lack explicit encryption type configuration.
This means older service accounts — the ones created years ago for printers, backup solutions, or line-of-business apps — will stop authenticating after patching. We have already seen this in testing across several customer environments.
What happened
Microsoft is rolling out the hardening in three phases. Phase 1 (January 2026) added audit logging. Phase 2 (April 2026) switches the default to AES-SHA1 and enables enforcement. Phase 3 (July 2026) removes the ability to roll back to audit mode.
The underlying vulnerability, CVE-2026-20833, allows an attacker to request Kerberos tickets with weak RC4 encryption and then crack the service account password offline. This technique is called Kerberoasting, and it remains one of the most common Active Directory attack paths.
Why it matters for SMBs on M365 Business Premium
Many smaller organizations still run service accounts that were set up 5-10 years ago without anyone documenting which encryption types they use. Printers with Kerberos authentication, older ERP systems, and FSLogix profiles on SMB storage are typical candidates that will break.
This is not a vulnerability you can ignore — it is a breaking change Microsoft is forcing through.
What you should do
- Audit all service accounts in AD and check msDS-SupportedEncryptionTypes. Accounts showing 0x0 or missing the attribute entirely need explicit configuration.
- Enable KDC audit logs (Event ID 4771) and search for RC4 ticket requests. Every hit is a service that will stop working.
- Test patching in a staging environment before production rollout.
- Set explicit AES encryption for all service accounts that require it.
Rollback to audit mode remains available as a safety net until July 2026, but it should be a last resort — not the strategy.
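An added example (not from the original post) covering the audit and the explicit-AES steps above in PowerShell: it reports the msDS-SupportedEncryptionTypes value of every user account that carries an SPN and provides a function to set AES-only on one account once its service is confirmed to support AES. It assumes the RSAT ActiveDirectory module and an account allowed to read and write that attribute; the bit values are the documented flags of the attribute.

```powershell
# Added example: audit Kerberos encryption types on SPN-bearing user accounts
# and set AES-only where the service is known to support it.
# Assumes the RSAT ActiveDirectory module is installed.
Import-Module ActiveDirectory

# Bit flags of msDS-SupportedEncryptionTypes
$RC4     = 0x4
$AES128  = 0x8
$AES256  = 0x10
$AesOnly = $AES128 -bor $AES256    # 0x18: AES128 + AES256, no RC4

function Get-KerberosEncTypeReport {
    # Service accounts are approximated as user objects with a servicePrincipalName.
    # gMSA objects are not returned by Get-ADUser and need a separate query.
    $accounts = Get-ADUser -LDAPFilter '(servicePrincipalName=*)' `
        -Properties 'msDS-SupportedEncryptionTypes', ServicePrincipalName
    foreach ($a in $accounts) {
        $val = $a.'msDS-SupportedEncryptionTypes'
        $status = if ($null -eq $val -or $val -eq 0) {
            'NotSet (defaults to AES after the April update)'
        } elseif (($val -band $RC4) -and -not ($val -band $AesOnly)) {
            'RC4 only (will break)'
        } elseif ($val -band $RC4) {
            'RC4+AES (review before removing RC4)'
        } else {
            'AES'
        }
        [pscustomobject]@{
            SamAccountName = $a.SamAccountName
            EncTypes       = if ($null -eq $val) { '<missing>' } else { '0x{0:X}' -f $val }
            Status         = $status
            SPNs           = ($a.ServicePrincipalName -join '; ')
        }
    }
}

# Set AES-only on a single account after verifying the service supports AES.
function Set-KerberosAesOnly {
    param([Parameter(Mandatory)][string]$SamAccountName)
    Set-ADUser -Identity $SamAccountName `
        -Replace @{ 'msDS-SupportedEncryptionTypes' = $AesOnly }
}

# Run the audit and show the accounts that need attention first.
Get-KerberosEncTypeReport | Sort-Object Status | Format-Table -AutoSize
```

An account whose password was last set before the domain supported AES has no AES keys stored, so setting the attribute alone is not enough for it; resetting the password generates the AES keys.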
How HaggeBurger can help
We offer a Kerberos RC4 readiness check (2-3 hours) where we scan your service accounts, identify RC4 dependencies, and provide a remediation checklist before you patch. Get in touch and we will schedule it before Patch Tuesday.