RC4 Deprecation: Phase 2 Is Here — And This Is Where Things Break (April 2026)

Felix Blomqvist
March 27, 2026
Active Directory, RC4, Kerberos, Identity

What’s Changing?

Microsoft is now enabling enforcement mode by default.
This means Kerberos is shifting toward stronger, modern encryption, whether environments are ready or not.

New Default Behavior:

Kerberos will now use AES-SHA1 (0x18) only as its default encryption type.
Any accounts without an explicit msDS-SupportedEncryptionTypes value will:

❌ No longer fall back to RC4
✅ Receive only AES-based tickets

The old “Kerberos will figure it out” behavior is gone.

Why This Matters

For years, RC4 has quietly acted as a safety net. If something didn’t explicitly support AES, Kerberos would often just fall back to RC4 behind the scenes, and everything kept working.

As of April 2026:

  • That fallback disappears
  • Any system still relying on RC4 will start showing symptoms

You may see:

  • Authentication failures
  • Service accounts suddenly breaking
  • Unexpected NTLM fallback
  • Kerberos errors popping up in logs

If your environment has “mystery legacy systems” (and let’s be honest, most do), they’ll reveal themselves now.

What You Should Do:
If you haven’t fully cleaned up RC4 usage yet, now’s the time.

Identify where RC4 is still in use
Look at:

  • Kerberos logs
  • Microsoft Defender for Identity signals
  • Authentication failure patterns

Ensure systems support AES
This often means:

  • OS upgrades
  • Updating old applications
  • Verifying third‑party service compatibility

Explicitly set encryption types on service accounts

  • No more relying on implicit defaults.
  • Make your intention clear in the msDS-SupportedEncryptionTypes attribute.

Limit RC4 only to truly unavoidable exceptions
And ideally, isolate those workloads.
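The three steps above (find RC4 use, find accounts with no explicit value, state the intention explicitly), as an added PowerShell example that is not part of the original post. It assumes the ActiveDirectory RSAT module, that it runs on a domain controller with "Audit Kerberos Service Ticket Operations" enabled, and a hypothetical service account name svc-legacy-app.

```powershell
# Added example, not from the original post. Assumes the ActiveDirectory
# module and that "Audit Kerberos Service Ticket Operations" is enabled on
# the domain controller this runs on (so 4769 events exist).
Import-Module ActiveDirectory

# Bits of msDS-SupportedEncryptionTypes:
#   RC4-HMAC = 0x4, AES128 = 0x8, AES256 = 0x10
$RC4 = 0x4
$AES = 0x18   # AES128 + AES256: the new "AES-SHA1 only" default

# 1. Identify: accounts with SPNs (service accounts) that either have no
#    explicit value (now AES-only under the new default) or still advertise RC4.
$svc = Get-ADObject -LDAPFilter '(servicePrincipalName=*)' `
         -Properties msDS-SupportedEncryptionTypes
foreach ($o in $svc) {
    $v = $o.'msDS-SupportedEncryptionTypes'
    if ($null -eq $v) {
        "$($o.Name): not set (AES-only under the new default)"
    } elseif ($v -band $RC4) {
        "$($o.Name): RC4 still enabled (0x{0:X})" -f $v
    }
}

# 2. Identify: service ticket requests (event 4769) that were still issued
#    with RC4 (TicketEncryptionType 0x17). Fields are read by name from the
#    event XML rather than by position, so the index order cannot bite.
Get-WinEvent -FilterHashtable @{LogName = 'Security'; Id = 4769} -MaxEvents 5000 |
  ForEach-Object {
    $x = [xml]$_.ToXml()
    $d = @{}
    $x.Event.EventData.Data | ForEach-Object { $d[$_.Name] = $_.'#text' }
    if ($d.TicketEncryptionType -eq '0x17') {
        [pscustomobject]@{ Service = $d.ServiceName; Client = $d.IpAddress }
    }
  } | Group-Object Service | Sort-Object Count -Descending |
  Select-Object Count, Name   # which services are still negotiated down to RC4

# 3. Remediate: state the intention explicitly instead of relying on defaults.
#    'svc-legacy-app' is a hypothetical account name; replace with your own.
Set-ADUser -Identity 'svc-legacy-app' -Replace @{'msDS-SupportedEncryptionTypes' = $AES}
```

Step 3 only changes what the account advertises; the service's keys are still derived from its password, so a password reset after the change ensures AES keys actually exist for it.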

Can You Roll Back?
Yes, temporarily.
You can still override behavior via the DefaultDomainSupportedEncTypes registry setting.
But this is a band‑aid, not a strategy.

The direction is clear: RC4 is on its way out for good.

The Bottom Line
Microsoft is moving from “RC4 is deprecated.” to “RC4 is no longer used by default. Period.”
👉 If your environment still relies on RC4, this is the phase where things begin to break — and where you need to take action.
