Microsoft has announced plans to retire the legacy RC4 algorithm from Windows authentication. The company is preparing changes that will affect Kerberos infrastructure and strengthen the resilience of corporate networks against modern threats, including credential theft.
According to Microsoft Program Manager Matthew Palko, by mid-2026 the default encryption-type settings of the Kerberos Key Distribution Center (KDC) on domain controllers running Windows Server 2008 and later will be updated. By default, only the AES-SHA1 types (AES128-CTS-HMAC-SHA1-96 and AES256-CTS-HMAC-SHA1-96) will be permitted, and RC4 will be disabled.
Use of the legacy algorithm will remain possible only through explicit administrative configuration. Microsoft emphasizes that all supported versions of Windows have relied on AES-SHA1 for many years, rendering RC4 effectively unnecessary.
The company cautions that systems and services still dependent on RC4 may encounter authentication failures once the default settings are changed. To mitigate this risk, Microsoft recommends proactively identifying such dependencies. To support this effort, security logs in Windows Server 2019, 2022, and 2025 have been enhanced, and new auditing capabilities have been introduced.
Kerberos events with IDs 4768 (a ticket-granting ticket request) and 4769 (a service ticket request) now include additional fields that reveal which encryption types an account's keys support and which type was actually used for the ticket that was issued. These details make it possible to identify devices and accounts that are not ready for the transition to AES-SHA1, as well as sessions in which RC4 is still being selected.
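The following PowerShell is an added example of the kind of triage the new audit data enables; it is not one of Microsoft's released scripts. It parses the long-standing fields of 4768/4769 event XML (TargetUserName, ServiceName, TicketEncryptionType, IpAddress), maps the ticket encryption type to its name, and summarizes which account/service pairs are still being issued RC4 tickets. The sample events, host names and addresses are constructed so the block runs offline; the newer key-availability fields Microsoft added are not relied on here.

```powershell
# Added example, not Microsoft's script. Finds RC4 ticket issuance in
# Kerberos audit events 4768 (TGT request) and 4769 (service ticket request).

# Kerberos encryption type codes as written to TicketEncryptionType (hex text).
$EncTypeNames = @{
    0x01 = 'DES-CBC-CRC'
    0x03 = 'DES-CBC-MD5'
    0x11 = 'AES128-CTS-HMAC-SHA1-96'
    0x12 = 'AES256-CTS-HMAC-SHA1-96'
    0x13 = 'AES128-CTS-HMAC-SHA256-128'
    0x14 = 'AES256-CTS-HMAC-SHA384-192'
    0x17 = 'RC4-HMAC'
    0x18 = 'RC4-HMAC-EXP'
}
$Rc4Types = @(0x17, 0x18)

function ConvertFrom-KerberosEventXml {
    # Turns one 4768/4769 event (as produced by EventLogRecord.ToXml()) into a flat object.
    param([Parameter(Mandatory)][string]$Xml)
    $e = [xml]$Xml
    $data = @{}
    foreach ($d in $e.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
    $idNode = $e.Event.System.EventID
    $id = [int]$(if ($idNode -is [string]) { $idNode } else { $idNode.'#text' })
    $etype = [int]$data['TicketEncryptionType']   # PowerShell parses "0x17" as 23
    [pscustomobject]@{
        EventId     = $id
        Account     = $data['TargetUserName']
        Service     = $data['ServiceName']          # "krbtgt" for 4768, the SPN owner for 4769
        ClientIp    = ($data['IpAddress'] -replace '^::ffff:', '')
        EncType     = $etype
        EncTypeName = if ($EncTypeNames.ContainsKey($etype)) { $EncTypeNames[$etype] } else { 'unknown (0x{0:x})' -f $etype }
        UsesRc4     = $Rc4Types -contains $etype
    }
}

function Find-Rc4TicketRequests {
    # Groups RC4-encrypted ticket requests by requesting account and target service.
    param([Parameter(Mandatory)][string[]]$EventXml)
    $EventXml | ForEach-Object { ConvertFrom-KerberosEventXml $_ } |
        Where-Object UsesRc4 |
        Group-Object Account, Service |
        ForEach-Object {
            [pscustomobject]@{
                Account   = $_.Group[0].Account
                Service   = $_.Group[0].Service
                Requests  = $_.Count
                ClientIps = ($_.Group.ClientIp | Sort-Object -Unique) -join ','
            }
        }
}

# Constructed sample events (hypothetical domain CORP.EXAMPLE, DC01, addresses).
$ns = "http://schemas.microsoft.com/win/2004/08/events/event"
$Sample = @(
    @"
<Event xmlns='$ns'><System><EventID>4769</EventID><Computer>DC01.corp.example</Computer></System>
<EventData><Data Name='TargetUserName'>alice@CORP.EXAMPLE</Data><Data Name='ServiceName'>svc-legacy</Data>
<Data Name='TicketEncryptionType'>0x17</Data><Data Name='IpAddress'>::ffff:10.20.30.40</Data></EventData></Event>
"@,
    @"
<Event xmlns='$ns'><System><EventID>4769</EventID><Computer>DC01.corp.example</Computer></System>
<EventData><Data Name='TargetUserName'>bob@CORP.EXAMPLE</Data><Data Name='ServiceName'>svc-legacy</Data>
<Data Name='TicketEncryptionType'>0x17</Data><Data Name='IpAddress'>::ffff:10.20.30.41</Data></EventData></Event>
"@,
    @"
<Event xmlns='$ns'><System><EventID>4768</EventID><Computer>DC01.corp.example</Computer></System>
<EventData><Data Name='TargetUserName'>alice</Data><Data Name='ServiceName'>krbtgt</Data>
<Data Name='TicketEncryptionType'>0x12</Data><Data Name='IpAddress'>::ffff:10.20.30.40</Data></EventData></Event>
"@
)

Find-Rc4TicketRequests -EventXml $Sample | Format-Table -AutoSize
```

Against a live domain controller, replace the constructed `$Sample` with events read from the Security log, for example `Get-WinEvent -LogName Security -FilterXPath "*[System[(EventID=4768 or EventID=4769)]]" | ForEach-Object { $_.ToXml() }`. An RC4 type in a 4769 points at the service account whose keys (or msDS-SupportedEncryptionTypes) need attention; an RC4 type in a 4768 points at the requesting account or client itself.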
Microsoft has also released two PowerShell scripts. One analyzes event logs and reports which encryption keys exist for the detected accounts, while the other assesses real-world algorithm usage across the environment and filters requests in which RC4 was applied. Together, these tools simplify preparation for the upcoming changes and eliminate the need for manual log analysis.
The company has provided guidance for resolving common issues as well. For example, if an account has only RC4 keys, changing its password is sufficient for Active Directory to generate AES keys automatically. If AES-SHA1 support is missing from the account's msDS-SupportedEncryptionTypes attribute, administrators are advised to review and correct it via Active Directory management tools or Group Policy. Microsoft notes that only extremely outdated versions of Windows, such as Windows Server 2003, lack AES support entirely, and that such systems should be retired as soon as possible.
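As an added example of the account-side checks described above (not Microsoft's guidance script), the following PowerShell decodes the documented bit flags of msDS-SupportedEncryptionTypes, classifies each account, and wraps the two remediations the text names: rewriting the attribute to AES-only and resetting the password so AD derives AES keys. The `-AesKeysSince` date is an assumption the caller supplies (the date the domain reached a functional level that generates AES keys); accounts whose password predates it are flagged for a reset. The sample accounts are constructed so the block runs offline, and the remediation runs with `-WhatIf` so no directory changes are made.

```powershell
# Added example, not Microsoft's script. Decodes msDS-SupportedEncryptionTypes
# and reports what each account needs before RC4 is disabled on the KDC.

# Documented bit flags of msDS-SupportedEncryptionTypes.
$SetFlags = [ordered]@{
    DES_CBC_CRC = 0x01
    DES_CBC_MD5 = 0x02
    RC4_HMAC    = 0x04
    AES128      = 0x08
    AES256      = 0x10
    AES256_SK   = 0x20   # AES256 session-key flag added by the November 2022 updates
}
$AesMask = $SetFlags.AES128 -bor $SetFlags.AES256   # 0x18

function ConvertFrom-SupportedEncryptionTypes {
    param([AllowNull()][int]$Value)
    if (-not $Value) { return @('(not set: KDC default applies)') }
    @($SetFlags.GetEnumerator() | Where-Object { $Value -band $_.Value } | ForEach-Object { $_.Key })
}

function Get-Rc4Readiness {
    # Accepts objects shaped like Get-ADUser/Get-ADComputer output with the
    # msDS-SupportedEncryptionTypes and PasswordLastSet properties.
    param(
        [Parameter(ValueFromPipeline)]$Account,
        [Parameter(Mandatory)][datetime]$AesKeysSince   # assumption: when the domain began generating AES keys
    )
    process {
        $set = $Account.'msDS-SupportedEncryptionTypes'
        $staleKeys = $Account.PasswordLastSet -lt $AesKeysSince
        $action = if (-not $set) {
            if ($staleKeys) { 'attribute unset; password predates AES keys: reset password' } else { 'attribute unset; KDC default applies' }
        } elseif (($set -band $AesMask) -eq 0) {
            'no AES flag: set attribute to AES (0x18) and reset password'
        } elseif ($set -band $SetFlags.RC4_HMAC) {
            'AES and RC4 both enabled: clear RC4 bit once clients are confirmed on AES'
        } elseif ($staleKeys) {
            'AES flagged but password predates AES keys: reset password'
        } else { 'ready' }
        [pscustomobject]@{
            Name   = $Account.SamAccountName
            Flags  = (ConvertFrom-SupportedEncryptionTypes $set) -join ','
            Action = $action
        }
    }
}

function Invoke-Rc4Remediation {
    # Sets the attribute to AES-only (keeps any existing AES bits, drops RC4) and optionally resets the password.
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)][string]$SamAccountName,
        [Parameter(Mandatory)][int]$CurrentFlags,
        [switch]$ResetPassword
    )
    $newFlags = ($CurrentFlags -bor $AesMask) -band (-bnot $SetFlags.RC4_HMAC)
    if ($PSCmdlet.ShouldProcess($SamAccountName, ('msDS-SupportedEncryptionTypes 0x{0:x} -> 0x{1:x}' -f $CurrentFlags, $newFlags))) {
        Set-ADUser -Identity $SamAccountName -Replace @{ 'msDS-SupportedEncryptionTypes' = $newFlags }
    }
    if ($ResetPassword -and $PSCmdlet.ShouldProcess($SamAccountName, 'reset password so AD derives AES keys')) {
        Set-ADAccountPassword -Identity $SamAccountName -Reset -NewPassword (Read-Host -AsSecureString 'New password')
    }
}

# Constructed sample accounts (hypothetical names and dates).
$Sample = @(
    [pscustomobject]@{ SamAccountName = 'svc-legacy'; 'msDS-SupportedEncryptionTypes' = 0x04;  PasswordLastSet = [datetime]'2009-03-01' }
    [pscustomobject]@{ SamAccountName = 'svc-mixed';  'msDS-SupportedEncryptionTypes' = 0x1C;  PasswordLastSet = [datetime]'2023-06-15' }
    [pscustomobject]@{ SamAccountName = 'alice';      'msDS-SupportedEncryptionTypes' = $null; PasswordLastSet = [datetime]'2024-01-10' }
    [pscustomobject]@{ SamAccountName = 'svc-aes';    'msDS-SupportedEncryptionTypes' = 0x18;  PasswordLastSet = [datetime]'2025-02-02' }
)

$Sample | Get-Rc4Readiness -AesKeysSince '2012-01-01' | Format-Table -AutoSize

# Dry run of the fix for the RC4-only service account; drop -WhatIf to apply it.
Invoke-Rc4Remediation -SamAccountName 'svc-legacy' -CurrentFlags 0x04 -ResetPassword -WhatIf
```

Against a live domain, feed `Get-Rc4Readiness` with `Get-ADUser -Filter * -Properties msDS-SupportedEncryptionTypes,PasswordLastSet` (and the equivalent `Get-ADComputer` query for machine accounts). Clearing the RC4 bit on an account that still has clients negotiating RC4 will cause exactly the authentication failures the article warns about, so the readiness report should be reconciled with the 4768/4769 audit data before the attribute is changed.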
For configuration oversight, Microsoft recommends using the security baselines of Windows Server 2025 and Windows Admin Center, where policies excluding RC4 from permitted Kerberos algorithms are already in place. In the company’s view, abandoning RC4 in favor of stronger ciphers is an essential step in safeguarding modern enterprise environments.