2026-04-01 Kerberos Encryption Enforcement (RC4 Deprecation)
Announcement
Microsoft has introduced a Windows security hardening change that updates default Kerberos encryption behavior beginning with the April 2026 Windows cumulative update. This change is designed to improve security by moving away from legacy Kerberos encryption methods such as RC4. Under the new behavior, when Kerberos encryption settings for an Active Directory object are unset (null), Windows will now default to AES-SHA1 instead of legacy defaults that often resulted in RC4 being used. This is a Windows platform change. The Azure Virtual Desktop (AVD) service itself is not being modified.
Potential Impact
Most customers are not expected to be impacted.
This change will only affect customers who have explicitly configured RC4 encryption on Active Directory objects used for Kerberos-based SMB access (for example, FSLogix profile storage).
- By default, Windows uses AES-128 or AES-256, which is fully supported and unaffected.
- Our engineering review confirms that typical customer storage accounts are already configured to use AES-256.
- No action is required if you have not explicitly set RC4 encryption.
You may experience issues only if RC4 has been deliberately enforced. In that case, Kerberos authentication to SMB storage may fail once RC4 is disabled unless the configuration is updated to support AES-SHA1. Because RC4-only configurations are rare, this is expected to be an edge-case scenario. However, we recommend verifying your configuration to avoid unexpected disruption.
Timeline
- April 2026 – Enforcement Phase (manual rollback available): Default Kerberos behavior changes so domain controllers use AES-SHA1-only encryption for accounts with null encryption settings. Enforcement mode is enabled by default. Audit mode remains available as a manual rollback option.
- July 2026 – Enforcement Phase (final): Audit mode is removed, leaving Enforcement mode as the only supported behavior.
What You Should Do
For most customers, no immediate changes are required. We recommend performing a short verification to confirm that your environment is not using legacy Kerberos encryption (RC4).
1. Identify whether RC4 is currently being used
Use Microsoft's guidance to audit Kerberos authentication activity and determine whether RC4 is still in use anywhere in your environment.
Microsoft provides PowerShell scripts and event-log–based auditing to:
- Detect Kerberos tickets using RC4
- Identify the accounts, services, or systems involved
2. Review encryption settings for affected Active Directory objects
If RC4 usage is detected, review the associated Active Directory objects (such as service or storage accounts used for SMB access) to ensure they support modern encryption.
Specifically:
- Check whether encryption settings are explicitly defined
- Confirm that AES-based encryption (AES-SHA1 / AES-128 / AES-256) is supported and preferred
If no RC4 usage is detected during auditing, no further action is typically required.
3. Update configuration only if RC4 usage is found
If auditing shows that RC4 is still being used:
- Update the relevant Active Directory account or dependent system to support AES-based Kerberos encryption
- Validate successful authentication and access to SMB storage (including FSLogix profile containers)
Microsoft recommends completing remediation for impacted configurations before Enforcement mode becomes mandatory.
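The three steps above (audit for RC4 tickets, review the encryption settings on the affected Active Directory objects, and update only the objects that still depend on RC4) can be walked through from a domain-joined administration workstation. The following PowerShell is an added example written for this announcement; it is not Microsoft's auditing script and not part of the AVD or FSLogix tooling. It assumes the ActiveDirectory RSAT module, read access to the domain controllers' Security logs with "Audit Kerberos Service Ticket Operations" enabled, and write access to the objects you remediate. The bit values of msDS-SupportedEncryptionTypes and the TicketEncryptionType codes in event 4769 are Microsoft's documented values; the default LDAP filter and the sample distinguished name in the usage comment are placeholders to adjust for your environment.

```powershell
#Requires -Modules ActiveDirectory
# Added example (not Microsoft's script): audit RC4 usage, review encryption
# settings on AD objects, and opt an object into AES-based Kerberos encryption.

# Bit flags of the msDS-SupportedEncryptionTypes attribute (documented values).
$EncTypeFlags = [ordered]@{
    DES_CBC_CRC          = 0x01
    DES_CBC_MD5          = 0x02
    RC4_HMAC             = 0x04
    AES128_CTS_HMAC_SHA1 = 0x08
    AES256_CTS_HMAC_SHA1 = 0x10
    AES256_SK            = 0x20
}

# TicketEncryptionType values as they appear in Security events 4768/4769.
$TicketEncTypes = @{
    '0x1'  = 'DES-CBC-CRC'; '0x3' = 'DES-CBC-MD5'
    '0x11' = 'AES128-CTS-HMAC-SHA1-96'; '0x12' = 'AES256-CTS-HMAC-SHA1-96'
    '0x17' = 'RC4-HMAC'; '0x18' = 'RC4-HMAC-EXP'
}

function ConvertFrom-EncTypeMask {
    # Decode a raw attribute value; 0/null means "unset", which the April 2026
    # update now treats as AES-SHA1 instead of falling back to RC4.
    param([AllowNull()][int]$Mask)
    if (-not $Mask) { return '(unset: AES-SHA1 default after the April 2026 update)' }
    ($EncTypeFlags.GetEnumerator() | Where-Object { $Mask -band $_.Value } | ForEach-Object Key) -join ', '
}

function Find-Rc4KerberosTickets {
    # Step 1: scan each domain controller's Security log for service-ticket
    # requests (event 4769) that were issued with an RC4 session key.
    param(
        [string[]]$DomainController = (Get-ADDomainController -Filter * | ForEach-Object HostName),
        [datetime]$Since = (Get-Date).AddDays(-7)
    )
    foreach ($dc in $DomainController) {
        Get-WinEvent -ComputerName $dc -ErrorAction SilentlyContinue `
            -FilterHashtable @{ LogName = 'Security'; Id = 4769; StartTime = $Since } |
        ForEach-Object {
            # Flatten the EventData <Data Name="..."> elements into a lookup table.
            $x = [xml]$_.ToXml()
            $d = @{}
            foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
            if ($d.TicketEncryptionType -in '0x17', '0x18') {
                [pscustomobject]@{
                    DomainController = $dc
                    Time             = $_.TimeCreated
                    Account          = $d.TargetUserName
                    Service          = $d.ServiceName
                    ClientAddress    = $d.IpAddress
                    EncryptionType   = $TicketEncTypes[$d.TicketEncryptionType]
                }
            }
        }
    }
}

function Get-KerberosEncTypeReport {
    # Step 2: list accounts that publish SPNs (service and storage accounts used
    # for SMB access are among them) with their configured encryption types.
    # The default filter is an assumption; narrow it to the accounts you care about.
    param([string]$LdapFilter = '(&(objectClass=user)(servicePrincipalName=*))')
    Get-ADObject -LDAPFilter $LdapFilter -Properties 'msDS-SupportedEncryptionTypes', 'servicePrincipalName' |
    ForEach-Object {
        $mask = $_.'msDS-SupportedEncryptionTypes'
        [pscustomobject]@{
            Name     = $_.Name
            Class    = $_.ObjectClass
            RawMask  = $mask
            EncTypes = ConvertFrom-EncTypeMask $mask
            # Explicit RC4 without any AES bit: the case this hardening change breaks.
            Rc4Only  = [bool]($mask -and ($mask -band 0x04) -and -not ($mask -band 0x18))
        }
    }
}

function Enable-AesKerberosEncryption {
    # Step 3: add AES128 + AES256 to an object's supported encryption types.
    # Existing bits (including RC4) are kept until SMB access has been validated;
    # clear the RC4 bit in a second change once that validation succeeds.
    [CmdletBinding(SupportsShouldProcess)]
    param([Parameter(Mandatory)][string]$DistinguishedName)
    $obj = Get-ADObject -Identity $DistinguishedName -Properties 'msDS-SupportedEncryptionTypes'
    $new = [int]$obj.'msDS-SupportedEncryptionTypes' -bor 0x18
    if ($PSCmdlet.ShouldProcess($DistinguishedName, "Set msDS-SupportedEncryptionTypes to 0x$('{0:X}' -f $new)")) {
        Set-ADObject -Identity $DistinguishedName -Replace @{ 'msDS-SupportedEncryptionTypes' = $new }
    }
}

# Usage (sample DN is a constructed placeholder):
#   Find-Rc4KerberosTickets | Format-Table
#   Get-KerberosEncTypeReport | Where-Object Rc4Only
#   Enable-AesKerberosEncryption -DistinguishedName 'CN=fslogix-smb,OU=Service Accounts,DC=contoso,DC=com' -WhatIf
```

Run the audit for at least one full business cycle (the seven-day default is a starting point) so that infrequently used accounts appear in the 4769 data, then cross-check any RC4 ticket against the report from step 2. Setting the AES bits on an object is only half of the remediation: AES keys are derived from the account password, so an account whose password predates AES support needs a password reset for the new bits to take effect, and an Azure Files storage account needs its Kerberos key rotated with the AES256 cmdlet in Microsoft's AzFilesHybrid module. After either change, validate SMB access (including FSLogix profile container mounts) before removing the RC4 bit, which is why the function above never clears it.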
Additional Resources
- Troubleshoot Azure Files identity-based authentication and authorization issues (SMB) – Microsoft Learn
- How to manage Kerberos KDC usage of RC4 for service account ticket issuance changes related to CVE-2026-20833
- Action required: Windows Kerberos hardening (RC4) may affect FSLogix profiles on SMB storage