If you manage Azure Virtual Desktop environments for your clients using Azure Files shares joined to Active Directory Domain Services (AD DS), there's an important security change you need to act on before July 2026 — or risk a breaking outage.
What's Happening
Microsoft is enforcing a Kerberos encryption hardening change tied to CVE-2026-20833 that phases out RC4, a legacy encryption algorithm that is now considered cryptographically weak. Starting with the April 2026 Windows cumulative update, domain controllers will default to issuing AES-256 Kerberos tickets. After July 2026, the ability to manually roll back this behavior is removed entirely.
For a full technical breakdown, see Microsoft's official advisory: Action required: Kerberos RC4 hardening may affect Azure Files Active Directory Domain Services.
Who Is Affected
⚠️ This only applies to Azure Files shares that are joined to Active Directory Domain Services (AD DS). Azure Files shares using Entra ID (formerly Azure AD) authentication are not affected by this change.
You may be impacted if:
- You use Azure Files with AD DS (on-premises Active Directory) for identity-based SMB access, and
- The Kerberos encryption settings for the associated AD computer objects are set to RC4-only, or the msDS-SupportedEncryptionTypes attribute is unset (null)
Shares created before 2023 or manually configured with RC4 are the most likely candidates. To check, run this PowerShell command on a domain-joined machine with AD read access:
```powershell
# List Azure Files AD objects whose msDS-SupportedEncryptionTypes attribute is unset
Get-ADObject `
    -LDAPFilter "(&(servicePrincipalName=*.file.core.windows.net)(!(msDS-SupportedEncryptionTypes=*)))" `
    -Properties servicePrincipalName, msDS-SupportedEncryptionTypes |
    Select-Object Name, ObjectClass, servicePrincipalName, msDS-SupportedEncryptionTypes
```
Any results returned here are shares that need to be migrated.
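The command above matches only objects whose msDS-SupportedEncryptionTypes attribute is unset. The following added example (not Nerdio or Microsoft code) also classifies objects that carry an explicit value, such as the RC4-only case listed earlier. The helper names Get-EncTypeStatus and Get-AzureFilesEncTypeReport are hypothetical, and the bit values are the documented flags for this attribute.

```powershell
# Added example. Requires the ActiveDirectory module for the directory query.
# msDS-SupportedEncryptionTypes bit flags as documented for Active Directory.
$RC4    = 0x4
$AES128 = 0x8
$AES256 = 0x10

function Get-EncTypeStatus {
    # Hypothetical helper: map the raw attribute value to an audit status.
    param($EncTypes)
    if ($null -eq $EncTypes -or [int]$EncTypes -eq 0) { return 'Unset' }
    $value = [int]$EncTypes
    if (($value -band ($AES128 -bor $AES256)) -ne 0) {
        if (($value -band $RC4) -ne 0) { return 'AES and RC4 both enabled' }
        return 'AES enabled'
    }
    if (($value -band $RC4) -ne 0) { return 'RC4 without AES' }
    return 'No AES or RC4 bit set'
}

function Get-AzureFilesEncTypeReport {
    # Same SPN match as the page's command, without the "attribute is unset" clause,
    # so objects with an explicit RC4-only value are returned as well.
    Get-ADObject -LDAPFilter '(servicePrincipalName=*.file.core.windows.net)' `
        -Properties servicePrincipalName, msDS-SupportedEncryptionTypes |
        Select-Object Name, ObjectClass,
            @{ Name = 'EncTypes'; Expression = { $_.'msDS-SupportedEncryptionTypes' } },
            @{ Name = 'Status';   Expression = { Get-EncTypeStatus $_.'msDS-SupportedEncryptionTypes' } }
}

# Constructed sample values to show the classification without a directory.
foreach ($sample in @($null, 4, 24, 28)) {
    [pscustomobject]@{ Value = $sample; Status = Get-EncTypeStatus $sample }
}

# Against a real domain (run on a domain-joined machine with AD read access):
# Get-AzureFilesEncTypeReport | Where-Object Status -in 'Unset', 'RC4 without AES'
```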
The Timeline: Don't Wait
- April – July 2026: DCs default to AES-256; RC4 may silently fail for unmitigated shares
- After July 2026: Manual rollback removed — unmitigated shares will break
This is not a soft deadline. Once July passes, there is no safety net. MSPs who manage multiple clients should audit and remediate across all tenants now.
Nerdio Manager for MSP v7.1 Makes This Easy
We've got you covered. Nerdio Manager for MSP v7.1 (June 2026 release) will introduce a dedicated "Set AES-256 Encryption" action directly within the Azure Files share management interface. No PowerShell. No manual AD object editing. Just a few clicks.
To migrate a share, navigate to your Azure Files share in Nerdio Manager, click the Manage dropdown, and select Set AES-256 encryption.

The process takes approximately 30 minutes to complete and can be performed during production hours without impacting end users — no maintenance window required, no user disruption.
Summary: What You Should Do Now
- Identify any AD DS-joined Azure Files shares using the PowerShell snippet above
- Open Nerdio Manager for MSP v7.1 and navigate to the affected share
- Click Manage → Set AES-256 Encryption
- Validate SMB access after the process completes (~30 min)
- Repeat across all client environments before July 2026