Original publish date: January 13, 2026
KB ID: 5073381
Summary
Windows updates released on and after January 13, 2026, contain protections for a vulnerability with the Kerberos authentication protocol. The Windows updates address an information disclosure vulnerability that might allow an attacker to obtain service tickets with weak or legacy encryption types such as RC4 and perform offline attacks to recover a service account password.
To help secure and harden your environment, install the Windows update released on or after January 13, 2026, to all Windows servers listed in the "Applies to" section running as a domain controller. To learn more about the vulnerabilities, see CVE-2026-20833.
To mitigate this vulnerability, the default value of DefaultDomainSupportedEncTypes (DDSET) is being changed so that all domain controllers only support Advanced Encryption Standard (AES-SHA1)-encrypted tickets for accounts without an explicit Kerberos encryption type configuration. For more information, see Supported Encryption Types Bit Flags.
On domain controllers with a defined DefaultDomainSupportedEncTypes registry value, behavior will not be functionally impacted by these changes. However, an Audit event KDCSVC Event ID: 205 may be logged in the System event log if the existing DefaultDomainSupportedEncTypes configuration is insecure.
Take action
To help protect your environment and prevent outages, we recommend that you do the following steps:
- UPDATE Microsoft Active Directory domain controllers starting with Windows updates released on or after January 13, 2026.
- MONITOR the System event log for any of the 9 Audit events logged on Windows Server 2012 and newer domain controllers that identify risks with enablement of RC4 protections.
- MITIGATE KDCSVC events logged in the System event log that prevent the manual or programmatic enablement of RC4 protections.
- ENABLE Enforcement mode to address the vulnerabilities addressed in CVE-2026-20833 in your environment when warning, blocking, or policy events are no longer logged.
IMPORTANT Installing updates released on or after January 13, 2026, will NOT address the vulnerabilities described in CVE-2026-20833 for Active Directory domain controllers by default. To fully mitigate the vulnerability, you must move to Enforced mode (described in Step 3) as soon as possible on all domain controllers.
Starting April 2026, Enforcement mode will be enabled on all Windows domain controllers and will block vulnerable connections from non-compliant devices. At that time, you will not be able to disable the auditing but may move back to the Audit mode setting. Audit mode will be removed in July 2026, as outlined in the Timing of updates section, at which point all Windows domain controllers will run in Enforcement mode and block vulnerable connections from non-compliant devices.
If you need to leverage RC4 after April 2026, we recommend explicitly enabling RC4 within the msds-SupportedEncryptionTypes bitmask on the services that need to accept RC4.
Timing of updates
January 13, 2026 - Initial Deployment Phase
The initial deployment phase starts with the updates released on and after January 13, 2026, and continues with later Windows updates until the Enforcement phase. This phase is to warn customers of new security enforcements that will be introduced in the second deployment phase. This update:
- Provides audit events to warn customers who might be negatively affected by the upcoming security hardening.
- Introduces the registry value RC4DefaultDisablementPhase to proactively enable the change by setting the value to 2 on domain controllers when KDCSVC Audit events indicate that it is safe to do so.
April 2026 - Second Deployment Phase
This update changes the default DefaultDomainSupportedEncTypes value for KDC operations to leverage AES-SHA1 for accounts that do not have an explicit msds-SupportedEncryptionTypes Active Directory attribute defined.
This phase changes the default value for DefaultDomainSupportedEncTypes to AES-SHA1 only: 0x18.
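The bitmask shared by msds-SupportedEncryptionTypes and DefaultDomainSupportedEncTypes, decoded as an added example (not Microsoft's code): the bit values are the documented Supported Encryption Types flags, 0x18 is the Phase 2 default stated above, and with_rc4 shows the explicit per-service RC4 enablement described under Take action. The cipher labels and the assessment strings are this example's own.

```python
# Added example: decode the Kerberos supported-encryption-type bitmask used by
# both msds-SupportedEncryptionTypes and DefaultDomainSupportedEncTypes.
# Bit values are the documented Supported Encryption Types flags; the names
# are labels chosen for this example.
ETYPE_FLAGS = {
    0x01: "DES-CBC-CRC",
    0x02: "DES-CBC-MD5",
    0x04: "RC4-HMAC",
    0x08: "AES128-CTS-HMAC-SHA1-96",
    0x10: "AES256-CTS-HMAC-SHA1-96",
    0x20: "AES256-CTS-HMAC-SHA1-96-SK",
}
INSECURE_MASK = 0x07  # DES and RC4 bits: what event 205 reports when set in DDSET
AES_SHA1_ONLY = 0x18  # the Phase 2 DefaultDomainSupportedEncTypes default

def decode_etypes(value):
    """Return the cipher names enabled in a bitmask, lowest bit first."""
    return [name for bit, name in ETYPE_FLAGS.items() if value & bit]

def insecure_ciphers(value):
    """Ciphers in the bitmask that the KDC audit treats as insecure."""
    return [name for bit, name in ETYPE_FLAGS.items() if value & bit & INSECURE_MASK]

def with_rc4(value):
    """Explicitly add RC4 to a per-service bitmask (the post-April 2026 path
    for services that must still accept RC4); 0x18 becomes 0x1C."""
    return value | 0x04

def assess_ddset(value):
    """Classify a DefaultDomainSupportedEncTypes registry value (None = not set)."""
    if value is None:
        return "not set: Phase 2 default 0x18 (AES-SHA1 only) applies"
    bad = insecure_ciphers(value)
    if bad:
        return "event 205 expected: explicit " + ", ".join(bad)
    return "no 205 expected"
```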
July 2026 - Enforcement Phase
The Windows updates released in or after July 2026 will remove support for the registry subkey RC4DefaultDisablementPhase.
Deployment guidelines
To deploy the Windows updates released on or after January 13, 2026, follow these steps:
- UPDATE your domain controllers with a Windows update released on or after January 13, 2026.
- MONITOR events logged during the initial deployment phase to help secure your environment.
- MOVE your domain controllers to Enforcement mode by using the Registry settings section.
Step 1: UPDATE
Deploy the Windows update released on or after January 13, 2026, to all applicable Windows servers running as an Active Directory domain controller. After the update is deployed:
- Audit events will appear in the System event log if your domain controller is receiving Kerberos service ticket requests that require the RC4 cipher to be used but the service account has the default encryption configuration.
- Audit events will be logged in the System event log if your domain controller has an explicit DefaultDomainSupportedEncTypes configuration that allows RC4 encryption.
Step 2: MONITOR
Once domain controllers are updated, if you don't see any audit events, switch to Enforcement mode by changing the RC4DefaultDisablementPhase value to 2.
If audit events are generated, you will need to either remove the RC4 dependencies or explicitly configure the accounts' Kerberos supported encryption types. Then you will be able to move to Enforcement mode.
To learn how to detect RC4 usage in your domain, audit device and user accounts that still depend on RC4, and take steps to remediate usage in favor of stronger encryption types or manage RC4 dependencies, see Detect and remediate RC4 usage in Kerberos.
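The triage this step calls for, as an added example (not Microsoft's code): it parses Kdcsvc event bodies in the flattened text format listed under Audit events, groups them into accounts to remediate versus requests already blocked, and reports whether any 201 to 209 event remains, which is the condition for setting RC4DefaultDisablementPhase to 2. The sample event texts, account and service names, SID and addresses are constructed for this example; in production the (id, text) pairs would come from an export of the System log on each domain controller.

```python
import re

# Added example: triage Kdcsvc audit events 201-209 from the System log.
# SAMPLE_EVENTS is constructed to follow the event text format on this page.
WARN_IDS = {201, 202, 206, 207}   # phase 1 warnings: the request is still served
BLOCK_IDS = {203, 204, 208, 209}  # phase 2: the request is denied by the KDC
DDSET_ID = 205                    # insecure explicit DefaultDomainSupportedEncTypes

SAMPLE_EVENTS = [  # constructed sample data, not real log entries
    (201, "The Key Distribution Center detected RC4-HMAC usage that will be unsupported "
          "in enforcement phase because service msds-SupportedEncryptionTypes is not "
          "defined and the client only supports insecure encryption types. "
          "Account Information     Account Name: alice     Supplied Realm Name: CORP.EXAMPLE     "
          "msds-SupportedEncryptionTypes: 0x0     Available Keys: RC4, AES256 "
          "Service Information:     Service Name: HTTP/legacy.corp.example     "
          "Service ID: S-1-5-21-1-2-3-1105     msds-SupportedEncryptionTypes: 0x0     "
          "Available Keys: RC4 Network Information:     Client Address: 10.0.0.25     "
          "Client Port: 49211     Advertized Etypes: RC4-HMAC"),
    (205, "The Key Distribution Center detected explicit cipher enablement in the Default "
          "Domain Supported Encryption Types policy configuration. Cipher(s): RC4-HMAC "
          "DefaultDomainSupportedEncTypes: 0x1C See https://go.microsoft.com/fwlink/?linkid=2344614 to learn more."),
]

def _field(text, name):
    """Value following 'name:' in the flattened event body (None if absent)."""
    m = re.search(re.escape(name) + r":\s+(\S+)", text)
    return m.group(1) if m else None

def parse_kdc_event(event_id, text):
    """Extract the fields an operator needs from one Kdcsvc event body."""
    rec = {"id": event_id}
    if event_id == DDSET_ID:
        m = re.search(r"Cipher\(s\):\s+(.+?)\s+DefaultDomainSupportedEncTypes:\s+(\S+)", text)
        rec["ciphers"] = m.group(1) if m else None
        rec["ddset"] = m.group(2) if m else None
        return rec
    m = re.search(r"detected (\S+) usage", text)  # no cipher name in 203/204/208/209
    rec["cipher"] = m.group(1) if m else None
    rec["account"] = _field(text, "Account Name")
    rec["service"] = _field(text, "Service Name")
    return rec

def triage(events):
    """Group events into the actions Step 2 calls for."""
    report = {"remediate": set(), "blocked": set(), "ddset_insecure": []}
    for event_id, text in events:
        rec = parse_kdc_event(event_id, text)
        if event_id in WARN_IDS:
            report["remediate"].add(rec["service"])   # fix etypes or drop RC4 dependency
        elif event_id in BLOCK_IDS:
            report["blocked"].add(rec["service"])     # enforcement already denying it
        elif event_id == DDSET_ID:
            report["ddset_insecure"].append(rec["ddset"])
    return report

def safe_to_set_phase2(events):
    """True only when no 201-209 audit event remains, the Step 2 condition."""
    return not any(eid in WARN_IDS | BLOCK_IDS | {DDSET_ID} for eid, _ in events)
```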
Step 3: ENABLE
Enable Enforcement mode to address the CVE-2026-20833 vulnerabilities in your environment.
- If a KDC is requested to provide an RC4 service ticket for an account with the default configuration, an error event will be logged.
- You will still see an Event ID: 205 logged for any insecure configuration of DefaultDomainSupportedEncTypes.
Registry settings
After the Windows updates released on or after January 13, 2026, are installed, the following registry key is available for the Kerberos protocol.
This registry key is used to gate the deployment of the Kerberos changes. This registry key is temporary and will no longer be read after the enforcement date.
| Setting | Value |
|---|---|
| Registry key | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Kerberos\Parameters |
| Data type | REG_DWORD |
| Value name | RC4DefaultDisablementPhase |
| Value data | 0 – No audit, no change; 1 – Warning events will be logged on default RC4 usage (Phase 1 default); 2 – Kerberos will start assuming RC4 is not enabled by default (Phase 2 default) |
| Restart required? | Yes |
Audit events
After the Windows updates released on or after January 13, 2026, are installed, the following Audit event types are added to Windows Server 2012 and later running as a domain controller.
| Field | Value |
|---|---|
| Event Log | System |
| Event Type | Warning |
| Event Source | Kdcsvc |
| Event ID | 201 |
| Event Text | The Key Distribution Center detected <Cipher Name> usage that will be unsupported in enforcement phase because service msds-SupportedEncryptionTypes is not defined and the client only supports insecure encryption types. Account Information     Account Name: <Account Name>     Supplied Realm Name: <Supplied Realm Name>     msds-SupportedEncryptionTypes: <Supported Encryption Types>     Available Keys: <Available Keys> Service Information:     Service Name: <Service Name>     Service ID: <Service SID>     msds-SupportedEncryptionTypes: <Service Supported Encryption Types>     Available Keys: <Service Available Keys> Domain Controller Information:     msds-SupportedEncryptionTypes: <Domain Controller Supported Encryption Types>     DefaultDomainSupportedEncTypes: <DefaultDomainSupportedEncTypes Value>     Available Keys: <Domain Controller Available Keys> Network Information:     Client Address: <Client IP Address>     Client Port: <Client Port>     Advertized Etypes: <Advertized Kerberos Encryption Types> See https://go.microsoft.com/fwlink/?linkid=2344614 to learn more. |
| Comments | Event ID: 201 will be logged if: |

| Field | Value |
|---|---|
| Event Log | System |
| Event Type | Warning |
| Event Source | Kdcsvc |
| Event ID | 202 |
| Event Text | The Key Distribution Center detected <Cipher Name> usage that will be unsupported in enforcement phase because the service msds-SupportedEncryptionTypes is not defined and the service account only has insecure keys.  Account Information     Account Name: <Account Name>     Supplied Realm Name: <Supplied Realm Name>     msds-SupportedEncryptionTypes: <Supported Encryption Types>     Available Keys: <Available Keys> Service Information:     Service Name: <Service Name>     Service ID: <Service SID>     msds-SupportedEncryptionTypes: <Service Supported Encryption Types>     Available Keys: <Service Available Keys> Domain Controller Information:     msds-SupportedEncryptionTypes: <Domain Controller Supported Encryption Types>     DefaultDomainSupportedEncTypes: <DefaultDomainSupportedEncTypes Value>     Available Keys: <Domain Controller Available Keys> Network Information:     Client Address: <Client IP Address>     Client Port: <Client Port>     Advertized Etypes: <Advertized Kerberos Encryption Types> See https://go.microsoft.com/fwlink/?linkid=2344614 to learn more. |
| Comments | Warning event 202 will be logged if: |

| Field | Value |
|---|---|
| Event Log | System |
| Event Type | Warning |
| Event Source | Kdcsvc |
| Event ID | 203 |
| Event Text | The Key Distribution Center blocked cipher usage because service msds-SupportedEncryptionTypes is not defined and the client only supports insecure encryption types. Account Information     Account Name: <Account Name>     Supplied Realm Name: <Supplied Realm Name>     msds-SupportedEncryptionTypes: <Supported Encryption Types>     Available Keys: <Available Keys> Service Information:     Service Name: <Service Name>     Service ID: <Service SID>     msds-SupportedEncryptionTypes: <Service Supported Encryption Types>     Available Keys: <Service Available Keys> Domain Controller Information:     msds-SupportedEncryptionTypes: <Domain Controller Supported Encryption Types>     DefaultDomainSupportedEncTypes: <DefaultDomainSupportedEncTypes Value>     Available Keys: <Domain Controller Available Keys> Network Information:     Client Address: <Client IP Address>     Client Port: <Client Port>     Advertized Etypes: <Advertized Kerberos Encryption Types> See https://go.microsoft.com/fwlink/?linkid=2344614 to learn more. |
| Comments | Error event 203 will be logged if: |

| Field | Value |
|---|---|
| Event Log | System |
| Event Type | Warning |
| Event Source | Kdcsvc |
| Event ID | 204 |
| Event Text | The Key Distribution Center blocked cipher usage because the service msds-SupportedEncryptionTypes is not defined and the service account only has insecure keys.  Account Information     Account Name: <Account Name>     Supplied Realm Name: <Supplied Realm Name>     msds-SupportedEncryptionTypes: <Supported Encryption Types>     Available Keys: <Available Keys> Service Information:     Service Name: <Service Name>     Service ID: <Service SID>     msds-SupportedEncryptionTypes: <Service Supported Encryption Types>     Available Keys: <Service Available Keys> Domain Controller Information:     msds-SupportedEncryptionTypes: <Domain Controller Supported Encryption Types>     DefaultDomainSupportedEncTypes: <DefaultDomainSupportedEncTypes Value>     Available Keys: <Domain Controller Available Keys> Network Information:     Client Address: <Client IP Address>     Client Port: <Client Port>     Advertized Etypes: <Advertized Kerberos Encryption Types> See https://go.microsoft.com/fwlink/?linkid=2344614 to learn more. |
| Comments | Error event 204 will be logged if: |

| Field | Value |
|---|---|
| Event Log | System |
| Event Type | Warning |
| Event Source | Kdcsvc |
| Event ID | 205 |
| Event Text | The Key Distribution Center detected explicit cipher enablement in the Default Domain Supported Encryption Types policy configuration. Cipher(s): <Enabled Insecure Ciphers> DefaultDomainSupportedEncTypes: <Configured DefaultDomainSupportedEncTypes Value> See https://go.microsoft.com/fwlink/?linkid=2344614 to learn more. |
| Comments | Warning event 205 will be logged if: |

| Field | Value |
|---|---|
| Event Log | System |
| Event Type | Warning |
| Event Source | Kdcsvc |
| Event ID | 206 |
| Event Text | The Key Distribution Center detected <Cipher Name> usage that will be unsupported in enforcement phase because service msds-SupportedEncryptionTypes is configured to only support AES-SHA1 but the client doesn't advertize AES-SHA1 Account Information     Account Name: <Account Name>     Supplied Realm Name: <Supplied Realm Name>     msds-SupportedEncryptionTypes: <Supported Encryption Types>     Available Keys: <Available Keys> Service Information:     Service Name: <Service Name>     Service ID: <Service SID>     msds-SupportedEncryptionTypes: <Service Supported Encryption Types>     Available Keys: <Service Available Keys> Domain Controller Information:     msds-SupportedEncryptionTypes: <Domain Controller Supported Encryption Types>     DefaultDomainSupportedEncTypes: <DefaultDomainSupportedEncTypes Value>     Available Keys: <Domain Controller Available Keys> Network Information:     Client Address: <Client IP Address>     Client Port: <Client Port>     Advertized Etypes: <Advertized Kerberos Encryption Types> See https://go.microsoft.com/fwlink/?linkid=2344614 to learn more. |
| Comments | Warning event 206 will be logged if: |

| Field | Value |
|---|---|
| Event Log | System |
| Event Type | Warning |
| Event Source | Kdcsvc |
| Event ID | 207 |
| Event Text | The Key Distribution Center detected <Cipher Name> usage that will be unsupported in enforcement phase because service msds-SupportedEncryptionTypes is configured to only support AES-SHA1 but the service account doesn't have AES-SHA1 keys.  Account Information     Account Name: <Account Name>     Supplied Realm Name: <Supplied Realm Name>     msds-SupportedEncryptionTypes: <Supported Encryption Types>     Available Keys: <Available Keys> Service Information:     Service Name: <Service Name>     Service ID: <Service SID>     msds-SupportedEncryptionTypes: <Service Supported Encryption Types>     Available Keys: <Service Available Keys> Domain Controller Information:     msds-SupportedEncryptionTypes: <Domain Controller Supported Encryption Types>     DefaultDomainSupportedEncTypes: <DefaultDomainSupportedEncTypes Value>     Available Keys: <Domain Controller Available Keys> Network Information:     Client Address: <Client IP Address>     Client Port: <Client Port>     Advertized Etypes: <Advertized Kerberos Encryption Types> See https://go.microsoft.com/fwlink/?linkid=2344614 to learn more. |
| Comments | Warning event 207 will be logged if: |

| Field | Value |
|---|---|
| Event Log | System |
| Event Type | Warning |
| Event Source | Kdcsvc |
| Event ID | 208 |
| Event Text | The Key Distribution Center intentionally denied cipher usage because service msds-SupportedEncryptionTypes is configured to only support AES-SHA1 but the client doesn't advertize AES-SHA1 Account Information     Account Name: <Account Name>     Supplied Realm Name: <Supplied Realm Name>     msds-SupportedEncryptionTypes: <Supported Encryption Types>     Available Keys: <Available Keys> Service Information:     Service Name: <Service Name>     Service ID: <Service SID>     msds-SupportedEncryptionTypes: <Service Supported Encryption Types>     Available Keys: <Service Available Keys> Domain Controller Information:     msds-SupportedEncryptionTypes: <Domain Controller Supported Encryption Types>     DefaultDomainSupportedEncTypes: <DefaultDomainSupportedEncTypes Value>     Available Keys: <Domain Controller Available Keys> Network Information:     Client Address: <Client IP Address>     Client Port: <Client Port>     Advertized Etypes: <Advertized Kerberos Encryption Types> See https://go.microsoft.com/fwlink/?linkid=2344614 to learn more. |
| Comments | Error event 208 will be logged if: |

| Field | Value |
|---|---|
| Event Log | System |
| Event Type | Warning |
| Event Source | Kdcsvc |
| Event ID | 209 |
| Event Text | The Key Distribution Center intentionally denied cipher usage because service msds-SupportedEncryptionTypes is configured to only support AES-SHA1 but the service account doesn't have AES-SHA1 keys Account Information     Account Name: <Account Name>     Supplied Realm Name: <Supplied Realm Name>     msds-SupportedEncryptionTypes: <Supported Encryption Types>     Available Keys: <Available Keys> Service Information:     Service Name: <Service Name>     Service ID: <Service SID>     msds-SupportedEncryptionTypes: <Service Supported Encryption Types>     Available Keys: <Service Available Keys> Domain Controller Information:     msds-SupportedEncryptionTypes: <Domain Controller Supported Encryption Types>     DefaultDomainSupportedEncTypes: <DefaultDomainSupportedEncTypes Value>     Available Keys: <Domain Controller Available Keys> Network Information:     Client Address: <Client IP Address>     Client Port: <Client Port>     Advertized Etypes: <Advertized Kerberos Encryption Types> See https://go.microsoft.com/fwlink/?linkid=2344614 to learn more. |
| Comments | Error event 209 will be logged if: |
Note
If you find any of these warning messages logged on a domain controller, it is likely that not all the domain controllers in your domain are up to date with a Windows update released on or after January 13, 2026. To mitigate the vulnerability, you will need to investigate your domain further to find the domain controllers that are not up to date.
If you see an Event ID: 0x8000002A logged on a domain controller, see KB5021131: How to manage the Kerberos protocol changes related to CVE-2022-37966.
Frequently asked questions (FAQ)
This hardening impacts Windows domain controllers when they issue service tickets. The Kerberos Trust and referral flow is unaffected.
Third-party domain devices that are unable to process AES-SHA1 should have already been explicitly configured to allow AES-SHA1.
No. We will log warning events for insecure configurations for DefaultDomainSupportedEncTypes. Additionally, we will not ignore any configuration explicitly set by a customer.
Resources
KB5020805: How to manage Kerberos protocol changes related to CVE-2022-37967
KB5021131: How to manage the Kerberos protocol changes related to CVE-2022-37966