Applies To: Windows Server 2008 Premium Assurance, Windows Server 2008 R2 Premium Assurance, Windows Server 2012 ESU, Windows Server 2012 R2 ESU, Windows Server 2016, Windows Server 2019, Windows Server 2022, Windows Server 2025

Original publish date: January 13, 2026

KB ID: 5073381

Change date: February 10, 2026

Change description:

  • Added the documentation link to the occurrences of DefaultDomainSupportedEncTypes.

  • Corrected the wording of the second bullet point in the "Step 3: Enable" section.
    From: Introduces the registry value RC4DefaultDisablementPhase to proactively enable the change by setting the value to 2 on domain controllers when KDCSVC Audit events indicate that it is safe to do so.
    To: Introduces support for the registry value RC4DefaultDisablementPhase after an administrator proactively enables the change by setting the value to 2 on domain controllers when KDCSVC Audit events indicate that it is safe to do so.

  • Below the Important note in the "Take action" section, changed the first sentence of the paragraph to indicate approximately when Enforcement mode will be enabled.
    From: Starting April 2026, Enforcement mode will be enabled on all Windows domain controllers and will block vulnerable connections from non-compliant devices.
    To: Enforcement mode will be automatically enabled by installing Windows Updates released on or after April 2026 on all Windows domain controllers and will block vulnerable connections from non-compliant devices.

  • Added wording to mention that this change is made by Windows Updates released on and after January 13, 2026, and CVE-2026-20833.


Summary

Windows updates released on and after January 13, 2026, contain protections for a vulnerability in the Kerberos authentication protocol. The Windows updates address an information disclosure vulnerability, CVE-2026-20833, that might allow an attacker to obtain service tickets with weak or legacy encryption types such as RC4 and use them in offline attacks to recover a service account password.

To mitigate this vulnerability, the default value of DefaultDomainSupportedEncTypes is changed when Enforcement mode is enabled. Updated domain controllers running in Enforcement mode will only support Advanced Encryption Standard (AES) encryption type configurations. For more information, see Supported Encryption Types Bit Flags. The default value for DefaultDomainSupportedEncTypes applies only in the absence of an explicitly configured value.

On domain controllers with a defined DefaultDomainSupportedEncTypes registry value, behavior will not be functionally impacted by these changes. However, an Audit event KDCSVC Event ID: 205 will be logged in the System event log if the existing DefaultDomainSupportedEncTypes configuration is insecure (for example, when an RC4 cipher is used).

Take action

To help protect your environment and prevent outages, we recommend that you: 

  • UPDATE Microsoft Active Directory domain controllers starting with Windows updates released on or after January 13, 2026.

  • MONITOR the System event log for any of the nine KDCSVC Audit events (Event IDs 201 through 209) logged on Windows Server 2012 and newer domain controllers that identify risks with enablement of RC4 protections.

  • MITIGATE KDCSVC events logged in the System event log that prevent the manual or programmatic enablement of RC4 protections.

  • ENABLE Enforcement mode to address the vulnerability described in CVE-2026-20833 in your environment when warning, blocking, or policy events are no longer logged.

IMPORTANT: Installing updates released on or after January 13, 2026, will NOT address the vulnerabilities described in CVE-2026-20833 for Active Directory domain controllers by default. To fully mitigate the vulnerability, you should manually enable Enforcement mode (described in Step 3: ENABLE) on all domain controllers. The installation of Windows Updates released on and after July 2026 will programmatically enable the Enforcement phase.

Enforcement mode will be automatically enabled by installing Windows Updates released on or after April 2026 on all Windows domain controllers and will block vulnerable connections from non-compliant devices. At that time, you will not be able to disable the auditing but may move back to the Audit mode setting. Audit mode will be removed in July 2026, as outlined in the Timing of updates section, and Enforcement mode will be enabled on all Windows domain controllers and will block vulnerable connections from non-compliant devices.

If you need to continue using RC4 after April 2026, we recommend that you explicitly enable RC4 within the msds-SupportedEncryptionTypes bitmask on the services that need to accept RC4.

Timing of updates

January 13, 2026 - Initial Deployment Phase 

The initial deployment phase starts with the updates released on and after January 13, 2026, and continues with later Windows updates until the Enforcement phase. This phase is to warn customers of new security enforcements that will be introduced in the second deployment phase. This update:

  • Provides audit events to warn customers who might be negatively affected by the upcoming security hardening.

  • Introduces support for the registry value RC4DefaultDisablementPhase after an administrator proactively enables the change by setting the value to 2 on domain controllers when KDCSVC Audit events indicate that it is safe to do so.

April 2026 - Enforcement Phase with manual rollback 

This update changes the default DefaultDomainSupportedEncTypes value for KDC operations to use AES-SHA1 for accounts that do not have an explicit msds-SupportedEncryptionTypes Active Directory attribute defined.

This phase changes the default value for DefaultDomainSupportedEncTypes to AES-SHA1 only: 0x18. 

This phase also enables the manual configuration of the RC4DefaultDisablementPhase rollback value until programmatic enforcement in July 2026.

July 2026 - Enforcement Phase 

The Windows updates released in or after July 2026 will remove support for the registry value RC4DefaultDisablementPhase.

Deployment guidelines

To deploy the Windows updates released on or after January 13, 2026, follow these steps: 

  1. UPDATE your domain controllers with a Windows update released on or after January 13, 2026.

  2. MONITOR events logged during the initial deployment phase to help secure your environment.

  3. MOVE your domain controllers to Enforcement mode by using the registry value described in the Registry settings section.

Step 1: UPDATE  

Deploy the Windows update released on or after January 13, 2026, to all applicable Windows servers running as Active Directory domain controllers. After deploying the update:

  • Audit events will appear in the System event log if your Windows Server 2012 or later domain controllers are receiving Kerberos service ticket requests that require the RC4 cipher to be used but the service account has the default encryption configuration.

  • Audit Event 205 will be logged in the System event log if your domain controller has an explicit DefaultDomainSupportedEncTypes configuration that allows RC4 encryption.

Step 2: MONITOR 

Once domain controllers are updated, if you don't see any audit events, switch to Enforcement mode by changing the RC4DefaultDisablementPhase value to 2.

If audit events are generated, you will need to either remove the RC4 dependencies or explicitly configure the accounts' Kerberos supported encryption types to support the continued use of RC4 after the manual or automatic enablement of Enforcement mode.

Auditing identifies the device and user accounts that still depend on RC4. Administrators should take steps to remediate that usage in favor of stronger encryption types or to manage the remaining RC4 dependencies. To learn how to detect RC4 usage in your domain, see Detect and remediate RC4 usage in Kerberos.
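As an added example (not part of this KB), the following PowerShell collects the Kdcsvc Audit events 201 through 209 from the System log and groups the per-request events by target service, using the Service Name and Client Address fields shown in the event text later in this article. It assumes the event provider name matches the Event Source "Kdcsvc" listed in the event tables; pass -ComputerName to query another domain controller.

```powershell
# Added example (not from the KB): triage Kdcsvc audit events 201-209 on a
# domain controller. Assumes the ETW provider name matches the Event Source
# "Kdcsvc" shown in the event tables of this KB.
param(
    [string]$ComputerName = $env:COMPUTERNAME,
    [datetime]$Since = (Get-Date).AddDays(-7)
)

# 201/202/206/207: warnings in Audit mode (phase 1)
# 203/204/208/209: errors in Enforcement mode (phase 2)
# 205: insecure explicit DefaultDomainSupportedEncTypes, logged at KDC start
$filter = @{
    LogName      = 'System'
    ProviderName = 'Kdcsvc'
    Id           = 201..209
    StartTime    = $Since
}
$events = Get-WinEvent -ComputerName $ComputerName -FilterHashtable $filter -ErrorAction SilentlyContinue
if (-not $events) {
    Write-Output "No Kdcsvc 201-209 events since $Since on $ComputerName."
    return
}

# Extract one "<Field>: <value>" line from the event text shown in this KB.
function Get-EventField {
    param([string]$Message, [string]$Field)
    $pattern = '(?m)^\s*' + [regex]::Escape($Field) + ':\s*(.*?)\s*$'
    if ($Message -match $pattern) { return $Matches[1] }
    return ''
}

$rows = foreach ($e in $events) {
    [pscustomobject]@{
        TimeCreated      = $e.TimeCreated
        EventId          = $e.Id
        AccountName      = Get-EventField $e.Message 'Account Name'
        ServiceName      = Get-EventField $e.Message 'Service Name'
        ClientAddress    = Get-EventField $e.Message 'Client Address'
        AdvertizedEtypes = Get-EventField $e.Message 'Advertized Etypes'
    }
}

# Event 205 is a per-DC configuration finding; the others are per request, so
# group them by target service to get one remediation item per RC4 dependency.
$rows | Where-Object { $_.EventId -ne 205 } |
    Group-Object EventId, ServiceName |
    Sort-Object Count -Descending |
    Select-Object Count,
        @{ n = 'EventId';     e = { $_.Group[0].EventId } },
        @{ n = 'ServiceName'; e = { $_.Group[0].ServiceName } },
        @{ n = 'Clients';     e = { ($_.Group.ClientAddress | Sort-Object -Unique) -join ', ' } } |
    Format-Table -AutoSize

if ($rows | Where-Object { $_.EventId -eq 205 }) {
    Write-Warning "Event 205 on ${ComputerName}: DefaultDomainSupportedEncTypes explicitly enables an insecure cipher."
}
```

Run it against every domain controller, since the per-request events are only logged on the KDC that served the request.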

Step 3: ENABLE  

Enable Enforcement mode to address the CVE-2026-20833 vulnerabilities in your environment. 

  • If a KDC is requested to provide an RC4 service ticket for an account with the default configuration, an error event will be logged.

  • You will continue to see an Event ID: 205 logged for any insecure configuration of DefaultDomainSupportedEncTypes.

Registry settings

After the Windows updates released on or after January 13, 2026, are installed, the following registry key is available for the Kerberos protocol.

This registry key is used to gate the deployment of the Kerberos changes. This registry key is temporary and will no longer be read after the enforcement date.

Registry key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Kerberos\Parameters

Data type: REG_DWORD

Value name: RC4DefaultDisablementPhase

Value data:

  • 0 - No audit, no change

  • 1 - Warning events will be logged on default RC4 usage. (Phase 1 default)

  • 2 - Kerberos will start assuming RC4 is not enabled by default. (Phase 2 default)

Restart required? Yes
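As an added example (not from this KB), the following PowerShell decodes supported-encryption-type bitmasks such as the 0x18 Enforcement-mode default, checks whether DefaultDomainSupportedEncTypes is explicitly defined on the local domain controller, and writes the RC4DefaultDisablementPhase value at the path given above. The bit values are taken from the Supported Encryption Types Bit Flags documentation; the DefaultDomainSupportedEncTypes path is the one documented in KB5021131 (listed under Resources).

```powershell
# Added example (not from the KB): decode supported-encryption-type bitmasks,
# inspect the explicit DefaultDomainSupportedEncTypes value, and set the
# RC4DefaultDisablementPhase value documented in this KB.
# Bit values are from the "Supported Encryption Types Bit Flags" documentation.
$EncTypeBits = [ordered]@{
    0x01 = 'DES-CBC-CRC'
    0x02 = 'DES-CBC-MD5'
    0x04 = 'RC4-HMAC'
    0x08 = 'AES128-CTS-HMAC-SHA1-96'
    0x10 = 'AES256-CTS-HMAC-SHA1-96'
    0x20 = 'AES256-CTS-HMAC-SHA1-96-SK'
}

function ConvertFrom-EncTypeMask {
    param([int]$Mask)
    # GetEnumerator() is used because integer indexing on [ordered] is positional.
    $names = foreach ($bit in $EncTypeBits.GetEnumerator()) {
        if ($Mask -band $bit.Key) { $bit.Value }
    }
    [pscustomobject]@{
        Mask          = '0x{0:X}' -f $Mask
        Ciphers       = $names -join ', '
        HasDesOrRc4   = ($Mask -band 0x07) -ne 0   # reported by Event 205 when set as DDSET
        IsAesSha1Only = $Mask -eq 0x18            # the Enforcement-mode default from this KB
    }
}

ConvertFrom-EncTypeMask 0x18   # AES128 + AES256 only
ConvertFrom-EncTypeMask 0x1C   # RC4 explicitly kept alongside AES

# Is DefaultDomainSupportedEncTypes explicitly defined on this DC? Path per
# KB5021131. An explicit value is honored, not changed, by Enforcement mode;
# Event 205 warns at KDC start if it enables DES or RC4.
$kdcKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\KDC'
$ddset  = (Get-ItemProperty -Path $kdcKey -Name DefaultDomainSupportedEncTypes -ErrorAction SilentlyContinue).DefaultDomainSupportedEncTypes
if ($null -ne $ddset) {
    Write-Output 'DefaultDomainSupportedEncTypes is explicitly defined:'
    ConvertFrom-EncTypeMask $ddset
} else {
    Write-Output 'DefaultDomainSupportedEncTypes is not defined; the phase default applies (0x18 in Enforcement mode).'
}

# Step 3: ENABLE. Path and value name exactly as given in this KB; 2 = Enforcement mode.
function Set-Rc4DisablementPhase {
    param([ValidateSet(0, 1, 2)][int]$Phase)
    $path = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Kerberos\Parameters'
    if (-not (Test-Path $path)) { New-Item -Path $path -Force | Out-Null }
    New-ItemProperty -Path $path -Name RC4DefaultDisablementPhase -PropertyType DWord -Value $Phase -Force | Out-Null
    Write-Output "RC4DefaultDisablementPhase = $Phase written; restart the domain controller for the KDC to read it."
}

# Set-Rc4DisablementPhase -Phase 2   # run once Step 2 shows no 201/202/206/207 events
```

The same ConvertFrom-EncTypeMask function can be applied to a service account's msds-SupportedEncryptionTypes attribute value when you decide whether RC4 must stay explicitly enabled for that service.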

Audit events

After the Windows updates released on or after January 13, 2026, are installed, the following KDCSVC Audit event types are added to the System event log of Windows Server 2012 and later servers running as domain controllers.

Event Log: System

Event Type: Warning

Event Source: Kdcsvc

Event ID: 201

Event Text

The Key Distribution Center detected <Cipher Name> usage that will be unsupported in enforcement phase because service msds-SupportedEncryptionTypes is not defined and the client only supports insecure encryption types. 

Account Information 

    Account Name: <Account Name> 

    Supplied Realm Name: <Supplied Realm Name> 

    msds-SupportedEncryptionTypes: <Supported Encryption Types> 

    Available Keys: <Available Keys> 

Service Information: 

    Service Name: <Service Name> 

    Service ID: <Service SID> 

    msds-SupportedEncryptionTypes: <Service Supported Encryption Types> 

    Available Keys: <Service Available Keys> 

Domain Controller Information: 

    msds-SupportedEncryptionTypes: <Domain Controller Supported Encryption Types> 

    DefaultDomainSupportedEncTypes: <DefaultDomainSupportedEncTypes Value> 

    Available Keys: <Domain Controller Available Keys> 

Network Information: 

    Client Address: <Client IP Address> 

    Client Port: <Client Port> 

    Advertized Etypes: <Advertized Kerberos Encryption Types> 

See https://go.microsoft.com/fwlink/?linkid=2344614 to learn more. 

Comments

Event ID: 201 will be logged if:

  • The client is only advertising RC4 in its Advertized Etypes

  • The target service does NOT have msds-SET (msds-SupportedEncryptionTypes) defined

  • The domain controller does NOT have DDSET (DefaultDomainSupportedEncTypes) defined

  • The registry value RC4DefaultDisablementPhase is set to 1

  • Warning Event 201 transitions into Error event 203 in Enforcement mode

  • This event is logged per request

  • Warning Event 201 is NOT logged if DefaultDomainSupportedEncTypes is manually defined

Event Log: System

Event Type: Warning

Event Source: Kdcsvc

Event ID: 202

Event Text

The Key Distribution Center detected <Cipher Name> usage that will be unsupported in enforcement phase because the service msds-SupportedEncryptionTypes is not defined and the service account only has insecure keys.  

Account Information 

    Account Name: <Account Name> 

    Supplied Realm Name: <Supplied Realm Name> 

    msds-SupportedEncryptionTypes: <Supported Encryption Types> 

    Available Keys: <Available Keys> 

Service Information: 

    Service Name: <Service Name> 

    Service ID: <Service SID> 

    msds-SupportedEncryptionTypes: <Service Supported Encryption Types> 

    Available Keys: <Service Available Keys> 

Domain Controller Information: 

    msds-SupportedEncryptionTypes: <Domain Controller Supported Encryption Types> 

    DefaultDomainSupportedEncTypes: <DefaultDomainSupportedEncTypes Value> 

    Available Keys: <Domain Controller Available Keys> 

Network Information: 

    Client Address: <Client IP Address> 

    Client Port: <Client Port> 

    Advertized Etypes: <Advertized Kerberos Encryption Types> 

See https://go.microsoft.com/fwlink/?linkid=2344614 to learn more. 

Comments

Warning event 202 will be logged if:

  • The target service does not have AES keys

  • The target service does NOT have a msds-SET defined

  • The domain controller does NOT have DDSET defined

  • The registry value RC4DefaultDisablementPhase is set to 1

  • Warning event 202 transitions into Error event 204 in Enforcement mode

  • Warning event 202 is logged per request

  • Warning Event 202 is NOT logged if DefaultDomainSupportedEncTypes is manually defined

Event Log: System

Event Type: Warning

Event Source: Kdcsvc

Event ID: 203

Event Text

The Key Distribution Center blocked cipher usage because service msds-SupportedEncryptionTypes is not defined and the client only supports insecure encryption types. 

Account Information 

    Account Name: <Account Name> 

    Supplied Realm Name: <Supplied Realm Name> 

    msds-SupportedEncryptionTypes: <Supported Encryption Types> 

    Available Keys: <Available Keys> 

Service Information: 

    Service Name: <Service Name> 

    Service ID: <Service SID> 

    msds-SupportedEncryptionTypes: <Service Supported Encryption Types> 

    Available Keys: <Service Available Keys> 

Domain Controller Information: 

    msds-SupportedEncryptionTypes: <Domain Controller Supported Encryption Types> 

    DefaultDomainSupportedEncTypes: <DefaultDomainSupportedEncTypes Value> 

    Available Keys: <Domain Controller Available Keys> 

Network Information: 

    Client Address: <Client IP Address> 

    Client Port: <Client Port> 

    Advertized Etypes: <Advertized Kerberos Encryption Types> 

See https://go.microsoft.com/fwlink/?linkid=2344614 to learn more. 

Comments

Error event 203 will be logged if:

  • The client is only advertising RC4 in its Advertized Etypes

  • The target service does NOT have a msds-SET defined

  • The domain controller does NOT have DDSET defined

  • The registry value RC4DefaultDisablementPhase is set to 2

  • Per request

Event Log: System

Event Type: Warning

Event Source: Kdcsvc

Event ID: 204

Event Text

The Key Distribution Center blocked cipher usage because the service msds-SupportedEncryptionTypes is not defined and the service account only has insecure keys.  

Account Information 

    Account Name: <Account Name> 

    Supplied Realm Name: <Supplied Realm Name> 

    msds-SupportedEncryptionTypes: <Supported Encryption Types> 

    Available Keys: <Available Keys> 

Service Information: 

    Service Name: <Service Name> 

    Service ID: <Service SID> 

    msds-SupportedEncryptionTypes: <Service Supported Encryption Types> 

    Available Keys: <Service Available Keys> 

Domain Controller Information: 

    msds-SupportedEncryptionTypes: <Domain Controller Supported Encryption Types> 

    DefaultDomainSupportedEncTypes: <DefaultDomainSupportedEncTypes Value> 

    Available Keys: <Domain Controller Available Keys> 

Network Information: 

    Client Address: <Client IP Address> 

    Client Port: <Client Port> 

    Advertized Etypes: <Advertized Kerberos Encryption Types> 

See https://go.microsoft.com/fwlink/?linkid=2344614 to learn more. 

Comments

Error event 204 will be logged if:

  • The target service does not have AES keys

  • The target service does NOT have a msds-SET defined

  • The domain controller does NOT have DDSET defined

  • The registry value RC4DefaultDisablementPhase is set to 2

  • Per request

Event Log: System

Event Type: Warning

Event Source: Kdcsvc

Event ID: 205

Event Text

The Key Distribution Center detected explicit cipher enablement in the Default Domain Supported Encryption Types policy configuration. 

Cipher(s): <Enabled Insecure Ciphers> 

DefaultDomainSupportedEncTypes: <Configured DefaultDomainSupportedEncTypes Value> 

See https://go.microsoft.com/fwlink/?linkid=2344614 to learn more.

Comments

Warning event 205 will be logged if:

  • The domain controller HAS DDSET defined to include anything except AES-SHA1.

  • The registry value RC4DefaultDisablementPhase is set to 1 or 2

  • This will NEVER turn into an error

  • The purpose is to make customers aware of insecure behavior that we will not be changing

  • Logged each time on the start of the KDCSVC

Event Log: System

Event Type: Warning

Event Source: Kdcsvc

Event ID: 206

Event Text

The Key Distribution Center detected <Cipher Name> usage that will be unsupported in enforcement phase because service msds-SupportedEncryptionTypes is configured to only support AES-SHA1 but the client doesn’t advertize AES-SHA1 

Account Information 

    Account Name: <Account Name> 

    Supplied Realm Name: <Supplied Realm Name> 

    msds-SupportedEncryptionTypes: <Supported Encryption Types> 

    Available Keys: <Available Keys> 

Service Information: 

    Service Name: <Service Name> 

    Service ID: <Service SID> 

    msds-SupportedEncryptionTypes: <Service Supported Encryption Types> 

    Available Keys: <Service Available Keys> 

Domain Controller Information: 

    msds-SupportedEncryptionTypes: <Domain Controller Supported Encryption Types> 

    DefaultDomainSupportedEncTypes: <DefaultDomainSupportedEncTypes Value> 

    Available Keys: <Domain Controller Available Keys> 

Network Information: 

    Client Address: <Client IP Address> 

    Client Port: <Client Port> 

    Advertized Etypes: <Advertized Kerberos Encryption Types> 

See https://go.microsoft.com/fwlink/?linkid=2344614 to learn more. 

Comments

Warning event 206 will be logged if:

  • The client is only advertising RC4 as an Advertized Etypes

  • Either of the following occurs:

    • The target service HAS msds-SET defined to AES-SHA1 only

    • The domain controller HAS DDSET defined to AES-SHA1 only

  • The registry value RC4DefaultDisablementPhase is set to 1

  • Warning event 206 transitions to Error event 208 in Enforcement mode

  • Logged on a per request basis

Event Log: System

Event Type: Warning

Event Source: Kdcsvc

Event ID: 207

Event Text

The Key Distribution Center detected <Cipher Name> usage that will be unsupported in enforcement phase because service msds-SupportedEncryptionTypes is configured to only support AES-SHA1 but the service account doesn’t have AES-SHA1 keys.  

Account Information 

    Account Name: <Account Name> 

    Supplied Realm Name: <Supplied Realm Name> 

    msds-SupportedEncryptionTypes: <Supported Encryption Types> 

    Available Keys: <Available Keys> 

Service Information: 

    Service Name: <Service Name> 

    Service ID: <Service SID> 

    msds-SupportedEncryptionTypes: <Service Supported Encryption Types> 

    Available Keys: <Service Available Keys> 

Domain Controller Information: 

    msds-SupportedEncryptionTypes: <Domain Controller Supported Encryption Types> 

    DefaultDomainSupportedEncTypes: <DefaultDomainSupportedEncTypes Value> 

    Available Keys: <Domain Controller Available Keys> 

Network Information: 

    Client Address: <Client IP Address> 

    Client Port: <Client Port> 

    Advertized Etypes: <Advertized Kerberos Encryption Types> 

See https://go.microsoft.com/fwlink/?linkid=2344614 to learn more. 

Comments

Warning event 207 will be logged if:

  • The target service does not have AES keys

  • Either of the following occurs:

    • The target service HAS msds-SET defined to AES-SHA1 only

    • The domain controller HAS DDSET defined to AES-SHA1 only

  • The registry value RC4DefaultDisablementPhase is set to 1

  • This will turn into 209 (Error) in Enforcement mode

  • Per request

Event Log: System

Event Type: Warning

Event Source: Kdcsvc

Event ID: 208

Event Text

The Key Distribution Center intentionally denied cipher usage because service msds-SupportedEncryptionTypes is configured to only support AES-SHA1 but the client doesn’t advertize AES-SHA1 

Account Information 

    Account Name: <Account Name> 

    Supplied Realm Name: <Supplied Realm Name> 

    msds-SupportedEncryptionTypes: <Supported Encryption Types> 

    Available Keys: <Available Keys> 

Service Information: 

    Service Name: <Service Name> 

    Service ID: <Service SID> 

    msds-SupportedEncryptionTypes: <Service Supported Encryption Types> 

    Available Keys: <Service Available Keys> 

Domain Controller Information: 

    msds-SupportedEncryptionTypes: <Domain Controller Supported Encryption Types> 

    DefaultDomainSupportedEncTypes: <DefaultDomainSupportedEncTypes Value> 

    Available Keys: <Domain Controller Available Keys> 

Network Information: 

    Client Address: <Client IP Address> 

    Client Port: <Client Port> 

    Advertized Etypes: <Advertized Kerberos Encryption Types> 

See https://go.microsoft.com/fwlink/?linkid=2344614 to learn more. 

Comments

Error event 208 will be logged if:

  • The client is only advertising RC4 in its Advertized Etypes

  • Either of the following occurs:

    • The target service HAS msds-SET defined to AES-SHA1 only

    • The domain controller HAS DDSET defined to AES-SHA1 only

  • The registry value RC4DefaultDisablementPhase is set to 2

  • Per request

Event Log: System

Event Type: Warning

Event Source: Kdcsvc

Event ID: 209

Event Text

The Key Distribution Center intentionally denied cipher usage because service msds-SupportedEncryptionTypes is configured to only support AES-SHA1 but the service account doesn’t have AES-SHA1 keys 

Account Information 

    Account Name: <Account Name> 

    Supplied Realm Name: <Supplied Realm Name> 

    msds-SupportedEncryptionTypes: <Supported Encryption Types> 

    Available Keys: <Available Keys> 

Service Information: 

    Service Name: <Service Name> 

    Service ID: <Service SID> 

    msds-SupportedEncryptionTypes: <Service Supported Encryption Types> 

    Available Keys: <Service Available Keys> 

Domain Controller Information: 

    msds-SupportedEncryptionTypes: <Domain Controller Supported Encryption Types> 

    DefaultDomainSupportedEncTypes: <DefaultDomainSupportedEncTypes Value> 

    Available Keys: <Domain Controller Available Keys> 

Network Information: 

    Client Address: <Client IP Address> 

    Client Port: <Client Port> 

    Advertized Etypes: <Advertized Kerberos Encryption Types> 

See https://go.microsoft.com/fwlink/?linkid=2344614 to learn more. 

Comments

Error event 209 will be logged if:

  • The target service does not have AES keys

  • Either of the following occurs:

    • The target service HAS msds-SET defined to AES-SHA1 only

    • The domain controller HAS DDSET defined to AES-SHA1 only

  • The registry value RC4DefaultDisablementPhase is set to 2

  • Per request

Note

If you find any of these warning messages logged on a domain controller, it is likely that not all the domain controllers in your domain are up to date with a Windows update released on or after January 13, 2026. To mitigate the vulnerability, you will need to investigate your domain further to find the domain controllers that are not up to date.

If you see an Event ID: 0x8000002A logged on a domain controller, please see KB5021131: How to manage the Kerberos protocol changes related to CVE-2022-37966.

Frequently asked questions (FAQ)

This hardening change only impacts Windows domain controllers. The Kerberos Trust and referral flow with other Windows domain controllers or third-party KDCs is unaffected.

Third-party domain devices that are unable to process AES-SHA1 encryption should have already been explicitly configured to allow AES-SHA1 encryption.

No. We will log warning events for insecure configurations for DefaultDomainSupportedEncTypes. Additionally, we will honor any configuration explicitly set by an administrator.

Resources

KB5020805: How to manage Kerberos protocol changes related to CVE-2022-37967

KB5021131: How to manage the Kerberos protocol changes related to CVE-2022-37966

Supported Encryption Types Bit Flags
