01 Jan, 2026

After decades of known vulnerabilities, Microsoft confirms it will disable RC4 by default in Active Directory by mid-2026, forcing a global migration to AES encryption.

REDMOND - In a decisive move to harden global enterprise infrastructure against persistent cyber threats, Microsoft has officially set a countdown for the elimination of the Rivest Cipher 4 (RC4) encryption algorithm. According to new guidance from Redmond, the technology giant will disable RC4 by default in Windows authentication processes by mid-2026. The decision marks the final chapter for a 37-year-old cryptographic standard that, while once ubiquitous, has become a preferred tool for attackers exploiting vulnerabilities in corporate networks.

The deprecation targets the use of RC4 in the Kerberos Key Distribution Center (KDC), a critical component of Active Directory that manages authentication tickets for users and computers. By mandating a shift to the stronger Advanced Encryption Standard (AES), Microsoft aims to close security loopholes that have fueled high-profile attacks, including the widespread "Kerberoasting" technique and breaches akin to the SolarWinds and NotPetya incidents.


Timeline for Termination

The phase-out process is already underway, but the newly announced timeline provides definitive deadlines for IT administrators. According to Matthew Palko, a principal program manager at Microsoft, the default behavior of domain controllers will change significantly over the next 18 months.

Microsoft indicated that by mid-2026, the KDC on Windows Server 2008 and later versions will be updated to only allow AES-SHA1 encryption by default. While Microsoft had previously considered deprecating RC4 by 2025, reports from Ars Technica suggest the company "punted" on that initial target after discovering that a "surgical" approach was required to fix vulnerabilities without causing widespread system failures.

"By mid-2026, we will be updating domain controller defaults for the Kerberos Key Distribution Center (KDC) on Windows Server 2008 and later to only allow AES-SHA1 encryption. RC4 will be disabled by default..." - Microsoft

This move follows earlier incremental steps. Windows Updates released on or after November 8, 2022, already began shifting default encryption types to AES-SHA1 for certain accounts. Furthermore, future updates to Windows 11 version 24H2 and Windows Server 2025 intend to disable RC4 encryption by default, signaling that new deployments will be secure out-of-the-box.

The Legacy of Vulnerability

Developed in 1987 by cryptographer Ron Rivest, RC4 was notable for its speed and simplicity. However, its age has become its greatest liability. Unlike modern block ciphers, RC4 is a stream cipher, and researchers have long identified biases in its output keystream that allow attackers to recover plaintext.

In the context of Windows Active Directory, the persistence of RC4 has enabled "Kerberoasting." This attack vector allows hackers to request Kerberos service tickets encrypted with RC4, take them offline, and crack them relatively easily due to the weak encryption algorithm. Once cracked, these tickets can provide unauthorized access to service accounts, often leading to full domain compromise. Slashdot noted that this specific weakness was the "root cause of the initial intrusion into Ascension's network," highlighting the real-world consequences of legacy crypto.
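The attack just described leaves a defender-visible trace: every service ticket the KDC issues is logged as Windows Security event 4769, whose "Ticket Encryption Type" field records the encryption type actually used (0x17 is RC4-HMAC). The Python below is an added example, not code from the article or from Microsoft; it scans a handful of constructed 4769 lines (the key=value layout, account names, hosts and addresses are invented, the event ID, field names and etype numbers are the real Windows values) and flags RC4 service tickets for human-password service accounts, the ones an attacker would take offline.

```python
import re
from collections import Counter

# Kerberos encryption type numbers as they appear in the 4769
# 'Ticket Encryption Type' field (RFC 3961 etype numbers, hex).
ETYPE_NAMES = {
    0x01: "DES-CBC-CRC",
    0x03: "DES-CBC-MD5",
    0x11: "AES128-CTS-HMAC-SHA1-96",
    0x12: "AES256-CTS-HMAC-SHA1-96",
    0x17: "RC4-HMAC",
    0x18: "RC4-HMAC-EXP",
}
RC4_ETYPES = {0x17, 0x18}

# Constructed sample: one event per line, flattened into key=value pairs.
# A real feed would come from Get-WinEvent or a SIEM; this layout is ours.
SAMPLE_EVENTS = [
    "EventID=4769; Account Name=jdoe@CORP.EXAMPLE; Service Name=svc_sql; Client Address=::ffff:10.0.0.5; Ticket Encryption Type=0x17",
    "EventID=4769; Account Name=jdoe@CORP.EXAMPLE; Service Name=WS01$; Client Address=::ffff:10.0.0.5; Ticket Encryption Type=0x17",
    "EventID=4769; Account Name=asmith@CORP.EXAMPLE; Service Name=svc_web; Client Address=::ffff:10.0.0.9; Ticket Encryption Type=0x12",
    "EventID=4769; Account Name=jdoe@CORP.EXAMPLE; Service Name=svc_web; Client Address=::ffff:10.0.0.5; Ticket Encryption Type=0x17",
    "EventID=4769; Account Name=bob@CORP.EXAMPLE; Service Name=krbtgt; Client Address=::ffff:10.0.0.7; Ticket Encryption Type=0x17",
    "EventID=4768; Account Name=bob@CORP.EXAMPLE; Service Name=krbtgt; Client Address=::ffff:10.0.0.7; Ticket Encryption Type=0x12",
]

FIELD_RE = re.compile(r"([A-Za-z ]+)=([^;]*)")


def parse_event(line):
    """Turn one flattened event line into a dict; the etype becomes an int."""
    fields = {k.strip(): v.strip() for k, v in FIELD_RE.findall(line)}
    return {
        "event_id": int(fields.get("EventID", "0")),
        "requester": fields.get("Account Name", ""),
        "service": fields.get("Service Name", ""),
        "client": fields.get("Client Address", ""),
        "etype": int(fields.get("Ticket Encryption Type", "0"), 16),
    }


def is_kerberoast_candidate(ev):
    """RC4 service ticket for a user-style service account.

    Computer accounts (name ends in $) and krbtgt are skipped: their keys are
    long random secrets, so an RC4 ticket for them is not crackable offline
    the way a ticket for a human-chosen service-account password is.
    """
    if ev["event_id"] != 4769 or ev["etype"] not in RC4_ETYPES:
        return False
    svc = ev["service"]
    return not svc.endswith("$") and svc.lower() != "krbtgt"


def find_rc4_service_tickets(lines):
    """All flagged events, in log order."""
    return [ev for ev in map(parse_event, lines) if is_kerberoast_candidate(ev)]


def requester_counts(flagged):
    """Distinct RC4 SPNs requested per account; one account pulling many
    different SPNs in a short window is the classic Kerberoasting burst."""
    counts = Counter()
    seen = set()
    for ev in flagged:
        key = (ev["requester"], ev["service"])
        if key not in seen:
            seen.add(key)
            counts[ev["requester"]] += 1
    return counts


if __name__ == "__main__":
    hits = find_rc4_service_tickets(SAMPLE_EVENTS)
    for ev in hits:
        print(f"{ev['requester']} -> {ev['service']} "
              f"({ETYPE_NAMES[ev['etype']]}) from {ev['client']}")
    print(dict(requester_counts(hits)))
```

Once the KDC default changes, any remaining 0x17 in this field is itself the finding: it means a principal in the domain still negotiates RC4 and is exactly the dependency the migration has to surface before the cut-over.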

Impact on Enterprise and Legacy Systems

The transition to AES is not merely a software update; it is a significant operational shift for legacy environments. While modern systems support AES natively, older applications and third-party appliances hardcoded to use RC4 will face connectivity issues once the cipher is disabled.

Administrators are advised to audit their environments immediately. Microsoft Support documentation indicates that applications calling into SChannel directly will continue to use RC4 unless they opt into stronger security options. However, developers using SChannel can block RC4 by passing the SCH_USE_STRONG_CRYPTO flag. The delay until mid-2026 provides a grace period for organizations to identify dependencies, but experts warn that waiting until the deadline could result in critical service interruptions.
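The audit the paragraph calls for can start from the per-account msDS-SupportedEncryptionTypes attribute, the bitmask that records which Kerberos encryption types each account advertises to the KDC. The Python below is an added example, not Microsoft's tooling or anything from the article; it decodes a constructed CSV export (the column layout, account names and values are invented, while the bit values are the documented ones) and reports which accounts would stop authenticating once the KDC refuses RC4.

```python
import csv
import io

# Bit values of msDS-SupportedEncryptionTypes.
DES_CBC_CRC = 0x01
DES_CBC_MD5 = 0x02
RC4_HMAC = 0x04
AES128_CTS_HMAC_SHA1_96 = 0x08
AES256_CTS_HMAC_SHA1_96 = 0x10
AES256_SK = 0x20  # AES256 session keys only, newer DCs

BIT_NAMES = [
    (DES_CBC_CRC, "DES_CBC_CRC"),
    (DES_CBC_MD5, "DES_CBC_MD5"),
    (RC4_HMAC, "RC4_HMAC"),
    (AES128_CTS_HMAC_SHA1_96, "AES128_CTS_HMAC_SHA1_96"),
    (AES256_CTS_HMAC_SHA1_96, "AES256_CTS_HMAC_SHA1_96"),
    (AES256_SK, "AES256_SK"),
]
AES_MASK = AES128_CTS_HMAC_SHA1_96 | AES256_CTS_HMAC_SHA1_96
DES_MASK = DES_CBC_CRC | DES_CBC_MD5

# Constructed export, as a directory export tool might produce it
# (one row per account; an empty cell means the attribute is not set).
SAMPLE_EXPORT = """sAMAccountName,objectClass,msDS-SupportedEncryptionTypes
svc_sql,user,4
svc_web,user,28
legacy_app,user,0
FILE01$,computer,28
svc_old,user,3
svc_new,user,24
svc_reporting,user,
"""


def decode_etypes(mask):
    """Names of the bits set in a mask, in ascending bit order."""
    return [name for bit, name in BIT_NAMES if mask & bit]


def classify(mask):
    """Status of an account relative to an RC4-free KDC.

    None or 0 means the attribute is unset: the account then inherits the
    domain/KDC default, which is exactly what the mid-2026 change alters,
    so those accounts need a manual look rather than an automatic verdict.
    """
    if not mask:
        return "UNSET"
    has_aes = bool(mask & AES_MASK)
    has_rc4 = bool(mask & RC4_HMAC)
    if has_aes and has_rc4:
        return "RC4_AND_AES"      # keeps working; RC4 is still negotiable
    if has_aes:
        return "AES_ONLY"         # the target state
    if has_rc4:
        return "RC4_ONLY"         # breaks the day RC4 is refused
    if mask & DES_MASK:
        return "DES_ONLY"         # already unsupported by default
    return "UNKNOWN"


def audit(csv_text):
    """Parse an export and return one finding per account."""
    findings = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        raw = (row.get("msDS-SupportedEncryptionTypes") or "").strip()
        mask = int(raw) if raw else None
        status = classify(mask)
        findings.append({
            "account": row["sAMAccountName"],
            "object_class": row["objectClass"],
            "mask": mask,
            "etypes": decode_etypes(mask or 0),
            "status": status,
            "breaks_when_rc4_disabled": status == "RC4_ONLY",
        })
    return findings


if __name__ == "__main__":
    for f in audit(SAMPLE_EXPORT):
        flag = "BREAKS" if f["breaks_when_rc4_disabled"] else "      "
        print(f"{flag} {f['account']:<14} {f['status']:<12} {f['etypes']}")
```

Two caveats a practitioner should keep in mind: an account that advertises AES still needs AES keys, which only exist if its password was set after the domain reached a functional level that generates them, so a password reset is part of the fix for long-lived service accounts; and the SChannel flag mentioned above governs TLS, not Kerberos, so it has to be handled as a separate audit track.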

Implications for the Future of Cryptography

The removal of RC4 reflects a broader industry trend toward "crypto-agility": the ability to replace cryptographic primitives without disrupting infrastructure. As computing power increases, algorithms that were once considered secure inevitably become obsolete. The shift to AES-SHA1 is a necessary evolution, though it too is an intermediate step as the industry looks toward even stronger standards like AES-SHA256 and future post-quantum cryptography.

For the immediate future, the focus remains on remediation. With the mid-2026 deadline fixed, the window for migrating off RC4 is closing. Organizations that fail to modernize their authentication protocols risk not only operational downtime but also leaving their digital doors open to attackers utilizing well-known, decades-old exploits.

Amelia Ward

British political analyst covering EU technology laws and governance.
