REDMOND - In a decisive move to modernize global cybersecurity infrastructure, Microsoft has announced the final retirement of the RC4 encryption cipher, a 38-year-old algorithm that has long been considered a critical vulnerability in Windows environments. By mid-2026, the tech giant will disable RC4 by default in Active Directory Kerberos authentication, closing a security loophole that has persisted for nearly three decades and facilitated major cyberattacks.
The decision marks the end of an era for one of the internet's oldest cryptographic standards. While RC4 was once ubiquitous, its structural weaknesses have allowed attackers to compromise networks through techniques like "Kerberoasting." According to reports from Ars Technica, Microsoft had previously upgraded Active Directory to support the secure Advanced Encryption Standard (AES), but legacy support for RC4 remained active, leaving attackers a path to exploit weakly encrypted tickets.
The Timeline and Technical Shift
The deprecation plan is specific and targeted. According to Microsoft Program Manager Matthew Palko, the default settings for the Kerberos Key Distribution Center (KDC) on Windows Server 2008 and later versions will be updated by mid-2026. This update will force the system to exclusively allow AES-SHA1 encryption. Consequently, RC4 will be disabled by default and will only function if a domain administrator explicitly configures an account or the KDC to permit it.
To assist organizations in this transition, Microsoft has released new PowerShell scripts designed to identify remaining RC4 authentication instances within Windows environments. This allows administrators to locate and troubleshoot legacy connections before the hard cutoff. Separately, applications that use SChannel must opt in to strong cryptography by setting the SCH_USE_STRONG_CRYPTO flag; otherwise they continue to default to older protocols.
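An added example of the kind of audit described above (this is not Microsoft's released script): a PowerShell query over a domain controller's Security log for Kerberos service-ticket requests (event 4769) issued with RC4-HMAC (encryption type 0x17), grouped by the service account that still receives them. It assumes "Audit Kerberos Service Ticket Operations" is enabled on the target DC; the parameter names and the $EtypeNames table are the example's own.

```powershell
# Added example, not Microsoft's script: list service accounts that still
# receive RC4-HMAC Kerberos service tickets, from Security event 4769.
# Assumes Kerberos service-ticket auditing is enabled on the domain controller.
param(
    [string]$ComputerName = $env:COMPUTERNAME,   # DC to query (assumed parameter)
    [int]$Days = 7                               # look-back window (assumed parameter)
)

# Encryption type values as they appear in the TicketEncryptionType field.
$EtypeNames = @{
    '0x1'  = 'DES-CBC-CRC'
    '0x3'  = 'DES-CBC-MD5'
    '0x11' = 'AES128-CTS-HMAC-SHA1-96'
    '0x12' = 'AES256-CTS-HMAC-SHA1-96'
    '0x17' = 'RC4-HMAC'
    '0x18' = 'RC4-HMAC-EXP'
}

$filter = @{
    LogName   = 'Security'
    Id        = 4769
    StartTime = (Get-Date).AddDays(-$Days)
}
$events = Get-WinEvent -ComputerName $ComputerName -FilterHashtable $filter -ErrorAction Stop

$rc4 = foreach ($e in $events) {
    $xml  = [xml]$e.ToXml()
    $data = @{}
    foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }

    # Only successful issuances (Status 0x0) matter; a failed request yields no ticket to crack.
    if ($data['Status'] -ne '0x0') { continue }
    if ($data['TicketEncryptionType'] -in @('0x17', '0x18')) {
        [pscustomobject]@{
            Time      = $e.TimeCreated
            Service   = $data['ServiceName']
            Requester = $data['TargetUserName']
            ClientIP  = $data['IpAddress']
            Etype     = $EtypeNames[$data['TicketEncryptionType']]
        }
    }
}

# Rank service accounts by RC4 ticket volume: these are the accounts to move to AES
# (and whose msDS-SupportedEncryptionTypes to review) before the default changes.
$rc4 | Group-Object Service | Sort-Object Count -Descending |
    Select-Object Count, Name,
        @{ n = 'Requesters'; e = { ($_.Group.Requester | Sort-Object -Unique) -join ', ' } } |
    Format-Table -AutoSize
```

Run it on each domain controller in turn, since 4769 events are logged only on the DC that issued the ticket.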
A Legacy of Vulnerability
RC4, developed by cryptographer Ron Rivest in 1987, has been embedded in Windows systems for over 26 years. However, its age has rendered it obsolete in the face of modern computing power. Security researchers have long warned that RC4-protected tickets are susceptible to offline cracking due to weak key derivation.
"Ancient cypher meets its end after years of hacks and warnings. Software King of the World, Microsoft, is pulling the plug on RC4, an obsolete and leaky encryption cypher it has propped up by default for 26 years despite a trail of break-ins." - Fudzilla
The continued use of this cipher has had real-world consequences. Reports indicate that RC4-related weaknesses contributed to the lateral movement of attackers in high-profile incidents. Specifically, the 2024 intrusion involving Ascension, a major U.S. healthcare provider, was linked to Kerberos abuse where weak encryption types facilitated the attack. Furthermore, exploits leveraging these vulnerabilities have been associated with massive historical breaches like SolarWinds and NotPetya.
Implications for Enterprise Security
The removal of RC4 is a critical step in mitigating "Kerberoasting," a common attack vector where attackers obtain a service ticket encrypted with a weak algorithm (like RC4) and crack it offline to reveal the service account's password. By enforcing AES encryption, which uses stronger, iterated key derivation, Microsoft is making offline cracking dramatically more expensive and time-consuming for adversaries.
For business leaders and IT administrators, this change signals an urgent need for compliance audits. While the deadline is set for 2026, experts warn that waiting until the last minute could result in service disruptions for legacy applications that have not been updated to support AES. The move aligns with broader industry trends where regulators and cyber insurers are increasingly mandating the removal of obsolete protocols to reduce systemic risk.
Why Did It Take So Long?
Coverage from Schneier on Security highlights that Microsoft is finally upgrading this last remaining instance after decades of pain. The delay was largely due to compatibility concerns; legacy systems and older third-party applications often break when older encryption standards are forcibly removed. Microsoft reportedly considered deprecating RC4 earlier but "punted" after discovering that doing so would require extensive fixes. Now, however, the threat landscape has necessitated action over convenience.
Outlook: The Path to 2026
As the mid-2026 deadline approaches, organizations using Active Directory must prioritize the remediation of RC4 usage. The transition to AES-SHA1 is not just a technical upgrade but a necessary evolution to protect against sophisticated state-sponsored actors and cybercriminal gangs who feast on legacy infrastructure. By finally closing the door on RC4, the technology sector takes a significant step toward a more resilient digital ecosystem.