Microsoft Starts New Kerberos Hardening Phase for Windows Domain Controllers
Microsoft appears to be kicking off yet another security hardening phase for Active Directory domain controllers. In a recent KB guide, the company mentioned that a new Kerberos vulnerability has been discovered, tracked as CVE-2026-20833.
New Kerberos protections target RC4 and legacy encryption
To tackle that, Microsoft has started rolling out protections designed to prevent information disclosure attacks that could expose Kerberos service tickets using weak or legacy encryption, including RC4. Those protections are included with the latest Patch Tuesday updates.
For those curious, Microsoft notes that if the vulnerability is exploited by attackers, it could allow them to carry out offline attacks to recover service account passwords. The consequences sound scary, to say the least.
Microsoft says that the key changes it made are related to encryption. The company has changed the default behavior of domain controllers so that only AES-SHA1–encrypted Kerberos tickets are supported for accounts without an explicit encryption configuration. In short, older and weaker encryption methods are now being pushed out in favor of modern standards.
Why installing the update alone isn’t enough
It’s important to note that simply installing the update won’t fully close the door for attackers. By default, the changes land in Audit mode, which means warning events are logged, such as KDCSVC Event ID 205, when insecure configurations are detected.
Microsoft wants admins to review these logs, fix risky setups, and prepare for what comes next. Stricter changes are coming in the months ahead. Starting April 2026, Enforcement mode will be automatically enabled on all Windows domain controllers, which will block vulnerable Kerberos connections from non-compliant devices. Audit mode itself will then be removed entirely in July 2026. For organizations that still rely on RC4, Microsoft says the only option will be to explicitly enable it per service.
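To see what Audit mode is actually reporting before the April 2026 switch to Enforcement, an admin could run checks like the following on a domain controller. This is an added example, not code from Microsoft's KB or from the article; it assumes the Event ID 205 entries are written to the System log by the provider Microsoft-Windows-Kerberos-Key-Distribution-Center, that the RSAT ActiveDirectory module is available, and that the msDS-SupportedEncryptionTypes attribute is the per-account setting the KB refers to as an "explicit encryption configuration".

```powershell
# Added example (not from Microsoft's KB or the article): two checks an AD admin
# can run on a domain controller while the protection is still in Audit mode.
# Assumptions: the KDC logs Event ID 205 to the System log under the provider
# 'Microsoft-Windows-Kerberos-Key-Distribution-Center', and the ActiveDirectory
# module (RSAT) is installed.

# 1) Pull the Audit-mode warnings (KDCSVC Event ID 205) from the last 7 days.
$since  = (Get-Date).AddDays(-7)
$events = Get-WinEvent -FilterHashtable @{
    LogName      = 'System'
    ProviderName = 'Microsoft-Windows-Kerberos-Key-Distribution-Center'
    Id           = 205
    StartTime    = $since
} -ErrorAction SilentlyContinue

if (-not $events) {
    Write-Host "No KDCSVC 205 events since $since - no insecure ticket requests observed."
} else {
    # Group identical messages so the services that keep tripping the audit surface first.
    $events |
        Group-Object -Property Message |
        Sort-Object Count -Descending |
        Select-Object Count,
            @{ n = 'FirstSeen'; e = { ($_.Group | Sort-Object TimeCreated)[0].TimeCreated } },
            @{ n = 'Message';   e = { $_.Name } } |
        Format-List
}

# 2) List service accounts (anything carrying an SPN) that have no explicit
#    encryption configuration. These are the accounts the new AES-only default
#    applies to; any of them that still genuinely needs RC4 must have it enabled
#    explicitly per service before Enforcement mode switches on.
Import-Module ActiveDirectory
Get-ADObject -LDAPFilter '(&(servicePrincipalName=*)(!(msDS-SupportedEncryptionTypes=*)))' `
    -Properties servicePrincipalName, msDS-SupportedEncryptionTypes |
    Select-Object Name, ObjectClass,
        @{ n = 'SPNs'; e = { $_.servicePrincipalName -join '; ' } } |
    Format-Table -AutoSize
```

Run the first check on each domain controller (or forward the System log centrally), since Audit-mode events are logged on whichever KDC served the request.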
As a quick reminder, the guidance mentioned above applies to Windows Server 2008 Premium Assurance, Windows Server 2008 R2 Premium Assurance, Windows Server 2012 ESU, Windows Server 2012 R2 ESU, Windows Server 2016, Windows Server 2019, Windows Server 2022, and Windows Server 2025.