Microsoft Warns of Kerberos Changes That Could Break Enterprise Logins
Microsoft is continuing its push to modernize Windows security, and this time the focus is on strengthening Kerberos authentication across the platform.
The company is preparing a major Kerberos hardening change that will begin rolling out with the April 2026 Windows update. It is not the only recent change: Microsoft has also released the KB5079391 update to the public.
Windows to Enforce Stronger Kerberos Encryption by Default
With this update, Windows will enforce stronger encryption standards for Kerberos authentication. Accounts that do not have explicitly defined encryption types will now default to AES-SHA1 instead of the older RC4 algorithm.
Microsoft is also removing RC4 fallback entirely, as the encryption method is now considered outdated and insecure. This marks a significant shift in how authentication is handled across enterprise and domain environments.
Potential Impact on Enterprise and Virtual Environments
While the change improves security, it may also introduce compatibility issues in certain setups. Systems that do not support AES-SHA1 encryption could fail authentication entirely once enforcement is enabled.
This is particularly relevant for environments using FSLogix or relying on SMB shares with Active Directory authentication. In such cases, failed Kerberos authentication could prevent user profiles from loading properly, especially in virtualized or enterprise deployments.
Impacted scenarios include Kerberos-based SMB access and Active Directory objects configured with either null or RC4-only encryption settings.
Admins Urged to Prepare Before Enforcement Deadline
Microsoft is advising IT administrators to review their environments ahead of the rollout. This includes identifying any use of RC4 within Active Directory, updating configurations to support AES-SHA1, and validating authentication workflows to avoid disruptions.
The rollout will follow a phased timeline. In April 2026, enforcement mode will be enabled by default, though audit mode will still be available as a fallback option. By July 2026, audit mode will be removed entirely, making enforcement mandatory across all environments.
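The review step described above amounts to finding accounts whose encryption-type setting is null or lacks AES. The PowerShell below is an added example, not a Microsoft script and not part of the original article. It classifies values of the `msDS-SupportedEncryptionTypes` attribute; the account names are constructed sample data, the function name is hypothetical, and it goes slightly beyond the article by also flagging DES-only values.

```powershell
# Added example. Bit flags of the msDS-SupportedEncryptionTypes attribute.
$DES = 0x01 -bor 0x02   # DES-CBC-CRC, DES-CBC-MD5
$RC4 = 0x04             # RC4-HMAC
$AES = 0x08 -bor 0x10   # AES128 / AES256-CTS-HMAC-SHA1-96

# Hypothetical helper: map an attribute value to a review status.
function Get-KerberosEncStatus {
    param([Nullable[int]]$EncTypes)
    # Null means no explicit encryption types; 0 is treated the same way here (assumption).
    if ($null -eq $EncTypes -or $EncTypes -eq 0) { return 'NotSet' }
    # Any AES bit set: the account can use AES-SHA1.
    if ($EncTypes -band $AES) { return 'AESEnabled' }
    # Only RC4 and/or DES bits set: no AES available for this account.
    return 'NoAES'
}

# Constructed sample data standing in for a directory export.
$accounts = @(
    [pscustomobject]@{ Name = 'svc-fslogix'; EncTypes = $null }  # never configured
    [pscustomobject]@{ Name = 'FILESRV01$';  EncTypes = 4 }      # RC4 only
    [pscustomobject]@{ Name = 'svc-sql';     EncTypes = 28 }     # RC4 + AES128 + AES256
    [pscustomobject]@{ Name = 'APPSRV02$';   EncTypes = 24 }     # AES128 + AES256
)

# Live-domain equivalent (needs the ActiveDirectory module; the SPN filter is an assumed scope):
# $accounts = Get-ADObject -LDAPFilter '(servicePrincipalName=*)' `
#         -Properties 'msDS-SupportedEncryptionTypes' |
#     Select-Object Name, @{ n = 'EncTypes'; e = { $_.'msDS-SupportedEncryptionTypes' } }

# Report only the accounts that need review before enforcement.
$accounts |
    Select-Object Name, EncTypes,
        @{ n = 'Status'; e = { Get-KerberosEncStatus $_.EncTypes } } |
    Where-Object Status -ne 'AESEnabled' |
    Format-Table -AutoSize
```

With the sample data, the report lists `svc-fslogix` as `NotSet` and `FILESRV01$` as `NoAES`, the two cases the article names as impacted.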
Part of Broader Windows Security Overhaul
This Kerberos update is part of a wider effort by Microsoft to improve security across Windows. The company has been gradually moving away from legacy protocols like NTLM while strengthening modern authentication methods such as Kerberos.
It’s worth noting that this is a platform-level change affecting Windows broadly, and is not limited to services like Azure Virtual Desktop.
In other news, Microsoft has also addressed a WUSA network installation issue in the recent KB5079391 update.
Via Neowin