Author Topic: Microsoft issues security advisory for IT admins managing Windows Domain Control

Offline javajolt
Almost exactly a year ago, Microsoft shared details regarding the hardening process of Domain Controllers (DCs) to protect them against a couple of security flaws in Kerberos. Now, it is kicking off yet another hardening phase to patch DCs against security issues recently reported via CVE-2026-20833.

Basically, there is a vulnerability in the Kerberos authentication protocol that lets an attacker take advantage of weak, legacy encryption algorithms such as RC4: service tickets issued with such algorithms can be used to recover the credentials of the service accounts they were issued for. This issue is tracked as CVE-2026-20833 and applies to DCs running the following SKUs of Windows Server:

   • Windows Server 2008 Premium Assurance
   • Windows Server 2008 R2 Premium Assurance
   • Windows Server 2012 ESU
   • Windows Server 2012 R2 ESU
   • Windows Server 2016
   • Windows Server 2019
   • Windows Server 2022
   • Windows Server 2025

To mitigate this issue, Microsoft has rolled out a few changes via the recent Patch Tuesday update. Right now, customers are in the "Initial Deployment Phase," during which the Redmond tech giant has released Windows updates that provide audit events for customers who might face compatibility issues due to the hardening process. It has also introduced an RC4DefaultDisablementPhase registry value that lets admins proactively move DCs to the AES-SHA1 algorithm when it is safe to do so.

This phase will continue until April 2026, at which point we'll enter the "Second Deployment Phase," in which DCs use AES-SHA1 by default for accounts that do not have an explicit msDS-SupportedEncryptionTypes Active Directory attribute defined.

Finally, in July 2026, Microsoft will begin the "Enforcement Phase" that gets rid of the RC4DefaultDisablementPhase registry subkey.

In its dedicated support article, Microsoft has encouraged IT admins to apply January 2026's Patch Tuesday updates and begin actively monitoring audit events to see if they are ready to kick off the next phase of DC hardening. You can find out more details here.
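The article tells admins to patch, watch the audit events, and get ready for the later phases, but it does not show how to find out which accounts those phases will actually touch. The following PowerShell inventory is an added example, not code from the article or from Microsoft's support documentation. It assumes the RC4DefaultDisablementPhase value lives under the KDC service's registry key (a path to confirm against Microsoft's support article, since the article above does not give it), and it uses the documented bit flags of the msDS-SupportedEncryptionTypes attribute together with the standard LDAP bitwise matching rules. The function names (Get-DcRc4Phase, Get-KerberosEncTypeExposure, ConvertFrom-EncTypeMask) are this example's own.

```powershell
#Requires -Modules ActiveDirectory
# Added example, not from the article or Microsoft's KB. Two checks a DC admin would want
# before the April and July 2026 phases described above:
#   1. Which phase value (if any) each DC currently has set.
#   2. Which SPN-bearing accounts either inherit the phase default (no explicit
#      msDS-SupportedEncryptionTypes) or explicitly allow RC4 with no AES bit at all.

# ASSUMPTION: the phase value is read from the KDC service key. Confirm the exact
# subkey against Microsoft's support article before relying on this path.
$KdcKeyPath     = 'HKLM:\SYSTEM\CurrentControlSet\Services\Kdc'
$PhaseValueName = 'RC4DefaultDisablementPhase'

# Documented bit flags of msDS-SupportedEncryptionTypes (MS-KILE / MS-ADTS).
$EncTypeBits = [ordered]@{
    DES_CBC_CRC = 0x01
    DES_CBC_MD5 = 0x02
    RC4_HMAC    = 0x04
    AES128_CTS  = 0x08
    AES256_CTS  = 0x10
    AES256_SK   = 0x20
}

function ConvertFrom-EncTypeMask {
    # Turn the integer attribute value into readable flag names for the report.
    param([int]$Mask)
    $names = foreach ($kv in $EncTypeBits.GetEnumerator()) {
        if ($Mask -band $kv.Value) { $kv.Key }
    }
    if (-not $names) { 'NONE' } else { $names -join '|' }
}

function Get-DcRc4Phase {
    # Read the hardening-phase value from every DC in the domain over PowerShell remoting.
    param([string]$Server = $env:USERDNSDOMAIN)
    Get-ADDomainController -Filter * -Server $Server | ForEach-Object {
        $dc  = $_.HostName
        $val = Invoke-Command -ComputerName $dc -ScriptBlock {
            param($path, $name)
            (Get-ItemProperty -Path $path -Name $name -ErrorAction SilentlyContinue).$name
        } -ArgumentList $KdcKeyPath, $PhaseValueName -ErrorAction SilentlyContinue
        [pscustomobject]@{
            DomainController = $dc
            Phase            = if ($null -eq $val) { 'not set (current-phase default applies)' } else { $val }
        }
    }
}

function Get-KerberosEncTypeExposure {
    # Service tickets are issued for accounts that hold an SPN, so those are the accounts
    # whose encryption-type configuration matters for CVE-2026-20833.
    param([string]$Server = $env:USERDNSDOMAIN)
    $bitAnd  = '1.2.840.113556.1.4.803'   # LDAP_MATCHING_RULE_BIT_AND
    $bitOr   = '1.2.840.113556.1.4.804'   # LDAP_MATCHING_RULE_BIT_OR
    $aesMask = $EncTypeBits.AES128_CTS -bor $EncTypeBits.AES256_CTS -bor $EncTypeBits.AES256_SK
    $props   = 'msDS-SupportedEncryptionTypes', 'servicePrincipalName'

    # Group 1: no explicit value, so behaviour changes when the phase default changes.
    $noExplicit = Get-ADObject -Server $Server -Properties $props `
        -LDAPFilter '(&(servicePrincipalName=*)(!(msDS-SupportedEncryptionTypes=*)))'

    # Group 2: RC4 bit set and no AES bit; these keep negotiating RC4 regardless of phase.
    $rc4Only = Get-ADObject -Server $Server -Properties $props -LDAPFilter `
        "(&(servicePrincipalName=*)(msDS-SupportedEncryptionTypes:$bitAnd:=$($EncTypeBits.RC4_HMAC))(!(msDS-SupportedEncryptionTypes:$bitOr:=$aesMask)))"

    foreach ($o in $noExplicit) {
        [pscustomobject]@{
            Name     = $o.Name
            Class    = $o.ObjectClass
            Finding  = 'no explicit etypes (inherits phase default)'
            EncTypes = '(unset)'
        }
    }
    foreach ($o in $rc4Only) {
        [pscustomobject]@{
            Name     = $o.Name
            Class    = $o.ObjectClass
            Finding  = 'RC4 allowed, no AES bit'
            EncTypes = ConvertFrom-EncTypeMask $o.'msDS-SupportedEncryptionTypes'
        }
    }
}

# Usage: run from a domain-joined admin session with RSAT installed.
Get-DcRc4Phase | Format-Table -AutoSize
Get-KerberosEncTypeExposure | Sort-Object Finding, Name | Format-Table -AutoSize
```

The first group is the one the "Second Deployment Phase" changes for you, so it is the set to review against the audit events Microsoft's update emits; the second group is unaffected by the phase default and only improves when the attribute is set to an AES value on the account itself. Computer accounts and krbtgt appear in the output as well, which is intended: they hold SPNs and get tickets like any other service principal.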

source