Hi Raj,
Could you please clarify if this means the "DefaultDomainSupportedEncTypes" exception will also cease to function after the July patch is applied?
There is currently no plan to remove the DefaultDomainSupportedEncTypes functionality.
I am concerned about the potential impact on customers still running business-critical applications on Windows Server 2003 that rely on domain-based authentication.
I understand your concern; however, it is important to note that Windows Server 2003 is out of support and has been since July 14th, 2015. In the Windows Update that introduced the DefaultDomainSupportedEncTypes registry configuration, the following is called out under the Frequently Asked Questions (FAQ) and Known Issues section.
Unsupported versions of Windows, including Windows XP, Windows Server 2003, Windows Server 2008 SP2, and Windows Server 2008 R2 SP1, cannot be accessed by updated Windows devices unless you have an ESU license. If you have an ESU license, you will need to install updates released on or after November 8, 2022 and verify your configuration has a common Encryption type available between all devices.
Next Steps: Install updates, if they are available for your version of Windows and you have the applicable ESU license. If updates are not available, you will need to upgrade to a supported version of Windows or move any application or service to a compliant device.
IMPORTANT: We do not recommend using any workaround to allow non-compliant devices to authenticate, as this might make your environment vulnerable.
We strongly recommend migrating to a supported version of Windows.