Hi All,
following a few months of monitoring and mitigation, I successfully disabled RC4 encryption for Kerberos in our domain yesterday.
In our case only non-Windows devices and servers were using RC4 encrypted service tickets, whereas all TGTs were already using AES encryption. Mitigation only required configuring the msDS-SupportedEncryptionTypes attribute to 28 (0x1C) for devices that appeared in the log in order to add support for AES, after which they disappeared.
Once the log stayed empty, I unticked "RC4_HMAC_MD5" in the setting "Network security: Configure encryption types allowed for Kerberos" in our DC hardening GPO. All 4768 and 4769 events now show 0x12 (AES256) under Ticket Encryption Type.
Good luck with your endeavors in this respect! The clock is ticking, as Microsoft will enforce AES encryption by mid-2026.
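The monitoring and mitigation steps described above, as an added PowerShell example that is not part of the original post: it pulls 4769 events from a domain controller, lists the service accounts whose tickets were still issued with RC4 (TicketEncryptionType 0x17/0x18), and optionally sets msDS-SupportedEncryptionTypes to 28 on them, as the post did, before RC4 is removed via GPO. The function and variable names are mine; it assumes the ActiveDirectory module is available.

```powershell
# Added example, not from the original post. Run on a DC with the ActiveDirectory module.
Import-Module ActiveDirectory

$Rc4Types   = @('0x17', '0x18')  # RC4-HMAC, RC4-HMAC-EXP as logged in TicketEncryptionType
$AesMask    = 0x18               # AES128 (0x8) + AES256 (0x10) bits of msDS-SupportedEncryptionTypes
$AesPlusRc4 = 0x1C               # 28: RC4 (0x4) + AES128 + AES256, the value used in the post

function Get-Rc4ServiceTicketUsage {
    # Returns one object per 4769 event whose service ticket was RC4 encrypted.
    param([int]$Days = 7)
    $events = Get-WinEvent -FilterHashtable @{
        LogName = 'Security'; Id = 4769; StartTime = (Get-Date).AddDays(-$Days)
    } -ErrorAction SilentlyContinue
    foreach ($e in $events) {
        $xml = [xml]$e.ToXml()
        $d = @{}
        foreach ($n in $xml.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
        if ($Rc4Types -contains $d['TicketEncryptionType']) {
            [pscustomobject]@{
                Time     = $e.TimeCreated
                Service  = $d['ServiceName']      # sAMAccountName of the service account
                Client   = $d['TargetUserName']
                ClientIP = $d['IpAddress']
                EType    = $d['TicketEncryptionType']
            }
        }
    }
}

function Add-AesSupport {
    # Adds AES support (value 28, keeping RC4 for now) to accounts that lack the AES bits.
    [CmdletBinding(SupportsShouldProcess)]
    param([Parameter(ValueFromPipeline)][string]$SamAccountName)
    process {
        $obj = Get-ADObject -Filter "sAMAccountName -eq '$SamAccountName'" `
                            -Properties msDS-SupportedEncryptionTypes
        if (-not $obj) { Write-Warning "$SamAccountName not found"; return }
        $current = $obj.'msDS-SupportedEncryptionTypes'   # $null if the attribute is unset
        if ($current -band $AesMask) { Write-Verbose "$SamAccountName already has AES ($current)"; return }
        if ($PSCmdlet.ShouldProcess($SamAccountName, "Set msDS-SupportedEncryptionTypes=$AesPlusRc4")) {
            Set-ADObject -Identity $obj -Replace @{'msDS-SupportedEncryptionTypes' = $AesPlusRc4}
        }
    }
}

# Usage: summarise which services still hand out RC4 tickets, then dry-run the fix.
Get-Rc4ServiceTicketUsage -Days 7 | Group-Object Service | Select-Object Name, Count
Get-Rc4ServiceTicketUsage -Days 7 | Select-Object -ExpandProperty Service -Unique | Add-AesSupport -WhatIf
```

Drop `-WhatIf` once the list looks right; when the 4769 query stays empty for a while, RC4 can be unticked in the GPO as described in the post.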