In recent months Microsoft support has received a lot of questions regarding disabling RC4 for the encryption of Kerberos tickets. If I had to guess the CIS L1 Baseline and RFC 8429 guidance to ...
Great catch Shnitzel! - I have made the table corrections.
Shaz_Blog - Once logging confirms tickets are no longer issued with RC4 you will want to use the "Configure encryption types allowed" policy to remove RC4 support for all domain members and not just the domain controllers. After a Windows device processes that policy it will dynamically update the msDS-SupportedEncryptionTypes attribute on its own computer account.
If the keytab file is only being used to consume a service ticket (no authentication back to the domain), the 4768/4769 events will be no help in identifying keytabs which only support RC4. However, if the keytab is being used to acquire TGTs from the KDC, the Ticket Encryption Type field in the 4768 will reflect the encryption type used to perform the pre-authentication rather than the encryption used for the TGT. I know that might not seem right, so here is an example from my lab.
I used the "Configure encryption types allowed" policy to only allow RC4 on a Windows 10 computer. When Bob logged on, he received an AES-encrypted TGT, but because his device only supported RC4 during pre-authentication, the session key for the TGT was RC4. As you can see, the 4768 showed the Ticket Encryption Type field logged RC4 (session key\pre-auth) rather than AES, which was the encryption type of the TGT. However, the 4769 actually reflected the encryption type of the Service Ticket rather than the session key encryption type.
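The two replies above describe checking msDS-SupportedEncryptionTypes on domain members and reading the Ticket Encryption Type field out of 4768/4769 events. The PowerShell below is an added example, not code from the original post or from Microsoft: it decodes the msDS-SupportedEncryptionTypes bitmask, parses the Ticket Encryption Type field from event XML, and flags RC4 hits. The bit flags and Kerberos etype numbers are the documented constants; the two sample events are constructed to mirror the lab case in the reply (an RC4 session key on an AES TGT). The `Get-RC4TicketEvents` and `Get-ComputerEtypeReport` helpers assume read access to a domain controller's Security log and the RSAT ActiveDirectory module, respectively.

```powershell
# Added example (not from the original post). Constants are the documented
# Kerberos/AD values; the sample events further down are constructed.

# Bit flags of msDS-SupportedEncryptionTypes.
$SupportedEtypeBits = [ordered]@{
    0x01 = 'DES-CBC-CRC'
    0x02 = 'DES-CBC-MD5'
    0x04 = 'RC4-HMAC'
    0x08 = 'AES128-CTS-HMAC-SHA1-96'
    0x10 = 'AES256-CTS-HMAC-SHA1-96'
}

# Kerberos etype numbers as logged in the TicketEncryptionType field of 4768/4769.
$TicketEtypeNames = @{
    0x01 = 'DES-CBC-CRC'
    0x03 = 'DES-CBC-MD5'
    0x11 = 'AES128-CTS-HMAC-SHA1-96'
    0x12 = 'AES256-CTS-HMAC-SHA1-96'
    0x17 = 'RC4-HMAC'
    0x18 = 'RC4-HMAC-EXP'
}

function ConvertFrom-SupportedEncryptionTypes {
    # Decode an msDS-SupportedEncryptionTypes value. $null means the attribute
    # is unset, in which case the KDC falls back to its defaults.
    param([AllowNull()][int]$Value)
    if ($null -eq $Value) {
        return [pscustomobject]@{ Value = '(unset)'; Supported = '(KDC default)'; AllowsRC4 = $null }
    }
    $names = foreach ($bit in $SupportedEtypeBits.Keys) {
        if ($Value -band $bit) { $SupportedEtypeBits[$bit] }
    }
    [pscustomobject]@{
        Value     = ('0x{0:X}' -f $Value)
        Supported = ($names -join ', ')
        AllowsRC4 = [bool]($Value -band 0x4)
    }
}

function Get-TicketEncryptionSummary {
    # Parse 4768/4769 event XML. Per the lab observation above, a 4768 etype
    # reflects the pre-auth/session key, a 4769 etype the service ticket itself.
    param([Parameter(Mandatory)][xml[]]$EventXml)
    foreach ($x in $EventXml) {
        $data = @{}
        foreach ($d in $x.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
        $etype = [int]$data['TicketEncryptionType']   # "0x17" casts to 23
        [pscustomobject]@{
            EventId = [int]$x.SelectSingleNode('//*[local-name()="EventID"]').InnerText
            Account = $data['TargetUserName']
            Service = $data['ServiceName']
            Etype   = $TicketEtypeNames[$etype]
            IsRC4   = ($etype -in 0x17, 0x18)
        }
    }
}

function Get-RC4TicketEvents {
    # Live query against a DC's Security log (assumes read access).
    param([string]$ComputerName = $env:COMPUTERNAME, [int]$MaxEvents = 5000)
    $xml = Get-WinEvent -ComputerName $ComputerName -MaxEvents $MaxEvents `
        -FilterHashtable @{ LogName = 'Security'; Id = 4768, 4769 } |
        ForEach-Object { [xml]$_.ToXml() }
    Get-TicketEncryptionSummary -EventXml $xml | Where-Object IsRC4
}

function Get-ComputerEtypeReport {
    # Per-computer view of msDS-SupportedEncryptionTypes (assumes RSAT AD module).
    Get-ADComputer -Filter * -Properties msDS-SupportedEncryptionTypes | ForEach-Object {
        $d = ConvertFrom-SupportedEncryptionTypes -Value $_.'msDS-SupportedEncryptionTypes'
        [pscustomobject]@{ Name = $_.Name; Value = $d.Value; Supported = $d.Supported; AllowsRC4 = $d.AllowsRC4 }
    }
}

# --- Offline demonstration with constructed data ---
ConvertFrom-SupportedEncryptionTypes -Value 0x1C   # RC4 + AES128 + AES256 -> AllowsRC4 True
ConvertFrom-SupportedEncryptionTypes -Value 0x18   # AES only              -> AllowsRC4 False

$ns = 'http://schemas.microsoft.com/win/2004/08/events/event'
$sample = @(
    # Constructed 4768: Bob's RC4-only client, so the session key / pre-auth etype is RC4.
    [xml]"<Event xmlns='$ns'><System><EventID>4768</EventID></System><EventData>
      <Data Name='TargetUserName'>bob</Data><Data Name='ServiceName'>krbtgt</Data>
      <Data Name='TicketEncryptionType'>0x17</Data></EventData></Event>",
    # Constructed 4769: the service ticket itself was issued with AES256.
    [xml]"<Event xmlns='$ns'><System><EventID>4769</EventID></System><EventData>
      <Data Name='TargetUserName'>bob@CONTOSO.LOCAL</Data><Data Name='ServiceName'>cifs/fs01</Data>
      <Data Name='TicketEncryptionType'>0x12</Data></EventData></Event>"
)
Get-TicketEncryptionSummary -EventXml $sample | Format-Table -AutoSize
```

The offline section prints one RC4 hit for the 4768 and none for the 4769, which is exactly the pattern the reply describes: an RC4 result in a 4768 points at a client that still negotiates RC4 for pre-authentication, while an RC4 result in a 4769 points at a service account or keytab whose ticket was actually issued with RC4. Only the 4769 view will catch accounts whose TGT is AES but whose service keys are still RC4-only.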