
FSLogix Blog

Action required: Windows Kerberos hardening (RC4) may affect FSLogix profiles on SMB storage

Jason_Parker
Microsoft
Mar 27, 2026

A Windows security hardening change beginning in April 2026 updates default Kerberos encryption behavior and may impact FSLogix profile access for customers using SMB plus Active Directory storage. If your environment still relies on RC4 or has encryption settings left unset (null), you may see authentication issues unless you move to AES-SHA1. Review your configuration now, especially for non-Azure Files SMB storage, or Azure Files with AD DS where remediation is recommended by the end of June 2026.

Beginning with the April 2026 Windows cumulative update, Kerberos default behavior changes: when an Active Directory object’s encryption type is not explicitly set (null), Windows will default to AES-SHA1 instead of legacy defaults that often resulted in RC4. This is a Windows platform security change. Azure Virtual Desktop service behavior is not being modified.

This may impact FSLogix customers (Azure Virtual Desktop and non-AVD) when FSLogix profile storage depends on SMB file shares integrated with Active Directory. If a dependent system (file server, NAS, or service account configuration) does not support AES-SHA1 for Kerberos, authentication may fail.

You may be impacted if:

  • You use Kerberos-based access to SMB storage for FSLogix profiles, and
  • Kerberos encryption settings are RC4-only or unset (null) for relevant AD objects or service accounts.

When will this happen:

  • April 2026: Enforcement Phase with manual rollback. Default Kerberos behavior changes so domain controllers use AES-SHA1-only encryption for accounts without explicit encryption type settings, and Enforcement mode is enabled by default on Windows domain controllers. Audit mode remains available as a manual rollback option until July 2026.
  • July 2026: Enforcement Phase. Audit mode is removed, leaving Enforcement mode as the only option.

What you should do now:

  1. Identify RC4 usage and null encryption settings for AD objects tied to SMB access (including FSLogix profile storage).
  2. Update configurations to support and prefer AES-based Kerberos encryption (AES-SHA1).
  3. Validate end-to-end sign-in and FSLogix profile access for your AVD and non-AVD environments.
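
One way to carry out the attribute side of step 1, as an added example that is not part of the original post or Microsoft's own tooling: it lists AD accounts that hold a service principal name and whose `msDS-SupportedEncryptionTypes` value is unset or lacks AES. It assumes the RSAT ActiveDirectory PowerShell module is available and that the identity behind your SMB profile storage is such an account; the function name `Get-KerberosETypeFinding` and the finding labels are made up for this example.

```powershell
#Requires -Modules ActiveDirectory

# Bit values of msDS-SupportedEncryptionTypes that matter for this check.
$EType   = @{ RC4_HMAC = 0x4; AES128_SHA1 = 0x8; AES256_SHA1 = 0x10 }
$AesMask = $EType.AES128_SHA1 -bor $EType.AES256_SHA1

# Hypothetical helper: turns the raw attribute value into a readable finding.
function Get-KerberosETypeFinding {
    param([Nullable[int]]$Value)

    # Null or 0 means the encryption type was never set explicitly, so the
    # account follows whatever default the domain controller applies.
    if ($null -eq $Value -or $Value -eq 0) { return 'Unset (null)' }

    $hasAes = ($Value -band $AesMask) -ne 0
    $hasRc4 = ($Value -band $EType.RC4_HMAC) -ne 0

    if ($hasRc4 -and -not $hasAes) { return 'RC4 without AES' }
    if (-not $hasAes)              { return 'No AES bit set' }
    if ($hasRc4)                   { return 'AES with RC4 still allowed' }
    return 'AES only'
}

# Accounts with an SPN are the ones service tickets are issued for.
# Add -SearchBase or tighten the filter to target the accounts behind
# your profile shares (file server, NAS or storage account identity).
Get-ADObject -LDAPFilter '(servicePrincipalName=*)' `
             -Properties 'msDS-SupportedEncryptionTypes' |
    ForEach-Object {
        [pscustomobject]@{
            Name    = $_.Name
            Class   = $_.ObjectClass
            ETypes  = $_.'msDS-SupportedEncryptionTypes'
            Finding = Get-KerberosETypeFinding $_.'msDS-SupportedEncryptionTypes'
        }
    } |
    Where-Object Finding -ne 'AES only' |
    Sort-Object Finding, Name
```

The query is read-only and reports only what the directory attribute says; it does not show which encryption type tickets are actually being issued with, and it does not confirm that the storage device itself supports AES-SHA1.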

Resources:

Updated Mar 27, 2026
Version 1.0