Forum Discussion

EMR88's avatar
EMR88
Copper Contributor
Apr 14, 2026
Solved

2026-04 Update Breaks Domain Logins

I have an Active Directory domain that is old (from 2000!) that has been upgraded and moved to newer versions of Windows Server and Active Directory. I have domain controller VMs running Windows Server 2025 Standard Edition. Unfortunately they installed the latest 2026-04 patches, which may have changed the Kerberos encryption from RC4 to AES. This has resulted in my not being able to log into any Active Directory domain accounts and the domain controllers themselves. I can only log into workstations using the local account.

Suffice to say, this is a nightmare. Any ideas how to fix it, since I can't access the usual tools like Active Directory Users and Computers, Hyper-V won't connect to the VMs, etc.? Thanks.

  • You will not have a chance to access the domain controller, because there are no local users available.

    The only possible solution I have found is:

    • Restore the domain controller from a backup taken before installing the update.
    • Then reset the password of the administrator. This will force an AES key to be generated.
    • Install the update again.

    Please also have a look at:

    • https://learn.microsoft.com/en-us/windows-server/security/kerberos/detect-remediate-rc4-kerberos

    • https://support.microsoft.com/en-us/topic/how-to-manage-kerberos-kdc-usage-of-rc4-for-service-account-ticket-issuance-changes-related-to-cve-2026-20833-1ebcda33-720a-4da8-93c1-b0496e1910dc

    In my environment it has worked. Hope it works for you.

    Good luck

8 Replies

  • EMR88's avatar
    EMR88
    Copper Contributor

    Thomas--

    Thanks, great minds think alike!  Since my 2 DCs are also VMs, I shut them both down and restored a DC from backup that was dated before the 2026-04 patch.  Once the restored DC was up and running, I enabled the AES encryption attributes on the userids (my AD dates from 2000 so the schema supported AES encryption but it was not enabled on any user accounts leading to my login issues).  I also updated the ticketing service password twice (waiting over 10 hours in between) and modified the GPOs to force AES encryption.

    Once I was able to access all my domain resources again, I realized I was going to experience USN issues since the 2 VM backups were over 6 hours apart by time stamp.  (I have since addressed this issue by adjusting backup schedules so the 2 DCs will be backed up at the same time.)   I restored the second DC VM, started it, logged in and immediately demoted it from being a DC.

    Again I verified that everything inside the domain could be accessed.  I removed DNS from the second DC, waited a few hours, and added back in DNS and AD DS.  All seems to be good now!  I just hope I am already prepared for the next Microsoft enforcement change coming in June 2026.
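Added example, not code from the thread or from Microsoft: the accepted answer's password reset works because Kerberos keys are derived from the password at the moment it is set, so an account whose password predates AES support in the domain simply has no AES key until it is reset. EMR88 additionally set the AES flags in msDS-SupportedEncryptionTypes and rotated the krbtgt (ticket-granting service) password twice. The PowerShell below audits both points while domain logins still work, before an enforcement update goes on: it lists accounts that advertise no AES encryption type together with their password age, reports the krbtgt password age, and with -Fix adds the AES128 and AES256 bits to user accounts without removing existing bits. It assumes the ActiveDirectory RSAT module and a domain admin account; the bit values are the documented msDS-SupportedEncryptionTypes flags, the KrbtgtMaxAgeDays threshold is an assumed local policy value, and the 10-hour wait between krbtgt resets follows the default maximum ticket lifetime. It never changes a password itself.

```powershell
# Added example, not from the thread: audit Kerberos encryption-type readiness
# in Active Directory before installing an RC4-enforcement update.
# Assumes the ActiveDirectory RSAT module and a domain admin account.
#Requires -Modules ActiveDirectory
param(
    [switch]$Fix,                    # add AES128+AES256 flags to user accounts that advertise no AES
    [int]$KrbtgtMaxAgeDays = 180     # assumed local policy for how often krbtgt is rotated
)

# Documented bit values of msDS-SupportedEncryptionTypes
$DES_CRC = 0x1; $DES_MD5 = 0x2; $RC4 = 0x4; $AES128 = 0x8; $AES256 = 0x10

function Get-EncTypeNames {
    param([int]$Value)
    $names = @()
    if ($Value -band $DES_CRC) { $names += 'DES-CBC-CRC' }
    if ($Value -band $DES_MD5) { $names += 'DES-CBC-MD5' }
    if ($Value -band $RC4)     { $names += 'RC4-HMAC' }
    if ($Value -band $AES128)  { $names += 'AES128' }
    if ($Value -band $AES256)  { $names += 'AES256' }
    if ($names.Count -eq 0)    { return '(not set)' }
    $names -join ','
}

# objectClass=user also matches computer and managed service accounts; all carry the attribute.
$accounts = Get-ADObject -LDAPFilter '(objectClass=user)' `
    -Properties sAMAccountName, objectClass, 'msDS-SupportedEncryptionTypes', pwdLastSet

$report = foreach ($a in $accounts) {
    $raw = $a.'msDS-SupportedEncryptionTypes'
    $enc = if ($null -eq $raw) { 0 } else { [int]$raw }
    # pwdLastSet is a FILETIME; 0 means "must change password at next logon"
    $pwdSet = if ($a.pwdLastSet -gt 0) { [DateTime]::FromFileTimeUtc([int64]$a.pwdLastSet) } else { $null }
    [pscustomobject]@{
        Account     = $a.sAMAccountName
        Class       = $a.objectClass
        EncValue    = $enc
        EncTypes    = Get-EncTypeNames $enc
        HasAES      = [bool]($enc -band ($AES128 -bor $AES256))
        PasswordSet = $pwdSet
        DN          = $a.DistinguishedName
    }
}

Write-Host "Accounts advertising no AES encryption type:"
$report | Where-Object { -not $_.HasAES } | Sort-Object Class, Account |
    Format-Table Account, Class, EncTypes, PasswordSet -AutoSize

# krbtgt keys protect every TGT; a very old password means a very old key set.
$krbtgt = Get-ADUser krbtgt -Properties PasswordLastSet
$age = (Get-Date) - $krbtgt.PasswordLastSet
Write-Host ("krbtgt password last set {0:u} ({1} days ago)" -f $krbtgt.PasswordLastSet, [int]$age.TotalDays)
if ($age.TotalDays -gt $KrbtgtMaxAgeDays) {
    Write-Warning "krbtgt is older than $KrbtgtMaxAgeDays days. Reset it twice, waiting longer than the maximum ticket lifetime (10 hours by default) between resets so outstanding tickets stay valid."
}

if ($Fix) {
    # Adds the AES bits to user objects only, keeping whatever bits were already set.
    # The AES keys themselves only come into existence when the account's password is next set.
    $report | Where-Object { -not $_.HasAES -and $_.Class -eq 'user' } | ForEach-Object {
        $newValue = $_.EncValue -bor $AES128 -bor $AES256
        Set-ADObject -Identity $_.DN -Replace @{ 'msDS-SupportedEncryptionTypes' = $newValue }
        Write-Host ("Set msDS-SupportedEncryptionTypes=0x{0:X} on {1}" -f $newValue, $_.Account)
    }
}
```

Run it without -Fix first and read the list: anything still on RC4-only or "(not set)" with a password last set years ago is the account that will stop logging in once the KDC enforces AES, exactly the situation described in the opening post.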

  • rtcpu's avatar
    rtcpu
    Copper Contributor

    For now, you can revert this behaviour from "enforcement mode" to "audit mode" by applying a registry setting to your domain controllers and restarting them. After installing the July 2026 updates you won't be able to roll back.

    Here are some articles to read to understand the changes and what you can do about it.

    What Changed in RC4 with the January 2026 Windows Update and Why it is Important | Microsoft Community Hub

    What is going on with RC4 in Kerberos? | Microsoft Community Hub

    https://support.microsoft.com/en-us/topic/how-to-manage-kerberos-kdc-usage-of-rc4-for-service-account-ticket-issuance-changes-related-to-cve-2026-20833-1ebcda33-720a-4da8-93c1-b0496e1910dc
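Added example, not code from rtcpu's post or from the linked Microsoft articles: while the domain controllers are still in audit mode, the KDC's Security event 4769 (a Kerberos service ticket was requested) records in its TicketEncryptionType field which cipher each service ticket was issued with, 0x17 being RC4-HMAC. The PowerShell below collects those events from a domain controller and groups the RC4 tickets by service account, which tells you which services would break once enforcement is on. The two sample events, the CORP.EXAMPLE realm and the host names are constructed; the encryption-type codes are the standard Kerberos etype numbers. The registry value rtcpu refers to is in the linked support article and is not reproduced here.

```powershell
# Added example, not from the thread: summarise RC4 service-ticket issuance from
# Security event 4769 so that RC4-dependent services are known before enforcement.
# Run on a domain controller with "Audit Kerberos Service Ticket Operations" enabled;
# -Sample parses two constructed events instead, so the parsing can be tried offline.
param(
    [switch]$Sample,
    [int]$MaxEvents = 5000
)

# Ticket encryption type codes as written to the TicketEncryptionType field of event 4769
$EncTypeName = @{
    '0x1'  = 'DES-CBC-CRC'
    '0x3'  = 'DES-CBC-MD5'
    '0x11' = 'AES128-CTS-HMAC-SHA1-96'
    '0x12' = 'AES256-CTS-HMAC-SHA1-96'
    '0x17' = 'RC4-HMAC'
}

function ConvertFrom-Event4769 {
    # Takes event XML strings (what EventLogRecord.ToXml() returns) and yields one row per ticket.
    param([string[]]$EventXml)
    foreach ($text in $EventXml) {
        $xml = [xml]$text
        $ns = New-Object System.Xml.XmlNamespaceManager($xml.NameTable)
        $ns.AddNamespace('e', 'http://schemas.microsoft.com/win/2004/08/events/event')
        $data = @{}
        foreach ($d in $xml.SelectNodes('//e:EventData/e:Data', $ns)) {
            # GetAttribute, not .Name: on an XmlElement .Name is the element name "Data"
            $data[$d.GetAttribute('Name')] = $d.InnerText
        }
        $code = $data['TicketEncryptionType']
        [pscustomobject]@{
            Time        = [datetime]$xml.Event.System.TimeCreated.SystemTime
            Requester   = $data['TargetUserName']
            ServiceName = $data['ServiceName']
            ClientIp    = $data['IpAddress'] -replace '^::ffff:', ''
            EncType     = if ($EncTypeName.ContainsKey($code)) { $EncTypeName[$code] } else { "unknown($code)" }
        }
    }
}

# Two constructed 4769 events (not captured from any real system)
$sampleRc4 = @'
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><EventID>4769</EventID><TimeCreated SystemTime="2026-04-15T08:01:02.000Z"/></System><EventData><Data Name="TargetUserName">jdoe@CORP.EXAMPLE</Data><Data Name="ServiceName">FILESRV01$</Data><Data Name="TicketEncryptionType">0x17</Data><Data Name="IpAddress">::ffff:10.0.0.25</Data></EventData></Event>
'@
$sampleAes = @'
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><EventID>4769</EventID><TimeCreated SystemTime="2026-04-15T08:01:03.000Z"/></System><EventData><Data Name="TargetUserName">jdoe@CORP.EXAMPLE</Data><Data Name="ServiceName">WS01$</Data><Data Name="TicketEncryptionType">0x12</Data><Data Name="IpAddress">::ffff:10.0.0.25</Data></EventData></Event>
'@

$xmlStrings = if ($Sample) { @($sampleRc4, $sampleAes) } else {
    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4769 } -MaxEvents $MaxEvents |
        ForEach-Object { $_.ToXml() }
}

$rows = @(ConvertFrom-Event4769 -EventXml $xmlStrings)
$rc4  = @($rows | Where-Object EncType -eq 'RC4-HMAC')
Write-Host ("{0} of {1} service tickets were RC4; services still depending on RC4:" -f $rc4.Count, $rows.Count)
$rc4 | Group-Object ServiceName | Sort-Object Count -Descending |
    Select-Object Count, Name,
        @{ n = 'Requesters'; e = { ($_.Group.Requester | Sort-Object -Unique) -join ' ' } },
        @{ n = 'Clients';    e = { ($_.Group.ClientIp  | Sort-Object -Unique) -join ' ' } } |
    Format-Table -AutoSize
```

Save it as a .ps1 and run it with -Sample to exercise the parser offline; without the switch it reads the local Security log, so run it on each domain controller (tickets are issued by whichever DC the client reached) and repeat over a period that covers monthly jobs before trusting that nothing depends on RC4.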

  • CHHuber's avatar
    CHHuber
    Copper Contributor

    Same here, 2 domain controllers with Server 2025 say "wrong password" since update 2026-04.
    Any idea how to fix this?

    • CHHuber's avatar
      CHHuber
      Copper Contributor

      I had one more Domain Controller on Server 2019. There I was able to login and to change the Domain Admin Password. Problem solved.

      Maybe it would also be possible to add a new Domain Controller with an older OS and to change the password there ...

    • Mister_K's avatar
      Mister_K
      Copper Contributor

      Same, you can roll out with a backup. Restore your domain controller with a previous backup with your DSRM password. And you'll be fine. 

    • Mister_K's avatar
      Mister_K
      Copper Contributor

      Same as above: Restore your domain controller (where the PDC role is) and you'll be sorted.

      Do not forget to retrieve the DSRM password.

      Good luck.