Forum Discussion
Beyond RC4 for Windows authentication - Question regarding KB5073381
I have been testing this behavior in a lab while analyzing Kerberos events related to the RC4 deprecation effort.
One important observation is that even when an account still allows RC4 (for example when msDS-SupportedEncryptionTypes includes RC4 or is not explicitly defined), modern domain controllers will still prefer AES when both the client and the service support it.
From the event log perspective, you can see this clearly in Event ID 4769. When AES is available, the ticket encryption type will be AES (0x12 or 0x11) even if RC4 is technically still permitted by the account configuration.
In practice, this means that the new recommendation of DefaultDomainSupportedEncTypes = 0x18 aligns with what we are observing operationally: the KDC automatically prefers AES, and RC4 tends to appear mainly when there is a capability mismatch — for example with legacy clients or accounts that do not yet have AES keys because the password has not been reset since AES support was introduced.
For organizations preparing for the RC4 enforcement phase, analyzing Event IDs 4768 and 4769 across domain controllers is extremely helpful for identifying the real sources of RC4 usage before enforcing stronger policies.
For additional technical context and practical analysis approaches, we documented our findings here:
https://github.com/v-jfanca/cve-2026-20833-rc4-kerberos/blob/main/docs/kerberos-rc4-cve-2026-20833-EN-US.md
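As an added illustration of the 4768/4769 analysis described in this post (example code written for this thread, not taken from the original post or from the linked repository), the script below parses Security log events in the XML shape produced by `wevtutil qe /f:xml` or `Get-WinEvent` with `.ToXml()`, tallies the `TicketEncryptionType` field, and lists the accounts and client addresses still receiving RC4 tickets. The five events embedded in it are constructed samples, not captured data; the `<Events>` wrapper element is an assumption added so several records can be parsed as one document. Etype codes follow the values documented for these events (0x11/0x12 AES, 0x17/0x18 RC4, 0xFFFFFFFF for a failed request with no ticket).

```python
"""Tally Kerberos ticket encryption types from exported Security log XML.

Added example for the RC4 deprecation discussion: reads Event 4768 (TGT) and
4769 (service ticket) records, counts the etype of each issued ticket, and
reports which account still needs attention for each RC4 ticket. For 4769 the
interesting account is the service (its key set must gain AES); for 4768 it is
the requesting principal (typically a password never reset since AES arrived).
"""
import xml.etree.ElementTree as ET
from collections import Counter

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

# Etype codes as written into TicketEncryptionType by the Windows KDC audit.
ETYPE_NAMES = {
    0x01: "DES-CBC-CRC",
    0x03: "DES-CBC-MD5",
    0x11: "AES128-CTS-HMAC-SHA1-96",
    0x12: "AES256-CTS-HMAC-SHA1-96",
    0x17: "RC4-HMAC",
    0x18: "RC4-HMAC-EXP",
    0xFFFFFFFF: "(no ticket issued / audit failure)",
}
WEAK_ETYPES = {0x01, 0x03, 0x17, 0x18}

# Constructed sample records (not real DC output). Wrapper <Events> is assumed.
SAMPLE_EVENTS_XML = """<Events>
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
 <System><EventID>4769</EventID><Computer>DC01.corp.example</Computer></System>
 <EventData>
  <Data Name="TargetUserName">alice@CORP.EXAMPLE</Data>
  <Data Name="ServiceName">FILESRV01$</Data>
  <Data Name="TicketEncryptionType">0x12</Data>
  <Data Name="IpAddress">::ffff:10.0.0.21</Data>
  <Data Name="Status">0x0</Data>
 </EventData>
</Event>
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
 <System><EventID>4769</EventID><Computer>DC01.corp.example</Computer></System>
 <EventData>
  <Data Name="TargetUserName">bob@CORP.EXAMPLE</Data>
  <Data Name="ServiceName">svc_legacy</Data>
  <Data Name="TicketEncryptionType">0x17</Data>
  <Data Name="IpAddress">::ffff:10.0.0.77</Data>
  <Data Name="Status">0x0</Data>
 </EventData>
</Event>
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
 <System><EventID>4768</EventID><Computer>DC02.corp.example</Computer></System>
 <EventData>
  <Data Name="TargetUserName">alice</Data>
  <Data Name="ServiceName">krbtgt</Data>
  <Data Name="TicketEncryptionType">0x12</Data>
  <Data Name="IpAddress">::ffff:10.0.0.21</Data>
  <Data Name="Status">0x0</Data>
 </EventData>
</Event>
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
 <System><EventID>4768</EventID><Computer>DC02.corp.example</Computer></System>
 <EventData>
  <Data Name="TargetUserName">oldbox$</Data>
  <Data Name="ServiceName">krbtgt</Data>
  <Data Name="TicketEncryptionType">0x17</Data>
  <Data Name="IpAddress">::ffff:10.0.0.99</Data>
  <Data Name="Status">0x0</Data>
 </EventData>
</Event>
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
 <System><EventID>4769</EventID><Computer>DC01.corp.example</Computer></System>
 <EventData>
  <Data Name="TargetUserName">carol@CORP.EXAMPLE</Data>
  <Data Name="ServiceName">MISSINGSPN</Data>
  <Data Name="TicketEncryptionType">0xffffffff</Data>
  <Data Name="IpAddress">::ffff:10.0.0.30</Data>
  <Data Name="Status">0x7</Data>
 </EventData>
</Event>
</Events>"""


def etype_label(code):
    """Human-readable name for an etype code, tolerating unknown values."""
    return ETYPE_NAMES.get(code, f"unknown etype 0x{code:x}")


def _data(event, name):
    """Text of the <Data Name=...> field inside EventData, or None."""
    node = event.find(f"e:EventData/e:Data[@Name='{name}']", NS)
    return node.text if node is not None else None


def _normalize_ip(ip):
    """Strip the IPv4-mapped prefix the audit writes for IPv4 clients."""
    return ip[7:] if ip and ip.startswith("::ffff:") else ip


def parse_events(xml_text):
    """Return one dict per 4768/4769 record; other event IDs are skipped."""
    records = []
    for event in ET.fromstring(xml_text).findall("e:Event", NS):
        event_id = int(event.find("e:System/e:EventID", NS).text)
        if event_id not in (4768, 4769):
            continue
        records.append({
            "event_id": event_id,
            "dc": event.find("e:System/e:Computer", NS).text,
            "user": _data(event, "TargetUserName"),
            "service": _data(event, "ServiceName"),
            "etype": int(_data(event, "TicketEncryptionType"), 16),
            "ip": _normalize_ip(_data(event, "IpAddress")),
            "status": _data(event, "Status"),
        })
    return records


def summarize(records):
    """Count tickets per etype name across all parsed records."""
    return Counter(etype_label(r["etype"]) for r in records)


def weak_sources(records):
    """Map (account needing attention, client IP) -> RC4/DES ticket count."""
    hits = Counter()
    for r in records:
        if r["etype"] not in WEAK_ETYPES:
            continue
        account = r["service"] if r["event_id"] == 4769 else r["user"]
        hits[(account, r["ip"])] += 1
    return dict(hits)


if __name__ == "__main__":
    recs = parse_events(SAMPLE_EVENTS_XML)
    for name, count in summarize(recs).most_common():
        print(f"{count:4d}  {name}")
    for (account, ip), count in sorted(weak_sources(recs).items()):
        print(f"RC4/DES ticket: account={account} client={ip} count={count}")
```

On a real domain, feed it the output of `wevtutil qe Security "/q:*[System[(EventID=4768 or EventID=4769)]]" /f:xml` from each domain controller, wrapped in a single root element; the (account, client IP) pairs it prints are the capability mismatches the post describes, and each one is either a service or user account whose keys need an AES-capable password reset or a client that cannot negotiate AES.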