
Windows Kerberos hardening may cause authentication issues for some PCs next month

Windows 11's April 2026 update could quietly break logins on some PCs as Microsoft flips a major Kerberos security switch.


All signs point towards the April 2026 update for Windows being pretty major in terms of new features and changes to the operating system. So far, the optional preview update has introduced support for 1000Hz+ displays and improved the File Explorer, and Microsoft has also talked about how it will soon modify a Windows kernel policy that may block many legacy drivers from loading. Now, a Kerberos change may cause some issues for some PCs next month too, unless it is handled properly by IT admins.

With the April security update, Microsoft is hardening the Kerberos network authentication protocol to leverage the AES-SHA1 encryption algorithm for Active Directory objects whose encryption type is not explicitly identified and is set to null. Previously, these objects would fall back to legacy options like RC4, which is not very secure.

The usage of AES-SHA1 may impact FSLogix customers whose profile storage depends on SMB file shares integrated with Active Directory (AD). If these systems do not support AES-SHA1 for Kerberos, authentication may fail. It is worth noting that this is a platform change on the Windows side, and not related to the Azure Virtual Desktop (AVD) service or non-AVD environments.

Customers who rely on Kerberos-based authentication to access SMB storage for FSLogix profiles, or those who have set encryption settings to null or RC4-only, are expected to be directly impacted by this. FSLogix is essentially a configuration that stores portable user profiles in Virtual Hard Disk (VHD) containers on a network share, which is mounted on login. If that sounds like gibberish to you, that's probably a good sign. It likely means that you're not among those impacted or, even if you are, your IT admin will hopefully take care of the encryption fallback for you.

The timeline for this Kerberos change is as follows:

  • April 2026: Enforcement Phase with manual rollback: Default Kerberos behavior changes so domain controllers use AES‑SHA1-only encryption for accounts without explicit encryption type settings, and Enforcement mode is enabled by default on Windows domain controllers. Audit mode remains available as a manual rollback option until July 2026.
  • July 2026: Enforcement Phase: Audit mode is removed, leaving Enforcement mode as the only option.

Microsoft has encouraged IT admins to identify potential RC4 usage for AD objects that are associated with SMB access, particularly that used for FSLogix profiles. If any such instance is found, it should be updated to support AES-SHA1, and the authentication process should be validated.
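As an added illustration of that review (not code from Microsoft or from this article), the Python sketch below sorts accounts into the categories described above: encryption type unset, RC4-only, or AES-capable. It assumes the accounts tied to the SMB share were exported to CSV along with the AD attribute `msDS-SupportedEncryptionTypes`; the account names and values are constructed sample data.

```python
import csv
import io

# Bit flags of the msDS-SupportedEncryptionTypes attribute (MS-KILE).
ETYPES = {
    0x01: "DES-CBC-CRC",
    0x02: "DES-CBC-MD5",
    0x04: "RC4-HMAC",
    0x08: "AES128-CTS-HMAC-SHA1-96",
    0x10: "AES256-CTS-HMAC-SHA1-96",
}
AES_MASK = 0x08 | 0x10
RC4_BIT = 0x04

# Constructed sample export: account name, raw attribute value (empty = not set).
SAMPLE_EXPORT = """name,msDS-SupportedEncryptionTypes
svc-fslogix-share,
FILESRV01$,4
FILESRV02$,28
nas-profiles$,0x18
legacy-nas$,0
"""

def decode(value):
    """Return the names of the encryption types set in the bitmask."""
    return [name for bit, name in ETYPES.items() if value & bit]

def classify(raw):
    """Map a raw attribute value to the categories the article describes."""
    raw = (raw or "").strip()
    if not raw or int(raw, 0) == 0:
        return "unset"  # empty or 0 is treated here as no explicit setting
    value = int(raw, 0)
    if not value & AES_MASK:
        return "rc4-only" if value & RC4_BIT else "legacy-only"
    return "aes+rc4" if value & RC4_BIT else "aes-only"

def audit(export_text):
    """Return {account: (category, [etype names])} for a CSV export."""
    result = {}
    for row in csv.DictReader(io.StringIO(export_text)):
        raw = (row["msDS-SupportedEncryptionTypes"] or "").strip()
        result[row["name"]] = (classify(raw), decode(int(raw, 0) if raw else 0))
    return result

if __name__ == "__main__":
    for account, (category, etypes) in audit(SAMPLE_EXPORT).items():
        flag = "REVIEW" if category in ("unset", "rc4-only", "legacy-only") else "ok"
        print(f"{flag:6} {account:20} {category:12} {', '.join(etypes) or '-'}")
```

Accounts flagged `REVIEW` are the ones to check against the storage system's AES-SHA1 support before Enforcement mode becomes the only option.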

The Redmond tech firm has been hardening Windows on the network authentication front for quite some time. It recently patched a Kerberos vulnerability for Domain Controllers (DCs) and is phasing out NTLM in favor of Kerberos too.
