Azure Files RC4 Encryption Impact

Tikoo, Shivata 0 Reputation points
2026-05-08T11:38:13.3333333+00:00

Hello Team,

We have received a notification regarding the need to upgrade the encryption protocol from RC4 to AES-256 on the Azure Storage Account file share currently being used for FSLogix profiles.

We would appreciate your guidance on the following points:

  • The recommended procedure to upgrade or migrate the existing configuration from RC4 to AES-256.
  • Any prerequisites, compatibility requirements, or dependencies that should be verified before performing the upgrade.
  • Whether there will be any impact on existing FSLogix profile containers subscriptions or active user sessions during the change.
  • Recommended validation steps and rollback considerations, if applicable.
  • Any Microsoft documentation or best practices related to this upgrade.

Please let us know the recommended approach and any precautions we should take before proceeding.

Azure Files

An Azure service that offers file shares in the cloud.


2 answers

  1. Ravi Varma Mudduluru 12,455 Reputation points Microsoft External Staff Moderator
    2026-05-08T16:54:33.29+00:00

    Hello @Tikoo, Shivata,

    Thank you for reaching out to Microsoft Q&A.

    It looks like you’re getting ready for the July 2026 Windows update that flips Kerberos defaults from RC4 to AES-256. Here’s a high-level playbook you can share with your team:

    1. Prerequisites & Compatibility
       • Make sure you’re running the AzFilesHybrid PowerShell module v0.2.2 or later (AES-256 became default in v0.2.5).
       • Confirm your on-prem AD DS domain controllers and clients support AES-256 Kerberos.
       • If you’ve got custom SPNs or DNS suffixes for your file share (e.g., “storageaccount.company.local”), note that an April 2026 update may hit you sooner—plan accordingly.
       • Verify your SMB clients (Windows Server versions, FSLogix agent versions, etc.) can negotiate SMB 3.x + Kerberos/AES.

    2. Upgrade Procedure
       a. Install or update AzFilesHybrid on one domain-joined server:
              Install-Module AzFilesHybrid -Force
       b. Re-register your storage account for Kerberos with AES:
              $ctx = New-AzStorageContext -StorageAccountName <name> -StorageAccountKey <key>
              Update-AzFilesKerberosEncryption -Context $ctx -EncryptionType AES256
       c. Confirm the msDS-SupportedEncryptionTypes attribute on the computer object for your Azure Files computer account is set to include AES (and no longer blank).

    3. Impact on FSLogix & User Sessions
       • New Kerberos tickets will negotiate AES-256. Existing RC4 tickets remain valid until they expire, so plan this during a maintenance window.
       • Users may need to re-mount their file shares or log off/on to get new tickets.
       • FSLogix profile containers themselves aren’t touched—the change is at the SMB/Kerberos layer.

    4. Validation Steps
       • On a client, run klist tickets /raw and look for “CTGS: AES256-…” against your file share SPN.
       • Test mount operations from a representative Windows client (with FSLogix agent installed).
       • Monitor Windows event logs for any Kerberos errors (Event ID 4768/4771/4776).

    5. Rollback Considerations
       • If you run into mount failures, you can re-enable RC4 by re-running Update-AzFilesKerberosEncryption and including the RC4 bit in the -EncryptionType parameter.
       • Keep your previous msDS-SupportedEncryptionTypes values handy so you can revert quickly.

    6. References & Further Reading
       • Troubleshooting Azure Files Kerberos encryption: https://learn.microsoft.com/troubleshoot/azure/azure-storage/files/security/files-troubleshoot-smb-authentication
       • Azure Files planning (encryption section): https://learn.microsoft.com/azure/storage/files/storage-files-planning#encryption-for-azure-files
       • Transition Azure NetApp Files from RC4 to AES: https://learn.microsoft.com/azure/azure-netapp-files/azure-netapp-files-smb-performance#smb-encryption

    If the answer is helpful, please click "Accept Answer" and kindly upvote it. If you have extra questions about this answer, please click "Comment".

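The upgrade and validation steps described in the answer above, as an added, editor-written example (not code from the original answer or from Microsoft). It uses the AzFilesHybrid cmdlets Update-AzStorageAccountAuthForAES256 and Debug-AzStorageAccountAuth, which are the module's documented cmdlets for this task; the resource group and storage account names are placeholders, and the klist output parsing assumes the standard English klist layout (Server line followed by the KerbTicket Encryption Type line). Run it elevated on a domain-joined machine where AzFilesHybrid and the Az modules are installed.

```powershell
# Added example: rotate one storage account's AD DS Kerberos key to AES-256 and
# verify the AD attribute and a freshly issued service ticket.
# Assumptions (replace): resource group and storage account names below.
param(
    [string]$ResourceGroupName  = 'rg-fslogix',          # assumption
    [string]$StorageAccountName = 'stfslogixprofiles'    # assumption
)

Import-Module AzFilesHybrid        # assumed already downloaded and unblocked per its README
Import-Module ActiveDirectory      # RSAT AD module, for Get-ADObject
Connect-AzAccount | Out-Null

# 1. Pre-change snapshot: which AD object backs the account, and what etypes it allows.
$acct    = Get-AzStorageAccount -ResourceGroupName $ResourceGroupName -StorageAccountName $StorageAccountName
$adProps = $acct.AzureFilesIdentityBasedAuth.ActiveDirectoryProperties
$spn     = "cifs/$StorageAccountName.file.core.windows.net"   # public-cloud SPN; adjust for custom DNS suffixes
$adObj   = Get-ADObject -LDAPFilter "(servicePrincipalName=$spn)" -Properties 'msDS-SupportedEncryptionTypes'
$before  = $adObj.'msDS-SupportedEncryptionTypes'
Write-Host "Before: SID=$($adProps.AzureStorageSid) domain=$($adProps.DomainName) msDS-SupportedEncryptionTypes=$before"

# 2. Rotate the Kerberos key to AES-256. This resets the AD object's password and
#    stamps msDS-SupportedEncryptionTypes, so it is the step to do in a maintenance window.
Update-AzStorageAccountAuthForAES256 -ResourceGroupName $ResourceGroupName -StorageAccountName $StorageAccountName

# 3. Module's own post-checks (SPN, SID, password age, share access).
Debug-AzStorageAccountAuth -ResourceGroupName $ResourceGroupName -StorageAccountName $StorageAccountName -Verbose

# 4. Re-read the attribute and decode the bit flags (0x4 RC4, 0x8 AES128, 0x10 AES256).
$after = (Get-ADObject -Identity $adObj.DistinguishedName -Properties 'msDS-SupportedEncryptionTypes').'msDS-SupportedEncryptionTypes'
$names = @{ 0x4 = 'RC4-HMAC'; 0x8 = 'AES128'; 0x10 = 'AES256' }
$enabled = $names.Keys | Where-Object { $after -band $_ } | ForEach-Object { $names[$_] }
Write-Host "After: msDS-SupportedEncryptionTypes=$after ($($enabled -join ', '))"
if (-not ($after -band 0x10)) { Write-Warning 'AES256 bit not set on the AD object; do not proceed to the Windows update' }

# 5. Drop cached tickets for this logon session, request a new service ticket for the
#    share's SPN, and read back the encryption type the KDC used for it.
klist purge | Out-Null
klist get $spn | Out-Null
$dump = (klist) -join "`n"
$pattern = "(?s)Server:\s*$([regex]::Escape($spn))[^\n]*\n.*?KerbTicket Encryption Type:\s*([^\r\n]+)"
if ($dump -match $pattern) {
    Write-Host "Service ticket for $spn uses: $($Matches[1])"   # expect an AES-256-CTS-HMAC-SHA1-96 ticket
} else {
    Write-Warning "No service ticket found for $spn; check DNS, SPN registration and DC reachability"
}
```

The ticket check is the one that matters for FSLogix: the AD attribute tells you what the KDC is allowed to issue, while the klist line shows what it actually issued to this client for this SPN. Existing sessions keep their RC4 tickets until they expire, so repeat step 5 on a representative session host after a sign-out/sign-in.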

  2. AI answer

    2026-05-08T11:38:32.71+00:00

    For Azure Files with on-premises AD DS authentication, Kerberos encryption must be moved off RC4 to avoid upcoming Windows changes that will break SMB access. For FSLogix, the same hardening applies because FSLogix profile containers are stored on SMB file shares.

    Below is the guidance based on the provided information.

    1. Recommended procedure to move from RC4 to AES

    For Azure Files using on-premises AD DS authentication:

    1. Identify storage accounts still using RC4-only SPNs:
      • Run the following PowerShell command on a domain-joined machine:
             Get-ADObject `
                 -LDAPFilter "(&(servicePrincipalName=*.file.core.windows.net)(!(msDS-SupportedEncryptionTypes=*)))" -Properties servicePrincipalName, msDS-SupportedEncryptionTypes |
                 Select-Object Name, ObjectClass, servicePrincipalName, msDS-SupportedEncryptionTypes
        
      • Any Azure Files computer objects returned without msDS-SupportedEncryptionTypes set are effectively RC4-only and must be updated.
    2. Upgrade the Azure Files AD DS integration to support AES-256:
      • Ensure use of AzFilesHybrid module v0.2.2 or later (AES-256 supported) and preferably v0.2.5 or later (AES-256 default) when (re)configuring the storage account’s AD DS integration.
      • Re-run the AzFilesHybrid configuration steps so that the storage account’s computer object in AD is stamped with msDS-SupportedEncryptionTypes including AES-256.

    For FSLogix profile containers on SMB storage (Azure Files or Azure NetApp Files):

    • Windows is changing the default Kerberos encryption type from RC4 to AES-SHA1 starting with the April 2026 Windows Server update.
    • File shares hosting FSLogix containers must be upgraded to support AES-SHA1 before installing that update.
    • For Azure Files or Azure NetApp Files used by FSLogix, ensure the underlying SMB/Kerberos configuration (as above for Azure Files, or per storage provider guidance) is updated so that Kerberos tickets can be issued using AES rather than RC4.

    2. Prerequisites, compatibility, and dependencies

    Before upgrading:

    • Azure Files with on-prem AD DS:
      • Confirm the AzFilesHybrid module version is at least v0.2.2; v0.2.5 or later is recommended so AES-256 is the default.
      • Ensure domain controllers and domain functional level support AES Kerberos encryption.
      • If using custom DNS suffixes or custom SPNs (for example, storageaccount.domain.com instead of <storageaccount>.file.core.windows.net), be aware these may be impacted earlier (April 2026 Windows Update) and must be upgraded before that update.
    • FSLogix profile containers:
      • Confirm that the SMB storage (Azure Files, Azure NetApp Files, or other SMB provider) supports AES-based Kerberos.
      • Ensure session hosts are joined to a supported identity source (AD DS, Microsoft Entra Domain Services, or Microsoft Entra ID with Kerberos) as per the chosen FSLogix configuration.
      • Verify that share-level and NTFS permissions are correctly configured for the user groups that access FSLogix containers.

    3. Impact on existing FSLogix profiles and active sessions
    • The change is at the Kerberos encryption level between clients, domain controllers (or Microsoft Entra Kerberos), and the SMB file share.
    • When properly configured, upgrading to AES-based Kerberos should not change the FSLogix container layout or data.
    • Potential impact if not upgraded before Windows hardening:
      • After the April 2026 Windows Server update (and later RC4 hardening changes), file shares that still rely on RC4 may experience access issues.
      • For FSLogix, this can manifest as failures to attach profile containers, leading to temporary or local profiles instead of the expected roaming profile.

    To minimize impact:

    • Perform the Kerberos/AES configuration change and validation before deploying the Windows updates that enforce AES.
    • Schedule changes during a maintenance window to avoid affecting active user sessions while testing.

    4. Validation steps and rollback considerations

    Validation steps:

    1. Pre-change inventory:
      • Use the Get-ADObject command above to list storage accounts still missing msDS-SupportedEncryptionTypes.
    2. Post-change verification for Azure Files:
      • Confirm that the storage account’s computer object in AD now has msDS-SupportedEncryptionTypes populated to include AES-256.
      • From a domain-joined session host, access the Azure Files share and verify successful mount and file operations.
    3. FSLogix-specific validation:
      • Sign in with a test user to a session host that uses FSLogix profile containers.
      • Confirm that the FSLogix profile container attaches successfully and that the profile behaves as expected.
      • Check FSLogix logs on the session host for any SMB or authentication errors.

    Rollback considerations:

    • The primary risk is applying the Windows updates that disable/limit RC4 before the storage and identity configuration is ready for AES.
    • If issues are encountered after enabling AES support but before the Windows hardening updates are installed, revert to the previous configuration of the storage account’s AD object and AzFilesHybrid settings if necessary.
    • Once Windows hardening updates are installed and RC4 is restricted, rollback options are limited; the recommended path is to correct the Kerberos/AES configuration rather than revert the OS update.

    5. Documentation and best practices

    Relevant guidance from the provided content:

    • Azure Files and on-premises AD DS:
      • AES-256 Kerberos encryption is supported from AzFilesHybrid v0.2.2 and is the default from v0.2.5.
      • Storage accounts not upgraded to AES-256 may experience mount errors when the July 2026 Windows Server update changes the default Kerberos encryption type from RC4 to AES-256.
      • Storage accounts with custom DNS suffixes or SPNs may be impacted earlier, starting with the April 2026 Windows Update.
    • FSLogix profile containers on SMB storage (Azure Files, Azure NetApp Files, or other SMB):
      • The April 2026 Windows Server update changes the default Kerberos encryption type from RC4 to AES-SHA1.
      • File shares hosting FSLogix containers that are not upgraded to AES-SHA1 may have access issues after this change.
      • Complete the upgrade to AES-SHA1 before installing the April 2026 update.
    • FSLogix storage and permissions:
      • FSLogix uses SMB storage with NTFS ACLs and, for Azure Files, requires an AD source and appropriate share-level permissions.
      • Ensure share-level and NTFS permissions are correctly configured for the user groups using FSLogix.

    Following these steps and validating before applying the Windows hardening updates will minimize disruption to FSLogix profiles and Azure Files access.


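The pre-change inventory and rollback bookkeeping described in the answer above, as an added, editor-written example (not code from the original answer or from Microsoft). It extends the single Get-ADObject query into a reusable inventory that decodes the msDS-SupportedEncryptionTypes bit flags for every Azure Files object, writes a snapshot you can restore from, and restores one entry with Set-ADObject. Assumptions: the RSAT ActiveDirectory module is installed; the SPN suffix parameter defaults to the public cloud and must be changed for custom DNS suffixes or other clouds; restoring the attribute is only meaningful before the Windows hardening update is installed, and you should re-run the klist check after any restore because this does not undo the key rotation done by AzFilesHybrid.

```powershell
# Added example: inventory, snapshot and restore msDS-SupportedEncryptionTypes for
# Azure Files computer objects in AD DS.
Import-Module ActiveDirectory

# Kerberos etype bit flags as stored in msDS-SupportedEncryptionTypes.
$EtypeFlags = [ordered]@{
    'DES-CBC-CRC' = 0x01; 'DES-CBC-MD5' = 0x02; 'RC4-HMAC' = 0x04
    'AES128'      = 0x08; 'AES256'      = 0x10
}

function Get-AzFilesKerberosInventory {
    param([string]$SpnSuffix = '.file.core.windows.net')   # assumption: public-cloud suffix
    Get-ADObject -LDAPFilter "(servicePrincipalName=cifs/*$SpnSuffix)" `
                 -Properties servicePrincipalName, 'msDS-SupportedEncryptionTypes' |
    ForEach-Object {
        $raw = $_.'msDS-SupportedEncryptionTypes'
        $enabled = $EtypeFlags.GetEnumerator() | Where-Object { $raw -band $_.Value } | ForEach-Object Key
        # Unset attribute: the DC falls back to RC4 for this account, which is exactly
        # the state the Get-ADObject query in the answer is looking for.
        $status = if ($null -eq $raw -or $raw -eq 0) { 'RC4-only (attribute unset)' }
                  elseif ($raw -band 0x18)            { 'AES-capable' }
                  else                                { 'RC4-only' }
        [pscustomobject]@{
            Name     = $_.Name
            DN       = $_.DistinguishedName
            SPN      = @($_.servicePrincipalName | Where-Object { $_ -like "cifs/*$SpnSuffix" })[0]
            RawValue = $raw
            Enabled  = ($enabled -join ',')
            Status   = $status
        }
    }
}

# Write the current values to disk before touching anything (the "keep your previous
# values handy" step from the answers).
function Save-EtypeSnapshot {
    param([Parameter(Mandatory)][string]$Path)
    @(Get-AzFilesKerberosInventory) | ConvertTo-Json -Depth 3 | Set-Content -Path $Path
}

# Put one object back to the value recorded in a snapshot. A null RawValue means the
# attribute was unset, so it is cleared rather than written as 0.
function Restore-EtypeFromSnapshot {
    param([Parameter(Mandatory)][string]$Path, [Parameter(Mandatory)][string]$Name)
    $entry = @(Get-Content -Path $Path -Raw | ConvertFrom-Json) | Where-Object { $_.Name -eq $Name }
    if (-not $entry) { throw "No snapshot entry for '$Name' in $Path" }
    if ($null -eq $entry.RawValue) {
        Set-ADObject -Identity $entry.DN -Clear 'msDS-SupportedEncryptionTypes'
    } else {
        Set-ADObject -Identity $entry.DN -Replace @{ 'msDS-SupportedEncryptionTypes' = [int]$entry.RawValue }
    }
}

# Usage: list what still needs work, then snapshot before running AzFilesHybrid.
Get-AzFilesKerberosInventory | Format-Table Name, Status, Enabled, SPN -AutoSize
Save-EtypeSnapshot -Path "$env:TEMP\azfiles-etype-before.json"
# Later, if a share stops mounting and the Windows hardening update is not yet installed:
# Restore-EtypeFromSnapshot -Path "$env:TEMP\azfiles-etype-before.json" -Name 'stfslogixprofiles'   # name is an assumption
```

The Status column is the triage view: anything not reported as AES-capable is a storage account that will lose Kerberos SMB access once the client or DC stops offering RC4. Restoring the attribute from the snapshot is a stopgap that reopens RC4, so treat it as a way to buy time for fixing the AES configuration, not as the end state.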
