For Azure Files with on-premises AD DS authentication, the Kerberos encryption type advertised by the storage account's AD computer object must be moved off RC4 before the Windows updates that change the default Kerberos encryption type, otherwise SMB access to the share will fail. The same hardening applies to FSLogix, because profile containers are stored on SMB file shares that session hosts mount with Kerberos.
Below is the guidance based on the provided information.
- Recommended procedure to move from RC4 to AES
For Azure Files using on-premises AD DS authentication:
- Identify storage accounts still using RC4-only SPNs:
- Run the following PowerShell command on a domain-joined machine (it needs the ActiveDirectory module from RSAT):
# Lists Azure Files SPN objects that have no msDS-SupportedEncryptionTypes value at all
Get-ADObject `
    -LDAPFilter "(&(servicePrincipalName=*.file.core.windows.net)(!(msDS-SupportedEncryptionTypes=*)))" `
    -Properties servicePrincipalName, msDS-SupportedEncryptionTypes |
    Select-Object Name, ObjectClass, servicePrincipalName, msDS-SupportedEncryptionTypes
- Any Azure Files computer objects returned without msDS-SupportedEncryptionTypes set are effectively RC4-only (an unset attribute is treated as RC4 by the legacy domain controller default) and must be updated.
- This filter only catches objects where the attribute is absent. An object whose attribute is set but contains only the RC4 bit (value 4, 0x4) is equally RC4-only and will not appear, so also inspect the value on any object that already has one (AES-128 is bit 0x8, AES-256 is bit 0x10).
- Upgrade the Azure Files AD DS integration to support AES-256:
- Ensure use of AzFilesHybrid module v0.2.2 or later (AES-256 supported) and preferably v0.2.5 or later (AES-256 default) when (re)configuring the storage account’s AD DS integration.
- Re-run the AzFilesHybrid configuration steps so that the storage account's computer object in AD is stamped with msDS-SupportedEncryptionTypes including AES-256.
For FSLogix profile containers on SMB storage (Azure Files or Azure NetApp Files):
- Windows is changing the default Kerberos encryption type from RC4 to AES-SHA1 (the AES128/AES256-CTS-HMAC-SHA1-96 encryption types) starting with the April 2026 Windows Server update.
- File shares hosting FSLogix containers must be upgraded to support AES-SHA1 before installing that update.
- For Azure Files or Azure NetApp Files used by FSLogix, ensure the underlying SMB/Kerberos configuration (as above for Azure Files, or per storage provider guidance) is updated so that Kerberos tickets can be issued using AES rather than RC4.
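The identify-and-upgrade procedure above, as a PowerShell script added here for illustration; it is not part of the original guidance or of Microsoft's documentation. Resource group, storage account and the minimum version are placeholders or assumptions to adjust. Update-AzStorageAccountAuthForAES256 and Debug-AzStorageAccountAuth are cmdlets exposed by the AzFilesHybrid module; confirm they exist in your installed version with Get-Command -Module AzFilesHybrid before relying on them. The inventory step deliberately lists every Azure Files object and decodes the AES-256 bit, so it also catches objects whose attribute is set to RC4 only, which the absent-attribute filter above misses.

```powershell
# Added example (not from the original guidance). Assumptions:
#   - Az and AzFilesHybrid are installed (AzFilesHybrid via CopyToPSPath.ps1 from its release zip);
#   - run from a domain-joined admin session with the RSAT ActiveDirectory module and rights to
#     modify the storage account's computer object;
#   - $ResourceGroup / $StorageAccount are placeholders.
$ResourceGroup  = 'rg-avd-storage'   # placeholder
$StorageAccount = 'mystorageacct'    # placeholder
$MinVersion     = [version]'0.2.5'   # AES-256 is the default from this release (supported from 0.2.2)

# 1. Refuse to continue on a module release that predates AES-256-by-default
$mod = Get-Module -ListAvailable -Name AzFilesHybrid | Sort-Object Version -Descending | Select-Object -First 1
if (-not $mod -or $mod.Version -lt $MinVersion) {
    throw "AzFilesHybrid '$($mod.Version)' found; $MinVersion or later is required for this procedure."
}
Import-Module AzFilesHybrid -MinimumVersion $MinVersion
Connect-AzAccount | Out-Null          # interactive sign-in; add Select-AzSubscription if you have several

# 2. Inventory: every Azure Files object with its encryption-type bitmask and whether AES-256 (0x10) is set.
#    An absent attribute shows as an empty EncTypes column and AES256 = False (RC4 by legacy default).
Get-ADObject -LDAPFilter '(servicePrincipalName=cifs/*.file.core.windows.net)' `
             -Properties servicePrincipalName, msDS-SupportedEncryptionTypes |
    Select-Object Name,
        @{ n = 'Account';  e = { ($_.servicePrincipalName | Where-Object { $_ -like 'cifs/*' } |
                                   Select-Object -First 1) -replace '^cifs/' } },
        @{ n = 'EncTypes'; e = { $_.'msDS-SupportedEncryptionTypes' } },
        @{ n = 'AES256';   e = { [bool]($_.'msDS-SupportedEncryptionTypes' -band 0x10) } } |
    Format-Table -AutoSize

# 3. Upgrade one storage account. The cmdlet sets msDS-SupportedEncryptionTypes to AES-256 on the AD object
#    (my understanding is it also refreshes the account's Kerberos key; check Get-Help for your version).
#    Run it once per account, inside a maintenance window.
Update-AzStorageAccountAuthForAES256 -ResourceGroupName $ResourceGroup -StorageAccountName $StorageAccount

# 4. Post-change: the module's own diagnostic, then re-read the attribute and fail loudly if AES-256 is absent
Debug-AzStorageAccountAuth -ResourceGroupName $ResourceGroup -StorageAccountName $StorageAccount -Verbose
$after = Get-ADObject -LDAPFilter "(servicePrincipalName=cifs/$StorageAccount.file.core.windows.net)" `
                      -Properties msDS-SupportedEncryptionTypes
if (-not ($after.'msDS-SupportedEncryptionTypes' -band 0x10)) {
    throw "AES-256 (0x10) is still not set on $($after.Name); do not install the RC4 hardening updates yet"
}
```

Run step 2 on its own first and keep its output as the pre-change inventory; rerun it after step 3 across all accounts so the AES256 column is True everywhere before the Windows updates are approved.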
- Prerequisites, compatibility, and dependencies
Before upgrading:
- Azure Files with on-prem AD DS:
- Confirm the AzFilesHybrid module version is at least v0.2.2; v0.2.5 or later is recommended so AES-256 is the default.
- Ensure domain controllers and domain functional level support AES Kerberos encryption.
- If using custom DNS suffixes or custom SPNs (for example, storageaccount.domain.com instead of <storageaccount>.file.core.windows.net), be aware these may be impacted earlier (April 2026 Windows Update) and must be upgraded before that update.
- FSLogix profile containers:
- Confirm that the SMB storage (Azure Files, Azure NetApp Files, or other SMB provider) supports AES-based Kerberos.
- Ensure session hosts are joined to a supported identity source (AD DS, Microsoft Entra Domain Services, or Microsoft Entra ID with Kerberos) as per the chosen FSLogix configuration.
- Verify that share-level and NTFS permissions are correctly configured for the user groups that access FSLogix containers.
- Impact on existing FSLogix profiles and active sessions
- The change is at the Kerberos encryption level between clients, domain controllers (or Microsoft Entra Kerberos), and the SMB file share.
- When properly configured, upgrading to AES-based Kerberos should not change the FSLogix container layout or data.
- Potential impact if not upgraded before Windows hardening:
- After the April 2026 Windows Server update (and later RC4 hardening changes), file shares that still rely on RC4 may experience access issues.
- For FSLogix, this can manifest as failures to attach profile containers, leading to temporary or local profiles instead of the expected roaming profile.
To minimize impact:
- Perform the Kerberos/AES configuration change and validation before deploying the Windows updates that enforce AES.
- Schedule changes during a maintenance window to avoid affecting active user sessions while testing.
- Validation steps and rollback considerations
Validation steps:
- Pre-change inventory:
- Use the Get-ADObject command above to list storage accounts still missing msDS-SupportedEncryptionTypes.
- Post-change verification for Azure Files:
- Confirm that the storage account's computer object in AD now has msDS-SupportedEncryptionTypes populated to include AES-256.
- From a domain-joined session host, access the Azure Files share and verify successful mount and file operations.
- FSLogix-specific validation:
- Sign in with a test user to a session host that uses FSLogix profile containers.
- Confirm that the FSLogix profile container attaches successfully and that the profile behaves as expected.
- Check FSLogix logs on the session host for any SMB or authentication errors.
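The post-change verification and FSLogix-specific validation steps above, as a PowerShell script added here for illustration; it is not part of the original guidance or of FSLogix or Azure Files documentation. Storage account and share names are placeholders, the FSLogix log folder is the product's default location, and the keyword list used to filter the log is a heuristic. The useful part beyond the prose is the ticket check: it purges cached tickets, requests a fresh service ticket for the share's SPN and reads the encryption type klist reports, so the result reflects what the KDC issues now rather than a ticket cached before the change.

```powershell
# Added validation script (not from the original guidance). Assumptions:
#   - run on a domain-joined session host as a test user, with the RSAT ActiveDirectory module;
#   - $StorageAccount / $ShareName are placeholders; $FsLogixLogDir is FSLogix's default profile log folder;
#   - msDS-SupportedEncryptionTypes bit values per MS-KILE: 0x1 DES-CBC-CRC, 0x2 DES-CBC-MD5,
#     0x4 RC4-HMAC, 0x8 AES128-CTS-HMAC-SHA1-96, 0x10 AES256-CTS-HMAC-SHA1-96.
$StorageAccount = 'mystorageacct'                          # placeholder
$ShareName      = 'fslogix-profiles'                       # placeholder
$FsLogixLogDir  = 'C:\ProgramData\FSLogix\Logs\Profile'    # FSLogix default
$Fqdn           = "$StorageAccount.file.core.windows.net"
$Spn            = "cifs/$Fqdn"

function ConvertFrom-SupportedEncryptionTypes {
    # Decode the bitmask into etype names; $null means the attribute is not set (legacy default: RC4 only)
    param([AllowNull()][object]$Value)
    if ($null -eq $Value) { return @('NOT SET (RC4 by legacy default)') }
    $map = [ordered]@{ 0x1 = 'DES-CBC-CRC'; 0x2 = 'DES-CBC-MD5'; 0x4 = 'RC4-HMAC'
                       0x8 = 'AES128-CTS-HMAC-SHA1-96'; 0x10 = 'AES256-CTS-HMAC-SHA1-96' }
    @($map.GetEnumerator() | Where-Object { ([int]$Value) -band $_.Key } | ForEach-Object { $_.Value })
}

# 1. Directory side: the storage account's AD object must advertise AES-256
$obj = Get-ADObject -LDAPFilter "(servicePrincipalName=$Spn)" -Properties msDS-SupportedEncryptionTypes
if (-not $obj) { throw "No AD object carries SPN $Spn; AD DS integration is not configured for $StorageAccount" }
$etypes = ConvertFrom-SupportedEncryptionTypes $obj.'msDS-SupportedEncryptionTypes'
"AD object $($obj.Name): $($etypes -join ', ')"
if ($etypes -notcontains 'AES256-CTS-HMAC-SHA1-96') { Write-Warning "AES-256 is not enabled on $($obj.Name)" }

# 2. Client side: drop cached tickets, request a fresh service ticket for the share, read its etype.
#    Without the purge, an RC4 ticket cached before the change could make the test pass for the wrong reason.
klist purge | Out-Null
klist get $Spn | Out-Null
$ticketEtype = $null; $inTarget = $false
foreach ($line in (klist)) {
    if ($line -match '^\s*Server:\s*(\S+)') { $inTarget = ($Matches[1] -eq $Spn) }
    elseif ($inTarget -and $line -match 'KerbTicket Encryption Type:\s*(\S+)') { $ticketEtype = $Matches[1]; break }
}
"Service ticket for $Spn : $ticketEtype"
if (-not $ticketEtype)             { Write-Warning "No ticket for $Spn was issued; check DNS, the SPN and the KDC" }
elseif ($ticketEtype -like 'RC4*') { Write-Warning "Ticket is still RC4; this share will break once RC4 is removed" }

# 3. Share access as the test user: mount, then a write/delete round trip (what FSLogix needs at sign-in)
$probe = "\\$Fqdn\$ShareName"
if (-not (Test-Path $probe)) { Write-Warning "Cannot reach $probe as $env:USERNAME" }
$tmp = Join-Path $probe "aes-check-$([guid]::NewGuid()).txt"
Set-Content -Path $tmp -Value 'ok' -ErrorAction Stop
Remove-Item $tmp

# 4. FSLogix: newest profile log, filtered for authentication/SMB-related failures (keyword list is a heuristic;
#    0x80070005 = access denied, 0x8007052e = logon failure)
Get-ChildItem $FsLogixLogDir -Filter 'Profile-*.log' -ErrorAction SilentlyContinue |
    Sort-Object LastWriteTime -Descending | Select-Object -First 1 |
    Select-String -Pattern 'ERROR|denied|0x80070005|0x8007052e|logon failure|SMB|Kerberos' |
    ForEach-Object { $_.Line }
```

Run it twice: once before the AzFilesHybrid change as a baseline (expect an RC4 ticket and no AES-256 bit), and once after, where the ticket line should read AES-256-CTS-HMAC-SHA1-96 and steps 3 and 4 should show no access errors.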
Rollback considerations:
- The primary risk is applying the Windows updates that disable/limit RC4 before the storage and identity configuration is ready for AES.
- If issues are encountered after enabling AES support but before the Windows hardening updates are installed, the storage account's AD object and AzFilesHybrid configuration can still be reverted to their previous state. After any such change, forward or back, purge cached tickets on the test clients (klist purge) so that a stale ticket issued under the old configuration does not mask the real state.
- Once Windows hardening updates are installed and RC4 is restricted, rollback options are limited; the recommended path is to correct the Kerberos/AES configuration rather than revert the OS update.
- Documentation and best practices
Relevant guidance from the provided content:
- Azure Files and on-premises AD DS:
- AES-256 Kerberos encryption is supported from AzFilesHybrid v0.2.2 and is the default from v0.2.5.
- Storage accounts not upgraded to AES-256 may experience mount errors when the July 2026 Windows Server update changes the default Kerberos encryption type from RC4 to AES-256.
- Storage accounts with custom DNS suffixes or SPNs may be impacted earlier, starting with the April 2026 Windows Update.
- FSLogix profile containers on SMB storage (Azure Files, Azure NetApp Files, or other SMB):
- The April 2026 Windows Server update changes the default Kerberos encryption type from RC4 to AES-SHA1.
- File shares hosting FSLogix containers that are not upgraded to AES-SHA1 may have access issues after this change.
- Complete the upgrade to AES-SHA1 before installing the April 2026 update.
- FSLogix storage and permissions:
- FSLogix uses SMB storage with NTFS ACLs and, for Azure Files, requires an AD source and appropriate share-level permissions.
- Ensure share-level and NTFS permissions are correctly configured for the user groups using FSLogix.
Following these steps and validating before applying the Windows hardening updates will minimize disruption to FSLogix profiles and Azure Files access.