RC4 deprecation advance dependency test in Microsoft Entra Domain Services

Microsoft is deprecating RC4 encryption for Kerberos in Microsoft Entra Domain Services as part of the security hardening related to CVE-2026-20833. To assess customer readiness before RC4 is permanently disabled, the Domain Services team runs an advance dependency test: a controlled, time-limited disablement of RC4 encryption on managed domain controllers. The test surfaces active RC4 dependencies so you can remediate them before enforcement becomes permanent.

This article explains what the advance dependency test is, when it runs, and how to prepare for and recover from it.

How the advance dependency test works

During the test, the team temporarily moves RC4 to enforcement mode (AES-only encryption) on the domain controllers in your region. If your workloads depend on RC4 for Kerberos authentication or LDAP binds, they might experience authentication failures after the test starts. Starting the week of July 13, 2026, RC4 is permanently disabled across all regions.

Schedule

Tests start at 10:00 local time in each region, in three waves across the Americas, Europe, and Asia-Pacific and China. If your workloads are affected, you self-remediate by using the recovery steps later in this article.

Wave 1 — Americas (Mon, Jul 6, 2026)

| PaaS region | Local timezone | Local start time | UTC start time |
|---|---|---|---|
| West Central US | MT (UTC-6) | 10:00 MDT | 16:00 UTC |
| West US | PT (UTC-7) | 10:00 PDT | 17:00 UTC |
| East US | ET (UTC-4) | 10:00 EDT | 14:00 UTC |
| US Gov Virginia | ET (UTC-4) | 10:00 EDT | 14:00 UTC |
| US Gov Arizona | MT (UTC-6) | 10:00 MDT | 16:00 UTC |
| US Nat East | ET (UTC-4) | 10:00 EDT | 14:00 UTC |
| US Nat West | PT (UTC-7) | 10:00 PDT | 17:00 UTC |
| US Sec East | ET (UTC-4) | 10:00 EDT | 14:00 UTC |
| US Sec West | PT (UTC-7) | 10:00 PDT | 17:00 UTC |

Wave 2 — Europe (Tue, Jul 7, 2026)

| PaaS region | Local timezone | Local start time | UTC start time |
|---|---|---|---|
| West Europe (Netherlands) | CEST (UTC+2) | 10:00 CEST | 08:00 UTC |
| North Europe (Ireland) | IST (UTC+1) | 10:00 IST | 09:00 UTC |
| BLEU France Central (Paris) | CEST (UTC+2) | 10:00 CEST | 08:00 UTC |
| BLEU France South (Marseille) | CEST (UTC+2) | 10:00 CEST | 08:00 UTC |
| Delos Germany Central (Frankfurt) | CEST (UTC+2) | 10:00 CEST | 08:00 UTC |
| Delos Germany North (Berlin) | CEST (UTC+2) | 10:00 CEST | 08:00 UTC |

Wave 3 — Asia-Pacific and China (Wed, Jul 8, 2026)

| PaaS region | Local timezone | Local start time | UTC start time |
|---|---|---|---|
| Southeast Asia (Singapore) | SGT (UTC+8) | 10:00 SGT | 02:00 UTC |
| Japan East (Tokyo) | JST (UTC+9) | 10:00 JST | 01:00 UTC |
| Japan West (Osaka) | JST (UTC+9) | 10:00 JST | 01:00 UTC |
| China North 2 (Beijing) | CST (UTC+8) | 10:00 CST | 02:00 UTC |
| China East 2 (Shanghai) | CST (UTC+8) | 10:00 CST | 02:00 UTC |

Prepare for the test

Before the test window for your region, take the following steps:

  1. Turn on security audits for the managed domain by following Enable security and DNS audits for Microsoft Entra Domain Services.
  2. Use Sample query 7 to identify Kerberos RC4 ticket issuance in your environment.
  3. Migrate the affected workloads to AES encryption.
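
If you export the Kerberos audit events for offline triage, the following added example (not Sample query 7 and not code from Microsoft) shows one way to pick out RC4 ticket issuance: it keeps events 4768 and 4769 whose ticket encryption type is 0x17 or 0x18. The CSV column names, account names, and service names are constructed for illustration and are assumptions about your export format.

```python
import csv
import io
from collections import Counter

# Kerberos etype numbers as they appear in the "Ticket Encryption Type" field.
RC4_ETYPES = {0x17: "RC4-HMAC", 0x18: "RC4-HMAC-EXP"}
# 4768 = TGT requested, 4769 = service ticket requested.
TICKET_EVENTS = {4768, 4769}

# Constructed sample export. Column names are assumptions, not the
# Log Analytics schema; adjust them to match your own export.
SAMPLE_CSV = """EventID,AccountName,ServiceName,TicketEncryptionType
4768,alice,krbtgt,0x12
4769,alice,svc-legacyapp,0x17
4769,bob,svc-legacyapp,0x17
4769,bob,cifs-fileserver,0x12
4768,printer01$,krbtgt,0x17
4624,carol,-,-
4769,carol,svc-web,0xFFFFFFFF
4769,dave,svc-web,
"""

def rc4_dependencies(csv_text):
    """Count RC4-encrypted tickets per (event ID, service, account)."""
    hits = Counter()
    for row in csv.DictReader(io.StringIO(csv_text)):
        if not row["EventID"].isdigit() or int(row["EventID"]) not in TICKET_EVENTS:
            continue  # not a Kerberos ticket issuance event
        try:
            etype = int(row["TicketEncryptionType"], 16)
        except (TypeError, ValueError):
            continue  # empty or malformed field
        if etype in RC4_ETYPES:  # AES (0x11, 0x12) and failures (0xFFFFFFFF) are skipped
            hits[(int(row["EventID"]), row["ServiceName"], row["AccountName"])] += 1
    return hits

def services_to_migrate(hits):
    """Service names whose service tickets (4769) were issued with RC4."""
    return sorted({svc for (event_id, svc, _), _n in hits.items() if event_id == 4769})

if __name__ == "__main__":
    found = rc4_dependencies(SAMPLE_CSV)
    for (event_id, svc, account), count in sorted(found.items()):
        print(f"{event_id} service={svc} account={account} rc4_tickets={count}")
    print("Migrate to AES:", services_to_migrate(found))
```

An RC4 hit on event 4769 points at the service account that needs AES keys, while a hit on event 4768 points at the requesting account or device itself.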

Recover if you're impacted

If your workloads experience authentication failures during the test, members of the AAD DC Administrators group can immediately restore RC4 by using the self-service RC4 configuration steps. Set rc4DefaultDisablementPhase to 1 (audit mode) and defaultDomainSupportedEncTypes to 60. Changes apply within about 10 minutes.

File an Azure support request only if the self-service steps don't restore your workloads.