Hunting for Missing AES in Active Directory


In the world of Active Directory security, 2026 is the year the “Compatibility Tax” finally comes due. For decades, Kerberos has quietly allowed a fallback to RC4 encryption. It was convenient, it was compatible, and, by modern standards, it is a massive security hole. With CVE-2026-20833, Microsoft has officially pulled the plug. We are currently in the final “Enforcement Phase.” If an account in your domain doesn’t have its AES bits flipped, your Domain Controllers will soon stop issuing it tickets. Period.

The Problem: We’ve Been Looking at the Wrong Thing

Most admins spend their time hunting for “Who is using RC4.” That’s a reactive approach. In a complex enterprise, the real danger isn’t just the presence of RC4; it’s the absence of AES. Many service accounts created years ago are “ghosts.” They lack the msDS-SupportedEncryptionTypes attribute entirely. When this attribute is null, the system defaults to legacy behavior. To fix this, we don’t just need to “disable RC4”—we need to explicitly enable AES.

The Solution: Auditing the “Gaps”

To help our organization (and yours) navigate this, I’ve released a set of [Security Audit Tools] on GitHub. Unlike standard scripts that just check for “Insecure” flags, these tools perform Bitwise Auditing.

What makes these tools different?

  1. Bitwise Precision: We don’t do string matching (e.g., -like "*RC4*"). We use the -band operator to check the actual 0x08 (AES128) and 0x10 (AES256) bits. This is the only mathematically certain way to verify support.
  2. The “Null” Flag: Our audit explicitly identifies accounts with null attributes—the “Critical” risks that will break the moment Microsoft’s enforcement lands.
  3. The Password Age Factor: AES keys are only generated when a password is set. Our script tracks PasswordLastSet because flipping the AES bit on an account with a 3-year-old password will actually cause a lockout.
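The three checks above, written out as an added PowerShell example (this is not the author's published tool): it isolates the 0x08 and 0x10 bits with -band instead of string matching, reports a null msDS-SupportedEncryptionTypes as Critical, and flags accounts whose PasswordLastSet is older than a threshold before anyone enables AES on them. The 0x04 RC4 bit is the standard Kerberos encryption-type flag; the 365-day threshold, the risk labels and the four sample accounts are assumptions constructed for the demo.

```powershell
# Added example, not the author's published tool: a bitwise audit of
# msDS-SupportedEncryptionTypes that also reports the "null" and password-age cases.
# Bit values are the standard Kerberos encryption-type flags.
$ENC_RC4    = 0x04   # RC4-HMAC
$ENC_AES128 = 0x08   # AES128-CTS-HMAC-SHA1-96
$ENC_AES256 = 0x10   # AES256-CTS-HMAC-SHA1-96

function Get-EncTypeAuditResult {
    param(
        [Parameter(Mandatory)] [string] $SamAccountName,
        $SupportedEncTypes,               # raw attribute value; $null when the attribute is absent
        $PasswordLastSet,                 # [datetime] or $null
        [int] $MaxPasswordAgeDays = 365   # assumption: password age beyond which keys are suspect
    )

    $flags = New-Object System.Collections.Generic.List[string]

    if ($null -eq $SupportedEncTypes) {
        # No attribute at all: the KDC falls back to its legacy default for this account.
        $risk    = 'Critical'
        $finding = 'msDS-SupportedEncryptionTypes not set'
        $hasAes  = $false
    }
    else {
        $value  = [int]$SupportedEncTypes
        # -band isolates the bits; a non-zero result means that cipher is enabled.
        $hasAes = ($value -band ($ENC_AES128 -bor $ENC_AES256)) -ne 0
        $hasRc4 = ($value -band $ENC_RC4) -ne 0

        if (-not $hasAes) { $risk = 'High';   $finding = 'No AES bit set (0x{0:X2})' -f $value }
        elseif ($hasRc4)  { $risk = 'Medium'; $finding = 'AES set but RC4 still allowed (0x{0:X2})' -f $value }
        else              { $risk = 'OK';     $finding = 'AES only (0x{0:X2})' -f $value }
    }

    # AES keys are only derived when the password is set, so an account that still
    # needs its AES bits enabled also needs a recent password; flag the ones that lack one.
    if (-not $hasAes) {
        if ($null -eq $PasswordLastSet) {
            $flags.Add('PasswordLastSet unknown: reset before enabling AES')
        }
        else {
            $ageDays = [int]((Get-Date) - [datetime]$PasswordLastSet).TotalDays
            if ($ageDays -gt $MaxPasswordAgeDays) {
                $flags.Add(('Password {0} days old: reset before enabling AES' -f $ageDays))
            }
        }
    }

    [pscustomobject]@{
        SamAccountName = $SamAccountName
        Risk           = $risk
        Finding        = $finding
        Notes          = ($flags -join '; ')
    }
}

# Constructed sample data standing in for Get-ADUser output; none of these accounts are real.
$sample = @(
    [pscustomobject]@{ SamAccountName = 'svc-ghost';   'msDS-SupportedEncryptionTypes' = $null; PasswordLastSet = (Get-Date).AddYears(-3) }
    [pscustomobject]@{ SamAccountName = 'svc-rc4only'; 'msDS-SupportedEncryptionTypes' = 0x04;  PasswordLastSet = (Get-Date).AddMonths(-2) }
    [pscustomobject]@{ SamAccountName = 'svc-mixed';   'msDS-SupportedEncryptionTypes' = 0x1C;  PasswordLastSet = (Get-Date).AddMonths(-6) }
    [pscustomobject]@{ SamAccountName = 'svc-modern';  'msDS-SupportedEncryptionTypes' = 0x18;  PasswordLastSet = (Get-Date).AddDays(-30) }
)

$sample |
    ForEach-Object {
        Get-EncTypeAuditResult -SamAccountName $_.SamAccountName `
                               -SupportedEncTypes $_.'msDS-SupportedEncryptionTypes' `
                               -PasswordLastSet $_.PasswordLastSet
    } |
    Sort-Object { @{ Critical = 0; High = 1; Medium = 2; OK = 3 }[$_.Risk] } |
    Format-Table -AutoSize

# Against a live domain (RSAT ActiveDirectory module), feed the same function real objects:
# Get-ADUser -Filter * -Properties msDS-SupportedEncryptionTypes, PasswordLastSet |
#     ForEach-Object { Get-EncTypeAuditResult -SamAccountName $_.SamAccountName `
#                                             -SupportedEncTypes $_.'msDS-SupportedEncryptionTypes' `
#                                             -PasswordLastSet $_.PasswordLastSet }
```

Run as-is, the constructed sample yields svc-ghost as Critical with a stale-password note, svc-rc4only as High, svc-mixed as Medium (AES present, RC4 still allowed) and svc-modern as OK. The point of the design is that the classification reads the bits, not a string, so a value such as 0x1C is recognised as "has AES" even though it also contains RC4; swapping in the commented Get-ADUser call audits the real directory with the same logic.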

Why This Matters Now

By July 2026, the “Audit Mode” is gone. The registry keys that allow a rollback will be ignored. If you haven’t identified your AES gaps by then, your help desk is going to have a very long summer. Security isn’t about clicking “Update All.” It’s about having the visibility to know exactly what is going to break before it does. Download the tools, run the audit, and let’s get these legacy accounts into the modern era.

Github Source