Microsoft will enforce AES-SHA1 as the only supported Kerberos encryption type starting April 2026, eliminating RC4-HMAC and DES-CBC-CRC entirely from Windows authentication. This security hardening measure represents the final phase of Microsoft's multi-year Kerberos deprecation roadmap that began with Windows Server 2016 and Windows 10 version 1607. Organizations still using older encryption types face authentication failures across their Windows environments unless they complete migration before the enforcement date.

The Technical Details of Kerberos Hardening

Kerberos authentication in Windows has supported multiple encryption types for decades, with RC4-HMAC being the default for Windows domains since Windows 2000. Microsoft's security advisory confirms that after April 2026, Windows will only accept AES-SHA1 (AES128-CTS-HMAC-SHA1-96 and AES256-CTS-HMAC-SHA1-96) for Kerberos ticket encryption. The change affects all Kerberos operations including Service Ticket requests, Ticket Granting Ticket (TGT) renewals, and cross-realm authentication.

Microsoft's documentation specifies that this enforcement applies to:

  • Windows 11 version 24H2 and later
  • Windows Server 2025 and later
  • All future Windows releases

Organizations must update their Active Directory domain functional level to at least Windows Server 2016 to ensure proper AES-SHA1 support. The Kerberos policy settings that previously controlled encryption type preferences will become irrelevant after enforcement—Windows will simply reject any non-AES-SHA1 encrypted tickets.

FSLogix Profile Containers: The Unexpected Risk

FSLogix profile containers, widely deployed for virtual desktop infrastructure (VDI) and Remote Desktop Services (RDS) environments, face particular risk from this change. Many organizations configure FSLogix to store profile containers on SMB file shares, which rely on Kerberos authentication for access control.

When FSLogix attempts to mount a profile container from an SMB share, Windows performs Kerberos authentication using the current user's credentials. If the domain controllers only support AES-SHA1 after April 2026, but client computers or servers still attempt RC4-HMAC encryption, the authentication will fail. Users would be unable to access their profiles, effectively breaking VDI and RDS deployments.

The risk extends beyond just FSLogix—any application or service using SMB with Kerberos authentication faces similar issues. This includes:

  • Home folder redirections
  • Microsoft Office document collaboration
  • Line-of-business applications with file-based backends
  • Backup software using SMB targets

Community Reports and Real-World Testing

Early adopters who have tested the upcoming changes report several critical findings. One administrator running Windows Server 2025 preview builds discovered that domain controllers immediately reject RC4-HMAC tickets when configured for AES-only mode. "We saw authentication failures within minutes of enabling the test policy," they reported. "User logons failed, service accounts couldn't start, and our monitoring systems went dark."

Another organization testing FSLogix with AES-only Kerberos found that profile containers failed to mount during user logon. "The error was subtle—Windows would log the user on with a temporary profile, but their actual profile container remained inaccessible on the SMB share," explained a virtualization engineer. "Users lost all their settings, documents, and application configurations."

Several community members noted that the problem isn't limited to Windows-native components. Third-party applications with hardcoded Kerberos encryption preferences also break. "We found legacy Java applications that explicitly request RC4 encryption types," reported one systems administrator. "These apps simply stop working when domain controllers reject those requests."

Migration Requirements and Timeline

Microsoft's official guidance outlines a three-phase migration approach that organizations should complete before April 2026:

Phase 1: Inventory and Assessment (Complete by October 2025)

Organizations must identify all systems and applications using Kerberos authentication. Key steps include:

  • Run klist commands on representative client and server systems to check current encryption types
  • Use Event Viewer to filter Security logs for Kerberos events (Event ID 4768, 4769)
  • Deploy Microsoft's Kerberos Configuration Tool for Active Directory to audit encryption usage
  • Test applications in isolated environments with AES-only policies enabled
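The log review in the inventory step can be automated. The following script is an added example, not Microsoft's or FSLogix's code: it reads Security events 4768 (TGT issued) and 4769 (service ticket issued) from a domain controller, decodes the TicketEncryptionType field, and lists the accounts and services that are still being issued RC4 or DES tickets. It assumes the "Kerberos Authentication Service" and "Kerberos Service Ticket Operations" audit subcategories are enabled on that DC.

```powershell
# Added example: summarise Kerberos ticket encryption types from a DC's Security log
# (events 4768 and 4769) and report accounts/services still receiving non-AES tickets.
# Assumes the Kerberos audit subcategories are enabled on the target DC.
param(
    [string]$ComputerName = $env:COMPUTERNAME,
    [int]$Days = 7
)

# TicketEncryptionType values exactly as they appear in the event XML.
$EtypeNames = @{
    '0x1'  = 'DES-CBC-CRC'
    '0x3'  = 'DES-CBC-MD5'
    '0x11' = 'AES128-CTS-HMAC-SHA1-96'
    '0x12' = 'AES256-CTS-HMAC-SHA1-96'
    '0x17' = 'RC4-HMAC'
    '0x18' = 'RC4-HMAC-EXP'
}

$events = Get-WinEvent -ComputerName $ComputerName -ErrorAction Stop -FilterHashtable @{
    LogName   = 'Security'
    Id        = 4768, 4769
    StartTime = (Get-Date).AddDays(-$Days)
}

$rows = foreach ($e in $events) {
    # Pull the named EventData fields out of the event XML.
    $data = @{}
    foreach ($d in ([xml]$e.ToXml()).Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
    $etype = $data['TicketEncryptionType']
    [pscustomobject]@{
        EventId  = $e.Id
        Account  = $data['TargetUserName']
        Service  = $data['ServiceName']     # 'krbtgt' for 4768, the SPN owner for 4769
        ClientIp = $data['IpAddress']
        Status   = $data['Status']
        Etype    = if ($EtypeNames.ContainsKey($etype)) { $EtypeNames[$etype] } else { $etype }
    }
}

# Successful issuances (Status 0x0) of anything other than an AES ticket are migration blockers.
$legacy = $rows | Where-Object { $_.Status -eq '0x0' -and $_.Etype -notlike 'AES*' }
$legacy | Group-Object Account, Service, Etype | Sort-Object Count -Descending |
    Select-Object Count,
        @{ n = 'Account'; e = { $_.Group[0].Account } },
        @{ n = 'Service'; e = { $_.Group[0].Service } },
        @{ n = 'Etype';   e = { $_.Group[0].Etype } },
        @{ n = 'Clients'; e = { ($_.Group.ClientIp | Sort-Object -Unique) -join ',' } } |
    Format-Table -AutoSize
```

Run it against each DC in turn; a 4769 row with an RC4 Etype names the SPN owner whose msDS-SupportedEncryptionTypes still needs AES, and the Clients column shows which hosts are requesting it.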

Phase 2: Configuration Updates (Complete by January 2026)

Update Active Directory and system configurations to support AES-SHA1:

  • Raise domain functional level to Windows Server 2016 or higher
  • Ensure all domain controllers run Windows Server 2016 or later
  • Update Group Policy to prefer AES encryption types
  • Configure service principal names (SPNs) with proper encryption type support
  • Update cross-forest trusts to use AES encryption

Phase 3: Validation and Monitoring (February-March 2026)

Before full enforcement, organizations should:

  • Enable AES-only mode in test environments
  • Monitor authentication failures using Advanced Audit Policy Configuration
  • Test failover scenarios and disaster recovery procedures
  • Update documentation and runbooks for support teams

Technical Implementation Details

Administrators must update several configuration areas to ensure compatibility:

Active Directory Configuration

# Advertise AES on an account's msDS-SupportedEncryptionTypes attribute (placeholder account names).
# Set-ADDefaultDomainPasswordPolicy has no encryption-type parameter; the account cmdlets do.
# The domain-wide equivalent is the Group Policy setting
# "Network security: Configure encryption types allowed for Kerberos".
Set-ADUser -Identity svc-app -KerberosEncryptionType AES128,AES256
Set-ADComputer -Identity FILESRV01 -KerberosEncryptionType AES128,AES256

# Verify domain controller support
Get-ADDomainController -Filter * | Select-Object Name, OperatingSystem
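Setting encryption types one account at a time does not scale; the following is an added example, not Microsoft's code, that audits msDS-SupportedEncryptionTypes on every account holding an SPN (the attribute the KDC consults when choosing the service ticket encryption type) and reports those that cannot receive an AES ticket. It requires the ActiveDirectory module; the -Fix switch is part of this example only and is off by default.

```powershell
# Added example: find SPN-holding accounts whose msDS-SupportedEncryptionTypes does not
# include AES, and optionally set AES128+AES256 on them. Not a Microsoft tool.
param([switch]$Fix)
Import-Module ActiveDirectory

# Bit flags of msDS-SupportedEncryptionTypes.
$DES_CRC = 0x1; $DES_MD5 = 0x2; $RC4 = 0x4; $AES128 = 0x8; $AES256 = 0x10
$AesMask = $AES128 -bor $AES256

$accounts = Get-ADObject -LDAPFilter '(&(servicePrincipalName=*)(|(objectClass=user)(objectClass=computer)))' `
    -Properties 'msDS-SupportedEncryptionTypes', objectClass, pwdLastSet

$report = foreach ($a in $accounts) {
    $raw = $a.'msDS-SupportedEncryptionTypes'
    # Unset or 0 is treated here as RC4 only, the legacy KDC fallback; a DC's
    # DefaultDomainSupportedEncTypes registry value can change that fallback.
    $effective = if (-not $raw) { $RC4 } else { [int]$raw }
    [pscustomobject]@{
        Name        = $a.Name
        DN          = $a.DistinguishedName
        Class       = $a.objectClass
        Raw         = $raw
        SupportsAES = ($effective -band $AesMask) -ne 0
        AllowsRC4   = ($effective -band $RC4) -ne 0
        AllowsDES   = ($effective -band ($DES_CRC -bor $DES_MD5)) -ne 0
        # AES keys exist only for passwords set while the domain was at DFL 2008 or higher,
        # so an old pwdLastSet means the password must be reset before going AES-only.
        PwdLastSet  = [DateTime]::FromFileTime([long]$a.pwdLastSet)
    }
}

$blockers = $report | Where-Object { -not $_.SupportsAES }
$blockers | Format-Table Name, Class, Raw, AllowsRC4, AllowsDES, PwdLastSet -AutoSize

if ($Fix) {
    foreach ($b in $blockers) {
        # Advertise AES only. Do this after the password reset noted above, otherwise the KDC
        # has no AES key for the account and ticket issuance for its SPNs fails.
        Set-ADObject -Identity $b.DN -Replace @{ 'msDS-SupportedEncryptionTypes' = $AesMask }
    }
}
```

Reviewing the AllowsRC4 column after the change is a cheap check that no account was left with an RC4 bit that enforcement will later refuse.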

FSLogix Specific Configuration

For FSLogix deployments, Microsoft recommends:

  • Ensuring SMB file servers run Windows Server 2016 or later
  • Configuring Kerberos armoring (FAST) for additional protection
  • Testing profile container mounting with AES-only policies
  • Considering Azure Files with identity-based authentication as an alternative

Application Compatibility

Organizations should:

  • Contact software vendors about Kerberos encryption support
  • Test line-of-business applications with AES-only authentication
  • Update Java applications using Java Authentication and Authorization Service (JAAS)
  • Modify .NET applications using System.DirectoryServices.Protocols

Security Implications and Benefits

The move to AES-SHA1-only Kerberos significantly improves Windows security posture. RC4-HMAC, while faster computationally, has known cryptographic weaknesses that make it vulnerable to certain attacks. Microsoft's security team notes that eliminating RC4 reduces the attack surface for:

  • Kerberos golden ticket attacks
  • Pass-the-hash techniques
  • Brute-force decryption attempts

AES-SHA1 provides stronger encryption with better resistance to modern cryptographic attacks. The change also aligns Windows with industry security standards and compliance requirements like NIST SP 800-63B and FIPS 140-2.

Troubleshooting Common Issues

Organizations encountering problems during migration should check these areas:

Authentication Failures

  • Verify domain controller encryption type support with nltest /dsgetdc:domain.com
  • Check client encryption type capabilities with klist tgt
  • Review Security event logs for Kerberos failure events (Event ID 4771)

FSLogix Profile Issues

  • Test SMB connectivity without Kerberos (using NTLM) to isolate the problem
  • Verify share permissions and NTFS permissions still work correctly
  • Check FSLogix logs at %ProgramData%\FSLogix\Logs for mounting errors

Cross-Forest Authentication Problems

  • Update forest trusts to use AES encryption types
  • Verify time synchronization between forests
  • Check DNS resolution for foreign domain controllers

Long-Term Impact and Future Considerations

This Kerberos hardening represents more than just a configuration change—it signals Microsoft's commitment to eliminating legacy security protocols across Windows. Organizations should view this as part of a broader security modernization effort that includes:

  • Deprecating NTLM authentication
  • Enabling Windows Hello for Business
  • Implementing certificate-based authentication
  • Moving toward passwordless authentication models

For FSLogix deployments, this change may accelerate adoption of cloud-based profile solutions like Azure Files with Azure Active Directory authentication. Microsoft's investment in Azure-native alternatives suggests a strategic shift away from traditional SMB-based profile storage.

Administrators who complete the migration successfully will not only avoid April 2026 authentication failures but also position their organizations for future Windows security enhancements. The AES-SHA1 foundation enables stronger authentication protocols and better integration with modern identity platforms.

The April 2026 deadline provides adequate time for migration, but organizations with complex environments or legacy applications should begin planning immediately. Those who delay risk widespread authentication failures that could disrupt business operations across their Windows infrastructure.