Action required: Windows Kerberos hardening (RC4) may affect FSLogix profiles on SMB storage
Starting from the April 2026 cumulative update for Windows, there will be a change in the default behaviour of Kerberos. When the encryption type of an Active Directory object is not specifically defined (or is set to null), Windows will now default to AES-SHA1 instead of relying on the legacy defaults that usually led to RC4 being used. This update is part of a security enhancement for the Windows platform, while the Azure Virtual Desktop service will remain unaffected.
This change could have implications for customers using FSLogix, whether they’re on Azure Virtual Desktop or working with non-AVD setups, particularly if their FSLogix profile storage relies on SMB file shares that integrate with Active Directory. If any associated system (like a file server, NAS, or service account) lacks support for AES-SHA1 with Kerberos, you may experience authentication failures.
You might be affected if:
- You’re accessing SMB storage for FSLogix profiles using Kerberos, and
- Your Kerberos encryption settings are restricted to RC4 or left unset (null) for the relevant Active Directory objects or service accounts.
Timeline
- April 2026: The Enforcement Phase begins, with manual rollback still possible. The default Kerberos behaviour changes so that domain controllers rely solely on AES-SHA1 encryption for accounts whose encryption types are not explicitly set. Enforcement mode is enabled by default on Windows domain controllers, but you can switch back to Audit mode as a manual rollback until July 2026.
- July 2026: The full Implementation Phase. Audit mode is removed, leaving Enforcement mode as the only option.
Recommended actions
- First, check for any usage of RC4 and identify any null encryption settings that relate to Active Directory objects linked to SMB access (which includes FSLogix profile storage).
- Next, make necessary updates to ensure your configurations support and prioritise AES-based Kerberos encryption (AES-SHA1).
- Finally, confirm that end-to-end sign-ins and access to FSLogix profiles work smoothly in both your AVD and non-AVD environments.
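The first step above asks you to find where RC4 is actually still being used, not just where it is configured. A domain controller's Security log answers that directly: event 4769 (a Kerberos service ticket request) records the encryption type of the ticket it issued, and 0x17 is RC4-HMAC. The script below is an added example, not part of the original notice, that groups RC4 service tickets by the service account they were issued for; a file server hosting FSLogix shares appears under its computer account (for example FS01$), and a NAS under whichever computer or service account represents it. It assumes the "Audit Kerberos Service Ticket Operations" subcategory is enabled on the domain controller and that the script runs there or points -ComputerName at one. The parameter names and the export path are the example's own choices.

```powershell
# Added example (not from the original notice): find services that are still
# issued RC4-HMAC (0x17) Kerberos service tickets, using event 4769 from a
# domain controller's Security log. Run on a DC (or point -ComputerName at one)
# with the "Audit Kerberos Service Ticket Operations" subcategory enabled.

param(
    [string]$DomainController = $env:COMPUTERNAME,
    [int]$Days = 7
)

# Encryption type codes as they appear in the TicketEncryptionType field of 4769.
$EncTypeNames = @{
    '0x1'  = 'DES-CBC-CRC'
    '0x3'  = 'DES-CBC-MD5'
    '0x11' = 'AES128-CTS-HMAC-SHA1-96'
    '0x12' = 'AES256-CTS-HMAC-SHA1-96'
    '0x17' = 'RC4-HMAC'
    '0x18' = 'RC4-HMAC-EXP'
}

$filter = @{
    LogName   = 'Security'
    Id        = 4769
    StartTime = (Get-Date).AddDays(-$Days)
}

$events = Get-WinEvent -ComputerName $DomainController -FilterHashtable $filter -ErrorAction Stop

$records = foreach ($ev in $events) {
    # Read the named EventData fields from the event XML instead of parsing the message text.
    $xml  = [xml]$ev.ToXml()
    $data = @{}
    foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }

    [pscustomobject]@{
        Time        = $ev.TimeCreated
        Requester   = $data['TargetUserName']        # account that asked for the ticket
        Service     = $data['ServiceName']           # account the ticket was issued for (e.g. FS01$)
        ClientIp    = $data['IpAddress']
        EncTypeCode = $data['TicketEncryptionType']
        EncType     = $EncTypeNames[$data['TicketEncryptionType']]
    }
}

# Tickets still issued with RC4: these services (and the clients that use them)
# are the ones that will fail once AES-only defaults are enforced.
$rc4 = $records | Where-Object { $_.EncTypeCode -eq '0x17' }

$rc4 |
    Group-Object Service |
    Sort-Object Count -Descending |
    Select-Object @{n='Service';e={$_.Name}}, Count,
                  @{n='Requesters';e={($_.Group.Requester | Sort-Object -Unique) -join ', '}},
                  @{n='ClientIps'; e={($_.Group.ClientIp  | Sort-Object -Unique) -join ', '}} |
    Format-Table -AutoSize

# Keep the raw RC4 rows for follow-up. Constructed path; adjust to taste.
$rc4 | Export-Csv -NoTypeInformation -Path "$env:TEMP\rc4-service-tickets.csv"
```

Event 4769 is written only on the domain controller that issued the ticket, so run the script against each DC (or collect the log centrally) to get a complete picture. A service account that shows up here with RC4 tickets is the one to cross-check against its msDS-SupportedEncryptionTypes attribute in the next step.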
FAQs
What is Kerberos and why is it important?
Kerberos is a network authentication protocol that uses tickets to allow nodes to prove their identity securely. It’s crucial for maintaining the security of communications in networks, especially with services like FSLogix.
How do I check if I’m using RC4 for Kerberos?
You can check Active Directory settings in PowerShell. Use the command to get the encryption settings for the relevant accounts and see if they’re set to RC4.
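The attribute that controls this per object is msDS-SupportedEncryptionTypes, a bit mask in which 0x4 is RC4-HMAC, 0x8 is AES128-SHA1 and 0x10 is AES256-SHA1; an unset (null) value is exactly the case the April 2026 change re-defaults to AES-SHA1. The script below is an added example, not from the original notice, that serves both the "check, then update" steps in the recommended actions and this FAQ: it reads the attribute for the computer and service accounts behind your FSLogix SMB storage, decodes it, flags unset and RC4-only objects, and previews (with -WhatIf) the change to AES-only. It assumes the ActiveDirectory RSAT module, and the sample account names FS01, NAS01 and svc-fslogix are constructed placeholders.

```powershell
#Requires -Modules ActiveDirectory
# Added example (not from the original notice): audit msDS-SupportedEncryptionTypes
# on the AD objects behind FSLogix SMB storage and preview an AES-only setting.

param(
    # Computer accounts (file servers, NAS devices) and service accounts to check.
    # Constructed sample names; replace with your own.
    [string[]]$ComputerNames   = @('FS01', 'NAS01'),
    [string[]]$ServiceAccounts = @('svc-fslogix'),
    # Preview the AES-only change for objects that are unset or still advertise RC4.
    [switch]$Remediate
)

Import-Module ActiveDirectory

# Bit flags of msDS-SupportedEncryptionTypes.
$DES_CRC  = 0x01
$DES_MD5  = 0x02
$RC4      = 0x04
$AES128   = 0x08
$AES256   = 0x10
$AES_ONLY = $AES128 -bor $AES256   # 0x18

function ConvertTo-EncTypeNames([int]$Value) {
    $names = @()
    if ($Value -band $DES_CRC) { $names += 'DES-CBC-CRC' }
    if ($Value -band $DES_MD5) { $names += 'DES-CBC-MD5' }
    if ($Value -band $RC4)     { $names += 'RC4-HMAC' }
    if ($Value -band $AES128)  { $names += 'AES128-SHA1' }
    if ($Value -band $AES256)  { $names += 'AES256-SHA1' }
    if ($names.Count -eq 0)    { $names += '(none)' }
    $names -join ','
}

$props   = @('msDS-SupportedEncryptionTypes', 'pwdLastSet')
$objects = @()
$objects += foreach ($n in $ComputerNames)   { Get-ADComputer -Identity $n -Properties $props }
$objects += foreach ($n in $ServiceAccounts) { Get-ADUser     -Identity $n -Properties $props }

$report = foreach ($o in $objects) {
    $raw = $o.'msDS-SupportedEncryptionTypes'
    $status = if ($null -eq $raw) { 'UNSET: defaults to AES-SHA1 after the April 2026 update' }
              elseif (-not ($raw -band $AES_ONLY)) { 'NO AES: RC4/DES only, will fail; device must gain AES support first' }
              elseif ($raw -band $RC4) { 'AES + RC4: RC4 still negotiable' }
              else { 'AES only' }

    [pscustomobject]@{
        Name       = $o.SamAccountName
        Class      = $o.ObjectClass
        RawValue   = if ($null -eq $raw) { $null } else { '0x{0:X}' -f $raw }
        EncTypes   = if ($null -eq $raw) { '(unset)' } else { ConvertTo-EncTypeNames $raw }
        # AES keys only exist if the password was set while AES was supported.
        PwdLastSet = [DateTime]::FromFileTime($o.pwdLastSet)
        Status     = $status
    }
}

$report | Format-Table -AutoSize

if ($Remediate) {
    # Only objects that are unset or already hold AES keys but still advertise RC4
    # are safe to move to AES-only; RC4-only devices need an upgrade first.
    foreach ($r in $report | Where-Object { $_.Status -like 'UNSET*' -or $_.Status -like 'AES + RC4*' }) {
        $obj = $objects | Where-Object SamAccountName -eq $r.Name
        # -WhatIf shows the change without applying it; remove it once reviewed.
        Set-ADObject -Identity $obj.DistinguishedName -Replace @{ 'msDS-SupportedEncryptionTypes' = $AES_ONLY } -WhatIf
    }
}
```

Two caveats the report is designed to surface. First, an object whose attribute allows AES can still fail if its Kerberos keys predate AES support, because AES keys are derived only when the password is set; a very old PwdLastSet on a computer or service account is a sign that a password reset (or, for a NAS, a rejoin) is needed before AES-only will work. Second, the script deliberately leaves RC4-only objects alone, matching the FAQ above: the file server or NAS itself has to support AES-SHA1 before its AD object is told to require it.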
What should I do if my system doesn’t support AES-SHA1?
If your file server or service configuration doesn’t support AES-SHA1, you’ll need to upgrade or modify it to ensure successful authentication after the update.
Will this change affect all Windows users?
This change mainly impacts users of Active Directory and those using Kerberos for authentication in SMB storage. If you use these services, you could experience issues if your settings are outdated.