Windows is turning off an old security setting this month. If a login or a background job breaks, this is why.
Microsoft & Cloud

Windows is turning off an old security setting this month. If a login or a background job breaks, this is why.

The Windows update due on 14 July finishes a change that stops the login system trusting the weak RC4 cipher. Anything on your network still relying on it can fail without warning.

10 July 20264 min read

On or after this month's Windows security update, due on 14 July, Microsoft finishes a change it has been rolling out since January: switching off an old, weak encryption method called RC4 in the part of Windows that handles logins. If a service account, an app or a non-Windows device on your network still leans on RC4, it can stop working after the update, and the failure is not always obvious.

What is actually changing

RC4 is a decades-old way of scrambling data that has been considered weak for years. Windows uses a system called Kerberos to check who is allowed onto the network. Microsoft is making Kerberos stop trusting RC4 and use the stronger AES standard instead. The move is tied to a flaw tracked as CVE-2026-20833, where an attacker could grab a login 'ticket' still protected with weak RC4 encryption and work on it offline until they recovered a service account's password.

It has arrived in three stages

Since January the change has come in phases. January's update just watched and logged where RC4 was still in use and broke nothing. April's update flipped the default over to AES but left a way to switch back. This month's update removes that escape hatch: once it is on, the old behaviour cannot be turned back on and enforcement is permanent. That last step is the one worth preparing for.

What can break

This is not really about staff signing into their PCs. The things most likely to trip up are the quiet ones: a service account running a scheduled job, a Linux or Unix box authenticating to Windows, an older piece of kit, or an integration between two systems that was set up years ago and never revisited. A nightly file transfer that still uses RC4 can simply stop one morning with nobody having touched it. Because these run in the background, a break can go unnoticed until something downstream turns up missing.

What to check before it lands

The question to put to whoever runs your IT is a plain one: do we have anything still using RC4, and has it been moved over to AES? The answer sits in the Windows logs, which can show where RC4 is still being requested. Anything that shows up gets updated to use AES and tested before the July update goes on. If you pay for managed IT support, this is the kind of change they should be handling for you ahead of time, not explaining after something has fallen over.

What this means for your business

Microsoft is right to retire RC4; it has been weak for a long time. The catch is that a security tidy-up like this can knock over an old integration nobody remembers setting up. We check the systems we look after for these dependencies before the update lands, move service accounts and apps onto AES, and test them, so a background job does not fail quietly on a Monday. If you are not certain whether anything on your network still relies on RC4, that is worth pinning down before 14 July.

#WEARECOBALT

Ready when you are.

Tell us what's slowing your business down. We'll tell you exactly how we'd fix it — plainly, with no obligation.