
Microsoft Removes RC4 Encryption Following Security Breaches

Written by Eduardo Morales | Dec 22, 2025 7:38:22 PM

For years, one of Windows' most persistent weaknesses stayed enabled despite being tied directly to major cyberattacks that shaped the history of cybersecurity. We are talking about an obviously outdated cipher that, surprisingly, has survived in the operating system to this day, although its days are finally numbered.

What is truly remarkable is not that it is being removed, but that Microsoft took 25 years to do so, long after RC4 was judged insecure by the cryptographic community and even after a U.S. senator publicly criticized the company for continuing to allow its use.

Now the change is official. Microsoft has announced that it will retire RC4 from Windows Kerberos authentication. Starting in mid-2026, the Windows Kerberos Key Distribution Center will accept only AES by default, a far more modern and secure algorithm, as the company confirmed in a recent statement.

What is RC4?

RC4, short for Rivest Cipher 4, is a stream cipher designed by Ron Rivest of RSA Security in 1987. For years it was widely used for two simple reasons: it was fast and easy to implement. That is how it found its way into well-known protocols such as SSL/TLS for web traffic and WEP for Wi-Fi networks.

The problem is that what was once an advantage has become a liability. RC4 is considered insecure and thoroughly outdated, and not only when weak keys or sloppy implementations are involved: its key-scheduling algorithm leaks key material when keys are formed from a fixed secret plus a public prefix (the Fluhrer-Mantin-Shamir attack that broke WEP in 2001), and its keystream carries statistical biases that let an attacker who sees the same plaintext encrypted under many keys recover it (demonstrated against TLS and WPA-TKIP by AlFardan et al. in 2013). The IETF prohibited RC4 cipher suites in TLS in 2015 (RFC 7465); the cipher no longer meets any modern security standard.
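To make the keystream bias concrete, here is an added example (not code from the original article) that implements RC4 from its public description and measures the Mantin-Shamir second-byte bias: for an unbiased stream cipher the second keystream byte is zero with probability 1/256, for RC4 it is about 2/256. The second half shows why that matters in a broadcast setting, where the same plaintext (a cookie, say) is encrypted under many different keys: the most frequent ciphertext byte at position 2 is the plaintext byte itself. Keys are random 16-byte values from a seeded generator so the run is reproducible; the sample size and seed are my choices.

```python
"""Measure the Mantin-Shamir second-byte bias of RC4 and use it to recover
a plaintext byte from many encryptions under different keys.

Added example, not code from the original article. RC4 is implemented from
its public description (KSA followed by PRGA).
"""
import random
from collections import Counter


def rc4_keystream(key: bytes, length: int) -> bytes:
    """Return `length` keystream bytes for `key`."""
    S = list(range(256))
    j = 0
    for i in range(256):                      # key-scheduling algorithm (KSA)
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out = bytearray()
    i = j = 0
    for _ in range(length):                   # pseudo-random generation (PRGA)
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(S[(S[i] + S[j]) & 0xFF])
    return bytes(out)


def rc4_crypt(key: bytes, data: bytes) -> bytes:
    """Encrypt or decrypt (same operation) by XORing with the keystream."""
    return bytes(a ^ b for a, b in zip(data, rc4_keystream(key, len(data))))


def sample_second_bytes(num_keys: int = 20000, seed: int = 1234) -> list:
    """Second keystream byte Z_2 for `num_keys` random 16-byte keys.
    The seed is an assumption made here so the experiment is repeatable."""
    rng = random.Random(seed)
    return [rc4_keystream(bytes(rng.getrandbits(8) for _ in range(16)), 2)[1]
            for _ in range(num_keys)]


def zero_rate(second_bytes: list) -> float:
    """Fraction of samples with Z_2 == 0: about 2/256 for RC4, 1/256 if unbiased."""
    return second_bytes.count(0) / len(second_bytes)


def recover_second_byte(second_bytes: list, plaintext_byte: int) -> int:
    """Broadcast attack: the same plaintext byte at position 2, encrypted under
    every sampled key. Since Z_2 = 0 is the single most frequent keystream
    value, the most frequent ciphertext byte equals the plaintext byte."""
    ciphertext_bytes = [plaintext_byte ^ z for z in second_bytes]
    return Counter(ciphertext_bytes).most_common(1)[0][0]


if __name__ == "__main__":
    zs = sample_second_bytes()
    print(f"P(Z_2 = 0) = {zero_rate(zs):.5f}  (unbiased would be {1/256:.5f})")
    print("recovered byte:", chr(recover_second_byte(zs, ord("S"))))
```

Only the second byte is shown here because its bias is the largest and easiest to explain; the 2013 TLS attacks combined hundreds of smaller single-byte biases across the first 256 keystream bytes in the same way.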

In 2000, Microsoft shipped Active Directory, its directory service for authenticating users and managing access in enterprise networks. And here the real problem began: in Kerberos, the protocol at the core of Active Directory authentication, RC4-HMAC became the default encryption type, and it has remained enabled by default ever since.

Why RC4 Has Been a Problem for 25 Years

The first warning signs came early. RC4 was an RSA trade secret until its source code was leaked anonymously in 1994; within a year cryptographers had identified classes of weak keys, and in 2001 the Fluhrer-Mantin-Shamir key-recovery attack made WEP practically breakable.

Over the years, and because of its ubiquity in corporate networks, these weaknesses became a convenient entry point for attackers. The clearest example is Kerberoasting: any authenticated domain user can request a service ticket for an account that has a service principal name, and if that ticket is encrypted with RC4-HMAC its key is simply the account's NT hash (an unsalted MD4 of the password), which can be cracked offline at very high rates. AES tickets use keys derived with a salted, iterated PBKDF2 function and are far more expensive to attack. Cracked service-account passwords are then used to move laterally across the network.

The consequences have been very real. One of the most notable cases was the attack on Ascension, a large U.S. healthcare provider, which affected 140 hospitals and resulted in the exposure of the medical data of 5.6 million patients—information that ended up in the hands of cybercriminals.

The risk was judged so serious that in 2024 U.S. Senator Ron Wyden asked the Federal Trade Commission to investigate Microsoft for what he described as “gross security negligence” for continuing to allow RC4, going as far as calling it a threat to national security.
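The Kerberoasting pattern described above is visible in the Windows Security log: Event ID 4769 (“A Kerberos service ticket was requested”) records the requesting account, the service name and the ticket encryption type, and a user pulling RC4 (0x17) tickets for several user-style service accounts in a short window is the classic signature. The following is an added example, not code from the original article or from Microsoft's tooling; the events are constructed and flattened to one `Key=Value` line each, with field names mirroring the 4769 XML (`TargetUserName`, `ServiceName`, `TicketEncryptionType`, `IpAddress`), and the threshold of three distinct services is an assumption chosen for the sample.

```python
"""Hunt for Kerberoasting in Windows Security events 4769 that used RC4.

Added example, not code from the original article or from Microsoft.
Ticket Encryption Type 0x17 is RC4-HMAC; 0x11 and 0x12 are AES128 and
AES256-CTS-HMAC-SHA1-96.
"""
import re
from collections import Counter, defaultdict

RC4_HMAC = 0x17

# Constructed sample log: alice pulls RC4 tickets for several service
# accounts from one host (the Kerberoasting pattern); bob is benign noise.
SAMPLE_4769 = """\
EventID=4769 TargetUserName=alice@CORP.LOCAL ServiceName=svc_sql TicketEncryptionType=0x17 IpAddress=10.0.0.5
EventID=4769 TargetUserName=alice@CORP.LOCAL ServiceName=WS01$ TicketEncryptionType=0x12 IpAddress=10.0.0.5
EventID=4769 TargetUserName=alice@CORP.LOCAL ServiceName=krbtgt TicketEncryptionType=0x17 IpAddress=10.0.0.5
EventID=4769 TargetUserName=alice@CORP.LOCAL ServiceName=svc_backup TicketEncryptionType=0x17 IpAddress=10.0.0.5
EventID=4769 TargetUserName=alice@CORP.LOCAL ServiceName=svc_web TicketEncryptionType=0x17 IpAddress=10.0.0.5
EventID=4769 TargetUserName=bob@CORP.LOCAL ServiceName=svc_sql TicketEncryptionType=0x12 IpAddress=10.0.0.9
EventID=4769 TargetUserName=bob@CORP.LOCAL ServiceName=svc_legacy TicketEncryptionType=0x17 IpAddress=10.0.0.9
EventID=4768 TargetUserName=bob@CORP.LOCAL ServiceName=krbtgt TicketEncryptionType=0x12 IpAddress=10.0.0.9
"""

FIELD_RE = re.compile(r"(\w+)=(\S+)")


def parse_event(line: str) -> dict:
    """Turn one flattened 'Key=Value ...' event into a dict; hex etype -> int."""
    ev = dict(FIELD_RE.findall(line))
    if "TicketEncryptionType" in ev:
        ev["TicketEncryptionType"] = int(ev["TicketEncryptionType"], 16)
    return ev


def is_roastable_request(ev: dict) -> bool:
    """An RC4 service ticket for a user-style SPN account. The TGT service
    (krbtgt) and computer accounts (names ending in '$') are excluded:
    attackers skip them because machine passwords are long and random."""
    if ev.get("EventID") != "4769":
        return False
    if ev.get("TicketEncryptionType") != RC4_HMAC:
        return False
    svc = ev.get("ServiceName", "")
    return svc.lower() != "krbtgt" and not svc.endswith("$")


def etype_histogram(lines) -> Counter:
    """Count of each etype across 4769 events: a baseline for how much RC4 is left."""
    events = [parse_event(l) for l in lines if l.strip()]
    return Counter(ev["TicketEncryptionType"] for ev in events if ev.get("EventID") == "4769")


def find_kerberoasting(lines, min_services: int = 3) -> dict:
    """Group roastable requests by (requester, source IP) and flag pairs that
    touched at least `min_services` distinct service accounts."""
    seen = defaultdict(set)
    for line in lines:
        if not line.strip():
            continue
        ev = parse_event(line)
        if is_roastable_request(ev):
            seen[(ev["TargetUserName"], ev["IpAddress"])].add(ev["ServiceName"])
    return {key: sorted(services) for key, services in seen.items()
            if len(services) >= min_services}


if __name__ == "__main__":
    lines = SAMPLE_4769.splitlines()
    for (user, ip), services in find_kerberoasting(lines).items():
        print(f"possible Kerberoasting: {user} from {ip} -> {', '.join(services)}")
    print("etype histogram:", {hex(k): v for k, v in etype_histogram(lines).items()})
```

The histogram is the same measurement Microsoft describes when it says RC4 usage has become negligible: once the 0x17 share of 4769 events on your domain controllers is zero for a few weeks, disabling RC4 on the KDC should not break anything.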


Why Has It Been So Difficult to Eliminate RC4?


According to Microsoft, the problem was never RC4 alone but everything built around it over more than 20 years of Windows evolution. Steve Syfuhs, who leads the Windows Authentication team, explained that the cipher was deeply embedded in legacy compatibility rules that directly affect how systems interoperate.

Removing it abruptly was not an option. Doing it wrong could break complex enterprise environments—something unacceptable for organizations that rely on Active Directory every day. That’s why the process has been slow and almost “surgical.”

AES support in Windows Kerberos dates back to Windows Vista and Windows Server 2008, and over the past decade Microsoft has gradually changed defaults to prefer AES, so RC4 usage steadily declined until it became almost negligible. Only at that point did announcing its complete deprecation become feasible.

What Will Change Starting in 2026

The key change arrives in mid-2026. At that point Microsoft will update the default settings of the Kerberos Key Distribution Center (KDC) on Windows Server 2008 and later so that it issues tickets only with AES (AES-CTS-HMAC-SHA1-96, Kerberos encryption types 17 and 18), which is what the announcement's “AES-SHA1” refers to.

In practice, RC4 will be disabled by default and will only be usable if an administrator explicitly enables it—something Microsoft advises against except in very specific cases.

The company stresses that secure Windows authentication no longer needs RC4, since AES (AES-CTS-HMAC-SHA1-96) has been available in every supported version for more than a decade. To ease the transition, Microsoft has added new auditing tools, more detailed event logs, and PowerShell scripts that help find and remove remaining RC4 dependencies before the deadline. One caveat worth planning for: an account's AES keys are derived from its password at the moment the password is set, so a service account whose password has not changed since before the domain supported AES has no AES keys at all, and enabling AES on it without a password reset will simply make authentication fail.
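What the KDC change means for an individual account is decided by the account's msDS-SupportedEncryptionTypes attribute: the KDC can only issue a ticket with an etype that both it and the account allow. The following added example (not code from the original article or from Microsoft's scripts) decodes the documented bit values of that attribute and models the negotiation before and after the mid-2026 default. Two simplifications are assumptions made here: the KDC is modelled as picking the strongest etype in the intersection, and an unset or zero attribute is treated as the legacy “RC4 only” behaviour (a domain controller may instead apply a domain-wide default). The sample accounts are constructed.

```python
"""Decode msDS-SupportedEncryptionTypes and model the mid-2026 KDC default change.

Added example, not code from the original article or from Microsoft.
"""
from typing import Optional

# Documented bit values of the msDS-SupportedEncryptionTypes attribute.
ENC_TYPE_BITS = {
    0x01: "DES_CBC_CRC",
    0x02: "DES_CBC_MD5",
    0x04: "RC4_HMAC",
    0x08: "AES128_CTS_HMAC_SHA1_96",
    0x10: "AES256_CTS_HMAC_SHA1_96",
}
AES_ONLY = 0x18  # AES128 | AES256: the value to set on remediated accounts

# Strongest first. Assumption: the KDC picks the strongest etype both sides allow.
PREFERENCE = ["AES256_CTS_HMAC_SHA1_96", "AES128_CTS_HMAC_SHA1_96",
              "RC4_HMAC", "DES_CBC_MD5", "DES_CBC_CRC"]

# KDC-side defaults: RC4 is still offered today; after the change only AES is.
KDC_DEFAULT_TODAY = {"AES256_CTS_HMAC_SHA1_96", "AES128_CTS_HMAC_SHA1_96", "RC4_HMAC"}
KDC_DEFAULT_2026 = {"AES256_CTS_HMAC_SHA1_96", "AES128_CTS_HMAC_SHA1_96"}

# Constructed sample: account name -> attribute value as read from AD (None = unset).
SAMPLE_ACCOUNTS = {
    "svc_legacy": None,    # never set: legacy RC4-only behaviour
    "svc_sql": 0x04,       # explicitly RC4 only
    "svc_web": 0x1C,       # RC4 + AES128 + AES256
    "WS01$": 0x18,         # AES only (typical modern computer account)
    "svc_old_des": 0x03,   # DES only: already fails on a default KDC
}


def decode_enc_types(value: Optional[int]) -> set:
    """Etype names enabled by an attribute value. Assumption: unset or zero
    means the legacy RC4-only default."""
    if not value:
        return {"RC4_HMAC"}
    return {name for bit, name in ENC_TYPE_BITS.items() if value & bit}


def negotiate(value: Optional[int], kdc_allowed: set) -> Optional[str]:
    """Strongest etype allowed by both account and KDC, or None if no ticket
    can be issued at all."""
    common = decode_enc_types(value) & kdc_allowed
    return next((etype for etype in PREFERENCE if etype in common), None)


def audit_accounts(accounts: dict) -> list:
    """One row per account: what it negotiates today, what it will negotiate
    after the change, and the remediation."""
    rows = []
    for name, value in accounts.items():
        today = negotiate(value, KDC_DEFAULT_TODAY)
        after = negotiate(value, KDC_DEFAULT_2026)
        if after is None:
            # AES keys only exist if the password was set while AES was supported,
            # so the attribute change must be paired with a password reset.
            action = (f"set msDS-SupportedEncryptionTypes to {AES_ONLY:#x} and reset "
                      "the password so AES keys are generated")
        elif "RC4_HMAC" in decode_enc_types(value):
            action = "keeps working after the change; clear the RC4 bit anyway"
        else:
            action = "none"
        rows.append({"account": name, "value": value, "today": today,
                     "after_2026": after, "action": action})
    return rows


def accounts_needing_action(accounts: dict) -> list:
    """Names of accounts that will stop getting tickets once RC4 is off."""
    return sorted(r["account"] for r in audit_accounts(accounts) if r["after_2026"] is None)


if __name__ == "__main__":
    for row in audit_accounts(SAMPLE_ACCOUNTS):
        print(f"{row['account']:12} today={row['today']}  after={row['after_2026']}  -> {row['action']}")
```

Note that svc_web, which still lists RC4, is not at risk: the KDC already prefers AES256 for it today, which is why Microsoft can say RC4 usage is negligible even though the bit is set on many accounts. The accounts that break are the ones whose attribute is unset or RC4-only, and the fix is the attribute change plus a password reset, never the attribute change alone.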