By Jordan Polasek · July 14, 2026

There is a strange twist in security work: sometimes the update that protects you is also the one that can knock your own people offline. The Windows update shipping today is exactly that kind — and unlike most, it comes with no undo button.

### ⚡ The 60-Second Version
- What: Today's July 2026 Windows update completes a two-year project to kill off RC4, an old, weak way of scrambling logins inside a Windows network. As of this update, the safety switch that let administrators roll the change back is gone for good. Any account or app still relying on RC4 will simply stop being able to log in. Microsoft tracks the underlying weakness as CVE-2026-20833.
- Fix: Before (or right as) the July update lands, confirm every service account, application, and non-Windows device on your network can authenticate without RC4. Also install today's broader Patch Tuesday — 127 vulnerabilities in all.
- By when: Now. The enforcement change takes effect with the July 14, 2026 update, and there is no phased rollback after it installs.

What actually changes today

Let me translate the jargon, because the pieces matter.

When someone on your team logs into a Windows network — opens a shared drive, prints, gets their email from an on-site server — a system called Kerberos quietly checks their identity in the background. To do that, it scrambles the login "tickets" so they can't be stolen off the wire. For years, Windows would fall back to an old, breakable scrambling method called RC4 if a newer one wasn't available. Attackers love RC4, because a weak scramble is a crackable scramble.

Microsoft has spent 2026 phasing RC4 out on Windows domain controllers (the servers that hold the keys to your network):

In plain terms: the training wheels come off today, permanently.

Why this one is different — there is no rollback

Most Windows updates can be paused, uninstalled, or rolled back if something breaks. This one is designed not to be. The registry setting that let administrators say "not yet, keep the old behavior" (Microsoft's RC4DefaultDisablementPhase) is no longer read after today's update installs. There is no domain-wide off switch left.

That's good security — RC4 genuinely needed to die. But it means the risk here isn't a hacker; it's a self-inflicted outage. If a service account still holds only an RC4 key, or an older line-of-business app or a non-Windows device (a Linux box, an appliance, a copier joined to the domain) still insists on RC4, its logins will start failing the moment this update takes hold. No error a normal user understands — just "access denied," a service that won't start, or an app that can't reach the server.

The businesses that get hurt this week are not the ones under attack. They're the ones that never checked what was quietly still using RC4.

And, yes, it is Patch Tuesday too

Today is also Microsoft's monthly patch day, and it carries 127 vulnerabilities across Windows and Office. That's calmer than June's record-breaking 206, but still well above the pre-2026 norm. Several are the serious kind — flaws that let an attacker run code on a machine over the network. This also lands days after Microsoft shipped an emergency, out-of-band fix for a Defender privilege-escalation flaw (the "RoguePlanet" bug I wrote about last week), so the whole month has been busy.

The takeaway is simple: today's update isn't optional on two counts. It closes real holes attackers are already probing, and it flips the RC4 switch. You want both — you just don't want the second one to surprise you.

What this means for your business

If your business runs an on-site Windows server or Active Directory (many do, even alongside Microsoft 365), here's the prioritized list for this week:

1. Don't skip today's update — but don't let it ambush you either. Test it on one machine or one domain controller first, confirm logins and services still work, then roll it out. On a healthy network that did its homework, this is a non-event.

2. Hunt for RC4 before it hunts you. The January and April updates left logs showing exactly which accounts still used RC4. Service accounts (the invisible logins that run backups, databases, and apps) are the usual culprits. Fix or re-key them so they use the modern method.

3. Check the odd devices. Copiers, NAS boxes, Linux servers, and old appliances joined to your domain are the classic stragglers. If it authenticates to Windows, it's in scope.

4. Patch everything else while you're in there. With 127 fixes out today, don't cherry-pick — apply the full set on a normal cadence.

5. If you're not sure whether any of this applies to you, ask before Friday. "We think we're fine" is not the same as "we checked the logs."

None of this is exotic. It's the un-glamorous, know-your-own-network work that separates a quiet week from a Monday morning where half the office can't log in.

How BVTech helps

For our managed clients, this is already handled — we've been reading the RC4 audit logs since January, re-keyed the service accounts that needed it, and today's update rolls out on a tested schedule, not a hope. The whole point of managed IT is that a deadline like this passes without you ever hearing about it.

If you run your own Windows network — or you're honestly not sure who's watching this for you — I'd rather you find out now than after the update locks someone out. Book a quick call and we'll check your exposure, or take a look at our managed IT and cybersecurity services. A ten-minute look at your logs this week is a lot cheaper than an outage.

— Jordan Polasek · Founder, BVTech LLC