RC4-ADAssessment

4.2.0

PowerShell toolkit for assessing DES and RC4 Kerberos encryption usage in Active Directory. Discovers RC4/DES dependencies across DC encryption, trusts, KRBTGT, service accounts, KDC registry, KDCSVC events, and Security event logs — with inline remediation commands and assessment comparison for tracking progress toward the July 2026 RC4 removal deadline.

Minimum PowerShell version

5.1

There is a newer prerelease version of this module available.
See the version list below for details.

Installation Options

Copy and Paste the following command to install this package using PowerShellGet More Info

Install-Module -Name RC4-ADAssessment -RequiredVersion 4.2.0

Copy and Paste the following command to install this package using Microsoft.PowerShell.PSResourceGet More Info

Install-PSResource -Name RC4-ADAssessment -Version 4.2.0

You can deploy this package directly to Azure Automation. Note that deploying packages with dependencies will deploy all the dependencies to Azure Automation. Learn More

Manually download the .nupkg file to your system's default download location. Note that the file won't be unpacked, and won't include any dependencies. Learn More

Owners

Copyright

(c) Jan Tiedemann. All rights reserved.

Package Details

Author(s)

  • Jan Tiedemann

Tags

ActiveDirectory Kerberos RC4 DES AES Encryption Security Assessment Remediation

Functions

Invoke-RC4Assessment Invoke-RC4AssessmentComparison Invoke-RC4ForestAssessment

Dependencies

This module has no dependencies.

Release Notes

## [4.2.0] - 2026-04-07

### Added

- Track `SessionKeyEncryptionType` alongside `TicketEncryptionType` in event log analysis,
 following Microsoft's `Get-KerbEncryptionUsage.ps1` pattern ([Kerberos-Crypto](https://github.com/microsoft/Kerberos-Crypto))
- New counters: `SessionKeyRC4`, `SessionKeyDES`, `SessionKeyAES`, `RC4SessionKeyAccounts`
- `RC4 SessKey` column in per-DC summary table and forest summary table
- `RC4 Session Keys` comparison line in `Invoke-RC4AssessmentComparison` (backward-compatible
 with older JSON exports)
- Detect old event format (pre-January 2025 cumulative update) and show informational message
 instead of misleading zeros
- 6 new unit tests for session key tracking (total: 486 tests)

### Changed

- GPO recommendation text now includes **Future encryption types** alongside AES128_HMAC_SHA1 and AES256_HMAC_SHA1, per CIS Benchmark 2.3.11.4
- `Get-EncryptionTypeString` recognises the `0x80000000` (Future encryption types) bit
- Updated guidance in `Get-GuidancePlainText` and `Show-ManualValidationGuidance` GPO Validation sections
- Updated DeepScan inline info message to reference Future encryption types

FileList

Version History

Version Downloads Last updated
4.4.0-previe... 2 4/7/2026
4.3.0 15 4/7/2026
4.3.0-previe... 1 4/7/2026
4.3.0-previe... 1 4/7/2026
4.3.0-previe... 1 4/7/2026
4.2.0 (current version) 10 4/7/2026
4.2.0-previe... 1 4/7/2026
4.2.0-previe... 3 4/7/2026
4.2.0-previe... 5 3/31/2026
4.2.0-previe... 2 3/31/2026
4.1.2 36 3/31/2026
4.1.1 7 3/30/2026
4.1.0-previe... 2 3/30/2026
4.1.0-previe... 2 3/30/2026
4.0.0 7 3/30/2026
4.0.0-previe... 2 3/30/2026
4.0.0-previe... 2 3/30/2026
Show less