Product:
Microsoft Defender for Identity
Area:
Security posture assessment / Recommendation
Recommendation:
Stop weak cipher usage
Issue type:
Product bug / detection logic issue
Description:
The Defender for Identity recommendation "Stop weak cipher usage" does not detect affected entities when the Kerberos EncryptionType value appears as "rc4hmac" instead of "Rc4Hmac".
According to Microsoft Support, the current detection logic only matches the exact value "Rc4Hmac". If the same weak encryption type appears in lowercase as "rc4hmac", the entity is not detected by the recommendation.
Expected behavior:
The recommendation should detect weak RC4 Kerberos encryption usage independently of letter casing, for example:
Actual behavior:
The entity is only detected when EncryptionType exactly matches "Rc4Hmac". If the same weak encryption type appears as "rc4hmac", the affected entity is missed.
Impact:
This can cause incomplete exposure visibility and incomplete remediation tracking for weak Kerberos cipher usage. Affected entities may not appear in the Defender for Identity recommendation even though RC4 is still being used.
Suggested fix:
Normalize the EncryptionType value before evaluation, for example by applying case-insensitive comparison or converting the value to lowercase before matching.
Additional context:
Microsoft Support confirmed that this behaviour is caused by exact value matching of EncryptionType. They stated that this needs to be handled as a product bug / feature change rather than a standard support ticket.
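The sketch below is an added example, not Defender for Identity's own logic or anything supplied by Microsoft Support. It runs the exact-match behaviour described in this report next to the suggested normalized comparison and lists the entities the exact match misses. The field names `AccountName` and `EncryptionType`, the account names and the event records are constructed for illustration, and the example goes slightly beyond the report by also covering upper-case and padded values.

```python
# Added example: constructed events and assumed field names, not product code.
WEAK_ETYPES = {"rc4hmac"}  # weak encryption types, stored already normalized


def normalize(value):
    """Trim and case-fold so 'Rc4Hmac', 'rc4hmac' and ' RC4HMAC ' compare equal."""
    return value.strip().casefold() if isinstance(value, str) else ""


def flagged_exact(events):
    """Behaviour described in the report: only the literal 'Rc4Hmac' matches."""
    return {e["AccountName"] for e in events
            if e.get("EncryptionType") == "Rc4Hmac"}


def flagged_normalized(events):
    """Suggested fix: normalize the value before comparing."""
    return {e["AccountName"] for e in events
            if normalize(e.get("EncryptionType")) in WEAK_ETYPES}


def coverage_gap(events):
    """Entities using RC4 that the exact-match logic does not report."""
    return flagged_normalized(events) - flagged_exact(events)


# Constructed sample records (hypothetical accounts).
SAMPLE_EVENTS = [
    {"AccountName": "svc-sql", "EncryptionType": "Rc4Hmac"},
    {"AccountName": "svc-backup", "EncryptionType": "rc4hmac"},
    {"AccountName": "svc-legacy", "EncryptionType": " RC4HMAC "},
    {"AccountName": "svc-web", "EncryptionType": "Aes256CtsHmacSha196"},
    {"AccountName": "svc-empty", "EncryptionType": None},
]

if __name__ == "__main__":
    print("exact match     :", sorted(flagged_exact(SAMPLE_EVENTS)))
    print("normalized match:", sorted(flagged_normalized(SAMPLE_EVENTS)))
    print("missed entities :", sorted(coverage_gap(SAMPLE_EVENTS)))
```

Running the same comparison over exported sign-in data is a quick way to size the blind spot until the recommendation itself is fixed.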