What is a one sentence summary of your feature request?
The regkey controls Kerberos Encryption Type selection and Session Key Encryption Type and should be present with the correct value.
Please describe your idea in detail. What is your problem, why do you feel this idea is the best solution, etc.
This is relevant when looking at RC4 removal. See KB5021131: How to manage the Kerberos protocol changes related to CVE-2022-37966 - Microsoft Support
PingCastle should alert if key is missing or has bad values. Microsoft makes a clear recommendation in the KB article.
How do you currently solve the challenges you have by not having this feature?
Manual check or PS script
Thanks for the submission. This is a great idea 
We are introducing a new privileged mode option in version 3.4 for things where we can't get them an alternative way. I think this would be a good candidate for this to be more accurate, but I believe the below are our options.
Checking the Registry
Mode: Privileged.
Check each domain controller's remote registry, where accessible, to check if the key exists or if it is set to a non-AES256 option.
Checking Group Policy Preferences Registry Items
Mode: Unprivileged.
Use the current GPO scanning methodology to check GPP Registry Items to see if it is present and also assigned to the Domain Controllers OU.
Regarding the output this could definitely be in a couple of places:
- A new informative check dedicated to this
- New output within the RC4 → AES Migration section of the report.
What do you think?
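As an added example (not PingCastle code and not something either poster wrote), the following PowerShell script implements both options above: a privileged Registry mode that reads each domain controller's remote registry, and an unprivileged GPP mode that parses the Group Policy Preferences Registry.xml files in SYSVOL and reports whether a matching item lives in a GPO linked to the Domain Controllers OU. It assumes the value KB5021131 documents (HKLM\SYSTEM\CurrentControlSet\Services\KDC, DWORD DefaultDomainSupportedEncTypes) and the RSAT ActiveDirectory module. The function and parameter names are mine, and the Status classification (any DES or RC4 bit set is flagged as weak) is my own judgement rather than a restatement of the KB's recommended value.

```powershell
# Added example, not PingCastle code: audit the KDC encryption-type registry value
# that KB5021131 documents:
#   HKLM\SYSTEM\CurrentControlSet\Services\KDC  ->  DWORD DefaultDomainSupportedEncTypes
# Two modes, matching the two options discussed in the thread:
#   -Mode Registry : privileged; reads each DC's remote registry (needs the Remote Registry
#                    service reachable and rights to read HKLM on every DC)
#   -Mode GPP      : unprivileged; scans SYSVOL Group Policy Preferences Registry.xml files
#                    and reports whether a matching item sits in a GPO linked to the
#                    Domain Controllers OU
# Assumptions: RSAT ActiveDirectory module present; function/parameter names are mine.
[CmdletBinding()]
param(
    [ValidateSet('Registry', 'GPP')] [string]$Mode = 'Registry',
    [string]$Domain = $env:USERDNSDOMAIN
)
Import-Module ActiveDirectory -ErrorAction Stop

$KdcKeyPath = 'SYSTEM\CurrentControlSet\Services\KDC'
$ValueName  = 'DefaultDomainSupportedEncTypes'

# Bit layout of the value (same mask as msDS-SupportedEncryptionTypes, MS-KILE 2.2.7).
$EncTypeBits = [ordered]@{
    0x01 = 'DES-CBC-CRC'
    0x02 = 'DES-CBC-MD5'
    0x04 = 'RC4-HMAC'
    0x08 = 'AES128-CTS-HMAC-SHA1-96'
    0x10 = 'AES256-CTS-HMAC-SHA1-96'
    0x20 = 'AES256-SK'   # "future encryption types" / AES session-key bit
}
$WeakMask = 0x07   # any DES or RC4 bit
$AesMask  = 0x18   # AES128 or AES256

function Test-KdcEncTypeValue {
    # Classify a raw value: Missing, WeakTypesEnabled (DES/RC4 bit set), AesOnly, or NoAes.
    param([AllowNull()] $Value)
    if ($null -eq $Value) { return [pscustomobject]@{ Status = 'Missing'; Value = $null; Types = @() } }
    $v = [int]$Value
    $names = @(foreach ($bit in $EncTypeBits.Keys) { if ($v -band $bit) { $EncTypeBits[$bit] } })
    $status = if ($v -band $WeakMask) { 'WeakTypesEnabled' } elseif ($v -band $AesMask) { 'AesOnly' } else { 'NoAes' }
    [pscustomobject]@{ Status = $status; Value = ('0x{0:X}' -f $v); Types = $names }
}

function Get-KdcEncTypeFromRegistry {
    # Privileged mode: open each DC's HKLM over Remote Registry and read the value.
    foreach ($dc in Get-ADDomainController -Filter * -Server $Domain) {
        $base = $null
        try {
            $base = [Microsoft.Win32.RegistryKey]::OpenRemoteBaseKey('LocalMachine', $dc.HostName)
            $key  = $base.OpenSubKey($KdcKeyPath)
            $raw  = if ($key) { $key.GetValue($ValueName, $null) } else { $null }   # key or value absent -> $null
            $r = Test-KdcEncTypeValue $raw
            [pscustomobject]@{ DC = $dc.HostName; Source = 'RemoteRegistry'; Status = $r.Status; Value = $r.Value; Types = ($r.Types -join ',') }
        } catch {
            [pscustomobject]@{ DC = $dc.HostName; Source = 'RemoteRegistry'; Status = "Unreachable: $($_.Exception.Message)"; Value = $null; Types = $null }
        } finally {
            if ($base) { $base.Close() }
        }
    }
}

function Get-KdcEncTypeFromGpp {
    # Unprivileged mode: SYSVOL is readable by any domain user, so parse every
    # Machine\Preferences\Registry\Registry.xml and compare against the DC OU's gPLink.
    $dcOu = Get-ADObject -Identity (Get-ADDomain -Server $Domain).DomainControllersContainer -Properties gPLink -Server $Domain
    $linked = @([regex]::Matches([string]$dcOu.gPLink, '\{[0-9A-Fa-f-]+\}') | ForEach-Object { $_.Value.ToUpperInvariant() })
    $policyRoot = "\\$Domain\SYSVOL\$Domain\Policies"
    $found = $false
    foreach ($file in Get-ChildItem -Path $policyRoot -Recurse -Filter 'Registry.xml' -ErrorAction SilentlyContinue) {
        if ($file.FullName -notmatch '\\Machine\\Preferences\\Registry\\Registry\.xml$') { continue }   # computer-side items only
        $gpoGuid = [regex]::Match($file.FullName, '\{[0-9A-Fa-f-]+\}').Value.ToUpperInvariant()
        [xml]$doc = Get-Content -LiteralPath $file.FullName -Raw
        foreach ($item in $doc.SelectNodes('//Registry/Properties')) {
            if ($item.GetAttribute('hive') -ne 'HKEY_LOCAL_MACHINE' -or
                $item.GetAttribute('key')  -ne $KdcKeyPath -or
                $item.GetAttribute('name') -ne $ValueName) { continue }
            $found = $true
            # GPP writes REG_DWORD data as an 8-digit hex string, e.g. value="00000018".
            $raw = if ($item.GetAttribute('type') -eq 'REG_DWORD') { [Convert]::ToInt32($item.GetAttribute('value'), 16) } else { $null }
            $r = Test-KdcEncTypeValue $raw
            [pscustomobject]@{ DC = '(GPP)'; Source = "GPO $gpoGuid"; LinkedToDCsOU = ($linked -contains $gpoGuid); Action = $item.GetAttribute('action'); Status = $r.Status; Value = $r.Value; Types = ($r.Types -join ',') }
        }
    }
    if (-not $found) { [pscustomobject]@{ DC = '(GPP)'; Source = 'GPO'; LinkedToDCsOU = $false; Action = $null; Status = 'Missing'; Value = $null; Types = $null } }
}

switch ($Mode) {
    'Registry' { Get-KdcEncTypeFromRegistry | Format-Table -AutoSize }
    'GPP'      { Get-KdcEncTypeFromGpp      | Format-Table -AutoSize }
}
```

Run `.\Check-KdcEncTypes.ps1 -Mode GPP` from any domain account; `-Mode Registry` needs local admin on the DCs and the Remote Registry service running there. In GPP mode a hit only matters when LinkedToDCsOU is true and the item's Action is not a delete (D), and the two modes can legitimately disagree: a GPP item that is linked but has not yet applied, or a value set by hand on one DC, shows up in only one of them, which is the reason for running both.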
Sounds good! Regarding the output: it should definitely be in the RC4 → AES Migration section.