Microsoft released Patch Tuesday updates for the month of April 2025 earlier today. On Windows 10, they were published under KB5055518, KB5055519, and KB5055521. On Windows 11, they were published under KB5055523 and KB5055528.
On the Windows 10 side, Microsoft has confirmed that there are no known issues for the latest supported version of Windows, which is a rarity. Meanwhile, over on the latest Windows 11 side, the tech giant states that it has fixed a Kerberos authentication bug.
The bug would not allow passwords to change correctly, leading to authentication failures as they are perceived as "stale, disabled, or deleted." In normal situations, these passwords are set to automatically rotate at an interval (30 days is the default).
Due to this issue, Machine accounts in Credential Guard were also disabled as the feature is dependent on Kerberos authentication working optimally. For those wondering, when using this feature, machine account credentials are moved from the registry to the Defender Credential Guard for safety.
Microsoft explains:
After installing Windows 11, version 24H2, devices using the Identity Update Manager certificate/Public Key Cryptography for Initial Authentication (PKNIT), might experience an issue with passwords not rotating correctly, causing authentication failures. This issue occurs particularly when Kerberos Authentication is used and the Credential Guard feature is enabled. Note that machine certification using PKINIT path is a niche use case, and this issue affects a small number of devices in enterprise environments.
With this issue, devices fail to change their password every 30 days as the default interval. Because of this failure, devices are perceived as stale, disabled, or deleted, leading to user authentication issues.
Devices running Windows Home edition are unlikely to be affected by this issue, as Kerberos authentication is typically used in enterprise environments and is not common in personal or home settings.
Note: The feature Machine Accounts in Credential Guard, which is dependent on password rotation via Kerberos, has been disabled until a permanent fix is made available.
The company says the issue has now been resolved:
This issue is resolved in the April 2025 Windows security update (KB5055523) and later updates. We recommend you install the latest update for your device as it contains important improvements and issue resolutions, including this one.
You can view the issue here on Microsoft's official Windows health dashboard website.
1 Comment - Add comment