New Windows update breaks cloud Kerberos Trust - The Legend of Hanuman

Posted On April 23, 2025

Microsoft is constantly working on improving security in the Windows Server operating systems. However, sometimes it unintentionally breaks a feature. One such case is the following update: Protections for CVE-2025-26647 (Kerberos Authentication). The Windows security updates released in April contain protections for a vulnerability in Kerberos authentication. This issue occurs when a certificate authority is part of the Windows root store but not the NTAuth store and a Subject Key Identifier (SKI) is present in a privileged account. However, Intune uses self-signed certificates, which are not trusted by the Windows subsystem, resulting in clients failing to authenticate to on-premises file servers using Windows Hello for Business.


Impacted operating systems:

  • Windows Server 2008 
  • Windows Server 2008 R2 
  • Windows Server 2012 
  • Windows Server 2012 R2 
  • Windows Server 2016 
  • Windows 10 Pro Education, version 1607 
  • Windows Server 2019 
  • Windows Server, version 23H2 
  • Windows Server 2025

How to verify if you are impacted?

In Event Viewer on your domain controllers, open the System log and filter on Event ID 45. This will show you warnings and errors similar to the image below:


Workaround

Luckily there is a workaround for this issue. You can do the following two things until Microsoft comes up with a permanent fix:

  1. Instruct the user to (temporarily) log in with their username and password on their device.
  2. Add a registry key on the domain controllers that disables this security feature.

Registry key fix

The following registry key needs to be placed on all domain controllers to bypass the security implementation.

Registry subkey: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Kdc
Value: AllowNtAuthPolicyBypass
Data type: REG_DWORD
Value data: 0 (disables the change entirely)
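The check from the "How to verify" section and the registry workaround above, combined into one script. This is an added example and not code from the original post or from Microsoft; it assumes the ActiveDirectory RSAT module is installed and that PowerShell remoting to the domain controllers is allowed. Without -Apply it only reports, so you can see which domain controllers are logging Event ID 45 before changing anything.

```powershell
# Added example (not part of the original post).
# Reports Event ID 45 in the System log of every domain controller and,
# only when -Apply is given, sets AllowNtAuthPolicyBypass=0 as described above.
[CmdletBinding(SupportsShouldProcess)]
param(
    [int]$Hours = 24,   # how far back in the System log to search
    [switch]$Apply      # without this switch nothing is changed
)

Import-Module ActiveDirectory -ErrorAction Stop
$dcs = (Get-ADDomainController -Filter *).HostName

# Registry location and value from the post (HKLM:\ is the PowerShell drive form)
$regPath = 'HKLM:\SYSTEM\CurrentControlSet\Services\Kdc'
$regName = 'AllowNtAuthPolicyBypass'

foreach ($dc in $dcs) {
    # Step 1: count Event ID 45 entries in the System log of this DC
    $events = Get-WinEvent -ComputerName $dc -FilterHashtable @{
        LogName   = 'System'
        Id        = 45
        StartTime = (Get-Date).AddHours(-$Hours)
    } -ErrorAction SilentlyContinue

    # Step 2: read the current value of the workaround key (if any)
    $current = Invoke-Command -ComputerName $dc -ScriptBlock {
        (Get-ItemProperty -Path $using:regPath -Name $using:regName `
            -ErrorAction SilentlyContinue).$using:regName
    }
    $state = if ($null -eq $current) { 'not set' } else { $current }

    [pscustomobject]@{
        DomainController        = $dc
        EventId45Count          = @($events).Count
        AllowNtAuthPolicyBypass = $state
    }

    # Step 3: apply the workaround only on request; -WhatIf shows what would happen
    if ($Apply -and $PSCmdlet.ShouldProcess($dc, "Set $regName = 0")) {
        Invoke-Command -ComputerName $dc -ScriptBlock {
            New-ItemProperty -Path $using:regPath -Name $using:regName `
                -Value 0 -PropertyType DWord -Force | Out-Null
        }
    }
}
```

Run it again after the permanent fix arrives and remove the value so the protection is enforced again.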

More information from Microsoft:

KB5014754: Certificate-based authentication changes on Windows domain controllers – Microsoft Support

Protections for CVE-2025-26647 (Kerberos Authentication) – Microsoft Support
