GRC Viewpoint

Windows Hello for Business Faces New Issue After Security Update

A recent Windows security update has led to login failures for some Windows Hello for Business (WHfB) users, Microsoft has confirmed. The patch, part of the April 2025 update (KB5055523), was intended to resolve a critical Kerberos vulnerability (CVE-2025-26647) but has instead disrupted authentication processes.

The vulnerability fix targeted an inconsistency in how Windows stored Kerberos certificates. It aimed to ensure only trusted certificates in the NTAuth store were used for authentication, blocking those from the root store. However, this change has caused problems for Active Directory Domain Controllers (DCs) that rely on certificate-based credentials, including WHfB and Machine PKINIT setups.

Users have reported login failures, particularly in environments using smart cards, third-party single sign-on (SSO) solutions, and identity management systems. Microsoft confirmed that the bug affects all Windows Server versions from 2016 onwards.

Microsoft’s advisory notes that the problem is triggered when the registry key AllowNtAuthPolicyBypass is set to ‘2’. As a temporary fix, the company recommends resetting this value to ‘1’. “We are actively working on a solution and will provide an update as soon as possible,” Microsoft said.
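One way to check a domain controller for the setting described above and apply the temporary value, as an added example that is not code from Microsoft or from this article. The function name and the `-KeyPath` parameter are hypothetical; the article does not say where the value lives in the registry, so the key path must be taken from Microsoft's advisory.

```powershell
# Added example: audit (and optionally reset) AllowNtAuthPolicyBypass on the local DC.
# Assumption: the caller supplies the registry key path from Microsoft's advisory;
# the article names only the value, not its location.
function Test-NtAuthPolicyBypass {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)]
        [string]$KeyPath,          # placeholder input: key that holds the value
        [switch]$ApplyWorkaround   # change 2 -> 1, the temporary fix in the advisory
    )

    $name  = 'AllowNtAuthPolicyBypass'
    $item  = Get-ItemProperty -Path $KeyPath -Name $name -ErrorAction SilentlyContinue
    $value = if ($null -ne $item) { $item.$name } else { $null }

    # Classify using only what the article states: 2 triggers the failures,
    # 1 is the recommended temporary value. Anything else is reported as-is.
    $state = if ($null -eq $value)  { 'NotSet' }
             elseif ($value -eq 2)  { 'Affected' }
             elseif ($value -eq 1)  { 'Workaround' }
             else                   { 'Other' }

    # Only touch the registry when asked, only when the value is 2,
    # and honour -WhatIf / -Confirm so the change can be previewed first.
    if ($ApplyWorkaround -and $state -eq 'Affected' -and
        $PSCmdlet.ShouldProcess("$KeyPath\$name", 'Set value to 1')) {
        Set-ItemProperty -Path $KeyPath -Name $name -Value 1 -Type DWord
        $value = 1
        $state = 'Workaround'
    }

    # Emit an object so results from several DCs can be collected and compared.
    [pscustomobject]@{
        Computer = $env:COMPUTERNAME
        Value    = $value
        State    = $state
    }
}

# Preview the change without writing anything (replace the placeholder first):
# Test-NtAuthPolicyBypass -KeyPath '<key path from Microsoft advisory>' -ApplyWorkaround -WhatIf
```

Record which domain controllers were changed so the value can be set back once Microsoft ships the final fix.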

The situation highlights the challenges of maintaining secure, reliable authentication in complex IT environments. Windows admins are familiar with the occasional disruptions caused by security patches. While patching is essential to secure systems, the diversity of Windows environments makes comprehensive testing difficult.

This incident also emphasizes the trade-off between security and stability. As Microsoft continues to patch vulnerabilities in critical systems, ensuring that fixes do not create new problems remains a persistent challenge. Organizations using Windows Server and WHfB should monitor Microsoft’s updates and prepare for potential troubleshooting until a final solution is released.
