Hey everyone,
I'm having some serious issues after applying the April 2025 patches related to CVE-2025-26647. The update introduced a new registry key: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Kdc - AllowNtAuthPolicyBypass. When I set it to 2 for testing, I started running into multiple problems.
For instance, I received an error that said: "The domain controller rejected the client certificate of user CN='CN=SRV008' for smart card logon. A certification chain processed correctly, but one of the CA certificates is not trusted by the policy provider." Other messages included failures with Group Policy authentication and issues with smartcard logons due to certificates not being validated properly.
One major issue was that 802.1X Wi-Fi connections failed completely. Reverting the setting back to 1 resolved the problems, but I suspect this might be a bug in the patch, since the CA certificate is actually trusted across the board in our environment.
Has anyone else experienced similar issues with this patch?
2 Answers
To avoid problems, you should set that registry value to 1 for auditing and bypass purposes. Setting it to 2 enforces the change and that's where the issues arise. I’d recommend checking Microsoft's guidance on this for clarity.
Yes, I've seen enforcement completely broken after this patch. Microsoft is reportedly working on a fix. Key Trust authentication fails when you enable enforcement. Definitely something to keep an eye on.
I did revert to 1, but thanks for the reminder! I wanted to bypass it until Microsoft sorts things out.
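For anyone landing here while triaging the same patch: the snippet below is an added example, not posted by the original poster or either answerer, and it is not Microsoft's own script. It assumes the value semantics from Microsoft's published guidance for CVE-2025-26647 (0 = NTAuth check disabled, 1 = audit, 2 = enforce), that audit mode logs Event ID 45 from the Microsoft-Windows-Kerberos-Key-Distribution-Center provider into the System log on the DC, and that `certutil -enterprise -store NTAuth` dumps the DC's local copy of the forest NTAuth store. The helper function names are mine. Run it elevated on a domain controller. The point of staying on 1 before flipping to 2 is that audit mode tells you exactly which client certificates (and therefore which issuing CA chains) the KDC would reject, so you can publish the missing CA to NTAuth before enforcement, rather than discovering it through failed smart card, 802.1X or Key Trust logons.

```powershell
# Added example (not from the original thread). Inspect, set and audit the
# AllowNtAuthPolicyBypass value introduced by the CVE-2025-26647 updates.
# Assumes Microsoft's documented semantics: 0 = check disabled, 1 = audit, 2 = enforce.

$KdcKey    = 'HKLM:\SYSTEM\CurrentControlSet\Services\Kdc'
$ValueName = 'AllowNtAuthPolicyBypass'

function Get-NtAuthBypassMode {
    # Returns the DWORD value, or $null if the value has not been created
    # (the KDC then uses the built-in default for the current patch phase).
    $item = Get-ItemProperty -Path $KdcKey -Name $ValueName -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return [int]$item.$ValueName
}

function Set-NtAuthBypassMode {
    # Only the three documented values are accepted; anything else is rejected up front.
    param([Parameter(Mandatory)][ValidateSet(0, 1, 2)][int]$Mode)
    New-ItemProperty -Path $KdcKey -Name $ValueName -PropertyType DWord -Value $Mode -Force | Out-Null
    return (Get-NtAuthBypassMode)
}

function Get-NtAuthAuditEvents {
    # Audit mode (1) writes Event 45 for each valid client certificate that does
    # not chain to a CA present in NTAuth. These are the logons that mode 2 would reject.
    param([int]$Days = 7)
    Get-WinEvent -FilterHashtable @{
        LogName      = 'System'
        ProviderName = 'Microsoft-Windows-Kerberos-Key-Distribution-Center'
        Id           = 45
        StartTime    = (Get-Date).AddDays(-$Days)
    } -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, Message
}

# 1. Report where the DC currently is.
$mode  = Get-NtAuthBypassMode
$label = switch ($mode) { 0 { 'check disabled' } 1 { 'audit' } 2 { 'enforce' } default { 'not set (built-in default)' } }
"Current $ValueName = $mode ($label)"

# 2. Make sure we are auditing, not enforcing, while the NTAuth gaps are being found.
if ($mode -ne 1) {
    $mode = Set-NtAuthBypassMode -Mode 1
    "Set $ValueName to $mode (audit)"
}

# 3. List what audit mode has already flagged. An empty result over a realistic
#    window (covering smart card, 802.1X and Key Trust users) is the signal that
#    moving to 2 is safe; any hits name the certificates that still need a CA published.
$audit = @(Get-NtAuthAuditEvents -Days 7)
"Event 45 audit hits in the last 7 days: $($audit.Count)"
$audit | Format-List

# 4. Show the CA certificates the KDC will actually accept, for comparison with the
#    issuer chain of the certificates flagged above.
certutil -enterprise -store NTAuth
```

If step 3 flags certificates whose issuing chain is missing from the step 4 output, Microsoft's guidance for this CVE is to publish the CA certificate to NTAuth (`certutil -dspublish -f <CA.cer> NTAuthCA`), wait for replication, and re-check the audit log before setting the value to 2. Worth planning for: the same guidance states that a later phase of the rollout changes the default from audit to enforce, so an environment that has only ever relied on the value being 1 will eventually see the rejections described in this thread unless the NTAuth store is complete.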