Microsoft Resolves Windows Server 2025 Restart Bug Disrupting Active Directory Connectivity

Microsoft has taken significant steps to rectify a series of critical issues impacting Windows Server 2025 domain controllers, as highlighted in its June 2025 Patch Tuesday updates. These updates have effectively addressed authentication failures and network connectivity problems that have troubled administrators since April.

The fix ships in update KB5060842, which resolves the problems that had caused substantial operational disruption in enterprise environments.

Kerberos Authentication Problems Traced

The authentication challenges originated from security update KB5055523, which was rolled out in April 2025 to mitigate the CVE-2025-26647 vulnerability. This particular update altered the method by which domain controllers validate certificates used for Kerberos authentication, necessitating that certificates chain to an issuing certificate authority (CA) in the NTAuth store.

This change had a pronounced effect on Windows Hello for Business (WHfB) Key Trust deployments and Device Public Key Authentication (Machine PKINIT), producing two distinct symptoms depending on registry configuration. When the AllowNtAuthPolicyBypass registry value was either unconfigured or set to “1”, domain controllers repeatedly logged Kerberos-Key-Distribution-Center event ID 451. When it was set to “2”, self-signed certificate-based authentication failed outright and event ID 211 was logged.

The June updates have rectified the erroneous logging behavior that was causing these events for self-signed certificates that do not legitimately chain to a CA in the NTAuth store. This fix is part of KB5060842 for Windows Server 2025, along with corresponding updates for earlier server versions.
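The following PowerShell script is an added example, not code from the article or from Microsoft. It audits a domain controller for the two symptoms described above: it reads the AllowNtAuthPolicyBypass value, counts recent event IDs 451 and 211 from the KDC, and reports whether the DC is in the configuration the article warns about. It assumes the value lives under HKLM:\SYSTEM\CurrentControlSet\Services\Kdc and that the KDC events are written to the System log by the provider Microsoft-Windows-Kerberos-Key-Distribution-Center; both are assumptions, not details taken from the article.

```powershell
# Added example (not from the article or Microsoft): audit a DC for the
# Kerberos certificate-validation symptoms caused by the April 2025 change.
# Assumption: the registry value sits under the Kdc service key.
$kdcKey    = 'HKLM:\SYSTEM\CurrentControlSet\Services\Kdc'
$valueName = 'AllowNtAuthPolicyBypass'

$item   = Get-ItemProperty -Path $kdcKey -Name $valueName -ErrorAction SilentlyContinue
$bypass = if ($item) { $item.$valueName } else { $null }

# Map the value to the behaviour the article describes.
if ($null -eq $bypass -or $bypass -eq 1) {
    $mode = "$(if ($null -eq $bypass) { 'not configured' } else { '1' }) (self-signed certs still work; event 451 logged repeatedly)"
} elseif ($bypass -eq 2) {
    $mode = '2 (self-signed certificate authentication FAILS; event 211 logged)'
    Write-Warning 'Value 2 is not recommended on DCs handling self-signed certificate auth until the June 2025 update is installed.'
} else {
    $mode = "unexpected value $bypass"
}
Write-Host "AllowNtAuthPolicyBypass = $mode"

# Count the two KDC event IDs from the last 24 hours.
# Assumption: the provider name and System log are correct for these events.
$since  = (Get-Date).AddDays(-1)
$filter = @{
    LogName      = 'System'
    ProviderName = 'Microsoft-Windows-Kerberos-Key-Distribution-Center'
    Id           = 451, 211
    StartTime    = $since
}
$events = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue

if (-not $events) {
    Write-Host "No KDC event 451/211 entries since $since"
} else {
    $events | Group-Object Id | ForEach-Object {
        'Event {0}: {1} occurrences since {2}' -f $_.Name, $_.Count, $since
    }
}
```

Run it in an elevated session on each domain controller; a count of event 451 together with a value of 1 or an unset value matches the benign-but-noisy case, while any event 211 entries with a value of 2 indicate real authentication failures.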

Network Traffic Management Failures

In addition to authentication issues, a separate critical problem affected the ability of Windows Server 2025 domain controllers to manage network traffic appropriately following system restarts. This issue arose when domain controllers failed to apply domain firewall profiles, reverting instead to standard firewall profiles.

This misconfiguration rendered domain controllers unreachable on domain networks or allowed incorrect access over ports and protocols that should have been restricted by the correct firewall profiles. Consequently, applications and services operating on the affected domain controllers or remote devices encountered failures or became inaccessible.

As a temporary measure, Microsoft advised administrators to manually restart network adapters using the PowerShell command:

    Restart-NetAdapter *

However, this workaround had to be repeated after each reboot until the permanent fix was implemented.
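The script below is an added example rather than Microsoft's published workaround. It checks whether any network interface on the domain controller is sitting on a profile other than DomainAuthenticated (the symptom of the firewall-profile bug) and only then applies the adapter restart the article quotes, re-checking afterwards. The cmdlets Get-NetConnectionProfile and Restart-NetAdapter are standard NetConnection/NetAdapter module cmdlets; the 15-second settle time is an arbitrary choice.

```powershell
# Added example (not Microsoft's code): detect a DC that came up on the wrong
# network profile after a restart and apply the interim adapter-restart workaround.
$profiles  = Get-NetConnectionProfile
$notDomain = $profiles | Where-Object { $_.NetworkCategory -ne 'DomainAuthenticated' }

if (-not $notDomain) {
    Write-Host 'All interfaces are DomainAuthenticated; the domain firewall profile is in effect.'
    return
}

foreach ($p in $notDomain) {
    Write-Warning ("Interface '{0}' is on the {1} profile instead of DomainAuthenticated" -f
        $p.InterfaceAlias, $p.NetworkCategory)
}

# Interim workaround from the article: restart the adapters so Network Location
# Awareness re-evaluates the network and the domain profile is applied.
Restart-NetAdapter -Name '*' -Confirm:$false
Start-Sleep -Seconds 15   # arbitrary settle time (assumption)

# Verify the result.
$after = Get-NetConnectionProfile | Select-Object InterfaceAlias, NetworkCategory
$after | Format-Table -AutoSize

$stillWrong = $after | Where-Object { $_.NetworkCategory -ne 'DomainAuthenticated' }
if ($stillWrong) {
    Write-Warning 'One or more interfaces are still not DomainAuthenticated; investigate before relying on this DC.'
} else {
    Write-Host 'Domain profile restored on all interfaces.'
}
```

Because the article notes the workaround had to be repeated after every reboot, a practical use is to register this script as a startup scheduled task on affected domain controllers and remove it once the June update is confirmed installed.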

Comprehensive Resolution

The June 2025 Patch Tuesday delivered a comprehensive suite of fixes addressing both authentication and network management issues. Microsoft released coordinated updates across multiple Windows Server versions to ensure a consistent resolution:

    Windows Version        Update KB    Status
    Windows Server 2025    KB5060842    Resolved
    Windows Server 2022    KB5060526    Resolved
    Windows Server 2019    KB5060531    Resolved
    Windows Server 2016    KB5061010    Resolved
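As an added example (not from the article), the script below turns the table above into a check: it identifies the server's version from the OS caption, looks up the matching June 2025 KB, and reports whether that update is installed. The caption substrings are assumed to contain the product name as shown in the table; Get-HotFix reads installed updates from Win32_QuickFixEngineering.

```powershell
# Added example (not from the article): confirm the June 2025 fixing update
# for this server's version is installed, using the KB mapping from the table.
$fixByVersion = @{
    'Windows Server 2025' = 'KB5060842'
    'Windows Server 2022' = 'KB5060526'
    'Windows Server 2019' = 'KB5060531'
    'Windows Server 2016' = 'KB5061010'
}

$caption = (Get-CimInstance -ClassName Win32_OperatingSystem).Caption
$match   = $fixByVersion.Keys | Where-Object { $caption -like "*$_*" } | Select-Object -First 1

if (-not $match) {
    Write-Warning "OS caption '$caption' does not match any version in the table."
    return
}

$kb        = $fixByVersion[$match]
$installed = Get-HotFix -Id $kb -ErrorAction SilentlyContinue

if ($installed) {
    '{0}: {1} installed on {2}' -f $match, $kb, $installed.InstalledOn
} else {
    Write-Warning "$match: $kb is NOT installed; the Kerberos and firewall-profile fixes are not in place."
}
```

Run it per domain controller, or wrap it in Invoke-Command against the list from Get-ADDomainController to sweep the whole forest.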

The June updates address a total of 66 vulnerabilities, including 10 rated Critical and one zero-day that is being actively exploited. Microsoft strongly recommends installing these updates immediately, noting that they contain “important improvements and issue resolutions.”

For organizations still running pre-June updates, Microsoft advises against setting the AllowNtAuthPolicyBypass registry value to ‘2’ on domain controllers that handle self-signed certificate-based authentication until the latest updates are applied. These fixes are important stability improvements for Windows Server 2025 environments, particularly those relying on modern authentication protocols and hybrid cloud capabilities.
