Microsoft has fixed a known issue causing authentication problems when Credential Guard is enabled on systems using the Kerberos PKINIT pre-auth security protocol.

According to Redmond, these authentication issues impact both client (Windows 11, version 24H2) and server (Windows Server 2025) platforms, albeit only in some niche scenarios.

On affected systems, users experience problems because the passwords aren't rotating correctly when using the Identity Update Manager certificate/Pre-Bootstrapping Key Initialization (PKINIT) protocol.

However, because Kerberos Authentication is most commonly used on enterprise endpoints, home devices are likely not impacted by this known issue.

"With this issue, devices fail to change their password every 30 days as the default interval. Because of this failure, devices are perceived as stale, disabled, or deleted, leading to user authentication issues," Microsoft explained in a Windows release health dashboard update.

"Devices running Windows Home edition are unlikely to be affected by this issue, as Kerberos authentication is typically used in enterprise environments and is not common in personal or home settings."

Microsoft says the issue was fixed in April 2025 with Windows security updates for Windows 11 24H2 and Windows Server 2025. However, it also added that it disabled Machine Accounts in Credential Guard, a feature dependent on Kerberos password rotation, until a permanent fix is found.

"We recommend you install the latest update for your device as it contains important improvements and issue resolutions, including this one," the company said.

In November 2022, Redmond released emergency out-of-band (OOB) updates to fix another known issue triggering Kerberos sign-in failures and various other authentication problems on enterprise Windows domain controllers.

It also addressed authentication failures related to Kerberos delegation scenarios on Windows Server in November 2021 and similar Kerberos auth problems affecting domain-connected devices running Windows 2000 and later one year earlier.