check before: 2025-08-01
Product:
Windows, Windows Server
Platform:
Online, Windows Desktop, World tenant
Status:
Change type:
Admin impact
Links:
Details:
Administrative actions are undergoing hardening changes that might require operational change to support your organization's security posture. With the August 2025 Windows non-security update, devices were hardened against unauthorized attempts to bypass loopback detection. However, if you've cloned machines without Sysprep, you might see Kerberos and NTLM authentication failures. This is by design. The recommended solution is to rebuild affected devices using supported imaging methods. A temporary workaround is also available.
When will this happen:
September 2025 and later: Windows security updates include hardening changes that strengthen the trust boundary between identity, authentication, and User Account Control (UAC).
April 2026 and later: Windows security updates include a temporary workaround for machines cloned without Sysprep. This registry-based compatibility option isn't recommended. It reduces security protections introduced by recent updates.
End of 2027: The temporary workaround expires.
Change Category:
XXXXXXX ... free basic plan only
Scope:
XXXXXXX ... free basic plan only
Release Phase:
Created:
2026-04-10
updated:
2026-04-10
Task Type
XXXXXXX ... free basic plan only
Docu to Check
XXXXXXX ... free basic plan only
MS How does it affect me
XXXXXXX ... free basic plan only
MS Preperations
XXXXXXX ... free basic plan only
MS Urgency
XXXXXXX ... free basic plan only
MS workload name
XXXXXXX ... free basic plan only
summary for non-techies**
XXXXXXX ... free basic plan only
Direct effects for Operations**
Authentication Failures
Cloned machines without Sysprep may experience Kerberos and NTLM authentication failures, leading to access issues for users.
- roles: IT Administrators, End Users
- references: https://support.microsoft.com/topic/kerberos-and-ntlm-authentication-failures-due-to-duplicate-sids-76f7394d-c460-4882-9ed1-d27e0960f949, https://learn.microsoft.com/troubleshoot/windows-server/setup-upgrade-and-drivers/windows-installations-disk-duplication
Increased Downtime
Rebuilding devices from scratch due to duplicate SIDs will lead to increased downtime for affected users.
- roles: IT Administrators, End Users
- references: https://aka.ms/HardeningAdministrativeActions, https://support.microsoft.com/topic/strengthening-administrator-protection-and-kerberos-authentication-f67abf78-41c5-4a89-a2da-a7b2fe280270
Operational Disruption
Stopping automation for cloning without Sysprep may disrupt current operational workflows, affecting productivity.
- roles: IT Administrators, Operations Managers
- references: https://learn.microsoft.com/windows-hardware/manufacture/desktop/sysprep--generalize--a-windows-installation?view=windows-11, https://support.serviceshub.microsoft.com/supportforbusiness/manage
Security Risks
Using the temporary registry-based workaround reduces security protections, potentially exposing the organization to vulnerabilities.
- roles: IT Security Officers, Compliance Officers
- references: https://aka.ms/HardeningAdministrativeActions, https://support.microsoft.com/topic/strengthening-administrator-protection-and-kerberos-authentication-f67abf78-41c5-4a89-a2da-a7b2fe280270
User Experience Degradation
Users may experience degraded performance and access issues due to authentication failures and downtime during device rebuilds.
- roles: End Users, Help Desk Support
- references: https://support.microsoft.com/topic/kerberos-and-ntlm-authentication-failures-due-to-duplicate-sids-76f7394d-c460-4882-9ed1-d27e0960f949, https://learn.microsoft.com/troubleshoot/windows-server/setup-upgrade-and-drivers/windows-installations-disk-duplication
Configutation Options**
XXXXXXX ... paid membership only
Opportunities**
XXXXXXX ... free basic plan only
Potentional Risks**
XXXXXXX ... paid membership only
IT Security**
XXXXXXX ... paid membership only
explanation for non-techies**
XXXXXXX ... free basic plan only
** AI generated content. This information must be reviewed before use.
a free basic plan is required to see more details. Sign up here
A cloudsocut.one plan is required to see all the changed details. If you are already a customer, choose login.
If you are new to cloudscout.one please choose a plan.
