Windows Server 2025 Hit by Kerberos Auth & Network Glitches After Security Update Rollout

Microsoft confirms Windows Server 2025 is experiencing critical Kerberos authentication failures and domain controller network issues following the April 2025 security updates, impacting multiple server versions and requiring administrator attention for workarounds.

Microsoft’s newest server operating system, Windows Server 2025, is currently grappling with significant known issues, most notably a critical authentication flaw stemming from the April 8 security updates (including KB5055523). This flaw, which causes Kerberos logon failures, is directly linked to security measures implemented for the CVE-2025-26647 vulnerability. The issue impacts not only Windows Server 2025 but also older versions like Windows Server 2022, 2019, and 2016, according to Microsoft’s official known issues page.

The widespread authentication problem can disrupt Windows Hello for Business (WHfB) Key Trust setups and systems reliant on Device Public Key Authentication. Microsoft has acknowledged that “This can result in authentication issues in Windows Hello for Business (WHfB) Key Trust environments or environments that have deployed Device Public Key Authentication (also known as Machine PKINIT).”

Adding to the administrative headaches, a separate confirmed issue unique to Windows Server 2025 involves domain controllers incorrectly managing network traffic after a system restart, potentially leading to service outages.

While Microsoft is providing workarounds and has recently resolved other bugs—such as one affecting high core count servers and another that caused Remote Desktop sessions to become unresponsive—the current stability challenges underscore the complexities of enterprise server management. Administrators are urged to consult Microsoft’s official guidance for the latest status and mitigation steps.

Kerberos Conundrum and Domain Controller Disconnects

The primary concern for many organizations is the Kerberos authentication issue. Microsoft officially stated, “After installing the April Windows monthly security update released April 8, 2025 (KB5055523 / KB5055526 / KB5055519 / KB5055521) or later, Active Directory Domain Controllers (DC) might experience issues when processing Kerberos logons or delegations using certificate-based credentials that rely on key trust via the Active Directory msds-KeyCredentialLink field.”

The issue is directly linked to security measures for CVE-2025-26647. Microsoft explained that with this vulnerability, “An attacker who successfully exploited this vulnerability could be assigned much greater rights by the Key Distribution Center to the certificate than intended,” and further detailed that “An authenticated attacker could exploit this vulnerability by obtaining a certificate containing the target Subject Key Identifier (SKI) value from a Certificate Authority (CA). The attacker could then use this certificate to get a Ticket Granting Ticket (TGT) for the target user from the Key Distribution Center (KDC).”

The April updates changed how Domain Controllers validate certificates, now checking if they chain to a root in the NTAuth store, a behavior controllable via the `AllowNtAuthPolicyBypass` registry key, as detailed in Microsoft’s KB5057784 documentation. While client systems are unaffected, the server-side impact is broad.

The recommended workaround involves setting the `AllowNtAuthPolicyBypass` registry value to “1”, as outlined in a Microsoft support document. Symptoms of the issue include domain controllers logging Kerberos event ID 45, where “The Key Distribution Center (KDC) encountered a client certificate that was valid but did not chain to a root in the NTAuth store”, or, if the registry value is set to “2”, more severe logon failures with event ID 21, stating “The client certificate for the user is not valid and resulted in a failed smartcard logon.”
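As an added example (not from the article or from Microsoft's documentation), the following PowerShell script lets an administrator check where a domain controller stands on this issue: it reads the current `AllowNtAuthPolicyBypass` setting, counts the Kerberos event ID 45 and 21 entries the article names over a recent window, and optionally applies the interim workaround of setting the value to 1. The registry path (`HKLM\SYSTEM\CurrentControlSet\Services\Kdc`) and the event provider name are assumptions based on KB5057784 and the KDC's System-log provider; verify both against that KB before running this on a production DC.

```powershell
# Added example, not part of the article or of Microsoft's guidance.
# Audits the CVE-2025-26647 NTAuth-chaining protection on a domain controller.
# ASSUMPTION: registry key path and event provider name per KB5057784; verify first.
param(
    [int]$Days = 7,             # how far back to look for Kerberos events
    [switch]$ApplyWorkaround    # set AllowNtAuthPolicyBypass = 1 (audit mode)
)

$kdcKey    = 'HKLM:\SYSTEM\CurrentControlSet\Services\Kdc'   # assumed path
$valueName = 'AllowNtAuthPolicyBypass'

# 1. Report the current enforcement state of the KDC check.
$current = (Get-ItemProperty -Path $kdcKey -Name $valueName -ErrorAction SilentlyContinue).$valueName
if ($null -eq $current) {
    Write-Host "$valueName is not set; the update's default behavior applies."
} elseif ($current -eq 1) {
    Write-Host "$valueName = 1 : certificates that do not chain to NTAuth are logged (event 45) but accepted."
} elseif ($current -eq 2) {
    Write-Host "$valueName = 2 : such certificates are rejected and the logon fails (event 21)."
} else {
    Write-Host "$valueName = $current"
}

# 2. Count the Kerberos KDC events the article describes over the last $Days days.
$filter = @{
    LogName      = 'System'
    ProviderName = 'Microsoft-Windows-Kerberos-Key-Distribution-Center'   # assumed provider name
    Id           = 45, 21
    StartTime    = (Get-Date).AddDays(-$Days)
}
$events = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue

if (-not $events) {
    Write-Host "No event 45 or 21 entries found in the last $Days days."
} else {
    $events | Group-Object Id | ForEach-Object {
        Write-Host ("Event {0}: {1} occurrence(s)" -f $_.Name, $_.Count)
    }
    # The event 45 message text identifies the certificate involved, which is
    # what you need to find the WHfB / Machine PKINIT principals and the CA
    # that must be added to the NTAuth store for a permanent fix.
    $events | Where-Object Id -eq 45 |
        Select-Object -First 10 TimeCreated, Message |
        Format-Table -Wrap
}

# 3. Optionally apply the interim workaround: audit mode (value 1).
if ($ApplyWorkaround) {
    New-ItemProperty -Path $kdcKey -Name $valueName -Value 1 -PropertyType DWord -Force | Out-Null
    Write-Host "Set $valueName = 1 (audit mode). Re-run without -ApplyWorkaround to confirm."
}
```

Run it as `.\Check-KdcNtAuth.ps1 -Days 14` in an elevated session on each domain controller; event 45 with logons still succeeding means the DC is in audit mode and the affected certificates' issuing CA should be published to NTAuth before the value is ever moved to 2.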

Separately, Windows Server 2025 domain controllers are also susceptible to a network misconfiguration post-restart. Microsoft confirmed on its known issues page that these servers might fail to apply domain firewall profiles, defaulting instead to standard profiles, which can render applications or services unreachable.

The suggested interim fix, per Microsoft’s documentation, is to restart the network adapter using a PowerShell command like `Restart-NetAdapter *`, though this must be repeated after every reboot until a permanent solution is available.
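The following PowerShell snippet is an added example (not from the article or from Microsoft) of how an administrator might automate that interim fix rather than remembering to run it by hand after every reboot: it checks whether any adapter on the Windows Server 2025 domain controller has ended up outside the domain firewall profile and restarts only those adapters, then re-reads the profile to confirm the change took effect. The 15-second wait for Network Location Awareness to re-evaluate the profile is an assumed value, not one Microsoft documents.

```powershell
# Added example, not part of the article or of Microsoft's guidance.
# Post-reboot check for the Windows Server 2025 DC firewall-profile issue.
# Requires the NetConnection / NetAdapter modules present on Windows Server.
$profiles  = Get-NetConnectionProfile
$nonDomain = $profiles | Where-Object { $_.NetworkCategory -ne 'DomainAuthenticated' }

if (-not $nonDomain) {
    Write-Host "All adapters report the DomainAuthenticated profile; no action needed."
    return
}

Write-Host "Adapters not in the domain profile:"
$nonDomain | Format-Table InterfaceAlias, NetworkCategory, IPv4Connectivity

# Restart only the affected adapters instead of every adapter with 'Restart-NetAdapter *'.
foreach ($p in $nonDomain) {
    Write-Host "Restarting adapter '$($p.InterfaceAlias)'..."
    Restart-NetAdapter -Name $p.InterfaceAlias -Confirm:$false
}

Start-Sleep -Seconds 15   # assumed wait for Network Location Awareness to re-evaluate

Write-Host "Profiles after restart:"
Get-NetConnectionProfile | Format-Table InterfaceAlias, NetworkCategory, IPv4Connectivity
```

Registering this script as a scheduled task that runs at startup (with a short delay so the domain services are up) turns a manual post-reboot step into an automatic one until Microsoft ships a permanent fix; the output lets you see in the task history whether the profile actually switched to DomainAuthenticated.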

Patching Progress and Resolved Hiccups

Microsoft has been actively addressing other bugs in Windows Server 2025. Notably, an issue where the OS might not perform as expected on systems with more than 256 logical processors was resolved with the November 12, 2024, update (KB5046617).

Problems with Remote Desktop sessions freezing after the February 2025 update (KB5051987) were fixed in the April 2025 update (KB5055523). The same April update also rectified authentication issues tied to failed password rotation in specific Kerberos PKINIT and Credential Guard scenarios, and an annoyance where some text appeared in English during non-English installations from media.

Additionally, an issue causing unexpected upgrades of Windows Server 2019 and 2022 to Windows Server 2025 when managed by certain third-party applications has been mitigated, according to Microsoft Learn.

Broader Platform Shifts: The Hotpatching Example

Beyond immediate bug fixes, organizations adopting Windows Server 2025, which Microsoft describes in its overview of new features as delivering “security advancements and new hybrid cloud capabilities in a high performing, AI-capable platform”, are also navigating other platform changes.

One significant development is the shift of the hotpatching feature for Azure Arc-managed Windows Server 2025 to a paid subscription model, effective July 1, 2025. This feature, initially touted as a key capability to reduce disruptive reboots when Windows Server 2025 debuted, will cost $1.50 per CPU core per month for Standard and Datacenter editions in on-premises and multicloud environments.

The free preview for this Azure Arc-enabled service concludes on June 30, 2025. Hari Pulapaka, Microsoft’s General Manager of Windows Server, had previously described hotpatching enthusiastically, stating, “This feature will be a game changer; simpler change control, shorter patch windows, easier orchestration… and you may finally get to see your family on the weekends.”

This change means organizations must now weigh the subscription cost against the operational benefits of potentially fewer restarts, though hotpatching remains an included feature for Windows Server Datacenter: Azure Edition on Azure VMs or Azure Stack HCI.

Markus Kasanmascheff
Markus has been covering the tech industry for more than 15 years. He holds a Master's degree in International Economics and is the founder and managing editor of Winbuzzer.com.