
"Password is incorrect" on Win 11 clients in AD domain with 2025 domain controller

David Fosbenner 101 Reputation points
2026-04-30T18:12:05.2233333+00:00

We are experiencing a recurring issue where Windows 11 24H2/25H2 clients intermittently fail to log on with domain accounts, showing "The password is incorrect. Try again." even though:

• The password is 100% correct
• The account is not locked out
• No bad password events (4625) are logged on any Domain Controller
• Other domain accounts work fine on the same PC
• The same user logs in successfully on other computers

Environment:

• Two Windows Server 2022 Domain Controllers at headquarters (holding all FSMO roles)
• One Windows Server 2025 server at remote site acting as Global Catalog
• Windows 11 24H2/25H2 clients at the remote site

Key Observations:

• Test-ComputerSecureChannel returns True
• Manual Reset-ComputerMachinePassword works when pointed at 2022 DCs but often fails with “trust relationship failed” when pointed at the 2025 GC
• pwdLastSet attribute is not updating reliably through the normal automatic process on clients authenticating against the 2025 GC
• Deleting user profiles or rebooting temporarily resolves the issue, but it returns within hours/days
• Using “Other user” + full DOMAIN\username does not help

This behavior matches multiple reports of a known issue with Windows Server 2025. The only workaround I have is setting "Domain member: Maximum machine account password age" for the domain to 365 days, and running Reset-ComputerMachinePassword -Server "2022DomainController" -Credential on the client.


4 answers

  1. Domic Vo 21,150 Reputation points Independent Advisor
    2026-05-01T01:18:38.1933333+00:00

    Hello David,

    This is a known interoperability issue with Windows Server 2025 domain controllers acting as Global Catalogs. The symptom you describe - "valid domain credentials rejected with no 4625 events and inconsistent pwdLastSet replication" - is tied to machine account password handling between Windows 11 24H2/25H2 clients and Server 2025 DCs. The fact that Reset-ComputerMachinePassword succeeds against 2022 DCs but fails against the 2025 GC confirms the trust channel problem.

    At present, Microsoft has acknowledged this as a bug in Server 2025 builds, and there is no permanent fix available yet. The only reliable mitigation is to force clients to reset their machine account passwords against the 2022 DCs and extend the machine account password age to reduce frequency, exactly as you’ve done. Alternatively, you can temporarily remove the 2025 server from the Global Catalog role or restrict client logons to the 2022 DCs until Microsoft releases an update.

    In short, disabling automatic machine password changes or redirecting trust resets to 2022 DCs is the only safe workaround. I recommend monitoring the Windows Server 2025 release notes and cumulative updates closely, as this is expected to be patched in a future servicing release.

    If the above response helps answer your question, please hit "Accept Answer" so that others in the community facing similar issues can easily find the solution. Your contribution is highly appreciated.

    Domic V.


  2. David Fosbenner 0 Reputation points
    2026-05-15T17:56:01.84+00:00

    I opened a case with Microsoft, and over about 10 days we went back and forth with various tests, settings and logs. It seems like the best mitigation option for me right now is to remove the Global Catalog role from the 2025 DC, and keep the old 2019 DC online at the same site. It's been 4 days since I made this change; no issues so far. Here are some comments from Microsoft:

    “What may be happening is that the Windows 11 client attempts to authenticate, and the DC Locator selects a local DC or local GC (Server 2025). The Kerberos flow passes through the GC, and the 2025 DC intermittently fails to respond within the expected timeframe, fails a referral, or returns a transient error.

    This scenario is consistent with bugs or regressions in the authentication stack of newer versions, particularly those involving the Global Catalog in conjunction with Kerberos. Therefore, the appropriate mitigation strategy for now is to prevent the 2025 DCs from participating in this critical flow, to standardize the DC Locator configuration to use DNS/FQDN in order to reduce errors, and to maintain the 2019 DC as a stability anchor.

    A definitive fix depends on a software update and is already explicitly listed under “Known / Emerging Issues” for Windows 11 and Windows Server 2025. This type of fix is delivered exclusively via cumulative updates or servicing stack updates.”

    So for now, we wait. It’s been a very disruptive issue, but if removing the GC role mitigates it, I can live with that.

    Hopefully this helps others who have this issue.


  3. Domic Vo 21,150 Reputation points Independent Advisor
    2026-05-05T15:11:34.6466667+00:00

    Hi David Fosbenner,

    Has your issue been resolved yet? If it has, please consider accepting the answer as it helps others sharing the same problem benefit too. Thank you :)

    Domic V.


  4. Q&A Assist
    2026-04-30T18:12:22.7333333+00:00
    AI generated content. This question contains an answer created with AI from Q&A Assist.

    The described symptoms match a known, niche issue with machine password rotation when Windows 11 24H2/25H2 devices and Windows Server 2025 are involved, particularly when Kerberos and Credential Guard–related scenarios are in play.

    From the context:

    • After installing Windows 11 24H2 or Windows Server 2025, devices using the Identity Update Manager certificate/PKINIT can experience passwords not rotating correctly, causing authentication failures.
    • Devices then fail to change their machine password at the default 30‑day interval and can be perceived as stale, disabled, or deleted, leading to user authentication issues.
    • This affects a small number of enterprise devices and is tied to Kerberos and Credential Guard–protected machine accounts.

    Resolution and recommended actions:

    1. Install the April 2025 security update or later on all affected systems
      • For Windows 11 24H2 and Windows Server 2025, install KB5055523 (April 2025 Windows security update) or any later cumulative update.
      • This update explicitly resolves the machine password rotation issue that leads to authentication failures.
      • Ensure the Windows Server 2025 Global Catalog and all Windows 11 24H2/25H2 clients at the remote site are fully updated.
    2. Be aware of the temporary feature change
      • The feature “Machine Accounts in Credential Guard” (which depends on machine password rotation via Kerberos) has been disabled until a permanent fix is available.
      • If relying on this feature, review the guidance in the “Credential Guard protected machine accounts” documentation referenced in the context.
    3. Avoid long machine password intervals as a primary mitigation
      • Increasing “Domain member: Maximum machine account password age” to 365 days and manually running Reset-ComputerMachinePassword against a 2022 DC is only a workaround.
      • Once KB5055523 or later is installed on both the Windows Server 2025 GC and the Windows 11 clients, revert machine account password age to a more secure value (for example, the default 30 days) and rely on normal automatic rotation.
    4. Verify after patching
      • After updates are applied and devices rebooted, confirm that:
        • pwdLastSet for the computer accounts begins updating again on schedule.
        • Clients can log on consistently without “password incorrect” messages.
        • Test-ComputerSecureChannel continues to return True without needing manual resets.

    If the environment also uses features like Credential Guard–protected machine accounts, monitor Microsoft’s guidance for when that feature is re‑enabled and adjust configuration accordingly.

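The question's observations (pwdLastSet not updating, secure channel fine against the 2022 DCs but not the 2025 GC) and the "Verify after patching" checks above can be turned into one client-side health report. The script below is an added example for this thread, not something posted by the participants or provided by Microsoft: it reads the machine account's pwdLastSet from each listed DC, computes its age against the client's effective "Maximum machine account password age", and runs Test-ComputerSecureChannel pinned to each DC. It assumes the RSAT ActiveDirectory module is installed, that it runs on the affected client, and that the DC names are placeholders for your own.

```powershell
#Requires -Modules ActiveDirectory
param(
    # Placeholder DC names (constructed); list the 2022 DCs and the 2025 GC.
    [string[]]$DomainControllers = @('HQ-DC01.corp.example', 'HQ-DC02.corp.example', 'SITE-DC2025.corp.example'),
    [string]$ComputerName = $env:COMPUTERNAME
)

# "Domain member: Maximum machine account password age" is written to Netlogon's
# MaximumPasswordAge value (days); the default is 30. DisablePasswordChange turns rotation off.
$netlogon = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters'
$maxAgeDays = if ($netlogon.MaximumPasswordAge) { [int]$netlogon.MaximumPasswordAge } else { 30 }
$rotationDisabled = [bool]$netlogon.DisablePasswordChange

$results = foreach ($dc in $DomainControllers) {
    try {
        # Query each DC directly so replication gaps between DCs become visible.
        $acct = Get-ADComputer -Identity $ComputerName -Server $dc -Properties pwdLastSet -ErrorAction Stop
        $pwdLastSet = [DateTime]::FromFileTimeUtc($acct.pwdLastSet)
        $ageDays = [math]::Round(((Get-Date).ToUniversalTime() - $pwdLastSet).TotalDays, 1)
        $query = 'OK'
    } catch {
        $pwdLastSet = $null; $ageDays = $null; $query = "ERROR: $($_.Exception.Message)"
    }
    # Secure-channel test pinned to this DC, mirroring the 2022-vs-2025 comparison in the thread.
    $channel = Test-ComputerSecureChannel -Server $dc -ErrorAction SilentlyContinue
    [pscustomobject]@{
        DC            = $dc
        PwdLastSetUtc = $pwdLastSet
        AgeDays       = $ageDays
        SecureChannel = [bool]$channel
        Query         = $query
    }
}

$results | Format-Table -AutoSize

# Divergent pwdLastSet values mean the last machine password change did not replicate;
# an age beyond the policy maximum means rotation is not happening at all.
$distinct = @($results | Where-Object PwdLastSetUtc | Select-Object -ExpandProperty PwdLastSetUtc -Unique).Count
if ($distinct -gt 1) {
    Write-Warning 'pwdLastSet differs between DCs: the machine password change has not fully replicated.'
}
if ($results | Where-Object { $_.AgeDays -gt $maxAgeDays }) {
    Write-Warning "Machine password is older than the $maxAgeDays-day maximum (rotation disabled: $rotationDisabled)."
    Write-Warning 'Manual reset against a known-good DC: Reset-ComputerMachinePassword -Server <2022 DC> -Credential (Get-Credential)'
}
if ($results | Where-Object { -not $_.SecureChannel }) {
    Write-Warning 'Secure channel test failed against at least one DC; see the SecureChannel column.'
}
```

Run it before and after applying the cumulative update so the per-DC pwdLastSet and secure-channel columns show whether automatic rotation has resumed against the 2025 GC, rather than relying on the absence of logon errors alone.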
