After update to the latest Win 11 24H2, RDP Kerberos authentication from a non-domain PC to a domain-joined PC stops working

Anonymous
2024-12-14T07:01:01+00:00

After update to the latest Win 11 24H2, RDP Kerberos authentication from a non-domain PC to a domain-joined PC stops working:

Error message:

An authentication error has occurred.

The function requested is not supported.

Remote Computer : computer.ourdomain.com

This could be due to NTLM authentication being blocked on the remote computer.

This could also be due to CredSSP encryption oracle remediation.

Error code: 0x0

Extended error code: 0x0

Setup - Non-domain computer:

(home office users' BYOD device with Win11 Pro updated to 24H2)

1. ksetup /addkdc OURDOMAIN.COM dc1.ourdomain.com

2. Reboot

3. Dialed VPN to the company internal network

4. mstsc - RDP connection from the non-domain (BYOD) computer to a company domain-joined computer:

Computer: testcomputer.ourdomain.com
User name: OURDOMAIN.COM\testuser

5. Error (attached screenshot)

Setup – Domain computer:

Domain computer has Kerberos Authentication and valid RDP certificate. 

GPO settings:

Set client connection encryption level = High Level

Require use of specific security layer for remote (RDP) connections: Security Layer = SSL

Require user authentication for remote connections by using Network Level Authentication = Enable


This setup worked until fully updated 23H2; after the upgrade to 24H2, mstsc (RDP) stopped working with the same setup.

As a workaround, NLA can be turned off in the GPO for domain computers, but this is a security degradation.

or, as admin, run before the RDP command: klist add_bind OURDOMAIN.COM dc1.ourdomain.com, but the user has no rights for this.

The funny thing is that, for example, tested from macOS (non-joined), RDP authenticated with Kerberos works.

macOS has, for example, these settings:

/etc/krb5.conf

    [libdefaults]
    default_realm = OURDOMAIN.COM

    [realms]
    OURDOMAIN.COM = {
        kdc = dc1.ourdomain.com
    }


Locked Question. This question was migrated from the Microsoft Support Community. You can vote on whether it's helpful, but you can't add comments or replies or follow the question. To protect privacy, user profiles for migrated questions are anonymized.


23 answers

  1. Anonymous
    2025-01-24T15:45:48+00:00

    Two new "observations":

    1. The January 2025 Windows Update did not correct the bug.
    2. While I have several Windows 24H2 clients (at home) where RDP into my (business) domain-joined RDP servers IS possible, I have only one client that cannot RDP into my domain on 24H2 (while it works fine on 23H2, as said before).

    Now the new observation is that even with the client that has a problem to RDP into the domain, I CAN RDP to one server (Windows 10 22H2), whilst RDP fails to two other servers (Windows Server 2019 & Windows 11 24H2). That means the obvious bug in 24H2 needs an additional "condition" on the RDP server to prevent login.

    Now I found that the one server where it works has the setting "require devices to use Network Level Authentication to connect (recommended)" DEACTIVATED, whilst the two servers where RDP fails have it ACTIVATED. Now it might be possible that deactivating this setting could be a workaround until Microsoft fixes the problem. Unfortunately, I downgraded to 23H2 before testing and, for some unknown reason, my computer doesn't offer an upgrade to 24H2 any more, so I can't test at the moment.

  2. Anonymous
    2025-01-24T18:43:44+00:00

    I mentioned turning off NLA in my first post.

    "
    As a workaround, NLA can be turned off in the GPO for domain computers, but this is a security degradation.

    or, as admin, run before the RDP command: klist add_bind OURDOMAIN.COM dc1.ourdomain.com, but the user has no rights for this.

    "

    But then it's necessary to log in twice, first when connecting and then again on the remote computer.

    Has anyone opened a ticket with Microsoft and reported this as a bug? Because when I tried, Microsoft wouldn't let me create a ticket due to the fact that we only have server licenses under our account, which is ridiculous. (Win 11 we buy with new computers.)

  3. Anonymous
    2025-01-31T21:58:56+00:00

    Hi.

    This bug (in my opinion, this is a bug) introduced in the Windows 11 24H2 package affects more than just RDP. I have a single machine at home that can no longer connect to network shares on a Windows Server (2019 Standard), and it's only this one machine. I don't think it's the server. After reading this thread I reverted the 24H2 update on the one machine and, hey presto, connectivity is restored. I don't remember if this machine had a Windows 10 installation that was subsequently updated to Windows 11, but that nugget might be a clue. Now, unfortunately, the 24H2 update is queued for installation again on the affected machine, so I know it will lose its marbles again after a reboot.

  4. Anonymous
    2025-01-31T22:48:42+00:00

    This solved it for us. Notably, for our use, Kerberos realms were previously mapped with ksetup /addhosttorealmmap. But after 24H2 that has stopped mapping the domain at all, as in it shows no change in the output of ksetup, which appears broken.

    If I understand this correctly, I may just be manually mapping to the right realm by adding the domain.com/username, although I also added a registry key-value manually in \HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\HostToRealm.

    TBH, it's finally working again so I don't want to fiddle with it. But theoretically, if I had the realm mapping right, I may just be able to provide the username without any domain.com/* or *@domain.com, which potentially may have been why they changed it in the first place. 🤷

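Before changing any GPO (in particular before turning NLA off, which the question itself calls a security degradation), it helps to read back what the client and the RDP target are actually configured with. The PowerShell below is an added diagnostic example, not code from this thread or from Microsoft: it reads the registry state that `ksetup /addkdc` (the question's step 1) and `ksetup /addhosttorealmmap` (answer 4's manual HostToRealm key) write on the client, reports the three Terminal Services policy values behind the GPO settings listed in the question on the target, and checks `klist` for a TGT from the realm. The realm and KDC names are the thread's placeholders; the registry paths and value names are the documented locations assumed here, and the script only reads, never writes.

```powershell
# Added read-only diagnostic (assumption-labelled; not part of the original thread).
# Assumed registry locations:
#   ksetup /addkdc REALM KDC         -> HKLM\...\Lsa\Kerberos\Domains\REALM, value KdcNames (REG_MULTI_SZ)
#   ksetup /addhosttorealmmap HOST R -> HKLM\...\Lsa\Kerberos\HostToRealm, value named REALM (REG_MULTI_SZ)
#   RDP GPO values                   -> HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services
param(
    [string]$Realm = 'OURDOMAIN.COM'   # thread placeholder; replace with your realm
)

$kerbRoot = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos'
$tsPolicy = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'

function Get-RegValueOrNull {
    # Returns $null instead of throwing when the key or value is absent.
    param([string]$Path, [string]$Name)
    if (-not (Test-Path -Path $Path)) { return $null }
    (Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue).$Name
}

function Get-KerberosRealmConfig {
    # Client side: what ksetup left behind for the realm.
    param([string]$Realm)
    $kdcNames = Get-RegValueOrNull -Path (Join-Path $kerbRoot "Domains\$Realm") -Name 'KdcNames'
    $hostMap  = Get-RegValueOrNull -Path (Join-Path $kerbRoot 'HostToRealm') -Name $Realm
    [pscustomobject]@{
        Realm            = $Realm
        KdcNames         = @($kdcNames)          # expected: dc1.ourdomain.com after step 1
        HostToRealmHosts = @($hostMap)           # empty unless /addhosttorealmmap or a manual key was used
    }
}

function Get-RdpSecurityPolicy {
    # Target side: policy values behind the three GPO settings in the question.
    #   UserAuthentication 1 = NLA required
    #   SecurityLayer      0 = RDP, 1 = Negotiate, 2 = SSL (TLS)
    #   MinEncryptionLevel 1 = Low, 2 = Client Compatible, 3 = High, 4 = FIPS Compliant
    $layerNames = @{ 0 = 'RDP'; 1 = 'Negotiate'; 2 = 'SSL' }
    $encNames   = @{ 1 = 'Low'; 2 = 'Client Compatible'; 3 = 'High'; 4 = 'FIPS Compliant' }
    $nla   = Get-RegValueOrNull -Path $tsPolicy -Name 'UserAuthentication'
    $layer = Get-RegValueOrNull -Path $tsPolicy -Name 'SecurityLayer'
    $enc   = Get-RegValueOrNull -Path $tsPolicy -Name 'MinEncryptionLevel'
    [pscustomobject]@{
        NlaRequired        = if ($null -eq $nla)   { 'not set by policy' } else { [bool][int]$nla }
        SecurityLayer      = if ($null -eq $layer) { 'not set by policy' } else { $layerNames[[int]$layer] }
        MinEncryptionLevel = if ($null -eq $enc)   { 'not set by policy' } else { $encNames[[int]$enc] }
    }
}

function Test-RealmTgtPresent {
    # True when the current logon session already holds a krbtgt ticket for the realm.
    param([string]$Realm)
    $out = & klist.exe 2>$null
    return [bool]($out | Select-String -SimpleMatch "krbtgt/$Realm" -Quiet)
}

'== Kerberos realm configuration (client) =='
Get-KerberosRealmConfig -Realm $Realm | Format-List
'== RDP security policy (run this part on the RDP target) =='
Get-RdpSecurityPolicy | Format-List
"TGT for $Realm present in this session: $(Test-RealmTgtPresent -Realm $Realm)"
```

Run it elevated on the BYOD client after step 1 to confirm `KdcNames` really contains the KDC (answer 4 reports `ksetup` silently doing nothing on 24H2, which this would surface as an empty list), and on each RDP target to compare the three policy values: a target that rejects the client with `NlaRequired = True` and `SecurityLayer = SSL` next to one that accepts it with NLA not required matches the pattern in answer 1 without anyone having to weaken the policy to find out.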
  5. Anonymous
    2025-02-01T12:55:48+00:00

    Hi MPLaughlin,

    there is an "official" way (by Microsoft) to defer the update:

    https://www.windowslatest.com/2025/01/17/microsoft-begins-auto-updating-pcs-to-windows-11-24h2-forced-download-phase/

    R.Widmer

    1 person found this answer helpful.