
October update, Windows 11 24H2, issues authenticating

Daniel Kaliel 1,421 Reputation points
2025-11-03T17:30:20.2266667+00:00

Since installing the October update for Windows 11 24H2 we have users across the domain having login issues, sometimes making nearly 20 attempts to log into the domain before being successful.

I have seen an article about this being the case if there are cloned machines on the network with identical SIDs. However, we don't deploy cloned devices, and although we do deploy images via SCCM, I have followed this article: https://dori-uw-1.kuma-moon.com/en-us/troubleshoot/windows-server/active-directory/ntdsutil-find-clean-duplicate-security-identifiers and verified that no duplicate SIDs exist in our domain.

Windows for business | Windows Server | Directory services | Active Directory

Answer recommended by moderator
  1. Daniel Kaliel 1,421 Reputation points
    2025-11-12T23:16:55.0066667+00:00

    Restarting all the domain controllers resolved this issue.


7 additional answers

  1. VPHAN 28,590 Reputation points Independent Advisor
    2025-11-10T11:11:13.45+00:00

    Hi Daniel Kaliel,

    Sorry for the late reply. How are you, how is everything? Have you solved the problem yet? As you mentioned, what we’re seeing is tied to the stricter Kerberos/NTLM enforcement introduced in the October 24H2 update. When users unlock their machines off‑network (before VPN is established), Windows now attempts Kerberos first, denies NTLM per your current policy, and only then falls back to cached credentials, which results in multiple failed attempts before a successful unlock.

    To confirm, you could temporarily switch NTLM restrictions from Deny to Audit on a test device and see if unlock succeeds immediately. For longer term, you can try enabling pre‑logon VPN or adjusting NTLM restrictions to allow smoother cached logon.

    Vivian


  2. VPHAN 28,590 Reputation points Independent Advisor
    2025-11-05T03:59:49.5566667+00:00

    Good morning Daniel Kaliel,

    Have you been able to solve the issue yet? If not, is there anything I can help you with? Please let me know.

    If everything is fine, would you mind sharing your experience with the issue by accepting the answer so that it could be spread further to those in need too? Thank you :)

    Vivian


  3. VPHAN 28,590 Reputation points Independent Advisor
    2025-11-03T19:08:04.3+00:00

    Then it might have been the fact that Microsoft hardened Kerberos and NTLM authentication flows, which has introduced new failure modes even on properly imaged, unique machines. The login issue of yours is probably related to Kerberos ticket acquisition failures caused by stricter channel binding and PAC validation.

    If it's the case, the fix is to ensure all DCs and clients are patched consistently, reset secure channels on affected machines, collect Kerberos logs to confirm whether PAC validation or channel binding is failing, and the last resort is to wait for a permanent fix to be released.

    If you find this information useful to some extent, please accept the answer so that your experience with the issue would help contribute to the whole community. Thank you :)

    Vivian
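
The secure-channel check and log collection suggested in the answer above can be scripted per client. The following is an added example, not part of the thread or of any Microsoft guidance; the function name, the look-back window and the choice of System-log providers are assumptions, and it targets Windows PowerShell 5.1 run elevated on a domain-joined machine.

```powershell
# Added example: triage one affected, domain-joined client (run elevated).
# Assumptions: function name, look-back window and provider list are
# illustrative and do not come from the thread.
function Get-DomainAuthTriage {
    param(
        [int]$Days = 7,
        [switch]$Repair   # reset the secure channel if the check fails
    )

    # 1. Is the machine account's secure channel to the domain intact?
    $healthy = Test-ComputerSecureChannel
    if (-not $healthy -and $Repair) {
        # Prompts for an account allowed to reset the computer password.
        $healthy = Test-ComputerSecureChannel -Repair -Credential (Get-Credential)
    }

    # 2. Kerberos and Netlogon errors/warnings recorded in the System log.
    $filter = @{
        LogName      = 'System'
        ProviderName = 'Microsoft-Windows-Security-Kerberos', 'NETLOGON'
        Level        = 1, 2, 3          # critical, error, warning
        StartTime    = (Get-Date).AddDays(-$Days)
    }
    $events = @(Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue)

    # 3. Summarise by provider and event ID so recurring failures stand out.
    $summary = $events | Group-Object ProviderName, Id |
        Sort-Object Count -Descending |
        ForEach-Object {
            [pscustomobject]@{
                Count   = $_.Count
                Source  = $_.Group[0].ProviderName
                EventId = $_.Group[0].Id
                Latest  = ($_.Group | Sort-Object TimeCreated -Descending)[0].TimeCreated
                Sample  = ($_.Group[0].Message -split "`r?`n")[0]
            }
        }

    [pscustomobject]@{
        Computer             = $env:COMPUTERNAME
        LogonServer          = $env:LOGONSERVER   # DC that served the logon
        SecureChannelHealthy = $healthy
        Events               = $summary
    }
}

Get-DomainAuthTriage -Days 7 | Format-List
```

Comparing the `LogonServer` and event summary across several affected clients shows whether failures cluster on particular domain controllers or on particular machines.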


  4. VPHAN 28,590 Reputation points Independent Advisor
    2025-11-03T18:09:51.99+00:00

    Hi Daniel Kaliel,

    Even if you have no duplicate machine SIDs, the new enforcement can cause repeated domain logon failures if there are stale machine accounts, mismatched secure channel states, or improperly generalized images. It has been raised by other people, and it is recommended to re‑image improperly prepared devices or repair trust relationships.

    You can read more from this: https://support.microsoft.com/en-us/topic/kerberos-and-ntlm-authentication-failures-due-to-duplicate-sids-76f7394d-c460-4882-9ed1-d27e0960f949

    If you find this information useful to some extent, please accept the answer so that your experience with the issue would help contribute to the whole community. Thank you :)

    Vivian

