Favorite your Message Center and Roadmap items. Access them anytime via your Profile. Export and share with your team or your LLM.

Hardening administrative actions: Windows imaging, cloning, and auth workflows

Message ID
MC1275343
View in Message Center
Service
Windows
Category
Stay Informed
Tag
Admin impact
Rollout
August 2025September 2025April 2026

Details

Administrative actions are undergoing hardening changes that might require operational change to support your organization’s security posture. With the August 2025 Windows non-security update, devices were hardened against unauthorized attempts to bypass loopback detection. However, if you’ve cloned machines without Sysprep, you might see Kerberos and NTLM authentication failures. This is by design. The recommended solution is to rebuild affected devices using supported imaging methods. A temporary workaround is also available. 
 
When will this happen:
  • September 2025 and later: Windows security updates include hardening changes that strengthen the trust boundary between identity, authentication, and User Account Control (UAC).
  • April 2026 and later: Windows security updates include a temporary workaround for machines cloned without Sysprep. This registry-based compatibility option isn’t recommended. It reduces security protections introduced by recent updates.
  • End of 2027: The temporary workaround expires. 
 
How this will affect your organization:
This affects your organization if: 
  • You manage devices on Windows 11, version 24H2 and later or Windows Server 2025.
  • You installed the August 2025 non-security update or September 2025 security update (or later) on these devices.
  • You notice Kerberos or NTLM authentication failures. These failures surface as LsaSrv Event ID 6167 in the System event log of the target machine.
You need to adjust your strategy to clone Windows images.
 
What you need to do to prepare:
Take the following actions: 
  • Stop any automation that clones devices without Sysprep. If not addressed, devices end up with duplicate security IDs (SIDs).
  • Rebuild all devices with duplicate SIDs from scratch, then run Sysprep. It's not sufficient to unjoin devices and run Sysprep. 
  • If needed for transition only, temporarily roll back the hardening change with a registry-based option. Please contact Microsoft Commercial Customer Service and Support (CSS) to get information about this registry value. 

For details and instructions, review Hardening administrative actions: What IT pros need to know
 
Additional information:

Change History

Show
Published: April 9, 2026
Last Updated: April 9, 2026
No change history available

Never Miss a Microsoft 365 Update

Join thousands of IT professionals who rely on DeltaPulse for real-time Microsoft 365 change intelligence, automated notifications, and community insights.

Explore Dashboard Sign Up Free