KB4025335 kills certificate based computer authentication

  • Question

  • Hi,

    This morning I became aware of the fact that one of our two NAPs (Windows Server 2012 R2) refused to authenticate client machines through our switches -> 802.1X, computer certificate based authentication.

    From the logs: Microsoft Windows security auditing | Event-ID: 6273 | Code 16

    The machine in question has just installed the update KB4025335 tonight and seems to have this problem since then. The other machine did not install this update so far and is still working properly. Given the fact that there are a couple of NPA related things mentioned in the description of the update, I guess Microsoft did screw up something.

    Is anybody else facing this problem since the update?



    Wednesday, July 19, 2017 2:23 PM
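
To confirm the correlation described in the question on your own server, the following added example (not part of the original post) counts Security event 6273 rejections with reason code 16 per day and flags those on or after the KB4025335 install date. The 14-day window and the EventData field names (`ReasonCode`, `ClientName`, `EAPType`, `NetworkPolicyName`) are assumptions to check against an event on your NPS host.

```powershell
# Added example, run elevated on the NPS server.
$Kb       = 'KB4025335'
$LookBack = (Get-Date).AddDays(-14)      # assumed window, adjust as needed

# When was the update installed (if at all)?
$hotfix   = Get-HotFix -Id $Kb -ErrorAction SilentlyContinue
$patchDay = if ($hotfix -and $hotfix.InstalledOn) {
    $hotfix.InstalledOn.ToString('yyyy-MM-dd')
} else { $null }

# Pull NPS "access denied" events (ID 6273) from the Security log.
$filter = @{ LogName = 'Security'; Id = 6273; StartTime = $LookBack }
$events = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue

$rejects = foreach ($e in $events) {
    # Read the named EventData fields from the event XML so the match
    # does not depend on the display language of the message text.
    $data = @{}
    foreach ($d in ([xml]$e.ToXml()).Event.EventData.Data) {
        $data[$d.Name] = $d.'#text'
    }
    if ($data['ReasonCode'] -eq '16') {
        [pscustomobject]@{
            Day     = $e.TimeCreated.ToString('yyyy-MM-dd')
            Client  = $data['ClientName']
            EapType = $data['EAPType']
            Policy  = $data['NetworkPolicyName']
        }
    }
}

# Rejections per day, flagged by whether they fall on or after the install date.
$rejects | Group-Object Day | Sort-Object Name | ForEach-Object {
    [pscustomobject]@{
        Day         = $_.Name
        Rejected    = $_.Count
        SinceUpdate = [bool]($patchDay -and $_.Name -ge $patchDay)
    }
} | Format-Table -AutoSize

# Which RADIUS clients and EAP types are affected.
$rejects | Group-Object Client, EapType -NoElement |
    Sort-Object Count -Descending | Format-Table -AutoSize
```

A jump in the daily count that starts on the install date, concentrated on one EAP type, points at the update rather than at expired certificates or a switch-side change.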

All replies

  • Yes, yes, yes. Just spent 4 hours and came to the same conclusion. And what's worse is it fails to uninstall for me. Looking at restoring from backup now...



    • Edited by Joffa72 Wednesday, July 19, 2017 10:17 PM
    Wednesday, July 19, 2017 10:15 PM
  • Yes we are experiencing the same issue.  Was working my way through removing Patches applied the day before to find the culprit.  Would love any updates you get from MS about this.
    Thursday, July 20, 2017 1:25 PM
  • We haven't been able to remove the update, we get an error when trying to do so. We've also restored the NPS server which is in use to before the patch was installed and are still having problems. I can get the NPS policy to work when using "smart card or other certificate". PEAP seems to be the issue we are seeing. We're using the NPS to authenticate for Cisco Wireless LAN Controller.
    Thursday, July 20, 2017 11:59 PM
  • We have also spent hours troubleshooting why our 200 teachers and support staff couldn't connect to WiFi today using cert based computer authentication.  

    We have reverted back to a previous Veeam replica, taken before this update installed, and all is working.

    Monday, July 24, 2017 6:33 AM
  • Argh yes - Just spent 3 hours today on troubleshooting until I tried uninstalling the latest two updates. After uninstall of KB4025335 it all works again... and our WIFI worldwide was up again.

    Monday, July 24, 2017 9:22 AM
  • I can confirm that uninstalling resolved this as well. I guess we won't be installing any "Preview" updates from MS anymore.
    Monday, July 24, 2017 6:15 PM
  • Same Problem. Same Error Message with Cisco WLC.

    After uninstall Patch KB4025335 works fine. Anyone Fix?

    Tuesday, July 25, 2017 6:51 AM
  • Hello,

    As a workaround, create the following registry on your server:

    Create DWORD registry key under:
    New_DWORD: DisableEndEntityClientCertCheck
    and set value to 0

    Let us know if this fixes the problem with the patch being installed.

    • Proposed as answer by zzdallep Tuesday, July 25, 2017 7:50 AM
    Tuesday, July 25, 2017 7:22 AM
  • This workaround has fixed the issue for me. 

    Thanks a lot.

    Tuesday, July 25, 2017 7:50 AM
  • Hello,

    This registry fix has resolved the issue. Thanks!

    I also have experienced the same issue with not being able to uninstall kb4025335. Any ideas?


    Tuesday, July 25, 2017 9:33 AM
  • This worked for us as well. Can you please provide more information about what this setting actually does and if there are any risks involved with setting this value? I have searched but could only find very little information about this setting.
    Tuesday, July 25, 2017 6:13 PM
  • Perfect. Worked for me.
    Wednesday, July 26, 2017 8:17 AM
  • OK, I think I may have found something? It may not be related, but it's awfully suspicious... (disclaimer, the issue was only affecting Windows 7 clients in my environment.)

    I happened to run across this link while troubleshooting today. https://cantechit.com/2015/07/10/windows-nap-as-radius-in-a-windows-7-server-2012-wireless-world/

    Just so happens that we installed that update on the 17th, and I find that I have a new certificate that was installed on the 17th as well on my NPS server. This certificate however does not have a subject name. Which Windows 7 clients balk at and will not connect. Once I generated a new cert with a subject name all my clients connected again.

    Did this update generate a new certificate? If so, WTF Microsoft?

    Thursday, July 27, 2017 9:16 PM
  • It worked for us too.  We applied the workaround and then installed the update again.

    Thank you for the fix.

    Friday, July 28, 2017 3:58 AM
  • Workaround works, but what exactly does this regkey do, besides fix EAP-TLS?

    There is no online documentation for this key.

    Friday, July 28, 2017 7:20 AM
  • I'm having the same issue, and I'm really sure, because since this update, as it's shown in my installed updates, I don't even have more installed, AND the weirdest thing is up till the kb3000850 in the update history there are updates but this last kb3000850 says failed, so I try to manually install it, and it says it's already there. Can or will anyone explain wth is going on, because I uninstalled this update (kb4025335), turned off extras, did a win update fix and I still can't update ..

    Something weirder is after I re-installed win8 again on this lap the sfc /scannow doesn't work right, but that's another story ..

    edit: I'm still missing more updates with the same story btw, inc definitions :(

    edit2: welp it's fixed now, I'm not downloading this update anymore, I'm trying the new rollup tho xD gl&hf bill gates! man that reminds me of komputer

    Friday, July 28, 2017 12:41 PM
  • Same Problem. Same Error Message with Cisco WLC.

    After uninstall Patch KB4025335 works fine. Anyone Fix?

    idk but I'm glad I could just uninstall it ..

    on a diff connection somewhere, wifi too, omg
    Friday, July 28, 2017 3:24 PM
  • Hi @all,

    we got the same problem. System patched and NO authentication on 802.1x is working. After 3 hours of searching, testing and everything else we found these posts. Uninstall KB4025335 and everything works fine.

    I'm asking myself whether Microsoft is testing its own patches; it is getting on my nerves that every third patch is faulty!

    Thanks to the guys who teased out the solution.

    Monday, July 31, 2017 12:11 PM
  • Is there any chance this affects Server 2008R2?

    Is it only Server 2012R2? Are Windows 8.1 clients affected?

    We have 2008R2 NPS servers and some Windows 8.1 clients, don't want to be bitten.

    Is it only PEAP that's affected or Certificate based too?


    Tuesday, August 8, 2017 10:40 PM
  • Hi,
    Just checking in to see if the information provided was helpful. Please let us know if you would like further assistance.

    Best Regards,


    Please remember to mark the replies as answers if they help and unmark them if they provide no help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    Friday, August 11, 2017 4:07 AM
  • Hi

    Yes, the regedit fixed the issue for us, however can anyone explain what is going on in the KB to cause the issue?

    If I understand correctly.. it seems the KB would have turned “on” disable the client Cert check so it no longer is being checked (which causes the problem) and this registry modification forces it to stay “off” so it is being checked… if that makes sense.

    Monday, August 14, 2017 4:26 AM
  • Any news on this one from Microsoft? Is there a fix or will there be one?
    Tuesday, August 22, 2017 7:19 PM
  • Can we have some info about the reg key you have to set? And the bug with KB4034681??

    It doesn't look very serious for a company like Microsoft to release an update with no info about the bug??

    Thursday, August 24, 2017 12:09 PM
  • Is this still an issue that needs reg hacks to work around or is there a new update or hotfix that provides a proper fix?
    Friday, January 11, 2019 7:47 PM
  • From what I know this has been fixed.
    Saturday, May 4, 2019 2:57 PM