🚨 Active Incident — Windows Server 2016

RDP Authentication Broken After January 2026 Update
KB5073722 — Server 2016 Fix & Workarounds

📅 March 31, 2026 🕐 10 min read 🔒 Applies to: Server 2016, Windows App, AVD ⚠️ Microsoft has not released a patch

The January 2026 cumulative update for Windows Server 2016 introduced a regression in the RDP authentication stack. Users cannot connect. Credential prompts loop. Domain controllers flood with Event ID 4625 and 4776. Accounts lock out. Here is exactly what happened and how to fix it right now.

🚨 No Microsoft patch available for Server 2016: As of March 2026, Microsoft has released fixes for Windows client builds and newer server versions but has not patched Server 2016. The rollback of KB5073722 is the primary remediation.

  • 100% of Server 2016 environments with KB5073722 installed are affected by broken RDP authentication.
  • 0 patches released by Microsoft for Windows Server 2016; rollback is the only fix as of March 2026.
  • Jan 2027: Windows Server 2016 end of extended support; reduced patch priority is expected to continue.
  • 3 min: time to run the rollback command; RDP authentication restores after the next reboot.

What Exactly Broke After the January 2026 Updates

The January 2026 cumulative update for Windows Server 2016 (KB5073722) introduced a regression deep inside the RDP authentication handshake. This is not a configuration error on your end. Every business running Server 2016 with this update installed is hitting the same wall.

Here is the exact failure sequence. The RDP client connects normally and presents the credential prompt. Instead of forwarding the credentials the user types, the client defaults to the current local session identity. The server reads this as an invalid or mismatched credential and rejects the connection instantly. The client retries using the same broken identity in a continuous loop. Every retry writes a new Event ID 4625 and 4776 to your domain controller's Security log.

📌 Same authentication stack bug family: This regression mirrors the behavior confirmed in Windows App builds 26100.7623 and 26200.7623, where credential prompts failed entirely. Microsoft released an out-of-band fix for the Windows App (KB5077744) but has not extended that fix to Windows Server 2016 itself.

What Users Report

Businesses across RDP, Azure Virtual Desktop, Windows 365, and the Windows App are all reporting the same cluster of symptoms. The server is healthy. The credentials are correct. Nothing works.

  • Credential Prompt Loop (User-Facing): The sign-in prompt appears and disappears immediately. Retrying with the correct password produces the same instant failure over and over.
  • Account Lockouts (Active Directory): Each retry counts as a failed logon attempt. Lockout thresholds are hit within seconds, locking out legitimate user accounts automatically.
  • Event ID Storm on DC (Event Viewer): Domain controllers flood with Event ID 4625 (failed logon) and Event ID 4776 (NTLM credential validation failure) from every affected RDP client.
  • Desktop Never Loads (Session Layer): RDP sessions never reach the remote desktop. The server is online and healthy. The issue is entirely in the authentication handshake before the session is established.

Affected Systems

The regression affects multiple Windows versions, but Server 2016 is the only one without a released fix. This is why Server 2016 environments are generating the highest volume of RDP support requests in 2026.

Operating System      | Update                | RDP Status | Fix Available
Windows Server 2016   | KB5073722             | ⚠ Broken   | Rollback only
Windows Server 2019   | Jan 2026 CU           | ✓ Fixed    | Patch released
Windows Server 2022   | Jan 2026 CU           | ✓ Fixed    | Patch released
Windows App (Client)  | Builds 26100 / 26200  | ⚠ OOB Fix  | KB5077744
Azure Virtual Desktop | Server 2016 backend   | ∼ Partial  | Depends on backend OS

Step-by-Step Fix for KB5073722 RDP Authentication Failure

Applies to Windows Server 2016. Follow these steps in order. Each step is additive.

Step 1 (Do This First): Roll Back KB5073722 (Primary Fix)
Removes the broken authentication stack immediately.

Since Microsoft has not released a patch for Server 2016, uninstalling KB5073722 is the most reliable fix available. Rolling it back removes the broken credential handshake behavior and restores normal RDP authentication.

Open PowerShell as Administrator on the affected server and run:

# Uninstall the problematic January 2026 update
wusa /uninstall /kb:5073722 /quiet /norestart

Schedule the server reboot for your next maintenance window. After the reboot, test RDP authentication and confirm users can connect normally before calling this step complete.

Step 2 (Do This Next): Block Reinstallation of KB5073722
Prevents Windows Update from re-introducing the regression.

After removal, Windows Update will attempt to reinstall KB5073722 automatically during the next update cycle. Block it immediately using one of these methods:

  • Use the Microsoft wushowhide.diagcab tool to hide the specific update from the Windows Update list on the affected server.
  • In WSUS, decline or pause KB5073722 to prevent it from distributing to Server 2016 targets.
  • Apply a Group Policy Object to defer cumulative updates temporarily while you plan the Server 2019 or 2022 migration.
  • In Intune or Configuration Manager, create a software update exclusion rule targeting KB5073722 on Server 2016 device groups.

Step 3 (Workaround): Switch Users to Legacy mstsc.exe
Bypasses the broken credential handoff path in the Windows App.

The modern Windows App is the most severely affected client. The legacy mstsc.exe client uses a different credential flow and is not impacted by the same handshake regression. While the rollback and block are being implemented, redirect users to the classic client.

  • Tell users to launch mstsc.exe from the Start menu or Run dialog instead of the Windows App.
  • If the Windows App is enforced by policy, disable the "Use Windows App for RDP" group policy setting temporarily.
  • Use VPN plus LAN-side RDP as an additional bypass for users connecting remotely, which routes around some of the broken pre-authentication logic.

Step 4 (Temporary): Temporarily Adjust Account Lockout Policies
Prevent mass lockouts during remediation.

The credential loop generates multiple failed logon attempts per second per affected user. With default lockout thresholds, entire user bases will be locked out within minutes. Buy yourself time to remediate by adjusting these settings temporarily in Group Policy.

  • Increase the Account Lockout Threshold to a higher value (20 to 50 attempts) to slow down the lockout rate.
  • Extend the Observation Window and Lockout Duration so accounts recover faster without admin intervention.
  • Enable fine-grained auditing to identify which specific accounts are being affected most aggressively.

⚠️ Revert these settings immediately after remediation: Relaxed lockout policies increase your attack surface. This is a temporary measure only. Restore your standard lockout policy as soon as RDP authentication is working again.

Step 5 (Verification): Validate Domain Controller Health
Confirm DCs are not overloaded after the Event ID storm.

The repeated NTLM and Kerberos failures generated by the authentication loop can strain domain controllers significantly. After rolling back the update, verify the environment has recovered cleanly before restoring full lockout policy settings.

# Verify AD replication health across all DCs
repadmin /replsummary

  • Open Event Viewer → Windows Logs → Security and confirm Event ID 4625 and 4776 entries have stopped flooding in.
  • Check DC CPU utilization in Task Manager or Performance Monitor. LSASS.exe should not be pegged at high CPU after the rollback.
  • Run repadmin /replsummary to confirm replication across all domain controllers is healthy and no errors were introduced during the lockout storm.
  • Unlock any user accounts that were locked out during the incident and communicate with affected users that access has been restored.
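
The verification in Step 5, and the failure sequence described at the top of this guide, can be checked from PowerShell instead of scrolling Event Viewer. The script below is an added example, not part of the original guide or any Microsoft tooling. It assumes an elevated session on a domain controller, and the variable names and the 30-minute look-back window are illustrative choices.

```powershell
# Added example: post-rollback verification. Run elevated on a domain controller.
$KB            = 'KB5073722'        # update named in this guide
$WindowMinutes = 30                 # assumed look-back window; adjust as needed
$AuditFailure  = 0x10000000000000   # Security log "Audit Failure" keyword
$since         = (Get-Date).AddMinutes(-$WindowMinutes)

# 1. Is the update still installed here? Run this part on the RDP host as well.
$hotfix = Get-HotFix -Id $KB -ErrorAction SilentlyContinue
'{0} installed on {1}: {2}' -f $KB, $env:COMPUTERNAME, [bool]$hotfix

# 2. Failed logons (4625) and failed NTLM validations (4776) in the window.
$events = Get-WinEvent -FilterHashtable @{
    LogName = 'Security'; Id = 4625, 4776
    Keywords = $AuditFailure; StartTime = $since
} -ErrorAction SilentlyContinue

# 3. Flatten each event's named EventData fields into one row.
$rows = foreach ($e in $events) {
    $d = @{}
    foreach ($n in ([xml]$e.ToXml()).Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
    [pscustomobject]@{
        Time    = $e.TimeCreated
        Id      = $e.Id
        Account = $d['TargetUserName']
        # 4625 carries WorkstationName and IpAddress; 4776 carries Workstation.
        Source  = ($d['WorkstationName'], $d['Workstation'], $d['IpAddress'] |
                   Where-Object { $_ -and $_ -ne '-' } | Select-Object -First 1)
        Status  = $d['Status']
    }
}

# 4. Failures per 5-minute bucket; this should drop toward zero after the reboot.
$rows | Group-Object { '{0:yyyy-MM-dd HH}:{1:00}' -f $_.Time, ([math]::Floor($_.Time.Minute / 5) * 5) }, Id |
    Sort-Object Name | Format-Table Name, Count -AutoSize

# 5. Accounts and source clients producing the most failures.
$rows | Group-Object Account, Source | Sort-Object Count -Descending |
    Select-Object -First 15 | Format-Table Count, Name -AutoSize

# 6. Accounts still locked out (needs the ActiveDirectory RSAT module).
if (Get-Module -ListAvailable -Name ActiveDirectory) {
    Search-ADAccount -LockedOut | Format-Table SamAccountName, LastLogonDate -AutoSize
}
```

A bucket count that stays high after the reboot points at clients or hosts where the update is still installed, which is what part 1 reports when run on those machines.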

Server 2016 Is Running Out of Time

This incident is not an isolated patch quality issue. It is a preview of the operational risk that comes with staying on Windows Server 2016. End of extended support arrives in January 2027. Microsoft is already deprioritizing patches for this OS version. Server 2019 and 2022 received fixes for this same regression. Server 2016 did not.

Businesses running RDP-dependent workflows on Server 2016 should treat this incident as the forcing function to begin migration planning now.

🚀 The path forward: Migrate to Windows Server 2019 or 2022, modernize remote access using RD Gateway, Entra ID, and Conditional Access, and reduce reliance on legacy NTLM authentication. These steps eliminate this category of risk entirely for future patch cycles.

  • Migrate to Server 2019/2022: Both versions received patches for this exact regression. Extended support through 2029 and 2031.
  • Modernize RDP Access: RD Gateway, Entra ID, and Conditional Access replace legacy direct RDP exposure entirely.
  • Retire Legacy NTLM: Kerberos and modern authentication methods eliminate this entire class of NTLM-related failures.

RDP Authentication Failure — KB5073722 FAQ

The January 2026 cumulative update KB5073722 introduced a regression in the RDP authentication handshake. The RDP client cannot pass user credentials correctly and defaults to the local session identity instead. The server reads this as an invalid login and rejects the connection. Every retry generates a failed logon event, which triggers account lockout policies quickly.
As of March 2026, no. Microsoft released an out-of-band fix (KB5077744) for the Windows App client builds, and patches are available for Server 2019 and 2022. However, Server 2016 remains unpatched. Rolling back KB5073722 is the only supported remediation for Server 2016 at this time.
Domain controllers affected by this regression will show storms of Event ID 4625 (failed logon) and Event ID 4776 (NTLM credential validation failure) in the Security event log. These are generated by the repeated authentication retries from each affected RDP client session. High volumes of these events can strain domain controller performance during the incident.
Yes, if the backend session host is running Windows Server 2016. The regression affects RDP authentication at the server level, so Azure Virtual Desktop and Windows 365 environments using Server 2016 hosts will exhibit the same credential prompt failure. Environments using Server 2019 or 2022 hosts received patches and should apply the available update.
Rolling back a single cumulative update does remove the security fixes it contained. This is a short-term operational trade-off. You should treat the rollback as a temporary measure and track the Microsoft update catalog for a Server 2016-specific fix. In the interim, use network-level controls (VPN, firewall rules limiting RDP exposure) to reduce risk while the server is running on the prior update baseline.
Windows Server 2016 reaches end of extended support in January 2027. Microsoft is progressively reducing patch priority for this version as it approaches EOL. Server 2019 and 2022 received patches for this same regression, demonstrating that the fix exists but was not backported to Server 2016. This pattern is likely to continue as the EOL date approaches.
Yes. We handle this type of remediation entirely remotely. We connect to the server using an alternative access method, run the rollback, block the update from reinstalling, validate domain controller health, and restore normal RDP access in a single session. Emergency response for existing clients is under 15 minutes. New businesses can book an emergency session through our scheduling link.
Navatek Solutions IT Team
Windows Server & Managed IT Specialists
If your team suddenly can’t log in through Remote Desktop on Windows Server 2016, you’re not alone. The January 2026 cumulative update KB5073722 introduced a major regression that breaks RDP authentication entirely, causing credential loops, mass account lockouts, and floods of Event ID 4625/4776 on domain controllers. Even worse—Microsoft has not released a fix for Server 2016, leaving thousands of businesses stuck until they roll the update back.