Following a Windows update, the RDP sessions using Safeguard fail. RDP sessions that bypass Safeguard are successful.
August 29, 2025—KB5064081 (OS Build 26100.5074) Preview August 29, 2025—KB5064081 (OS Build 26100.5074) Preview - Microsoft Support
September 9, 2025 - KB5065426 (OS Build 26100.6584) September 9, 2025—KB5065426 (OS Build 26100.6584) - Microsoft Support 
This is causing RDP Sessions to fail on One Identity Safeguard for Privileged Sessions, Safeguard for Privileged Sessions On Demand and PAM Essentials.
The log related error in an SPS Support Bundle is shown as follows:
CSSP Packet contains NTSTATUS error code; error_code='80090308'
CSSP Packet; version='6', tokens='0'
CSSP errorCode; value='0x80090308'
Failed to mangle SPNEGO message; status='5', last_msg='NULL'
Failed to mangle CredSSP packet;
Error parsing incoming data;
VERSION 2
Version 1 of this Hotfix inadvertently introduced an issue causing RDP Sessions to remain connected instead of being properly terminated if the user checks in the session without disconnected from RDP manually.
This V2 Hotfix corrects that issue. It can be installed without removing the previous version. It is not dependent on the previous version and can be installed on it's own. The installation instructions remain the same as below.
RESOLUTION - One Identity Safeguard for Privileged Sessions
A Hotfix is available to resolve this issue in the following versions and is available for download now.
This hotfix can be applied in the WebUI using the following steps. After you have downloaded the Hotfix it needs to be unzipped first.
NOTE:
This will need to be applied to each node in the environment.
Once the hotfix is applied the service handling RDP traffic will be automatically restarted.
This means all current RDP connections will be terminated and will need to be reestablished.  
IMPORTANT - The hotfix should NOT be installed on a Search Master node as RDP traffic should not be routed through a Search Master. The RDP service is not running. If the hotfix is installed on a Search Master a reboot should be scheduled. 
As an emergency, you can run the following command until a restart can be scheduled. 
#systemctl stop zorp@scb_rdp.service 
Upload will fail in the following cases:
If upload fails, SPS will revert to its previous state automatically.
RESOLUTION - Safeguard for Privileged Sessions On Demand
HotFixes will be applied to environments as soon as possible.
RESOLUTION - PAM ESSENTIALS
This issue has been fixed within the product.
© 2025 One Identity LLC. ALL RIGHTS RESERVED. Terms of Use Privacy Cookie Preference Center