Windows 11 RDP failures following Microsoft update KB5064081 and KB5065426 (4380493)

Following a Windows update, the RDP sessions using Safeguard fail. RDP sessions that bypass Safeguard are successful.

August 29, 2025—KB5064081 (OS Build 26100.5074) Preview August 29, 2025—KB5064081 (OS Build 26100.5074) Preview - Microsoft Support
September 9, 2025 - KB5065426 (OS Build 26100.6584) September 9, 2025—KB5065426 (OS Build 26100.6584) - Microsoft Support 

This is causing RDP Sessions to fail on One Identity Safeguard for Privileged Sessions, Safeguard for Privileged Sessions On Demand and PAM Essentials. 

The log related error in an SPS Support Bundle is shown as follows:

CSSP Packet contains NTSTATUS error code; error_code='80090308'

CSSP Packet; version='6', tokens='0'

CSSP errorCode; value='0x80090308'

Failed to mangle SPNEGO message; status='5', last_msg='NULL'

Failed to mangle CredSSP packet;

Error parsing incoming data;

RESOLUTION - One Identity Safeguard for Privileged Sessions

A Hotfix is available to resolve this issue in the following versions and is available for download now. 

https://support.oneidentity.com/one-identity-safeguard-for-privileged-sessions/8.1/download-new-releases

https://support.oneidentity.com/one-identity-safeguard-for-privileged-sessions/8.0.1%20lts/download-new-releases

https://support.oneidentity.com/one-identity-safeguard-for-privileged-sessions/8.0%20lts/download-new-releases

https://support.oneidentity.com/one-identity-safeguard-for-privileged-sessions/7.0.5.1%20lts/download-new-releases

This hotfix can be applied in the WebUI using the following steps. After you have downloaded the Hotfix it needs to be unzipped first. 

1. Navigate to Basic Settings > System > Firmwares
2. Under the Upload new hotfix: section, click Choose File and select the hotfix file you want to upload.
3. Click Upload
4. If installation is successful, SPS will list information about the hotfix under Installed hotfixes:, such as Name, Version and Description.

NOTE: 

This will need to be applied to each node in the environment.
A reboot of the system should not be necessary.

Upload will fail in the following cases:

• The hotfix file version does not pass the version check.
• The hotfix file package is not properly signed by our Support Team.
• The file you want to upload is not an appropriate .deb package or the file is corrupted.

If upload fails, SPS will revert to its previous state automatically.

RESOLUTION - Safeguard for Privileged Sessions On Demand

HotFixes will be applied to environments as soon as possible. 

RESOLUTION - PAM ESSENTIALS

This issue has been fixed within the product.