Broken DES_CBC_MD5 key derivation after Windows Update

[MichaelGrafnetter]

Hi, installing October or November 2025 updates on Windows Server 2025 and Windows 11 seems to break the DES_CBC_MD5 kerberos key derivation.

The following method in Crypto.cs returns error code 0x80080341, which is then thrown as an exception:

 // locate the crypto system for the hash type we want
int status = Interop.CDLocateCSystem(etype, out pCSystemPtr);

pCSystem = (Interop.KERB_ECRYPT)System.Runtime.InteropServices.Marshal.PtrToStructure(pCSystemPtr, typeof(Interop.KERB_ECRYPT));
if (status != 0)
    throw new System.ComponentModel.Win32Exception(status, "Error on CDLocateCSystem");

I stumbled upon this issue in DSInternals, so I presume Rubeus (and SharpDPAPI, DumpGuard, mimikatz, kekeo,...) to be affected as well. I have not found any info on this in the respective KBs though.