Microsoft's Windows IT Pro Blog (worth a subscribe) recently posted this article with some details of security hardening changes that took place in the August / September 2025 security updates:
There's a lot of detail but the long and short of it is - if you're cloning devices without Sysprep, you really shouldn't be (duh!) - and you need to rebuild all devices that were done so, before the end of 2027.
Otherwise you'll see various Kerberos and NTLM authentication failures. You can identify them by the LsaSrv event 6167 log in the auth target machine, for both NTLM and Kerberos protocols.
I am sure in our community the need to use Sysprep was clear before this, but I wasn't aware of these specific issues and changes last year, and it's nice to see a good writeup and explanation of why.