diff --git a/regress/pesterTests/SSHD.Tests.ps1 b/regress/pesterTests/SSHD.Tests.ps1
index a21a841855b..c51ef274b1c 100644
--- a/regress/pesterTests/SSHD.Tests.ps1
+++ b/regress/pesterTests/SSHD.Tests.ps1
@@ -55,8 +55,8 @@ Describe "E2E scenarios for sshd" -Tags "CI" {
 
             # with a connection, there should be two additional session processes
             $sshdPidsCountWithConn | Should Be (2 + $sshdPidCountBefore)
-            # after LoginGraceTime expires, one of the session processes should exit
-            $sshdPidsCountAfter | Should Be (1 + $sshdPidCountBefore)
+            # after LoginGraceTime expires, both session processes should exit
+            $sshdPidsCountAfter | Should Be $sshdPidCountBefore
         }
 
         It "sshd pre-auth process is spawned under runtime generated virtual account" {
diff --git a/sshd-session.c b/sshd-session.c
index bba1eaffa39..3a87617c15e 100644
--- a/sshd-session.c
+++ b/sshd-session.c
@@ -335,7 +335,7 @@ pack_config(struct sshbuf* conf)
 static void
 send_config_state(int fd, struct sshbuf* conf)
 {
-	/* copied from send_rexec_state() in sshd.c 
+	/* copied from send_rexec_state() in sshd.c
 	   On Windows, uses pack_hostkeys_for_child() and pack_config() */
 	struct sshbuf* keys;
 	u_int mlen;
@@ -542,7 +542,15 @@ privsep_child_cmdline()
 static void
 grace_alarm_handler(int sig)
 {
-#ifndef WINDOWS
+#ifdef WINDOWS
+	/*
+	 * continue to use explicit kill on the child process ID
+	 * Windows does not currently support authorized keys
+	 * command helpers, so this is sufficient
+	 */
+	if (pmonitor != NULL && pmonitor->m_pid > 0)
+		kill(pmonitor->m_pid, SIGALRM);
+#else
 	/*
 	 * Try to kill any processes that we have spawned, E.g. authorized
 	 * keys command helpers or privsep children.