diff --git a/dlls/secur32/ntlm.c b/dlls/secur32/ntlm.c
index a3f584fd34a..930c41b435b 100644
--- a/dlls/secur32/ntlm.c
+++ b/dlls/secur32/ntlm.c
@@ -1445,6 +1445,8 @@ static SECURITY_STATUS SEC_ENTRY ntlm_EncryptMessage(PCtxtHandle phContext,
 static SECURITY_STATUS SEC_ENTRY ntlm_DecryptMessage(PCtxtHandle phContext,
         PSecBufferDesc pMessage, ULONG MessageSeqNo, PULONG pfQOP)
 {
+    SECURITY_STATUS ret;
+    ULONG ntlmssp_flags_save;
     PNegoHelper helper;
     TRACE("(%p %p %ld %p)\n", phContext, pMessage, MessageSeqNo, pfQOP);
 
@@ -1475,7 +1477,16 @@ static SECURITY_STATUS SEC_ENTRY ntlm_DecryptMessage(PCtxtHandle phContext,
                 pMessage->pBuffers[1].pvBuffer, pMessage->pBuffers[1].cbBuffer);
     }
 
-    return ntlm_VerifySignature(phContext, pMessage, MessageSeqNo, pfQOP);
+    /* Make sure we use a session key for the signature check, EncryptMessage
+     * always does that, even in the dummy case */
+    ntlmssp_flags_save = helper->neg_flags;
+
+    helper->neg_flags |= NTLMSSP_NEGOTIATE_SIGN;
+    ret = ntlm_VerifySignature(phContext, pMessage, MessageSeqNo, pfQOP);
+
+    helper->neg_flags = ntlmssp_flags_save;
+
+    return ret;
 }
 
 static SecurityFunctionTableA ntlmTableA = {
diff --git a/dlls/secur32/tests/ntlm.c b/dlls/secur32/tests/ntlm.c
index 1b13948d544..244a502f93e 100644
--- a/dlls/secur32/tests/ntlm.c
+++ b/dlls/secur32/tests/ntlm.c
@@ -819,10 +819,9 @@ static void testSignSeal()
         memcpy(data[1].pvBuffer, crypt_message_server, data[1].cbBuffer);
 
         sec_status = pDecryptMessage(client.ctxt, crypt, 0, &qop);
-        todo_wine {
+
         ok(sec_status == SEC_E_OK, "DecryptMessage returned %s, not SEC_E_OK.\n",
                 getSecError(sec_status));
-        }
         ok(!memcmp(crypt->pBuffers[1].pvBuffer, message_binary,
                    crypt->pBuffers[1].cbBuffer),
                 "Failed to decrypt message correctly.\n");