diff --git a/lib/ldap.c b/lib/ldap.c index 046fcd48e8..e0da4a0776 100644 --- a/lib/ldap.c +++ b/lib/ldap.c @@ -43,20 +43,15 @@ * OpenLDAP library versions, USE_OPENLDAP shall not be defined. */ -/* Wincrypt must be included before anything that could include OpenSSL. */ -#ifdef USE_WIN32_CRYPTO -#include -/* Undefine wincrypt conflicting symbols for BoringSSL. */ +#ifdef USE_WIN32_LDAP /* Use Windows LDAP implementation. */ +# include +/* Undefine indirect symbols conflicting with BoringSSL. */ #undef X509_NAME #undef X509_EXTENSIONS #undef PKCS7_ISSUER_AND_SERIAL #undef PKCS7_SIGNER_INFO #undef OCSP_REQUEST #undef OCSP_RESPONSE -#endif - -#ifdef USE_WIN32_LDAP /* Use Windows LDAP implementation. */ -# include # include #else # define LDAP_DEPRECATED 1 /* Be sure ldap_init() is defined. */ diff --git a/lib/vtls/openssl.c b/lib/vtls/openssl.c index a632e80943..0834109ae7 100644 --- a/lib/vtls/openssl.c +++ b/lib/vtls/openssl.c 
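Review bot: The `#undef` list kept in the `USE_WIN32_LDAP` branch does not include `X509_CERT_PAIR`, which the block this commit deletes from lib/vtls/schannel.h did undefine for BoringSSL/AWS-LC builds. If any supported OpenSSL-family header still declares that name, a build that pulls in the Windows crypto header through the LDAP include could hit the same macro collision again. The diff does not show whether that is the case, so either add `#undef X509_CERT_PAIR` here and in lib/vtls/openssl.c, or say in the commit message why it is no longer needed. The new comment would also be more useful if it named the origin of the macros and pointed to the full explanation, e.g. `/* Undefine wincrypt.h symbols, pulled in indirectly, that conflict with BoringSSL/AWS-LC; see lib/vtls/openssl.c. */`.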
@@ -29,10 +29,31 @@ #if defined(USE_QUICHE) || defined(USE_OPENSSL) -/* Wincrypt must be included before anything that could include OpenSSL. */ #ifdef USE_WIN32_CRYPTO #include -/* Undefine wincrypt conflicting symbols for BoringSSL. */ +/* If is included directly, or indirectly via , + * , , or something else, does this: + * #define X509_NAME ((LPCSTR)7) + * + * And in BoringSSL/AWC-LC's there is: + * typedef struct X509_name_st X509_NAME; + * etc. + * + * The redefined symbols break these OpenSSL headers when included after + * . + * The workaround is to undefine those defines here (and only here). + * + * For unity builds it may need to be repeated elsewhere too, e.g. in ldap.c, + * to apply to other sources using OpenSSL includes. Each compilation unit + * needs undefine them between the first include and the first + * OpenSSL include. + * + * OpenSSL does this in and , but it + * also does the #undef by including . <3.1.0 only does + * it on the first include. + * + * LibreSSL automatically undefines these symbols before using them. + */ #undef X509_NAME #undef X509_EXTENSIONS #undef PKCS7_ISSUER_AND_SERIAL diff --git a/lib/vtls/schannel.h b/lib/vtls/schannel.h index c617233e08..78db502b9e 100644 --- a/lib/vtls/schannel.h +++ b/lib/vtls/schannel.h 
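Review bot: The added comment contradicts itself: it says the workaround is applied "here (and only here)", yet the next paragraph says it may need repeating elsewhere, and this commit keeps a second copy of the list in lib/ldap.c. Replacing "(and only here)" with wording such as `in each compilation unit that needs it` would keep the guidance consistent for whoever next adds an OpenSSL include to a Windows source file. Two wording fixes in the same comment: `AWC-LC` should read `AWS-LC`, and `needs undefine them` should read `needs to undefine them`. The `#undef` list that the comment documents continues past the end of the hunk.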
@@ -28,43 +28,12 @@ #ifdef USE_SCHANNEL -/* Wincrypt must be included before anything that could include OpenSSL. */ -#ifdef USE_WIN32_CRYPTO -#include -/* Undefine wincrypt conflicting symbols for BoringSSL. */ -#undef X509_NAME -#undef X509_EXTENSIONS -#undef PKCS7_ISSUER_AND_SERIAL -#undef PKCS7_SIGNER_INFO -#undef OCSP_REQUEST -#undef OCSP_RESPONSE -#endif - #include #include "../curl_sspi.h" #include "../cfilters.h" #include "../urldata.h" -/* has been included via the above . - * Or in case of ldap.c, it was included via . - * And since has this: - * #define X509_NAME ((LPCSTR)7) - * - * And in BoringSSL's there is: - * typedef struct X509_name_st X509_NAME; - * etc. - * - * this will cause all kinds of C-preprocessing paste errors in - * BoringSSL's : So just undefine those defines here - * (and only here). - */ -#if defined(OPENSSL_IS_BORINGSSL) || defined(OPENSSL_IS_AWSLC) -#undef X509_NAME -#undef X509_CERT_PAIR -#undef X509_EXTENSIONS -#endif - extern const struct Curl_ssl Curl_ssl_schannel; CURLcode Curl_verify_host(struct Curl_cfilter *cf, struct Curl_easy *data);