Duplicate SIDs causing internal local networking issues

Question

As of the recent 25H2 update, KB5065426 was included in this major update. As a result, unique SIDs are enforced to locally network machines together.

Unfortunately, the machines I bought from Amazon seem to be incorrectly duplicated and all share SIDs. These are established machines that I've been servicing for 2 years now, and it'd be a large hassle to reimage these machines to get unique SIDs.

Is there a supported tool for changing SIDs? I've tried SysPrep to generalize them, but continue to get errors in the log.

Further, the following article mentions a Group Policy edit for this, is this publicly known?

https://support.microsoft.com/en-us/topic/kerberos-and-ntlm-authentication-failures-due-to-duplicate-sids-76f7394d-c460-4882-9ed1-d27e0960f949?utm_source=chatgpt.com

Answer 1

To address the issue of duplicate SIDs on your machines, Microsoft does not support changing SIDs through third-party tools. The recommended approach is to use the built-in Sysprep tool to generalize the machines before capturing an image. However, since you mentioned encountering errors while using Sysprep, it may be necessary to troubleshoot those specific errors to ensure that the process can be completed successfully.

If you are unable to resolve the Sysprep issues, you may need to consider reimaging the machines as a last resort to ensure unique SIDs. Unfortunately, there are no supported tools for changing SIDs other than Sysprep, as Microsoft does not provide support for computers set up using SID-duplicating tools other than Sysprep.

Regarding the Group Policy edit mentioned in the article, it is important to refer to official Microsoft documentation for any updates or publicly known solutions related to Group Policy settings that could help mitigate issues caused by duplicate SIDs.

For further assistance, you may want to consult the Microsoft support documentation or forums for specific troubleshooting steps related to the errors you are encountering with Sysprep.

---

References:

• The SID Duplication Problem
• Use Ntdsutil to find and clean up duplicate security identifiers
• The Microsoft policy for disk duplication of Windows installations
• Sysprep will not run correctly on a Windows 10 device that has been MDM enrolled

Answer 2

Hello Blaze,

Thank you for reaching out about the challenges you’re facing with duplicate SIDs after the recent 25H2 update. I understand how frustrating this can be especially since these machines have been in service for years and reimaging them would be a significant effort.

The reason this issue is occurring is that recent Windows updates including KB5065426 introduced stricter security measures that enforce unique SIDs to prevent authentication failures in Kerberos and NTLM this change was designed to strengthen security and reduce risks associated with cloned systems.

To resolve this Microsoft recommends using Sysprep to generalize the system image before deployment as this ensures each machine generates a unique SID. If Sysprep continues to fail the permanent solution is to rebuild the affected systems using supported imaging methods. While Microsoft does not support third-party SID-changing tools there is a temporary workaround available: a special Group Policy that can relax SID enforcement. This policy is not publicly distributed and can only be obtained by contacting Microsoft Support for Business. This approach can help maintain functionality while you plan for a long-term fix.

Could you share the specific errors you’re seeing in the Sysprep logs? That will help determine if there’s a way to troubleshoot the generalization process before considering a full rebuild.

I hope this answer is helpful if you have further questions feel free to reply back

Regards,

Marcelo