# _general
s
Well, @Daniel Keer found something interesting this morning: Kerberos and NTLM authentication failures due to duplicate SIDs - Microsoft Support. Looks like them duplicate SIDs are about to catch up with us all after all these years... Posting this in the general channel as this has ramifications on multiple platforms. Citrix: CITRIX | Support. Omnissa: Potential impact to Instant Clones from Microsoft Windows update KB5065426 (6001154)
👍 1
j
I ran into this at a customer site. They had built up a VMware template machine, and then cloned it for a brand new deployment. We couldn't connect to SQL on another box from the new DDC. They hadn't done the sysprep before cloning. So that was broken as well.
s
Yeah, when I saw this, I was like "forget VDI, I'm thinking of all the Windows Server VMs that were cloned without sysprep that won't be able to talk to their counterparts".... Application servers to SQL servers, DCs, etc...
d
People have reported success using this to change the SID without needing to reinstall https://www.stratesave.com/html/sidchg.html
s
Yeah, but that's 3rd party isn't it?
d
Yup.
s
I don't know if I'd trust that in prod lol
☝️ 1
j
Break out the old newsid.exe from sysinternals
d
That's what I was thinking too but it looks like they killed all the download links.
j
Luckily it looks like 2507 and 2511 MCS generate new sids correctly. Need to check some older versions to see if they are showing the same.
j
We've been discussing this on two other threads. FWIW, we've had decent success with SIDCHG. Maybe 80/20, with a handful of exceptions that just "didn't work", then of that remaining 20, we've just had to adjust switches (primarily around boxes with IIS and adding /NMG). https://worldofeuc.slack.com/archives/CK6RVLZ8S/p1760021337823109?thread_ts=1759361577.514009&cid=CK6RVLZ8S https://worldofeuc.slack.com/archives/CKL5UCNCX/p1759936620316169
m
Mark Russinovich wrote an interesting article back in the day which is no longer online b/c of "reasons": Mark's Blog: The Machine SID Duplication Myth
d
Yeah, what Mark said was true then, but MS made changes now that invalidate what was said back then.
j
I remember the last time MS did this. Before SPNs, that's when I used newsid the most. Then they didn't need it, now they do again. Everything old is new again.
💫 2
d
Good thing MS just announced non-persistent AVD machines. Maybe they will address it properly
j
@Jeff Riechers
Luckily it looks like 2507 and 2511 MCS generate new sids correctly.
I'm DaaS deployed -> VMware on-prem. Current iteration deployed 30th of August w/ VDA 2507 and I still have dupe SIDs. Did I miss something on my last MC recreation?
o
Yes, the SID hardening update from September will have caused issues with anything for local SIDs being cloned (not just Citrix). So without a full Sysprep, that was a pain. Citrix has since posted a workaround for us that will get us around it. Of course, domain SIDs are always different.
👍 1