Microsoft Confirms Recent Updates Cause Login Issues on Windows 11 24H2, 25H2, and Windows Server 2025

Microsoft has acknowledged a significant authentication problem affecting users of recent Windows versions, stemming from security enhancements in updates released since late August 2025.

The company detailed how these updates are triggering Kerberos and NTLM failures on devices sharing identical Security Identifiers (SIDs), leading to widespread login disruptions across enterprise networks.

This issue, now officially documented, highlights the trade-offs between bolstering security and maintaining compatibility in cloned or duplicated systems.

Windows Operating Systems Affected

Affected users on Windows 11 version 24H2, version 25H2, and Windows Server 2025 report a range of frustrating symptoms following the installation of updates like KB5064081 on August 29, 2025, and KB5065426 on September 9, 2025.

Common issues include repeated credential prompts despite entering valid information, with error messages such as “Login attempt failed,” “Your credentials didn’t work,” or “There is a partial mismatch in the machine ID.”

Network access breaks down as well, preventing connections to shared folders via IP or hostname and blocking Remote Desktop Protocol (RDP) sessions, even those routed through Privileged Access Management (PAM) tools or third-party software.

Failover Clustering operations halt with “access denied” errors, complicating high-availability setups in data centers. Event Viewer logs reveal critical clues, including SEC_E_NO_CREDENTIALS in the Security log and Local Security Authority Server Service (lsasrv.dll) Event ID 6167 in the System log, signaling a machine ID mismatch that suggests ticket manipulation or session discrepancies.

These problems have surfaced prominently in virtual desktop infrastructure (VDI) environments, such as those using Citrix MCS, where multiple machines derived from the same image share SIDs, exacerbating authentication breakdowns during RDP or file sharing.

At the heart of this disruption lies a deliberate security upgrade in the updates, which now rigorously verifies SIDs during authentication handshakes to prevent unauthorized access.

Microsoft explains that duplicate SIDs, often resulting from improper cloning of Windows installations without the Sysprep tool, are no longer tolerated under this new regime.

Sysprep ensures SID uniqueness, a requirement Microsoft has long recommended for duplicating OS images, but the August updates enforce it more stringently, blocking interactions between affected devices.

This change aligns with Microsoft’s policy against unsupported disk duplication methods, which can propagate identical SIDs across networks, posing risks in enterprise settings.

While intended to enhance protection against potential exploits, the enforcement has caught many IT teams off guard, particularly in scenarios involving rapid VM deployments or legacy imaging practices.
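A check for the condition described above, added here as an example (not Microsoft's or the article's code): it derives a machine SID from a local account, flags hosts in an inventory that share one, and lists Event ID 6167 entries from the System log. The function names and the sample inventory are hypothetical, and the SIDs in it are constructed.

```powershell
# Added example. Function names and the sample inventory are hypothetical.

function Get-MachineSid {
    # The machine SID is the domain portion of any local account SID,
    # that is, the account SID with its trailing RID removed.
    $account = Get-LocalUser | Select-Object -First 1
    return $account.SID.AccountDomainSid.Value
}

function Find-DuplicateMachineSid {
    # Input: objects with ComputerName and MachineSid properties.
    # Output: one object per SID that more than one host reports.
    param([Parameter(Mandatory)] [object[]] $Inventory)
    $Inventory |
        Group-Object -Property MachineSid |
        Where-Object { $_.Count -gt 1 } |
        ForEach-Object {
            [pscustomobject]@{
                MachineSid = $_.Name
                Hosts      = @($_.Group.ComputerName | Sort-Object)
            }
        }
}

function Get-MachineIdMismatchEvent {
    # Event ID 6167 in the System log, as named in the article.
    # The provider is not filtered on; ProviderName is returned so the
    # reader can confirm the entries come from the LSA service.
    param([datetime] $Since = [datetime]'2025-08-29')
    $filter = @{ LogName = 'System'; Id = 6167; StartTime = $Since }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, ProviderName, MachineName, Message
}

# Constructed inventory: in practice each row would come from running
# Get-MachineSid on the host itself and collecting the results.
$sample = @(
    [pscustomobject]@{ ComputerName = 'VDI-01'; MachineSid = 'S-1-5-21-1111111111-2222222222-3333333333' }
    [pscustomobject]@{ ComputerName = 'VDI-02'; MachineSid = 'S-1-5-21-1111111111-2222222222-3333333333' }
    [pscustomobject]@{ ComputerName = 'FS-01';  MachineSid = 'S-1-5-21-4444444444-5555555555-6666666666' }
)

# Reports the one SID shared by VDI-01 and VDI-02; FS-01 is unique.
Find-DuplicateMachineSid -Inventory $sample
```

Hosts that appear in a duplicate group are the ones to compare against the Event ID 6167 results and to schedule for rebuilding from a Sysprep-generalized image.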

For immediate relief, IT administrators can deploy a specialized Group Policy to mitigate the authentication blocks, though this requires contacting Microsoft Support for business to obtain it.

However, Microsoft suggests that the definitive solution involves rebuilding impacted devices using approved cloning procedures that incorporate Sysprep, ensuring each system generates a unique SID.

Organizations relying on tools like VMware or Citrix for VDI provisioning may need to revise their workflows to comply, potentially delaying updates until imaging processes are updated.

As of October 21, 2025, no broader patch has been rolled out, but Microsoft continues monitoring reports from affected users.
