Windows 11 24H2 KB5065426 Breaks RDP, SMB and Printer Sharing on Cloned Machines Due to Duplicate Local SIDs
After installing KB5065426 on Windows 11 24H2, RDP, SMB file sharing, and printer connectivity fail across cloned machine estates including Citrix MCS and PVS deployments. The update introduces stricter SID-based authentication checks that reject connections from machines sharing identical local Security Identifiers inherited from a common master image. Remediation requires regenerating unique SIDs via Sysprep on master images before provisioning, or temporarily uninstalling KB5065426 as an emergency workaround.
Indicators
- RDP connections to cloned Windows 11 24H2 machines fail — connections refused or drop immediately after KB5065426 installation
- SMB file sharing (network drive access via UNC paths) fails between machines or from clients to cloned 24H2 hosts
- Printer sharing connectivity failures — shared printers hosted on or accessed via cloned 24H2 machines become unreachable
- Issue is consistent across multiple cloned machines in the same MCS/PVS catalog sharing the same master image SID
- Failures commence after application of Windows 11 24H2 update KB5065426
- Non-cloned Windows 11 24H2 machines in the same network function correctly
Likely causes
- KB5065426 (Windows 11 24H2) introduces security hardening that enforces stricter local SID validation during RDP, SMB, and printer sharing authentication — cloned machines with identical local SIDs fail these checks
- Citrix MCS and PVS clone machines from a master image without regenerating unique local SIDs, causing all clones in a catalog to present the same local SID to the network
- The security behaviour change in 24H2 exposes a pre-existing SID duplication condition that was tolerated by older Windows builds
Diagnostic steps
- Confirm KB5065426 is installed: Get-HotFix -Id KB5065426. Purpose: verifies that the security behaviour change introduced by KB5065426 is present and is the likely trigger for the failures.
- Compare local SIDs across affected machines using PsGetSid: PsGetSid \\machine1 and PsGetSid \\machine2. Alternatively, run wmic useraccount get sid on each machine and compare the SID prefix across clones. Purpose: confirms that duplicate local SIDs exist across cloned machines, which is the root condition KB5065426 now rejects.
- Attempt an RDP connection to an affected cloned machine and capture the exact error message; review Event Viewer on the target under Windows Logs > System and Security for authentication or network logon failure events at the time of the failed connection. Purpose: documents the failure mode and event log evidence to confirm that the connectivity failure is authentication/SID-related rather than a network or firewall problem.
- Test RDP and SMB connectivity to a non-cloned Windows 11 24H2 machine (unique SID) in the same network segment. Purpose: isolates the failure to the shared-SID condition rather than a universal 24H2 RDP/SMB regression.
- Review the Citrix support article at support.citrix.com regarding KB5065426 and SID-sharing behaviour for any Citrix-specific hotfixes, updated MCS/PVS agents, or catalog configuration flags. Purpose: determines whether Citrix has released a specific fix that addresses the SID conflict without requiring full reprovisioning.
- Attempt to access an SMB share on an affected cloned machine via \\<machinename>\ShareName and note any error messages returned. Purpose: confirms that the SMB connectivity failure is consistent and co-located with the RDP failure on the same machines, ruling out unrelated network or firewall causes.
Resolution path
1. Consult the Citrix support advisory at support.citrix.com regarding KB5065426 and SID-sharing behaviour for the specific recommended remediation path for MCS/PVS environments.
2. For Citrix MCS: regenerate the master image using Sysprep (sysprep /generalize /oobe /shutdown) to ensure unique SID generation, then update the MCS catalog to use the new master image snapshot; all newly provisioned clones will receive unique SIDs.
3. For Citrix PVS: run Sysprep on the vDisk master target device to reset the SID before sealing the vDisk, or use the Citrix PVS device personality/AD machine account approach for unique identity.
4. Emergency temporary workaround: uninstall KB5065426 to restore the prior security behaviour (wusa /uninstall /kb:5065426 /quiet /norestart, then reboot). This leaves the machines on the older security baseline and must be followed by proper SID remediation.
5. After the catalog rebuild or SID remediation, validate RDP, SMB, and printer sharing on representative machines before releasing them to users.
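Step 5 can be scripted so the same checks run against every representative host. This PowerShell is an added example, not from the original article or from Citrix; it assumes the caller can open the admin$ share and enumerate printers on the targets, and the host names are placeholders. The RDP check only confirms the port answers; the RDP authentication path still needs a final interactive logon.

```powershell
# Added example: post-remediation validation of RDP, SMB and printer sharing.
# VDA01 and VDA02 are placeholder host names.
$Hosts = @('VDA01', 'VDA02')

$report = foreach ($h in $Hosts) {
    # TCP reachability of RDP only; does not exercise RDP authentication.
    $rdpPort = Test-NetConnection -ComputerName $h -Port 3389 -InformationLevel Quiet -WarningAction SilentlyContinue

    # Opening the admin$ share performs a full SMB session setup and authentication.
    $smbOk = Test-Path -Path "\\$h\admin$" -ErrorAction SilentlyContinue

    # Enumerating shared printers through the remote spooler exercises printer sharing.
    try {
        $shared  = @(Get-Printer -ComputerName $h -ErrorAction Stop | Where-Object Shared).Count
        $printOk = $true
    } catch {
        $shared  = 0
        $printOk = $false
    }

    [pscustomobject]@{
        Host           = $h
        RdpPortOpen    = $rdpPort
        SmbAuthOk      = $smbOk
        PrintOk        = $printOk
        SharedPrinters = $shared
    }
}

$report | Format-Table -AutoSize

# Flag any representative host that still fails one of the three checks.
$bad = $report | Where-Object { -not ($_.RdpPortOpen -and $_.SmbAuthOk -and $_.PrintOk) }
if ($bad) { Write-Warning ("Validation failed on: {0}" -f ($bad.Host -join ', ')) }
```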
Prevention
- Always run Sysprep on master/template images before sealing for MCS or PVS provisioning — ensures every cloned machine receives unique local SID at first boot
- Establish pre-deployment validation gate: test Windows quality/feature updates (especially major releases like 24H2) on non-cloned reference machine and small pilot cloned catalog before production rollout
- Monitor Citrix support advisories and Windows Update release notes for security behaviour changes affecting cloned or shared-image environments — schedule catalog maintenance proactively when such changes are announced
Tools
- PsGetSid (Sysinternals) — enumerate and compare local machine SIDs across cloned machines
- wmic — query local SID values (wmic useraccount get sid) as an alternative to PsGetSid for SID comparison across clones
- Sysprep (Windows built-in) — regenerate unique SIDs on master images before provisioning
- wusa.exe — Windows Update Standalone Installer for KB uninstallation
- Get-HotFix (PowerShell) — confirm presence of KB5065426
- Citrix Studio / Web Studio — update MCS catalog master image or PVS vDisk version
- Event Viewer (eventvwr.msc) — review System and Security logs for authentication failure events