Microsoft quietly makes a requirement mandatory for Windows 11 25H2 24H2 installations

Microsoft last month released the Windows 11 2025 update (version 25H2) and following that, it announced that the feature update was rolling out to everyone be it on Windows 11 or 10 on supported systems.

Since the launch of the update, Microsoft has made several major announcements for office and enterprise PCs as well. The most recent announcement of such nature happened in the second half of last month as the tech giant revealed a full list of 36 new settings IT administrators can use to manage and deploy various features on enterprise-managed Windows 11 25H2 systems. You can check out the full list in its dedicated article here.

Of course, if you are an IT admin and are looking to install Windows 11 25H2 on your devices you do need to be mindful of when you proceed with the installation in case you are hotpatching.

Aside from these, Microsoft has also made another important change for office and enterprise systems for Windows 11 25H2 installations, though it applies to those who use some of these features at home too. The company has confirmed that it is no longer possible to successfully authenticate devices on NTLM and Kerberos with duplicate computer SIDs (security identifiers) on Windows 11 2025 update. Neowin noticed this new document. The change applies to Windows 11 24H2 as well since the two versions share a common servicing branch and codebase.

Microsoft notes that users will be noticing the following issues including problems accessing shared network drives and such:

• Users are repeatedly prompted for credentials.
• Access requests with valid credentials fail with on-screen errors, such as:
  • Login attempt failed.
  • Login failed/your credentials didn't work.
  • There is a partial mismatch in the machine ID.
  • The username or password is incorrect.
• Shared network folders cannot be accessed via IP address or hostname.
• Remote desktop connections cannot be established, including Remote Desktop Protocol (RDP) sessions initiated through Privileged Access Management (PAM) solutions or third-party tools.
• Failover Clustering fails with an "access denied" error.
• Event Viewer might display one of the following errors in the Windows logs:
  • The Security log contains the SEC_E_NO_CREDENTIALS error.
  • The System log contains Local Security Authority Server Service (lsasrv.dll) Event ID: 6167 with the message text: There is a partial mismatch in the machine ID. This indicates that the ticket has either been manipulated or it belongs to a different boot session.

This is actually a new security enforcement made to prevent unathorized access to potentially restricted files that could previously be accessed on another system using a duplicated SID. Microsoft has recommended admins and users alike to use Sysprep, a native Windows tool, to ensure SID uniqueness when doing OS cloning and duplication tasks on Windows 11, versions 24H2 and 25H2, and Windows Server 2025.

If you are wondering how Sysprep helps, it essentially "generalizes" a Windows image thus removing duplicated SIDs and unique PC-specific information from a Windows installation. You can find the support article here under KB5070568 on Microsoft's official site.

 

[Diguelo]

Oh goody, they are going to impliment the "AI: Im going to be really annoying and make sure its you after you touch every key and just to make doubly sure im going to send you a code to your email whch when youve answered it with the correct code I will get a door knocker to call round with a camera to take your picture and send it to us via Email, then we have to verify the picture is actually you by sending you a copy to validate that it is in fact you, but wait we cant send it to you because we havent verified its you so we will get your local Police force to come out and arrest you so they can take an official image and then apply for a copy of your birth certificate to be sent to us as well then we may allow the OK button you attempted to press to be acyivated, if this process fails you can always call us on our $400 per minute call centre on 0800-daylightrobbery and ask to speak to personal verification issues. We appologised for the delay on the service as it iis suffering high volumes of traffic right now. You can opt to have a call made to you for a cost of $2500 by pressing 1 to save you waiting in the queue. Once your identity has been verified you may then pree the OK button to complete the next step of the security verification process."

This must be the "GRANNY KNOWS BEST" version.

Turning off the security in windows 11 is the 100% best way to achieve security and peace of mind. All of mine is turn off and is being looked after by BODGIT & SCARPER LEADING TECHNICAL ANALYSTS OF SECURITY ON YOUR PC. A firm of great repute.

And of course I have Comodo Internet Security doing the real job. I got Malware Bytes covering the downloads and web pages and I just dont get viruses or malware at all.

Updates by Microsoft technically arent updates, they are corrections to mistakes they made when they rush to get things out for christmas, then they have to repair the updates they made to get the updates out for christmas in time to get the easter updates sorted to correct the mistakes they made in the last pack of updates and of course they have to get the update a fany name and make the graphics up to suit the name and make it look really swish.

TO: MICROSODT.
Your new program policy should include the following. Make a mistake dont publish it, publish a mistake your fired, if your fired we can reassign you once you have corrected the mistake you made in the first place, then we can retrain you so you dont make the mistake you made in the first place again.

In other words GET IT RIGHT FIRST TIME.

WINDOWS 3.1 was indistructable. It worked, it did what its supposed to do.

{mumbling incoherantly he leaves along the dark corridor, in the distance you hear a door close}

 

[DVDR_Dog]

The more crap, err features, they pile up the more broken pieces Windows 11 has. Engineering at Redmond must be a disaster area of English as a second language interns; read cheap labor. Add one feature, break another and open some security holes while you are at it. Gone are the days of 3.1, quality of features that work, not quantity and pride in their product. It's now a matter of pleasing the stockholders, not the end consumers. Not a good formula for longevity.

 

[Diguelo]

SHHHHHHHHH, it isnt crap it is carefully packaged adaptive software with zero purpose.

If one day someone actually finds a use for one of these programs or "APPS" then what, does the world come to an end.

As for the junk part, if Microsoft got rid of every piece of bloat they stuff in this OS would the whole thing run on a Commodore 64/128

Oh and apparently now, get this I need to prove that I am over 18 years of age, considering I have had a Microsoft Account with the same details since 1992 I guess they cant be toooooooo careful.

God when will this security thing end?

 

[DVDR_Dog]

SHHHHHHHHH, it isnt crap it is carefully packaged adaptive software with zero purpose.

If one day someone actually finds a use for one of these programs or "APPS" then what, does the world come to an end.

As for the junk part, if Microsoft got rid of every piece of bloat they stuff in this OS would the whole thing run on a Commodore 64/128

Oh and apparently now, get this I need to prove that I am over 18 years of age, considering I have had a Microsoft Account with the same details since 1992 I guess they cant be toooooooo careful.

God when will this security thing end?

I don't know. It seems to be these security schemes they devise don't make a great deal of sense. My favorite saying is Internet security is an oxymoron. You see these security admin jobs get listed all the time. My guess is they hire some poor bloke, they collect a six figure salary until someone breaches the security and then they can blame the poor bloke citing his incompetence, someone has to be a scapegoat.
As long as there are users who haven't a clue other than what to tabs to push and the email recipient who easily falls victim to social engineering, most of the time, personal greed with the occasional attempt to frighten the user into doing tremendously stupid things to the system by accusing them making an error.
You aren't ever going to fix those problems.

 

[Diguelo]

To achieve surity things have to be secure, so if they are constantly being updated then they cant be that secure.