Skip to content

feat(msft-windows): add duplicate SID temporary fix script#84

Open
mnelsondtc wants to merge 1 commit into
mainfrom
feature/sid-duplicate-temp-fix
Open

feat(msft-windows): add duplicate SID temporary fix script#84
mnelsondtc wants to merge 1 commit into
mainfrom
feature/sid-duplicate-temp-fix

Conversation

@mnelsondtc

Copy link
Copy Markdown
Contributor

Summary

Adds msft-windows/msft-windows-sid-duplicate-temp-fix.ps1 — a temporary mitigation for the duplicate local machine SID issue. Writes FeatureManagement override 1517186191 = 0 (DWORD) under HKLM\SYSTEM\CurrentControlSet\Policies\Microsoft\FeatureManagement\Overrides to disable the feature rollout that triggers the symptom, then verifies the write by read-back.

This is a temporary fix only — the permanent fix is reimaging affected machines with sysprep /generalize. Detection counterparts: msft-windows-sid-report.ps1 and msft-windows-sid-detect-duplicates.ps1.

Details

  • Follows the repo script template: RMM variable block, $env:RMM string-compare input handling, transcript logging
  • Transcript hardened: pre-created log dir, guarded Start-Transcript/Stop-Transcript, stdout output before transcript starts
  • Auto-detects non-interactive PowerShell (-NonInteractive) and falls back to RMM mode so Read-Host can't kill the script
  • HKLM\SYSTEM is not WOW6432-redirected, so the 32-bit NinjaOne PowerShell host writes the correct key without a sysnative relaunch
  • Exit codes: 0 = applied and verified, 1 = write/verify failure

RMM Compatibility

NinjaOne preset variables: RMM, Description, RMMScriptPath (all optional; interactive mode prompts for Description). Runs as SYSTEM.

Testing

  • Reviewed against repo template and existing SID scripts; registry write verified by read-back in the script itself

🤖 Generated with Claude Code

Disables Windows FeatureManagement override 1517186191 to stop the
duplicate-SID symptom. Temporary mitigation only; permanent fix is
sysprep /generalize reimaging.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
@mnelsondtc mnelsondtc requested a review from Gumbees as a code owner June 10, 2026 13:32
@mnelsondtc mnelsondtc added type:enhancement New work that adds or improves capability (Halo: Enhancement) category:feature Net-new capability the customer/operator didn't have labels Jun 10, 2026

@claude claude Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

⚠️ Code review skipped — your organization has reached its monthly code review spending cap.

An organization admin can view or raise the cap at claude.ai/admin-settings/claude-code. The cap resets at the start of the next billing period.

Once the cap resets or is raised, push a new commit or reopen this pull request to trigger a review.

@Gumbees Gumbees left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Reviewed the script and verified the substance. Override ID 1517186191 and the registry path check out against Microsoft and multiple writeups — this is the documented mitigation for the fall-2025 SID-uniqueness enforcement (KB5065426 family) that blocks NTLM/Kerberos auth between cloned machines. The claim is accurate.

Overall: solid. Cleaner than its siblings, actually — it uses the mandated $env:RMM pattern, whereas msft-windows-sid-detect-duplicates.ps1 still uses the bare $RMM footgun the template warns against. Guarded transcript, non-interactive fallback, read-back verify, real exit codes all look good.

Should fix before merge — reboot messaging

The override requires a reboot to take effect. The script writes the value, reads it back, and prints [SUCCESS] ... override applied / verified. But the read-back only confirms the value persisted — it does not confirm the symptom cleared. A tech who sees "SUCCESS, applied and verified" will reasonably conclude the machine is fixed, when auth will keep failing until reboot.

Fix is messaging only (no auto-reboot on a fleet):

Write-Host "[SUCCESS] Verified '$valueName' = $readBack. FeatureManagement override applied."
Write-Host "[ACTION REQUIRED] A reboot is required for this override to take effect. Auth symptoms persist until restart."
Write-Host "[NOTE] This is a TEMPORARY mitigation. Permanent fix is to reimage affected machines with sysprep /generalize."

Minor (non-blocking)

  • The -NonInteractive detection uses exact match ^-NonInteractive$. PowerShell accepts abbreviated parameters (-noni, -NonI), so a relaunch using a short form would slip past it. NinjaOne passes the full flag, so this is fine in practice — -match '^-noni' (prefix) would just be more robust.
  • The inline comment says the feature "triggers the duplicate-SID behavior." More precise: the duplicate SID already exists from cloning; the fall-2025 update enforces uniqueness and blocks auth, and this override disables the enforcement check. PR body wording is fine; only the code comment is slightly off.

Refs: Windows OS Hub, Born's Tech

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

category:feature Net-new capability the customer/operator didn't have type:enhancement New work that adds or improves capability (Halo: Enhancement)

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants