Applies To

  • Windows 11 version 24H2, all editions

  • Windows 11 version 25H2, all editions

  • Windows Server 2025

Original publish date: September 30, 2025

KB ID: 5068222

Introduction

This article explains recent security enhancements designed to prevent unauthorized privilege escalation during network authentication, especially in loopback scenarios. These risks often arise when cloned devices or machines with mismatched IDs are added to a domain. 

Background

On domain-joined Windows devices, the Local Security Authority Security Service (LSASS) enforces security policies, including filtering network authentication tokens. This prevents local administrators from gaining elevated privileges via remote access. Kerberos authentication, while robust, has historically been vulnerable in loopback scenarios due to inconsistent machine identity verification.

Key changes

To address these vulnerabilities, Microsoft has introduced persistent machine account security identifiers (SID). Now, the SID remains consistent across system restarts, helping maintain a stable machine identity.

Previously, Windows generated a new machine ID at each boot, which allowed attackers to bypass loopback detection by reusing authentication data. With Windows updates released on and after August 26, 2025, the machine ID now includes both per-boot and cross-boot components. This makes it easier to detect and block exploits, but it may cause authentication failures between cloned Windows hosts, because their cross-boot machine IDs match and the authentication is therefore blocked.

Security impact

This enhancement directly addresses Kerberos loopback vulnerabilities, ensuring systems reject authentication tickets that do not match the current machine’s identity. This is especially important for environments where devices are cloned or reimaged, as outdated identity information can be exploited for privilege escalation.

By validating the machine account SID against the SID in the Kerberos ticket, LSASS can detect and reject mismatched tickets, strengthening User Account Control (UAC) protections.

Recommended actions

  • If you encounter issues such as Event ID: 6167 on a cloned device, use the System Preparation Tool (Sysprep) to generalize the device's image.

  • Review domain joins and cloning practices to align with these new security enhancements.
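The following PowerShell script is an added example, not part of this article, for triaging the Event ID 6167 condition described above across a set of hosts so that clones can be scheduled for Sysprep generalization. It assumes the event is written to the Security or System log (the article does not name the channel) and that remote Event Log access is permitted; the host names are placeholders.

```powershell
# Added example (not from the KB): find hosts that logged Event ID 6167 in the
# last N days and report them with the KB's remediation (Sysprep generalize).
# Assumptions: the event lands in the Security or System log (channel not stated
# in the KB); remote Event Log (RPC) access to each host is allowed.
function Get-MachineIdMismatchEvents {
    [CmdletBinding()]
    param(
        [string[]]$ComputerName = @($env:COMPUTERNAME),
        [int]$Days = 7
    )
    $since = (Get-Date).AddDays(-$Days)
    foreach ($computer in $ComputerName) {
        # SilentlyContinue suppresses the "No events were found" error and lets
        # unreachable hosts be skipped rather than aborting the whole sweep.
        $events = Get-WinEvent -ComputerName $computer -ErrorAction SilentlyContinue `
            -FilterHashtable @{ LogName = @('Security', 'System'); Id = 6167; StartTime = $since }
        if (-not $events) { continue }

        $sorted = $events | Sort-Object TimeCreated
        [pscustomobject]@{
            ComputerName = $computer
            Count        = @($events).Count
            FirstSeen    = $sorted[0].TimeCreated
            LastSeen     = $sorted[-1].TimeCreated
            # Repeated 6167 events after the August 26, 2025 update point to a
            # cloned image; the KB's fix is to generalize it with Sysprep.
            Remediation  = 'Generalize the image with Sysprep (sysprep /generalize), then rejoin the domain'
        }
    }
}

# Usage: placeholder host names; replace with the computers you manage.
Get-MachineIdMismatchEvents -ComputerName 'HOST01', 'HOST02' -Days 30 | Format-Table -AutoSize
```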

Conclusion

These changes enhance Kerberos authentication by binding it to a persistent, verifiable machine identity. Organizations benefit from improved protection against unauthorized access and privilege escalation, supporting Microsoft’s broader security-first initiative to strengthen identity-based security across enterprise environments.

