MCS and PVS machines are created using the same local SID.  This is typical with a cloned machine using a hypervisor when the newly created device is not first sys prepped.  KB5065426 changes the system behavior by contnuing to use the local SID for some security functionality.    

"Citrix is not responsible for and does not endorse or accept any responsibility for the contents or your use of these third party Web sites. Citrix is providing these links to you only as a convenience, and the inclusion of any link does not imply endorsement by Citrix of the linked Web site. It is your responsibility to take precautions to ensure that whatever Web site you use is free of viruses or other harmful items." 

Each machine local SID in a Citrix MCS or PVS catalog will be identical, all machines sharing a particular vDisk or Master Image will be affected by this update.  The duplicate SID leads to this problem where new Microsoft enforcement has been applied.

Microsoft has Provided a KIR (known issue rollback) for KB5065426.

1. Download first, then Run the OS version-specific KIR MSI from (Win11/ Win2025 below)

https://download.microsoft.com/download/c6c70455-59ce-4d47-b13c-56b99d0435f1/Windows%2011%2024H2%2c%20Windows%2011%2025H2%20and%20Windows%20Server%202025%20KB5065426%20250923_06201%20Known%20Issue%20Rollback.msi

Executing the MSI installs an ADMX file in the %systemroot%\policydefinitions folder that provides insight as to the OS Version-specific KIR Group Policy Setting to configure in local or domain group policy editors

2. In the local or domain policy editor, configure the KB5065426_20250923_06201 Known Issue Rollback group policy setting to disabled ( Supported on Windows 11, version 24H2, 25H2 and Windows Server 2025)

Disabled :If you disable this policy setting, the corresponding fixes with known issues will be disabled. (Use this to Rollback a known issue)

3.Reboot the machine

Alternatives:

1. Consider deploying your print server or file share on a machine outside the catalog so that the local SIDs on the machine are different than the catalog base image.

2. The MS update can be removed from the image, this should immediately return normal machine functionality.  

*Citrix continues to investigate the matter to provide a permanent solution for PVS and MCS

After Patching Windows 11 machines with Windows Update for September 2025, KB5065426, machines may experience the following:

- You cannot RDP between VDAs running the same vDisk or between VDA machines in the same MCS/PVS catalog.

- You cannot access file or printer shares on other VDAs running the same vDisk/Master Image.