If WSUS complains that machines have duplicated IDs/SIDs, running the
following on an affected client machine should generate a new random ID for
that machine:

net stop bits
net stop wuauserv
reg Delete HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate /v PingID /f
reg Delete HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate /v AccountDomainSid /f
reg Delete HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate /v SusClientId /f
net start bits
net start wuauserv
gpupdate /force
wuauclt.exe /resetauthorization
wuauclt.exe /detectnow
wuauclt.exe /reportnow