Update 10/10/2023: Our recommendation to address CVE-2023-21709 is now changed; please see the changes below.
Update 9/12/2023: As a part of the September 2023 "Patch Tuesday" we have released a fe...
Updated Oct 10, 2023
Version 18.0
Blog Post
Haha, some developer used hard coded name "Network Service" in the latest SU installer instead of using the well known security identifier "S-1-5-20". Yes! Summer time is intern time. Also applies to MSFT. 
Edit: At least that should be really easy to fix.
Edit: The workaround actually works!
Edit: The workaround is actually missing a ")" and the end of this line!
$rule = New-Object System.Security.AccessControl.RegistryAccessRule((New-Object System.Security.Principal.SecurityIdentifier("S-1-5-20")), 983103, 3, 0, 0
should be:
$rule = New-Object System.Security.AccessControl.RegistryAccessRule((New-Object System.Security.Principal.SecurityIdentifier("S-1-5-20")), 983103, 3, 0, 0)
The wrong "Network service" ACL is also kept that registry key - should be removed manually IMHO! Beware that the correct S-1-5-20 Network Service account got Full Access while to the temporary account get special access rights to HKLM:\SOFTWARE\Microsoft\MSIPC\Server; I will check this on another server as I've already deleted the temporary acl and account. This means the script does NOT assign the same rights as the SU installer!