A recent update to HP’s OneAgent software has led to significant disruptions for users, particularly those utilizing Windows devices integrated with Microsoft Entra ID. The deployment of version 1.2.50.9581, especially on HP’s Next Gen AI systems like the EliteBook X Flip G1i, has resulted in the deletion of essential security certificates. This deletion has caused devices to lose their Entra ID join status, effectively severing their connection to corporate networks.
Incident Overview
The issue became apparent when numerous Windows 11 users encountered login screens that displayed only local LAPS (Local Administrator Password Solution) accounts, with no option to sign in with Entra ID credentials. Diagnostic checks using the `dsregcmd /status` command confirmed the absence of cloud trust, indicating that the devices were no longer recognized as members of their organization’s Entra ID tenant.
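The check described above can be scripted for a fleet-wide health sweep. The following PowerShell is an added example written for this article, not a script from HP or Microsoft: it parses the `Key : Value` lines that `dsregcmd /status` prints, reports whether the device still shows `AzureAdJoined : YES`, and, on Windows, also looks for a certificate issued by `CN=MS-Organization-Access` in the machine store. The sample output embedded at the bottom is constructed to resemble an affected device; the function names are this example's own.

```powershell
# Added example (not HP's or Microsoft's code): defender-side Entra join health check.
# Runs on Windows PowerShell 5.1 and PowerShell 7; the certificate-store check only runs on Windows.

function ConvertFrom-DsregcmdStatus {
    # Turn the "Key : Value" lines of dsregcmd /status into a hashtable.
    # Section borders ("+----") and titles ("| Device State |") do not match and are skipped.
    param([Parameter(Mandatory)][string[]]$Lines)
    $status = @{}
    foreach ($line in $Lines) {
        if ($line -match '^\s*([A-Za-z][A-Za-z0-9 ]*?)\s*:\s*(.*?)\s*$') {
            $status[$Matches[1]] = $Matches[2]
        }
    }
    return $status
}

function Test-EntraJoinState {
    # Summarise join state and whether the MS-Organization-Access certificate is still present.
    # Pass -DsregOutput to evaluate captured text; omit it to run dsregcmd.exe live on Windows.
    param(
        [string[]]$DsregOutput,
        [switch]$SkipCertificateStore
    )
    if (-not $DsregOutput) {
        $DsregOutput = & dsregcmd.exe /status
    }
    $s = ConvertFrom-DsregcmdStatus -Lines $DsregOutput

    $hasOrgAccessCert = $null   # $null = not checked on this platform
    if (-not $SkipCertificateStore -and (Get-PSDrive -Name Cert -ErrorAction SilentlyContinue)) {
        # The Entra device certificate is issued by CN=MS-Organization-Access, DC=<tenant id>.
        $hasOrgAccessCert = [bool](Get-ChildItem Cert:\LocalMachine\My |
            Where-Object { $_.Issuer -like 'CN=MS-Organization-Access*' })
    }

    [pscustomobject]@{
        AzureAdJoined     = ($s['AzureAdJoined'] -eq 'YES')
        DomainJoined      = ($s['DomainJoined'] -eq 'YES')
        TenantName        = $s['TenantName']
        DeviceId          = $s['DeviceId']
        OrgAccessCertSeen = $hasOrgAccessCert
        # Healthy only if the join is reported AND (when checked) the device certificate exists.
        Healthy           = ($s['AzureAdJoined'] -eq 'YES') -and ($hasOrgAccessCert -ne $false)
    }
}

# Constructed sample of dsregcmd /status output from an affected device (not captured from a real machine).
$sampleBroken = @'
+----------------------------------------------------------------------+
| Device State                                                         |
+----------------------------------------------------------------------+

             AzureAdJoined : NO
          EnterpriseJoined : NO
              DomainJoined : NO
               Device Name : HP-LAB-01
'@ -split "`r?`n"

# Offline evaluation of the constructed sample: Healthy comes back False.
Test-EntraJoinState -DsregOutput $sampleBroken -SkipCertificateStore | Format-List
```

In live use, run `Test-EntraJoinState` without parameters from an elevated prompt (or via an RMM/Live Response session); a device that reports `AzureAdJoined` as True but `OrgAccessCertSeen` as False is the state this incident produced, and is worth flagging before users start seeing LAPS-only login screens.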
Root Cause Analysis
Investigations pinpointed the problem to HP’s OneAgent, a telemetry and management tool designed to register devices with HP’s AWS IoT Core for automated updates. The update included SoftPaq SP161710, which executed an `install.cmd` script intended to remove the outdated HP 1E Performance Assist component. However, the script’s PowerShell commands were overly broad, targeting any certificate with `1E` in its subject, issuer, or friendly name. This indiscriminate approach led to the unintentional deletion of the MS-Organization-Access certificate, a critical component for Entra ID authentication, and in some instances, the Microsoft Intune MDM Device CA certificate.
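The defect class described here, a substring match on a vendor name applied across every certificate in a store, is easy to reproduce without touching a real store. The PowerShell below is an added example written for this article, not the contents of the SoftPaq's `install.cmd`: it evaluates a broad `*1E*` wildcard filter and a scoped, issuer-pinned filter against constructed certificate records and only reports what each would select. The issuer names for the 1E component, the tenant id and the device GUID are all constructed; that PowerShell's `-like` is case-insensitive, so `*1E*` also matches the hex digits `1e` inside a GUID, is the illustrative mechanism this example uses to show how an unrelated certificate can be swept up.

```powershell
# Added example (not HP's install.cmd): broad vs. scoped certificate selection, audit mode only.
# Neither function removes anything; each returns the records it would have acted on.

function Select-BroadMatch {
    # The pattern the article describes: any certificate with "1E" in subject, issuer or friendly name.
    # -like is case-insensitive, so '*1E*' also hits '1e' inside GUIDs and thumbprints.
    param([object[]]$Certs)
    $Certs | Where-Object {
        $_.Subject -like '*1E*' -or $_.Issuer -like '*1E*' -or $_.FriendlyName -like '*1E*'
    }
}

function Select-ScopedMatch {
    # Hardened form: pin the exact issuer DN of the component being retired (case-sensitive match)
    # and refuse to select anything issued by the identity/MDM authorities the device depends on.
    param(
        [object[]]$Certs,
        [Parameter(Mandatory)][string]$ExpectedIssuer,
        [string[]]$ProtectedIssuerPrefixes = @('CN=MS-Organization-Access', 'CN=Microsoft Intune MDM Device CA')
    )
    $Certs | Where-Object {
        $cert = $_
        $cert.Issuer -ceq $ExpectedIssuer -and
        -not ($ProtectedIssuerPrefixes | Where-Object { $cert.Issuer -like "$_*" })
    }
}

# Constructed certificate records standing in for Cert:\LocalMachine\My on a managed HP device.
$certs = @(
    [pscustomobject]@{ Subject = 'CN=HP 1E Performance Assist'                 # constructed
                       Issuer = 'CN=1E Ltd Device CA'                          # constructed
                       FriendlyName = '1E Client' },
    [pscustomobject]@{ Subject = 'CN=7d1e4a52-0f3b-4c9e-9a7e-2b5c1e8f0d33'      # constructed device GUID containing "1e"
                       Issuer = 'CN=MS-Organization-Access, DC=1cc9b2a3-0000-4000-8000-000000000000'  # constructed tenant id
                       FriendlyName = '' },
    [pscustomobject]@{ Subject = 'CN=HP-LAB-01'
                       Issuer = 'CN=Microsoft Intune MDM Device CA'
                       FriendlyName = '' },
    [pscustomobject]@{ Subject = 'CN=localhost'
                       Issuer = 'CN=localhost'
                       FriendlyName = 'IIS Express Development Certificate' }
)

'Broad filter would remove:'
Select-BroadMatch -Certs $certs | Select-Object Subject, Issuer
# -> the 1E certificate AND the MS-Organization-Access device certificate (GUID contains "1e")

'Scoped filter would remove:'
Select-ScopedMatch -Certs $certs -ExpectedIssuer 'CN=1E Ltd Device CA' | Select-Object Subject, Issuer
# -> only the 1E certificate
```

When a cleanup script finally does call `Remove-Item` on the selected certificates, running it once with `-WhatIf` against a pilot ring and diffing the output against the intended list is the cheapest check that a wildcard has not grown past the component it was written for.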
Immediate Response and Mitigation
Upon identifying the issue, HP promptly withdrew the problematic SoftPaq to prevent further distribution. However, devices already affected required manual intervention to restore functionality. Administrators were advised to log in using LAPS credentials, execute a cleanup script to remove outdated Entra and Intune registry keys located under `HKLM:\SOFTWARE\Microsoft\Enrollments`, and then re-establish the device’s connection via Settings > Accounts. For remote remediation, Microsoft Defender for Endpoint’s Live Response feature allowed the deployment of a PowerShell script to initiate a device reset, provided that Windows Recovery Environment (WinRE) was enabled.
Broader Implications
This incident highlights the potential risks associated with OEM software updates on managed devices. The silent, system-level execution of HP OneAgent’s update bypassed oversight mechanisms like Intune, transforming routine maintenance into a significant trust issue. While Intune may automatically recover MDM certificates, the loss of the MS-Organization-Access certificate necessitates a complete rejoining of the device to the network.
Recommendations for Organizations
To prevent similar incidents in the future, organizations should:
– Audit HP Agents: Regularly review and monitor the deployment and behavior of HP’s management tools to ensure they function as intended without compromising system integrity.
– Enforce Stricter Update Controls: Implement more rigorous controls over software updates, including thorough testing and validation processes before deployment, to mitigate the risk of unintended consequences.
– Enhance Monitoring Mechanisms: Utilize comprehensive monitoring tools to detect and respond to anomalies promptly, ensuring that any issues are addressed before they escalate.
By adopting these measures, organizations can safeguard against disruptions caused by software updates and maintain the trust and security of their IT environments.