The HP OneAgent software update has disconnected Windows devices from Microsoft Entra ID. As a result, users can no longer access their corporate identities.<\/p>\n
Version 1.2.50.9581 of the agent, pushed silently to HP\u2019s Next Gen AI systems like the EliteBook X Flip G1i, deleted critical certificates, causing devices to drop their Entra join status overnight. <\/p>\n
Reports surfaced last week when a wave of Windows 11<\/a> users faced login screens showing only local LAPS accounts, no Entra credentials in sight.<\/p>\n Diagnostics via dsregcmd \/status confirmed the nightmare: the cloud trust was gone, devices isolated as if they\u2019d never been part of the organization\u2019s Azure ecosystem.<\/p>\n Patch My PC observed that the issue zeroed in on HP\u2019s OneAgent, a telemetry and management tool that registers devices with HP\u2019s AWS IoT Core for automated updates.<\/p>\n Affected systems had all received the update in the background, while non-AI HP models running older versions escaped unscathed. <\/p>\n No other changes to Windows patches<\/a>, policies, or drivers were in play. Digging into the package revealed it bundled SoftPaq SP161710, which executed an install.cmd script meant to purge the obsolete HP 1E Performance Assist component.<\/p>\n The script\u2019s PowerShell logic turned fatal. Aimed at removing 1E-related certificates, it broadly targeted any cert with \u201c1E\u201d in the subject, issuer, or friendly name.<\/p>\n This inadvertently nuked the MS-Organization-Access certificate, the cornerstone of Entra ID authentication<\/a>, and in some cases, the Microsoft Intune MDM Device CA cert.<\/p>\n Logs from HP OneAgent identified the cause: a \u201cjob-hponeagent-update\u201d command from HP\u2019s AWS IoT backend. This command downloaded and ran the package quickly, without proper testing, similar to the rushed approach seen in the CrowdStrike incident.<\/p>\n HP swiftly yanked the faulty SoftPaq, halting further distribution, but impacted devices demanded hands-on repair.<\/p>\n Locally, admins log in via LAPS, run a cleanup script to scrub stale Entra and Intune registry keys (under HKLM:SOFTWAREMicrosoftEnrollments and related paths), then reconnect via Settings > Accounts. <\/p>\n Remotely, Microsoft Defender<\/a> for Endpoint\u2019s Live Response enables uploading a PowerShell wipe script to trigger a device reset, assuming WinRE is enabled.<\/p>\n This incident underscores OEM update risks on managed devices. HP OneAgent\u2019s silent, SYSTEM-level execution bypassed Intune oversight, turning routine maintenance into a trust-shattering event. <\/p>\n While Intune might auto-recover MDM certs, losing MS-Organization-Access demands a full rejoin. Organizations should audit HP agents and enforce stricter update controls to prevent such quiet catastrophes.<\/p>\n Follow us on Google News<\/a>, LinkedIn<\/a>, and X<\/a> for daily cybersecurity updates. Contact us<\/a> to feature your stories.<\/strong><\/p>\n The post HP OneAgent Update Brokes Trust And Disconnect Devices From Entra ID<\/a> appeared first on Cyber Security News<\/a>.<\/p>\n<\/div>\nHP OneAgent Update Brokes Trust<\/strong><\/h2>\n
![\"\"](\"https:\/\/i0.wp.com\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEgUl2ba2Xl09cCD7011AZZfnfRaQTDzGqNVBZwY1uc6qo0yutkdmJCkaNphX8qdD4dAHQhnOq34ccb6gT-klkmWIVZinSU9IEbo5edw8c4eb364qo1TcZ2f37v6dR-PMLcMaF1khx3D3oc8vX91SJ5ISr9LYXUrvvlrqVdpatJG4fERQp8wAL5aywwJ9MET\/s16000\/Broken%2520script.webp?ssl=1\")