HP OneAgent Update Breaks Trust and Disconnects Devices from Entra ID

The HP OneAgent software update has disconnected Windows devices from Microsoft Entra ID. As a result, users can no longer access their corporate identities.

Version 1.2.50.9581 of the agent, pushed silently to HP’s Next Gen AI systems like the EliteBook X Flip G1i, deleted critical certificates, causing devices to drop their Entra join status overnight.

Reports surfaced last week when a wave of Windows 11 users faced login screens showing only local LAPS accounts, no Entra credentials in sight.

Diagnostics via dsregcmd /status confirmed the nightmare: the cloud trust was gone, devices isolated as if they’d never been part of the organization’s Azure ecosystem.

Patch My PC observed that the issue zeroed in on HP’s OneAgent, a telemetry and management tool that registers devices with HP’s AWS IoT Core for automated updates.

HP OneAgent Update Breaks Trust

Affected systems had all received the update in the background, while non-AI HP models running older versions escaped unscathed.

No other changes to Windows patches, policies, or drivers were in play. Digging into the package revealed it bundled SoftPaq SP161710, which executed an install.cmd script meant to purge the obsolete HP 1E Performance Assist component.

The script’s PowerShell logic turned fatal. Aimed at removing 1E-related certificates, it broadly targeted any cert with “1E” in the subject, issuer, or friendly name.

PowerShell commands that broke trust (Source: Patch My PC)

This inadvertently nuked the MS-Organization-Access certificate, the cornerstone of Entra ID authentication, and in some cases, the Microsoft Intune MDM Device CA cert.
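
The failure mode described above, as an added example that is not HP's script or Patch My PC's code: a case-insensitive substring filter on "1E" compared with an exact issuer match that skips protected issuers. The certificate records are constructed, and the 1E certificate names and GUID-style subjects are assumptions for illustration.

```powershell
# Added illustration, not HP's script. All records below are constructed; the
# 1E names and GUID-style subjects are assumptions, not values from a device.
# On a real machine the same properties come from Get-ChildItem Cert:\LocalMachine\My
$certs = @(
    [pscustomobject]@{ Subject = 'CN=1E Client Agent'; Issuer = 'CN=1E Issuing CA'; FriendlyName = '1E Performance Assist' }
    [pscustomobject]@{ Subject = 'CN=7c2b91e4-0a5d-4f3b-8d66-52a0c9f4b7d3'; Issuer = 'CN=MS-Organization-Access'; FriendlyName = '' }
    [pscustomobject]@{ Subject = 'CN=5f0a1e77-93c2-4b1d-a6e8-0d4c2b9a3f10'; Issuer = 'CN=Microsoft Intune MDM Device CA'; FriendlyName = '' }
    [pscustomobject]@{ Subject = 'CN=fileserver.example.test'; Issuer = 'CN=Example Internal CA'; FriendlyName = 'File server TLS' }
)

# Issuers a cleanup job must never touch (names taken from the article).
$ProtectedIssuers = 'MS-Organization-Access', 'Microsoft Intune MDM Device CA'

function Get-IssuerCN {
    param([string]$Issuer)
    # Pull the CN component out of a distinguished name.
    if ($Issuer -match '\bCN=([^,+]+)') { $Matches[1].Trim() } else { '' }
}

function Select-BroadMatch {
    param([object[]]$Certificate, [string]$Token)
    # -like is case-insensitive: '1E' also matches '1e' inside any hex string.
    $Certificate | Where-Object {
        $_.Subject -like "*$Token*" -or $_.Issuer -like "*$Token*" -or $_.FriendlyName -like "*$Token*"
    }
}

function Select-ScopedMatch {
    param([object[]]$Certificate, [string[]]$TargetIssuer)
    foreach ($c in $Certificate) {
        $cn = Get-IssuerCN $c.Issuer
        if ($ProtectedIssuers -contains $cn) { continue }   # fail safe on identity certs
        if ($TargetIssuer -contains $cn) { $c }             # exact issuer CN only
    }
}

$broad  = @(Select-BroadMatch  -Certificate $certs -Token '1E')
$scoped = @(Select-ScopedMatch -Certificate $certs -TargetIssuer '1E Issuing CA')

"Broad filter selects $($broad.Count) certificate(s):"
$broad  | ForEach-Object { "  Issuer=$($_.Issuer)  Subject=$($_.Subject)" }
"Scoped filter selects $($scoped.Count) certificate(s):"
$scoped | ForEach-Object { "  Issuer=$($_.Issuer)  Subject=$($_.Subject)" }
```

A dry run of the selection against the real store, with an abort when a protected issuer appears, catches this before anything is deleted.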

Logs from HP OneAgent identified the cause: a “job-hponeagent-update” command from HP’s AWS IoT backend. This command downloaded and ran the package quickly, without proper testing, similar to the rushed approach seen in the CrowdStrike incident.

HP swiftly yanked the faulty SoftPaq, halting further distribution, but impacted devices demanded hands-on repair.

Locally, admins log in via LAPS, run a cleanup script to scrub stale Entra and Intune registry keys (under HKLM:\SOFTWARE\Microsoft\Enrollments and related paths), then reconnect via Settings > Accounts.

Remotely, Microsoft Defender for Endpoint’s Live Response enables uploading a PowerShell wipe script to trigger a device reset, assuming WinRE is enabled.

This incident underscores OEM update risks on managed devices. HP OneAgent’s silent, SYSTEM-level execution bypassed Intune oversight, turning routine maintenance into a trust-shattering event.

While Intune might auto-recover MDM certs, losing MS-Organization-Access demands a full rejoin. Organizations should audit HP agents and enforce stricter update controls to prevent such quiet catastrophes.


Guru Baran
