Full Report
HP has pulled an HP OneAgent software update for Windows 11 that mistakenly deleted Microsoft certificates required for some organizations to log in to Microsoft Entra ID, effectively disconnecting them from their company's cloud environments. [...]
Analysis Summary
# Incident Report: HP Update Causes Microsoft Entra ID Authentication Failure
## Executive Summary
A faulty background update delivered by HP (OneAgent version 1.2.50.9581) to HP AI PCs executed a cleanup script that erroneously deleted Microsoft certificates required for Microsoft Entra ID (Azure AD) authentication. Affected devices were immediately disconnected from cloud services and could no longer sign in with Entra ID credentials. HP has since pulled the faulty update, and response efforts focus on manual recovery steps for affected endpoints.
## Incident Details
- Discovery Date: October 23, 2025 (detection implied to have occurred shortly before this date)
- Incident Date: Upon deployment of the faulty HP OneAgent update.
- Affected Organization: End-users/organizations utilizing HP AI PCs that received the specific HP OneAgent update.
- Sector: Technology/IT Services (multiple sectors relying on Entra ID were impacted).
- Geography: Not specified, but impacts cloud-connected Windows environments globally.
## Timeline of Events
### Initial Access
- Date/Time: During the silent, background deployment of HP OneAgent version 1.2.50.9581 via HP's AWS IoT infrastructure.
- Vector: Faulty software update/patch deployment mechanism (HP OneAgent).
- Details: The update automatically executed a cleanup package (SP161710) intended to remove remnants of HP 1E Performance Assist software.
### Lateral Movement
- Not applicable. This was a configuration and access management failure on the endpoint, not a traditional network intrusion.
### Data Exfiltration/Impact
- Impact: Loss of authentication trust between Windows endpoints and Microsoft Entra ID/Azure AD for affected users. Devices could no longer log in with standard credentials.
### Detection & Response
- Detection: Discovered by third-party analysis (Rudy Ooms of Patch My PC).
- Response actions taken: HP pulled the problematic update. Remediation required manual steps (local admin login, running cleanup scripts, and rejoining Entra ID) or remote fixes via Microsoft Defender Live Response.
## Attack Methodology
- Initial Access: Deployment of a faulty (not malicious) software update (HP OneAgent v1.2.50.9581).
- Persistence: Not applicable (The impact was immediate service disconnection).
- Privilege Escalation: Not applicable. The script already ran with the privileges needed to manage system certificates.
- Defense Evasion: The script was delivered via a legitimate, silent update channel managed by HP, so controls aimed at external attacks did not flag it.
- Credential Access: Not applicable.
- Discovery: The script implicitly enumerated certificates containing the substring "1E" in their properties.
- Lateral Movement: Not applicable.
- Collection: Not applicable.
- Exfiltration: Not applicable.
- Impact: Deletion of legitimate "MS-Organization-Access" certificates required for Entra ID trust.
## Impact Assessment
- Financial: Not specified, but includes potential costs associated with manual device recovery and IT support time.
- Data Breach: Unconfirmed; the issue affected authentication certificates rather than data, though other legitimate certificates may also have been deleted.
- Operational: Significant; endpoint devices immediately fell "out of the cloud" and could not authenticate to Entra ID resources.
- Reputational: Potential negative impact on HP's reputation regarding software update safety and supply chain integrity.
## Indicators of Compromise
- Network indicators: Update source traced to HP's AWS IoT infrastructure (specific URLs/IPs defanged).
- File indicators: Execution of `install.cmd` script within package SP161710.
- Behavioral indicators: Deletion of certificates containing the substring "1E" in subject, issuer, or friendly name (especially the "MS-Organization-Access" certificate).
## Response Actions
- Containment measures: HP pulled the faulty update, preventing further distribution.
- Eradication steps: Affected devices required endpoint-specific remediation: signing in locally, running Ooms' cleanup script to remove Intune enrollment data, and re-enrolling in Entra ID.
- Recovery actions: Devices were manually returned to proper Entra ID trust configuration.
## Lessons Learned
- Key takeaways: Aggressive cleanup scripts deployed via automated channels pose a significant risk when they match on content markers (like "1E") that are not unique to the intended target software. Supply chain integrity for automated endpoint management tools is critical.
- What could have been done better: The cleanup logic should have used highly specific identifiers (e.g., certificate issuer/thumbprint hashes) rather than a generic substring search ("1E").
## Recommendations
- Prevention measures for similar incidents: Implement stricter validation and narrow scope definitions for software cleanup scripts managed by device management platforms. Only target known, specific certificate identifiers rather than relying on common substrings. Review and audit third-party vendor update mechanisms (like HP OneAgent updates) for potential security risks before mass deployment.
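The contrast drawn in the lessons learned and recommendations above, as an added audit-only example (not HP's script): it compares what a broad "1E" substring filter on the machine certificate store would select against a narrow, thumbprint-based filter, and reports the difference without deleting anything. The thumbprint values are placeholders, not real 1E certificate identifiers.

```powershell
# Added example, not HP's OneAgent script. Read-only: nothing is removed.
# Compares a broad substring match against a narrow identifier-based match
# and reports which certificates the broad filter would have hit in error.
$store = Get-ChildItem -Path Cert:\LocalMachine\My

# Broad filter of the kind described in the report: any certificate whose
# Subject, Issuer or FriendlyName contains "1E". Hex-like fragments in device
# GUIDs or other unrelated values can satisfy this match.
$broad = $store | Where-Object {
    $_.Subject -like '*1E*' -or $_.Issuer -like '*1E*' -or $_.FriendlyName -like '*1E*'
}

# Narrow filter: an explicit allow-list of thumbprints supplied by the vendor.
# Placeholder values; a real cleanup would carry the actual target thumbprints.
$knownThumbprints = @(
    'PLACEHOLDER_THUMBPRINT_1',
    'PLACEHOLDER_THUMBPRINT_2'
)
$narrow = $store | Where-Object { $knownThumbprints -contains $_.Thumbprint }

# Certificates the broad filter selects beyond the intended set.
$collateral = $broad | Where-Object { $knownThumbprints -notcontains $_.Thumbprint }

# Call out the Entra ID device certificate named in the report if it is among them.
$entra = $collateral | Where-Object { $_.Issuer -like '*MS-Organization-Access*' }

"Broad filter matches   : $(@($broad).Count)"
"Narrow filter matches  : $(@($narrow).Count)"
"Collateral (would be deleted in error): $(@($collateral).Count)"
$collateral | Select-Object Thumbprint, Subject, Issuer, FriendlyName | Format-Table -AutoSize
if ($entra) {
    "WARNING: the broad filter would remove the MS-Organization-Access device certificate."
}
```

Run it in an elevated session before approving any vendor cleanup package; a non-empty collateral list is the signal that the package's matching logic needs to be narrowed.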