Full Report
HP has pulled an HP OneAgent software update for Windows 11 that mistakenly deleted Microsoft certificates required for some organizations to log in to Microsoft Entra ID, effectively disconnecting them from their company's cloud environments. [...]
Analysis Summary
# Incident Report: HP Update Deletes Microsoft Entra ID Authentication Certificates
## Executive Summary
An HP OneAgent software update (version 1.2.50.9581) deployed silently to certain HP AI PCs contained a faulty cleanup script designed to remove remnants of HP's 1E Performance Assist software. This script mistakenly identified and deleted essential "MS-Organization-Access" certificates required for Microsoft Entra ID (Azure AD) authentication, causing affected devices to immediately lose cloud connectivity and the ability to log in. HP has since pulled the problematic update and is working with customers on manual recovery procedures.
## Incident Details
- **Discovery Date:** October 23, 2025 (Date of reporting/discovery by Rudy Ooms)
- **Incident Date:** Began around the time of the HP OneAgent silent update deployment.
- **Affected Organization:** Various organizations using HP AI PCs managed via Microsoft Entra ID/Intune.
- **Sector:** Technology/Software/General Enterprise (Impacted users across sectors utilizing HP AI PCs).
- **Geography:** Not explicitly stated, but likely global due to the nature of cloud services and device distribution.
## Timeline of Events
### Initial Access (Deployment of the faulty cleanup instruction)
- **Date/Time:** Prior to October 23, 2025 (when the silent update was pushed).
- **Vector:** Legitimate software update mechanism (HP OneAgent via HP's AWS IoT infrastructure).
- **Details:** HP OneAgent version 1.2.50.9581 executed a silent, background cleanup package named SP161710 on HP AI PCs.
### Lateral Movement
- Not applicable; this was a direct configuration/certificate disruption on the endpoint, not network-based lateral movement by an external attacker.
### Data Exfiltration/Impact
- **Impact:** Immediate disruption of Microsoft Entra ID and Intune communication. Affected devices could no longer authenticate using organizational credentials as the required "MS-Organization-Access" certificate was deleted.
### Detection & Response
- **Detection:** Discovered by Rudy Ooms of Patch My PC by tracing the failed authentication back to the HP OneAgent update.
- **Response actions taken:** HP pulled the problematic update. Mitigation involves manual recovery steps for affected devices.
## Attack Methodology
- **Initial Access:** Legitimate update delivery channel (HP OneAgent/AWS IoT infrastructure).
- **Persistence:** Not applicable (This was a destructive event, not persistence).
- **Privilege Escalation:** Not applicable.
- **Defense Evasion:** The mechanism was baked into a trusted, signed update package, appearing benign to security tools initially.
- **Credential Access:** Not applicable (Credentials were not stolen; the mechanism allowing credential use was destroyed).
- **Discovery:** The cleanup script contained logic to search for certificates containing "1E" in the subject, issuer, or friendly name.
- **Lateral Movement:** Not applicable.
- **Collection:** The script specifically targeted and deleted the MS-Organization-Access certificate if its thumbprint contained "1E" (a 9.3% probability for affected devices).
- **Exfiltration:** Not applicable.
- **Impact:** Destruction of vital device trust certificates needed for Azure AD/Entra ID authentication.
## Impact Assessment
- **Financial:** Not quantified, but likely included costs associated with manual remediation efforts.
- **Data Breach:** No indication of external data exfiltration; data integrity was potentially impacted by the removal of legitimate certificates beyond the primary one.
- **Operational:** Significant disruption to workforce productivity as affected users could not log into cloud services via their affected devices.
- **Reputational:** Negative impact on HP due to a faulty software update disrupting core enterprise identity services.
## Indicators of Compromise
- **Behavioral indicators:** Devices losing Entra ID trust immediately following HP OneAgent version 1.2.50.9581 installation.
- **File indicators (Defanged):** Execution of `install.cmd` script within package SP161710.
- **Network indicators (Defanged):** Update traffic originating from HP's infrastructure (referenced as AWS IoT infrastructure).
## Response Actions
- **Containment measures:** HP pulled the problematic update, stopping further distribution.
- **Eradication steps:** Affected devices require manual removal of lingering Intune enrollment data (using a cleanup script provided by Ooms) followed by re-enrolling the device into Entra ID.
- **Recovery actions:** Rejoining affected devices to Entra ID/Intune post-cleanup; HP is working directly with impacted customers.
## Lessons Learned
- **Key takeaways:** Automated, silent cleanup scripts embedded within OEM updates carry a high risk, especially when logic relies on substring matching across system-critical artifacts like certificates.
- **What could have been done better:** Stricter validation/filtering should have been in place to ensure the cleanup script only targeted certificates explicitly related to the deprecated 1E software, rather than relying on a general substring match ("1E") that also matches Microsoft's critical Entra ID device certificates (such as MS-Organization-Access) by thumbprint.
## Recommendations
- **Prevention measures for similar incidents:** OEMs must implement rigorous testing protocols on production update channels, specifically isolating and validating certificate management routines before silent deployment. Use explicit allow-listing of the exact certificates a cleanup is meant to remove rather than deny-listing by substring match, and protect identity-critical certificates from any automated deletion. Organizations should limit vendor access to configuration data that requires domain/identity-level trust management.
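As an added illustration (not HP's, 1E's or Microsoft's code), the Python below models the two rules contrasted in the Attack Methodology and Recommendations sections: the substring match on "1E" across subject, issuer, friendly name and thumbprint that removed the MS-Organization-Access certificate, and an allow-list rule keyed on an exact issuer with a protected set. The certificate records are constructed, and the 1E certificate names are hypothetical placeholders.

```python
# Added example: simulated certificate-store cleanup, dry run only.
# Records are constructed; "1E-Placeholder-CA" and the 1E subject are
# hypothetical names, not the real product's certificates.
from dataclasses import dataclass


@dataclass(frozen=True)
class Cert:
    subject: str
    issuer: str
    friendly_name: str
    thumbprint: str  # SHA-1 hex, 40 characters


# Constructed sample store. The first entry models the Entra ID device
# certificate (issuer MS-Organization-Access, subject = device ID); its
# thumbprint happens to contain "1E", the collision the report describes.
STORE = [
    Cert("CN=a1b2c3d4-0000-4000-8000-000000000001", "CN=MS-Organization-Access",
         "", "3F1E09A7C2B84D5E6F7081920A3B4C5D6E7F8091"),
    Cert("CN=1E-PerformanceAssist-Agent", "CN=1E-Placeholder-CA",  # hypothetical
         "1E Performance Assist", "00AA11BB22CC33DD44EE55FF66778899AABBCCDD"),
    Cert("CN=contoso-vpn-client", "CN=Contoso Issuing CA", "VPN client",
         "1E2D3C4B5A69788796A5B4C3D2E1F00112233445"),
]

# Certificates an endpoint cleanup must never touch, regardless of other rules.
PROTECTED_ISSUERS = {"CN=MS-Organization-Access"}
# Exact issuer the cleanup is meant to target (hypothetical name).
TARGET_ISSUERS = {"CN=1E-Placeholder-CA"}


def substring_match(cert: Cert, needle: str = "1E") -> bool:
    """The flawed rule: needle anywhere in any identifying field."""
    fields = (cert.subject, cert.issuer, cert.friendly_name, cert.thumbprint)
    return any(needle in f.upper() for f in fields)


def allowlisted_match(cert: Cert) -> bool:
    """Hardened rule: protected set first, then an exact issuer allow-list."""
    if cert.issuer in PROTECTED_ISSUERS:
        return False
    return cert.issuer in TARGET_ISSUERS


def select_for_removal(store, rule):
    """Return the thumbprints the given rule would delete (no deletion done)."""
    return [c.thumbprint for c in store if rule(c)]


if __name__ == "__main__":
    print("substring rule deletes:", select_for_removal(STORE, substring_match))
    print("allow-list rule deletes:", select_for_removal(STORE, allowlisted_match))
```

Running the dry run shows the substring rule selecting all three certificates, including the device certificate, while the allow-list rule selects only the placeholder 1E certificate.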