[German]There appear to be significant issues with the security update released for Windows 11 22H2 on July 11, 2023. Registering in Azure Actice Directory (AAD, now EntraID) no longer seems possible in the browser. A blog reader pointed out the issue to me (thanks for that) There is a lengthy discussion at Microsoft in support including suggestions for workarounds.
Update KB5028185 for Windows 11
Cumulative update KB5028185 was released on July 11, 2023 for Windows 11 22H2 and fixes vulnerabilities (see my blog post Patchday: Windows 11/Server 2022-Updates (July 11, 2023)). In the blog post Microsoft July 2023 Patchday issues (Windows, Office, Apps) – Part I, there are hints of installation issues related to this update, but nothing serious.
Issues with AAD registry
Blog reader Raphael sent me a personal message about this discussion in the Microsoft support forum. An administrator already reported on July 12, 2023, because he could no longer get authentication on a hybrid-joined Windows 11 machine under Citrix VDI.
AADSTS501201: Unexpected claim(s) in JWT: client_id,redirect_uri.
Hello,
I have an authentication issue on a Hybrid joined Windows 11 computer.
This a Citrix VDI where users are automatically signed in Office apps and Edge.
But when authenticating to Office365 from Edge, they get that outstanding issue right before being prompted for password or anything:
Attempting to log in fails with the above login error. In the course of the thread, users confirm this error, e.g. after changing a password in Windows 11. Another user wrote the following:
We're having the same issue on a few machines. On the computers experiencing the issue, I can confirm:
- an incognito/private browser window lets the user sign in successfully
- uninstalling KB5028185 fixes it
However, at present, not every computer with KB5028185 installed appears to be affected.
Update KB5028185 is identified as the culprit and it looks like outdated OAuth tokens are involved. This may also explain why not all machines are affected for this administrator. A user of other users then figured out two solutions to this problem for themselves.
- Deleting the user profile in Edge fixed the problem.
- Removing/uninstalling update KB5028185 also fixed the error.
Another user describes his approach to solving the problem in his environment:
We have been able to remedy this after some extensive troubleshooting. We are in a Hybrid environment. We saw a correlation between devices with KB5028185 and also stuck in "Pending" registration in AAD. That led us to the Azure PRT not being able to renew. To remedy this, we unregister the device, delete the device in AAD, sync from our on-prem AD.
- We unregister the device in command prompt
dsregcmd /leave
- Delete the device in AAD
- Sync from our on-prem AD
- Wait until the device appears in AAD with the status of pending
- Restart the device
- Sign into our APP/VPN, (SSO)
- If the device does not become registered run the "Automatic Device Join" scheduled task under Microsoft>Windows>Workplace Join
- Verify the device has registered
- Run
dsregcmd /status
and check the AzureAdPRT for validity under SSO State.After completing these steps, we had no issues with KB5028185 being installed.
The steps have been described Hybrid Azure AD Joined Device Registration Pending Issue by Microsoft. Any of you affected by this bug?
A German user told me, that the issue is Edge related, and that the canary builds already contains a fix. So it will be available in the stable build within a couple of hours.
Similar articles:
Microsoft Security Update Summary (July 11, 2023)
Patchday: Windows 11/Server 2022-Updates (July 11, 2023)
Microsoft July 2023 Patchday issues (Windows, Office, Apps) – Part I
Microsoft July 2023 Patchday issues: Windows 10 22H2 Update KB5028166 – Part II