Windows Office Hours: November 16, 2023

We’ve found an edge case with how Azure AD (Entra) sets up user profiles on Windows machines. We think there's a fix, but it may need coordination from teams on both the Windows and Azure/Entra sides. Agents on our Microsoft Support tickets have acknowledged the issue but don't have a permanent solution. Hopefully you can channel this bug to the right folks or point us to a different approach?

It appears that Windows uses the Entra-supplied “DisplayName” to build the user profile folder, %USERPROFILE%, and username, %USERNAME%. For users that have apostrophes, e.g. John O’Smith, this creates a user profile folder with the name of C:\Users\JohnO’Smith, a username of JohnO'Smith, and the down-level login of azuread\johno'smith.

The apostrophe (single quote) in the folder and username cause a lot of programs to break. It’s the same underlying issue that SQL injection hacks exploit: apostrophes/single quotes wreak havoc with string construction and in sending arguments to commands. Somewhere a program is piping something that uses %USERPROFILE% in a path construction, and the string doesn’t get sanitized/escaped correctly so the command fails. The program fails silently, gracefully, or crashes. Unlike folders in My Documents, it’s impossible to fix or work around from the user end. Anything building a path from %APPDATA% also gets snared.

Alongside a long list of commercial engineering software packages, this bug also affects Powershell's right-click shell command "Open Powershell Terminal here."

Is there a way to request a fix for a future Windows build and/or Entra update? A very flexible fix would be if Azure could get a new database field called “WindowsProfileName” to build user names and profile folder names, falling back to DisplayName if it’s not set. That way it could also work for other cases where local profile folders need tighter control. For instance, TI's Code Composer Studio (and maybe other versions of Eclipse) complains about functionality when the user folder has extended ASCII characters like é, ö, etc. And sometimes Linux/Windows usernames need to be shared.

If there are technical reasons that can't work, could you at least please tweak the way Windows builds the user profile folder to remove the apostrophe from the username and user profile? Since it strips out the space when it gets DisplayName, there’s probably a string parsing section already there. We've tried renaming/remapping the user folder after deployment as a local admin, but it seems to mess up OneDrive sync. It's also a highly manual operation that requires a local admin and restricts the conditions where users with names having apostrophes can log onto domain-joined machines and expect 100% application support. I'm not sure where the line between Azure and Windows is and where the apostrophe needs special treatment.

Would using a Hybrid Entra/On-Prem system help here or suffer from the same issue? From prior experience, the on-prem Active Directory did not exhibit this problem since the administrator usually sets up a very limited character username [0-9A-Za-z] for the domain. Can that work/deploy correctly with Entra, or does Entra take over? What happens if the users already exist in Entra?

Thanks

(edited to fix line breaks)