Jul 27 2022 06:29 PM - edited Sep 22 2022 10:44 AM
We are in the midst of a Azure/Endpoint Manager (Intune) Migration. 300+ Endpoints and are running into deployment nightmare:
We are experiencing a very odd, completely random issue when a previously Synced Hybrid Azure AD User logs into their endpoint (which was previously working without issue for weeks/months) and then suddenly fails to load.
This issue only seems to occur when NEW endpoints are added to the Azure AD tenant/domain.
We know the issue is about to happen when you receive a call from an end-user stating their previously working credentials are "no longer working".
When the the user attempts to login via "other user"; The login will proceed, and the user will login to a black desktop/screen and flashing taskbar.
Windows Task Manager is not responsive; Safe-mode options will not produce a better end result.
Upon reviewing the logs you will see "explorer.exe" crash loop prompting urtcbase.dll.
This particular issue is happening across all different makes, models, and Window Image variations. The issue is specific to only Azure AD Profiles that attempt to login to the endpoint.
Precursors:
Incorrect password prompt. Requires uses to select "other user"
After selecting other user, user profile experiences delayed "Welcome"
Black screen appears with flashing taskbar, rending the profile useless
If we attempt a Wipe/Restore the issue will randomly reoccur on another workstation.
I believe the issue is specific in the way Windows try to load/create the profile for Azure AD users. I'm not sure if AutoPilot is attempting to configure these endpoints in Hybrid mode. However we've noticed discrepancies in the naming convention of some profiles and domains. For example:
I believe the User Profile Service is somehow bugged and causing a mismatch between the registry's SID for the user profile.
Has anyone else experienced this issue? We are desperate for answers; this is worse than any virus as its random intermittent nature will return after a fresh system restore.
I've received a call from another organization stating they are seeing the same issue occur throughout their deployment. I believe this is now a wide-spread issue.
We have a ticket opened with the Microsoft on this. Windows Performance Team is reaching out to Azure Team.
Dec 12 2022 04:48 AM
Dec 23 2022 11:59 AM
Dec 23 2022 01:32 PM - edited Dec 23 2022 01:34 PM
thanks for the info. I just reinstalled the 5 laptops in question. Microsoft (via O365/Azure support portal) provided no help. I gave them the link to this discussion, and they just closed the case after I said I reinstalled them! It appears to be related to the new Azure Cloud Sync (not AD connect). My specific tenant in question used to have AD Connect installed (but it was removed a couple of years ago), so I am unsure if this played a part in the corruption? Anyway, thanks for the workaround ...just concerned that MS won't fix the issue, so will be lumbered with more issue on some of the larger clients that I want to enable Cloud Sync ...I imagine I'll just use AD Connect on the larger clients.
Jan 09 2023 06:02 AM
Jan 09 2023 06:21 AM
It's been a few months since we had the recurrence of the problem. We ended up decommissioning our entire on-premises infrastructure and getting rid of Azure AD Connect and Azure AD Cloud Provisioning/Sync..
While Microsoft has not confirmed this, I'm almost positive the UPN mismatch issue is due to having both products installed at the same time or when transitioning from one to the other. Something about having Azure AD Connect and Azure AD Cloud Sync installed messes with Azure and prevents the endpoint from being able to choose which UPN to match the UIDSID when Win Logon is running.
Apr 12 2023 03:59 AM
Jul 24 2023 06:18 AM
Jul 24 2023 08:13 AM - edited Jul 25 2023 07:07 AM
SolutionDaniel,
We just discovered the same thing and rolled out a fix for it in our environment. For users with an email address in on-prem AD, Azure AD Connect Sync was creating the accounts in Azure online with the pre-Windows 2000 NetBIOS domain name which matches the pre-Windows 2000 NetBIOS user logon name. However, for those without an email, it was creating the account in Azure with the subdomain of the domain FQDN instead of the pre-Windows 2000 name as specified on the account or in Domains and Trusts. Azure AD Cloud Sync was trying to update all accounts to the subdomain and completely ignoring the pre-Windows 2000 names entirely.
As far as experiencing the taskbar issue, once it occurred for one account on the machine, it would then impact all accounts on the machine both pre-existing and new sign-ins. However, accounts that did not have an AD mail attribute would not experience the issue. We found the same SubPkgs key and those that were in the NetBIOS subkeys would have the taskbar, permission, and general SID mismatch errors but those that were in the subdomain subkey would not.
We shut down our Azure AD Connect and are now relying entirely on Cloud Sync. Then, to fix the machines without a reimage, we performed a full Cloud Sync and then ran the following PowerShell script on Azure AD joined machines to clean up the broken accounts. This allowed users to sign in fresh with the subdomain instead of NetBIOS prefix and the issue has not reoccurred, but it's only been about a week.
$CurrentUserSID = (C:\Windows\System32\whoami.exe /User /Fo CSV | ConvertFrom-Csv).SID
$CachedAccounts = Get-CimInstance -Classname win32_userprofile | where-object { (!$_.Special) -And ($_.SID -like 'S-1-12-1-*') -And ($_.SID -NotLike $CurrentUserSID) }
foreach ($Account in $CachedAccounts) {
$SIDtoUser = $null
$SID = New-Object System.Security.Principal.SecurityIdentifier($Account.SID)
try {
$SIDtoUser = $SID.Translate([System.Security.Principal.NTAccount])
Write-Host "Removing $SIDtoUser from list of cached accounts."
if ($SIDtoUser -ne $null) {
$CachedAccounts = @($CachedAccounts | Where-Object SID -ne $SID)
}
} catch {
Write-Host "Unable to translate SID ($SID) to user."
}
}
if ($CachedAccounts.Count -gt 0) {
Write-Host 'Accounts to be removed:'
$CachedAccounts | Select LocalPath,SID | ft
$Confirmation = Read-Host "Do you want to remove those accounts? (Yes or No)"
if ($Confirmation.ToLower() -like "y*") {
Write-Host "Removing accounts..."
$CachedAccounts | Remove-CimInstance -Verbose
} else {
Write-Host 'Accounts not removed.'
}
} else {
Write-Host 'No accounts to remove.'
}
Hopefully, this script and info helps someone else.
Rexford
Jul 28 2023 02:25 AM
Aug 29 2023 07:50 AM
@Daniel_Gatley I'm trying to take ownership of the key and I still receive the error you can't delete this key. It's frustrating that MS can't figure this out.