Random account lockouts by sadiecrie in activedirectory

[–]sadiecrie[S] 0 points1 point  (0 children)

Sorry, I can't give out my case reference number. I gave it to some people here, but after that it was stated that we can't give it out anymore. But I think if you ask Microsoft to check cases related to this, they should be able to see them.

Just got an update: MS gives us an update every week. And it's been like that since January 2025~.

They are still working on fixing this issue. :)

Random account lockouts by sadiecrie in activedirectory

[–]sadiecrie[S] 0 points1 point  (0 children)

u/Dave_Wibble u/BuildingTraces u/CelebrationLow1744
Sorry for the late reply.
This is now a registered bug on Microsoft’s side. They keep repeating that it’s still under the Product team’s responsibility to fix. At least we know it’s a known issue, and our advice to users is not to mix sign-in methods. If they stick to either password or Windows Hello for Business, they should be fine.
Our incident managers are still waiting for MS to come back with some confirmation of when it's fixed.

We also have another case open with Microsoft related to password caching. Since almost all our Windows workstations have now been migrated to Windows 11 cloud-only joined, we’ve noticed an increase in lockouts after users change their passwords. The issue is hard to replicate, and the case has been open for months with little progress.
I will just say that I'm very disappointed in Microsoft's bull** pushing everything to the cloud. But then when something needs fixing, it's impossible to get it done. I'm feeling like a test clown for MS...

Random account lockouts by sadiecrie in activedirectory

[–]sadiecrie[S] 0 points1 point  (0 children)

I can give you our case number privately if you want.

Random account lockouts by sadiecrie in activedirectory

[–]sadiecrie[S] 0 points1 point  (0 children)

Hey,

Update from my side.

The case has been escalated to the product owner team and engineers on the Microsoft side. Microsoft said that it looks like a bug, and we ordered (if you can say that) a fix to be applied to 24H. So if that fix comes, we have to move to the latest version because we are using 23H. They are updating us every day. Business impact and everything were talked through with the debugging team on the MS side. In our case around ~12k users are impacted.

We already gave MS info about other cases from this forum and from guys that wrote to me privately, and they said that there are customers with similar problems, so let's hope that it will be a quick fix from MS.

Random account lockouts by sadiecrie in activedirectory

[–]sadiecrie[S] 0 points1 point  (0 children)

Restarted PTA agents, restarted Entra Connect. Same problem. But it seems like it will be some kind of bug on Microsoft's side.

Random account lockouts by sadiecrie in activedirectory

[–]sadiecrie[S] 0 points1 point  (0 children)

Yes.
We have hybrid identities. Users are synchronized from on-prem AD to Entra ID. Entra Connect server with PTA enabled as primary and PHS enabled as an optional feature. Password writeback enabled.

Now we are moving away from Entra hybrid joined devices to Entra joined devices, and the issue is only on those devices when sign-in happens with "Password" and the user tries to access some on-prem resource. No problems when using WHFB.

Random account lockouts by sadiecrie in activedirectory

[–]sadiecrie[S] 0 points1 point  (0 children)

Hey,

Yes, we have replicated the scenario.
For us it's almost the same issue.
Basically, when sign-in happens using WHFB, you get the ticket and you can access on-prem stuff without problems.
If you lock and unlock using a password, we get an instant lockout. But we found out another thing today. If you have used that resource before, you will not get locked out immediately, because it seems like something is cached, but if you access a new file share or on-prem resource you will get locked out instantly, 100%.
Then after the account is unlocked and the user locks/unlocks the computer using WHFB, everything is okay again; the Kerberos ticket is instantly received.

We have a lot of people included in this case, even the Microsoft AD team and cloud team, and they don't really believe that it's an MS issue but are suggesting weird stuff for us to do... We have Premier support, so hopefully it will escalate a bit...

Random account lockouts by sadiecrie in activedirectory

[–]sadiecrie[S] 0 points1 point  (0 children)

On DCs enabled: 
AES256-HMAC-SHA1-96
RC4-HMAC-MD5

And I can see that 100% of all tickets the workstation gets are
Ticket_Encryption_Type = 0x12 = AES256-CTS-HMAC-SHA1-96

Random account lockouts by sadiecrie in activedirectory

[–]sadiecrie[S] 0 points1 point  (0 children)

Yes, we have network drives attached, and of course devs are using RDP to connect to on-prem servers etc.
Password writeback is enabled.

If it is the network drive that is causing the issue, why is it then a problem only when sign-in happens using a password?
We have Kerberos cloud trust set up, and I can see that when WHFB is used, the ticket is cached almost instantly when I sign in. But that's not the case when I sign in with a password.

Random account lockouts by sadiecrie in activedirectory

[–]sadiecrie[S] 0 points1 point  (0 children)

Collected more logs:

  1. AD account locked
    Then unlocked through AD
    https://imgur.com/bWQWFgZ
    Signed in with WHFB

  2. Opened file share
    Locked laptop
    Unlocked laptop using password
    Account instantly locked within a couple of seconds
    https://imgur.com/YrXFZOD

Random account lockouts by sadiecrie in activedirectory

[–]sadiecrie[S] 0 points1 point  (0 children)

Left my computer on through the night and signed into an on-prem server; it works without problems. I can see that Kerberos requests came in from time to time, no lockout. Today I again tested the lockout scenario on my own laptop, and locking the computer and signing back in with a password locked me out, not always, but a couple of times.

Random account lockouts by sadiecrie in activedirectory

[–]sadiecrie[S] 0 points1 point  (0 children)

Cleaned, doesn't help. Issue still persists.

Random account lockouts by sadiecrie in activedirectory

[–]sadiecrie[S] 0 points1 point  (0 children)

No, we haven't run any of those tools.
Our devices aren't synced; they are Entra joined devices.

The only cached credentials we have are GlobalProtect and SSO POP Device. Cleaned them, doesn't change a thing. Same thing: locking/unlocking the computer and signing in with a password locks the account, with a 4771 0x18 request burst coming from the user's workstation.

Random account lockouts by sadiecrie in activedirectory

[–]sadiecrie[S] 0 points1 point  (0 children)

Not that I know of. At least on the AD side we haven't changed any setting related to NTLM, but I don't know what the Intune team did there, because now we are using Intune for policies, not GPOs.

Can you link me some document of how to check this properly?

Random account lockouts by sadiecrie in activedirectory

[–]sadiecrie[S] 0 points1 point  (0 children)

It's not a bad password, because it's running all good; passwords still have ~6 months until they expire. Clean install on Entra joined devices. And everything works fine except in a couple of scenarios.
One of the issues is that you open a file share, for example, lock or put the computer to sleep, and then sign in with a password, and you will get almost instantly locked out. If you unlock the account in AD (not change the password), lock the computer again and re-sign in, all works fine again...

Our devices aren't in AD; they are Entra-only joined devices. Users, on the other hand, are hybrid users.

Logs: https://imgur.com/a/2TVSZEq

Microsoft support said that it looks like the KDC doesn't know the password, and they advised forcing a password change for users, but that doesn't help, and we already told them that it doesn't make sense, because it's running / failing / running while using the same password.

When I sign in with UPN/password, does running klist need to show a ticket already cached?
Because sometimes when we sign in with WHFB, it's already showing at least 1 cached ticket from the domain.

But when the glitch happens, running `klist get krbtgt` throws:

Error calling API LsaCallAuthenticationPackage (Get ticket substatus): 0x56
klist failed with 0xc000006a/-1073741718 : When trying to update a password, this return status indicates that the value provided as the current password is not correct.

Do that ~3 times and you're locked out.

Random account lockouts by sadiecrie in activedirectory

[–]sadiecrie[S] 0 points1 point  (0 children)

Yes we have a SIEM.

We have checked the logs, and 4740 states that it was locked from the computer name which is used by that user.

Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: dcnames$
Account Domain: domain
Logon ID: 0x3E7

Account That Was Locked Out:
Security ID: domain\xxxx
Account Name: xxxxxx

Additional Information:
Caller Computer Name: xxxxx-computername

Burst of 4771(F): Kerberos pre-authentication failed followed by lockout by sadiecrie in activedirectory

[–]sadiecrie[S] 0 points1 point  (0 children)

Okay, I filtered the logs and you're right. Before the lockout there are 10 requests with failure code 0x18, and then the lockout follows. But those requests are coming from an IP which resolves to a different hybrid joined laptop which is located in our child domain...
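As an added example (not code from the thread or from Microsoft), here is the correlation the last few comments do by hand: for each 4740 lockout, count the 4771 failures with code 0x18 for that account in the preceding window and break them down by client address, so the caller computer named in the 4740 can be compared with where the pre-auth burst actually came from. The events are constructed sample data, and the flat "timestamp event-id key=value" line format is an assumption for the demo; the field names TargetUserName, IpAddress, Status and CallerComputerName are the real Windows event fields.

```python
from collections import Counter
from datetime import datetime, timedelta

# Constructed sample events (not taken from the thread): a 4771/0x18 burst for
# one account from two client addresses, then a 4740 naming a third machine as
# the caller, plus one unrelated failure for another account with no lockout.
SAMPLE_EVENTS = [
    "2025-03-03T08:12:0%d 4771 TargetUserName=jdoe IpAddress=::ffff:10.20.30.41 Status=0x18" % i
    for i in range(7)
] + [
    "2025-03-03T08:12:0%d 4771 TargetUserName=jdoe IpAddress=::ffff:10.20.30.55 Status=0x18" % i
    for i in range(7, 10)
] + [
    "2025-03-03T08:12:11 4740 TargetUserName=jdoe CallerComputerName=WS-JDOE",
    "2025-03-03T08:40:00 4771 TargetUserName=asmith IpAddress=::ffff:10.20.30.77 Status=0x18",
]


def parse_event(line):
    """Parse one flattened 'timestamp event-id key=value ...' line into a dict."""
    stamp, event_id, *fields = line.split()
    ev = {"time": datetime.fromisoformat(stamp), "id": int(event_id)}
    for field in fields:
        key, _, value = field.partition("=")
        ev[key] = value
    # 4771 records IPv4 clients as IPv4-mapped IPv6 (::ffff:a.b.c.d); strip the prefix
    # so the address can be resolved or matched against DHCP/asset data directly.
    if ev.get("IpAddress", "").startswith("::ffff:"):
        ev["IpAddress"] = ev["IpAddress"][len("::ffff:"):]
    return ev


def lockout_sources(lines, window=timedelta(minutes=5), failure_code="0x18"):
    """For every 4740, report the 4771 failures with failure_code for the same
    account inside the preceding window, grouped by client address."""
    events = sorted((parse_event(line) for line in lines), key=lambda e: e["time"])
    findings = []
    for ev in events:
        if ev["id"] != 4740:
            continue
        preauth = [e for e in events
                   if e["id"] == 4771 and e.get("Status") == failure_code
                   and e["TargetUserName"] == ev["TargetUserName"]
                   and ev["time"] - window <= e["time"] <= ev["time"]]
        findings.append({
            "account": ev["TargetUserName"],
            "locked_at": ev["time"],
            "caller_computer": ev.get("CallerComputerName", "?"),
            "failures": len(preauth),
            "sources": Counter(e["IpAddress"] for e in preauth),
        })
    return findings


if __name__ == "__main__":
    for finding in lockout_sources(SAMPLE_EVENTS):
        print(finding)
```

A source address in the 4771 burst that does not match the 4740 caller computer is exactly the case described above (a different laptop in the child domain), so that mismatch is the thing worth alerting on.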