I can confirm that this issue was resolved by the last Entra ID Connect update for me as well.
Delta import completed warnings exported-change-not-reimported - msDS-KeyCredential-Link attribute
Hello everyone
I have a hybrid setup (PHS) in which the clients are Azure AD joined and users use WHFB with cloud trust to log in to them. In the Synchronization Service Manager, every now and then it gets the status "Delta import completed warnings exported-change-not-reimported" for some users, and when I go to the details, it shows me the msDS-KeyCredential-Link attribute. In the event log, I get event ID 6951: "The export change was not confirmed by the import operation". The mentioned users get a Kerberos TGT from the DC after logging in with WHFB. This warning seems to be present only when users log in to laptops via the corporate network. Does anyone know why this warning is showing up, whether this is a problem, and how to resolve it? I didn't find anything useful on blogs.
Thank you in advance.
Windows for business | Windows Client for IT Pros | Directory services | Active Directory
Microsoft Security | Microsoft Entra | Microsoft Entra ID
3 answers
Marilee Turscak-MSFT 37,206 Reputation points Microsoft Employee Moderator
2023-09-14T21:36:16.8533333+00:00

Hi @Denis Debijađi,
The warning "exported-change-not-reimported" means that the imported object's attributes do not match the object attribute set when it was last exported. One of the *potential* reasons this happens is the value being deleted or changed in the connected data source after being set through the export of Azure AD Connect.
Are you able to see the value that was exported in the destination connected data source? Since you mentioned msDS-KeyCredential-Link, it sounds like there could be a permissions issue. Make sure that the following permissions are added:
- Add the AADSync account to the "Enterprise Key Admins" group
- Make sure you have added all of the permissions and prerequisites for updating this value, as shown in this article.
https://learn.microsoft.com/en-us/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-settings-dir-sync#configure-permissions-for-key-synchronization
You can also try running a full sync cycle with: `Start-ADSyncSyncCycle -PolicyType Initial`
Let me know if this helps and if you still face this issue.
If the information helped you, please Accept the answer. This will help us and improve searchability for others in the community who may be researching similar questions.
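A read-only way to run the checks the answer above asks for, as an added example that is not part of the thread or of Microsoft's documentation: it reports whether the sync account is in the named group, how many values the user currently holds in the attribute (LDAP name `msDS-KeyCredentialLink`), and when those values last changed in AD. The account, user and server names are placeholders, and it assumes the ActiveDirectory RSAT module and a domain controller that can resolve the group.

```powershell
# Added example. Values marked "placeholder" are assumptions, not taken from the thread.
param(
    [string]$ConnectorAccount = 'MSOL_placeholder',       # placeholder: sAMAccountName of the AD DS connector (sync) account
    [string]$AffectedUser     = 'placeholder.user',       # placeholder: a user listed under the warning
    [string]$GroupName        = 'Enterprise Key Admins',  # group named in the answer above
    [string]$Server           = 'dc01.corp.example'       # placeholder: DC to query
)

Import-Module ActiveDirectory

# 1. Is the sync account a member of the group, directly or through nesting?
$members = @(Get-ADGroupMember -Identity $GroupName -Server $Server -Recursive)
$inGroup = $members.SamAccountName -contains $ConnectorAccount

# 2. How many key credential values does AD hold for the user right now?
#    The Where-Object filter makes an unset attribute count as 0 instead of 1.
$user = Get-ADUser -Identity $AffectedUser -Server $Server -Properties 'msDS-KeyCredentialLink'
$keyCount = @($user.'msDS-KeyCredentialLink' | Where-Object { $_ }).Count

# 3. When was each value last written, and by which DC? A change time that
#    falls between the export and the next delta import is the situation the
#    warning describes (value changed in AD after the export).
$meta = Get-ADReplicationAttributeMetadata -Object $user.DistinguishedName `
            -Server $Server -Properties 'msDS-KeyCredentialLink' -ShowAllLinkedValues

[pscustomobject]@{
    ConnectorAccount = $ConnectorAccount
    Group            = $GroupName
    IsGroupMember    = $inGroup
    User             = $user.SamAccountName
    KeyValueCount    = $keyCount
}

$meta |
    Sort-Object LastOriginatingChangeTime |
    Format-Table AttributeName, Version, LastOriginatingChangeTime,
                 LastOriginatingChangeDirectoryServerIdentity -AutoSize
```

Compare the `LastOriginatingChangeTime` values with the timestamp of the delta import run that raised the warning in Synchronization Service Manager.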
-
Dustin Berkley 5 Reputation points
2024-02-20T17:05:38.82+00:00

I have the same issue as explained here. It started happening after we implemented WHfB. The errors never seem to have any real impact, in that users are able to authenticate to their workstation, they are authenticated to the network share, and SSO to MS365 works. The Imported Value and Export Value are always the same. The errors usually show up in the morning, and clear out throughout the day. Also, usually if I do an Initial Sync, or two Delta Syncs in a row, there usually aren't any errors. Also, there are usually no errors overnight. My hunch is that it happens when someone uses WHfB to log in to their computer, then on the next Delta sync, it throws the issue. It's almost as if the key is getting re-registered (even though it's the same key), and then it tries to sync, but the update doesn't work because it's not actually an update. It seems harmless enough, but I'd love some insight on this. It seems like something isn't quite right.