Getting AADSTS501204 Malformed jwt error while logging into Microsoft apps. how to resolve this?

Durga Bhavani Chadala 45

I have changed password for my company account. since then I am facing malformed jwt error when I try to login into Microsoft apps.

I am able to login to microsoft apps through browser with new password but unable to login through installed apps.

It is no even giving me option to relogin and enter new password just throwing error right after entering mail id.

Keagan Kennedy 0 Reputation points

2024-05-23T13:25:54.6466667+00:00

Same issue here at my org, can't find any way to fix it. our issue only is happening to new users
Alex Hendowski 5 Reputation points

2024-05-23T16:56:51.28+00:00

Just adding my issue here as well - No answer. We have it happening to one user in a tenant of about 5,000. We are Hybrid, we can access web browser, but not installed apps. Windows Hello is unable to be setup as well - we have WHfB
BK 41 Reputation points

2024-05-23T18:35:50.32+00:00

We are seeing a number of these continue to trickle in as well. Seems to be Windows 11. We are mostly Hybrid, but have seen this on Joined and Registered devices as well. This error code is not listed in the table on this article: https://learn.microsoft.com/en-us/entra/identity-platform/reference-error-codes Seems to coincide with password changes, but not 100% sure. Does seem to happen after latest May patches. Web apps are the main problem, though odd behaviors start happening with Teams and OneDrive as well. Does work in Chrome, just not Edge. Appears to be something with PRT after running DSRegTool.ps1 troubleshooting tool.
Dennis Knight 5 Reputation points

2024-05-28T15:02:19.64+00:00

Have you made an progress with this issue, we are still drawing blanks
Durga Bhavani Chadala 45 Reputation points

2024-05-28T16:13:12.6833333+00:00

got my laptop reimaged. That resolved the issue
Jessie Cochran 25 Reputation points

2024-05-28T16:52:15.12+00:00

We have deployed 3 new machines to people and Windows tries to reinstall the bad updates and we have the issue reoccur on the machine again.
Alex Hendowski 10 Reputation points

2024-05-28T18:44:15.6866667+00:00

@Dennis Knight Follow the Instructions below, it fixed my issue:

Go to the Registry Key: [HKEY_USERS.DEFAULT\Control Panel\International] and find the Value Locale. Mine was corrupted, and set to 0930F30C. Not sure why. I set it to the correct Locale (for US) which is 00000409, after a reboot I got an 'Updates underway' and once it rebooted, everything worked.
Dennis Knight 5 Reputation points

2024-05-29T11:51:19.3666667+00:00

Perfect, I followed Tanium's guide and sorted it, ill set a deploy ongoing to correct this if it happens again, it should then be fixed before it is even noticed.
White, Matt 0 Reputation points

2024-05-29T13:00:45.8366667+00:00

@Dennis Knight Do you have a link to that Tanium guide? would like to see their documentation if you have it.
Dennis Knight 5 Reputation points

2024-05-29T13:42:08.76+00:00

https://help.tanium.com/bundle/KB5037771/page/KA/KB5037771/KB5037771.htm

6 answers

Oguzhan Oktay 15 Reputation points

2024-05-24T07:20:47.39+00:00

Hello All,

I'm working on Turkey office of a multinational company and we also affected with this issue in many countries especially Europe region.

We have contacted with MS and create and Incident and discussed with MS engineers start of this week and they accepted the issue and said relaited with April or May updates so they're working to fix and will publish an update or hotfix for this problem.

We 're waiting them , in paralel we have stopped the deploying updates and IT team reimaging laptops which affected, clean installation fixes issue if you do not get April and May updates.
Please sign in to rate this answer.

3 people found this answer helpful.

0 comments No comments
Sign in to comment
Tino Stapelbroek 36 Reputation points

2024-05-28T15:24:12.93+00:00

We had the same issue where also windows kb5037771 keeps looping.

As a solution Microsoft advised to remove the kb, we had several complications where users weren't local admin, We could not make use of local administrator accounts configured in azure. The problem also gave us issues with tanium agent.

To solve the issue we had to modify the corrupted registry value Locale under HKEY_USERS.DEFAULT\Control Panel\International , the value had corrupted data we needed to change it to 00000413 for dutch for other os languages it will be a different value i suppose. After modifying the REG_SZ value you have to reboot.

We just applied the fix not sure if it will be stable.
Please sign in to rate this answer.

2 people found this answer helpful.
Dennis Knight 5 Reputation points

2024-05-28T15:49:33.4433333+00:00

Thanks ill have a go at this and let you know tomorrow

Alex Hendowski 10 Reputation points

2024-05-28T17:30:28.9033333+00:00

@Tino Stapelbroek Do you remember what it was set to before you changed it to 00000413? Was it set to something else?

Tino Stapelbroek 36 Reputation points

2024-05-29T07:32:58.8233333+00:00

We use tanium and they have an article about it https://help.tanium.com/bundle/KB5037771/page/KA/KB5037771/KB5037771.htm you will need a tanium account.

The value 00000413 is for country netherlands, you will need your own country code. I think you can just take a look at the value LocaleName and Locale, and if under hkcu same regkey the LocaleName is the same you can take that Locale value.

Dennis Knight 5 Reputation points

2024-05-29T11:48:34.7+00:00

Tino, Tanium link sorted me out tested and working, thanks for that.

Jessie Cochran 25 Reputation points

2024-05-29T11:54:21.3066667+00:00

@Tino Stapelbroek Would you possibly be able to screenshot the link? When I try to access it I am just prompted that it doesn't exist. I do have a tanium account and I tried to search for that KB :-(

Tino Stapelbroek 36 Reputation points

2024-05-30T14:24:04.04+00:00

Tanium article does'nt add that much you just need to set the right regkey. In recovery mode the regkey seems correct but after boot not. If you don't have a (cached) local admin you need tanium or other management tools with admin/system access. We also stopped updates in intune and tanium last friday. We did not remove the kb5037771, also have it on block now in tanium

Keagan Kennedy 0 Reputation points

2024-05-30T15:22:31.8033333+00:00

Do you have tanium? some speculate that caused this issue edit- my bad this already mentioned

Jessie Cochran 25 Reputation points

2024-05-30T15:28:06.7333333+00:00

@Keagan Kennedy I do not believe Tanium caused this issue. Only 2 of the 14 machines we have seen this on were even properly registered in Tanium. :-(
Sign in to comment
Zubair Dawood 10 Reputation points Microsoft Employee

2024-05-31T15:37:54.5133333+00:00
This is an internal issue due to a 3rd Party client installation that corrupts the registry key.

The issue is related to invalid values in the HKEY_USERS.DEFAULT\Control Panel\International\Locale registry

The workaround steps are:

start checking the current registry value for the locale registry setting

change the value to a supported value like 00000409

Reboot

Check if authentication works now

Note whether reboots or other activities besides the installation of the May 9, 2024 Windows Update are reverting the locale registry value
Please sign in to rate this answer.

2 people found this answer helpful.
Alex Hendowski 5 Reputation points

2024-05-31T17:51:28.1866667+00:00

Is this something that Microsoft needs to patch/fix or the third party client installation needs to patch/fix with an update to their software?

Zubair Dawood 10 Reputation points Microsoft Employee

2024-06-04T18:03:33.3766667+00:00

Unfortunately not. We have reports that Tanium Dev team is closely working on their side to mitigate the issue.
Sign in to comment
Jessie Cochran 25 Reputation points

2024-05-22T23:24:10.6033333+00:00

We are seeing this issue as well. We use Azure SSO with our DUO MFA for Cisco AnyConnect and have users seeing that error along with the VPN service not starting.

We have users getting that error when accessing office.com in a regular browser window, but in private mode or Chrome it works without issue. This seems to be something in Edge possibly that could have been pushed in a new update.

We have Microsoft tickets opened as well as a ticket with DUO
Please sign in to rate this answer.

0 comments No comments
Sign in to comment
Jessie Cochran 25 Reputation points

2024-05-23T17:03:03.7666667+00:00

We have 8 people affected so far all Windows 11 users. Our thoughts is that Windows Update tried to install updates to the OS and possibly Edge and they failed to install and then it corrupted something.

Everything works fine in Chrome or a Private window. But our VPn launches Edge to authenticate so these people can't work remote.
Please sign in to rate this answer.
Alex Hendowski 5 Reputation points

2024-05-23T19:00:30.8666667+00:00

Do you use Windows Hello / Windows Hello for Business? Can you successfully create a PIN? We use DUO as well but it's the same situation.

We're thinking it's part of the 05-2024 Cumulative Update, but we're running random tests to figure it out.

The 8 users, were they newer laptops or new users, or already existing users?

Someone did notice something odd - Someone mentioned they ran windows update, but when we looked at the history nothing notated a failed state or that it even ran, so I can only go off of the user and what they said, but they did say yesterday they ran it in the afternoon. I am testing my computer right now with it and waiting for the windows update to install.

We've had no issues reported with Windows 10 05-2024 Cumulative Update.

Dennis Knight 5 Reputation points

2024-05-24T12:59:19.4466667+00:00

We're encountering the same issue with SSO in Edge, resulting in the "Malformed JWT" error. At present, this problem is affecting new users on fresh Windows 11 laptops, all running the latest OS updates.

Existing devices don't seem to be impacted at the moment, but we're planning to test old users on new devices to see if the issue arises there as well.

We're still trying to pinpoint the exact cause and haven't found a solution yet. So far, we've identified three cases, but we expect this issue could potentially affect more users over time.

If MS can provide an update around this then that would be appriciated.

Alex Hendowski 5 Reputation points

2024-05-24T17:23:54.8366667+00:00

I'm thinking about possibly using an older version of Windows 11 (Something like 23H2 February) and imaging it on that version, then signing in with Azure SSO, then updating to the latest May Cumulative update. See if that will break the computer.

Also ensuring the computer is fully enrolled and functioning within Intune before updating to the latest Windows version might be a good test, I'm just trying to figure out any information

Dennis Knight 5 Reputation points

2024-05-28T15:01:31.48+00:00

how did you get on with this test, I am still at a loss?

Jessie Cochran 25 Reputation points

2024-05-28T15:42:50.37+00:00

We have not been able to find a solution on our end. It seems to be machine related as we have signed onto the problem machines with other user accts and had the same issue.

Alex Hendowski 10 Reputation points

2024-05-28T17:39:55.11+00:00

@Jessie Cochran Do you happen to use Tanium in your environment?

Also try this, another user posted this:

We had the same issue where also windows kb5037771 keeps looping. As a solution Microsoft advised to remove the kb, we had several complications where users weren't local admin, We could not make use of local administrator accounts configured in azure. The problem also gave us issues with tanium agent. To solve the issue we had to modify the corrupted registry value Locale under HKEY_USERS.DEFAULT\Control Panel\International , the value had corrupted data we needed to change it to 00000413 for dutch for other os languages it will be a different value i suppose. After modifying the REG_SZ value you have to reboot. We just applied the fix not sure if it will be stable.

I'm waiting for later today to try to test that fix out.

Jessie Cochran 25 Reputation points

2024-05-28T17:43:40.13+00:00

We do have Tanium in our environment, but the majority of the machines that we are seeing this issue on are NOT in Tanium :-(

I did try to uninstall 5037771 on one of the machines and it removed but the issue was still there :-( I am trying to install just that update alone and it's been trying for about 2 hours

We are in the US so i am not sure what I would change the REG_SZ fvalue to.

Alex Hendowski 10 Reputation points

2024-05-28T17:51:45.56+00:00

@Jessie Cochran the US one should be 00000409. We're US as well and that's what our working machines have.

Let me know what the affected machines are set to. If it's already set to 00000409, perhaps try to set it to like 00000000 and hit apply, then set it back to 00000409 and reboot. If it's a corrupted registry maybe it need sot be reset and reapplied. I'll be able to test after lunch when the user comes into work.

Jessie Cochran 25 Reputation points

2024-05-28T18:07:15.16+00:00

@Alex Hendowski When I look at the Locale value it has a bunch of letters and numbers instead of 00000409 .. changed it and I am restarting now to see if it makes any difference ...

Alex Hendowski 10 Reputation points

2024-05-28T18:19:17.4733333+00:00

Do you know what the letters were? I'm testing it right now, it showed up as 0930F30C

I set it to 00000409 and signed out, signing in and testing now. Will test a reboot in a moment.

Jessie Cochran 25 Reputation points

2024-05-28T18:30:01.5066667+00:00

I didn't write it down and now I restarted and it's just sitting at Updates Underway

Alex Hendowski 10 Reputation points

2024-05-28T18:35:30.9333333+00:00

I set my Locale from that error to 00000409, and when I restarted it showed Updates underway. Updates succeeded. After restarting, I was prompted for Windows Hello PIN creation + all SSO logins worked. Good luck! I'll continue testing to see if I can figure out what exactly broke on the machine or find a consistent way to trigger the error after a reset.

Jessie Cochran 25 Reputation points

2024-05-28T18:44:59.7933333+00:00

That is promising. The Locale was this 0a42e810 we are trying on another machine for kicks I think the one I have at my desk is toast

Jessie Cochran 25 Reputation points

2024-05-28T23:02:41.6233333+00:00

@Alex Hendowski We have discovered that changing the locale and restarting does allow people to use Edge with all of our applications including VPN but Windows still wants to install the 5037771 update and once it does that it fails again and resets the locale again.

I do have one machine that I was able to remove the corrupt update from, change the locale and then install the update manually. Restarted and it's working with our SSO apps. So its a promising fix, but we need to figure out a way to stop the update from retrying. Maybe reset the Windows Update cache??

Dennis Knight 5 Reputation points

2024-05-29T11:57:38.67+00:00

I have added that KB to the block list in tanium
Sign in to comment

Share via

Getting AADSTS501204 Malformed jwt error while logging into Microsoft apps. how to resolve this?

6 answers