After installing KB5028185, registration in Azure Active Directory (AAD, now Microsoft Entra ID) no longer seems to work from the browser. As a result, sign-in fails on a hybrid-joined Windows 11 computer running under Citrix VDI with the error message “Sorry, but we’re having trouble signing you in. AADSTS501201: Unexpected claim(s) in JWT: client_id,redirect_uri.”
Normally, users on Citrix VDI are signed in to the Office apps and Edge automatically. When this problem occurs, the error appears as soon as they authenticate to Office 365 from Edge, before any password prompt. The update KB5028185 has been identified as the cause, and stale OAuth tokens cached on the device appear to be involved, which is why not every machine is affected. See: How to Fix This sign-in option is disabled Error in Windows 10 or 11.
AADSTS501201: Unexpected claim(s) in JWT: client_id,redirect_uri Sign in Error in Windows 11 22H2
Here is how to fix AADSTS501201 Sign in Error in Windows 11 –
Delete User Profile in Microsoft Edge
Several users report that deleting the user profile in the Edge browser resolves the error and lets them sign in to the Microsoft Office 365 app again. Note that after removing the profile, Edge will no longer sync your settings across devices and apps; you can live with that until the bug is officially fixed. Follow these steps:
- Launch the Microsoft Edge browser.
- Click on the Profile icon and select the Settings cog.
- Click on the 3-dots icon (ellipsis) for your profile.
- Select Remove.
- A confirmation dialog will appear; click on Remove profile.
- Restart the browser and then try to log in.
Open the Office app in New InPrivate window
There are reports that opening the app in a New InPrivate window of Microsoft Edge avoids the issue when signing in to Office, since an InPrivate session starts without the profile’s cached cookies and tokens. So give this method a try:
- Click on “3-dots icon” from the top right part of the browser.
- Select New InPrivate window.
- Now try to log in.
If none of the above works, you will have to uninstall KB5028185, the July 2023 security update, to fix the AADSTS501201 sign-in error in Windows 11 22H2. Here are the steps:
1] Using the Settings app
- Press the Windows key and I.
- Click on Windows Update in Settings.
- Go to the right and select Update history.
- Scroll down on the next page and click on “Uninstall updates”.
- Find KB5028185 and click the Uninstall link.
- Confirm the popup.
2] Through Command Prompt
Alternatively, you can uninstall KB5028185 from the Command Prompt:
- Click on Search and type cmd.exe.
- Select Run as administrator.
- When User Account Control appears, click on Yes.
- On the Command prompt, type wusa /uninstall /kb:5028185 and press Enter.
- Click Yes on the warning popup.
If KB5028185 still cannot be uninstalled, boot into Safe Mode (Easy Ways to Reboot Windows 7 or 8 / 10 Directly in Safe Mode) and try again.
Then return to normal mode by following How to Come Out of Safe Mode in Windows 10.
You can also restore the system to a point before the patch was installed: How Run System Restore Using Command Prompt (CMD) in Windows 10.
Once the patch is uninstalled, pause Windows Update so it is not reinstalled automatically: go to Settings > Windows Update, click the down arrow next to Pause updates, and select the maximum number of days from the drop-down.
Alternatively, you can hide the patch: How to disable Windows 11 update permanently (7 Ways)
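The same uninstall, scripted so it can be pushed to many VDI machines at once. This is an added example, not from the original article: it first checks whether KB5028185 is actually present, then runs the same wusa.exe command as the manual steps and interprets the exit code. It assumes an elevated PowerShell session; exit codes 0 and 3010 are wusa.exe’s standard “success” and “success, reboot required” values.

```powershell
# Added example (not from the original article): uninstall KB5028185 from PowerShell
# only if it is installed, and report whether a reboot is needed.
# Assumes an elevated PowerShell session on the affected Windows 11 device.

$kb = 'KB5028185'

# Get-HotFix lists installed updates; -Id takes the full "KBnnnnnnn" string.
$installed = Get-HotFix -Id $kb -ErrorAction SilentlyContinue
if (-not $installed) {
    "$kb is not installed on this machine; nothing to uninstall."
    return
}
"$kb found (installed $($installed.InstalledOn)); uninstalling..."

# Same command as the manual steps, plus /quiet (no dialog) and /norestart (reboot when ready).
# wusa wants the bare number, so strip the "KB" prefix.
$args = "/uninstall /kb:$($kb.TrimStart('KB')) /quiet /norestart"
$p = Start-Process -FilePath 'wusa.exe' -ArgumentList $args -Wait -PassThru

switch ($p.ExitCode) {
    0       { "$kb uninstalled; no reboot required." }
    3010    { "$kb uninstalled; reboot required to finish." }
    default { "wusa.exe exited with code $($p.ExitCode); check the Setup log in Event Viewer or retry from Safe Mode." }
}
```

After the reboot, pause or hide the update as described above; otherwise Windows Update will simply reinstall KB5028185 at the next check.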
Bonus method to fix AADSTS501201
In a hybrid environment, you may notice that devices with the KB5028185 update installed are stuck with a registration status of “Pending” in AAD (Azure Active Directory).
This indicates that the Azure Primary Refresh Token (PRT) cannot be renewed. Based on input from several users, the fix is to unregister the affected device, delete it from AAD, and then sync again from the on-premises Active Directory:
- Unregister the device from the command prompt (dsregcmd /leave).
- Delete the device in AAD.
- Sync from your on-premises AD.
- Wait until the device appears in AAD with the status “Pending”.
- Reboot the device.
- Sign in to your app/VPN (SSO).
- If the device still does not become registered, run the Automatic-Device-Join scheduled task under Microsoft > Windows > Workplace Join in Task Scheduler.
Verify that the device has been registered:
Run dsregcmd /status and check that AzureAdPrt is YES (and the PRT expiry time is in the future) under SSO State.
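To check the PRT state without reading the whole dsregcmd dump by eye, and to kick the Workplace Join task when it is missing, here is an added PowerShell example (not from the original article). It assumes an elevated session on the affected device; the output parsing is this example’s own helper, and the task path `\Microsoft\Windows\Workplace Join\Automatic-Device-Join` is the built-in task referred to above. The unregister/delete/sync steps are not executed automatically, because `dsregcmd /leave` on a hybrid-joined device has to run as SYSTEM and the AAD-side steps run elsewhere.

```powershell
# Added example (not from the original article): read the hybrid-join and PRT state
# from dsregcmd /status, and re-run the Automatic-Device-Join task if no PRT is present.
# Assumes an elevated PowerShell session on the affected Windows 11 device.

function Get-DsregStatus {
    # dsregcmd /status prints "   Name : Value" lines grouped under section banners;
    # collect the Name/Value pairs into a hashtable (banners and separators do not match).
    $state = @{}
    foreach ($line in (& dsregcmd.exe /status)) {
        if ($line -match '^\s*([\w ]+?)\s*:\s*(.*?)\s*$') {
            $state[$matches[1]] = $matches[2]
        }
    }
    return $state
}

function Test-PrtHealthy([hashtable]$s) {
    # A healthy hybrid join is domain joined, Azure AD joined, and holds a PRT.
    return ($s['DomainJoined'] -eq 'YES' -and $s['AzureAdJoined'] -eq 'YES' -and $s['AzureAdPrt'] -eq 'YES')
}

function Show-PrtState([hashtable]$s) {
    "DomainJoined={0}  AzureAdJoined={1}  AzureAdPrt={2}  PrtUpdated={3}  PrtExpires={4}" -f $s['DomainJoined'], $s['AzureAdJoined'], $s['AzureAdPrt'], $s['AzureAdPrtUpdateTime'], $s['AzureAdPrtExpiryTime']
}

$s = Get-DsregStatus
Show-PrtState $s

if (-not (Test-PrtHealthy $s)) {
    # Equivalent to running the task by hand in Task Scheduler under Microsoft > Windows > Workplace Join.
    Start-ScheduledTask -TaskPath '\Microsoft\Windows\Workplace Join\' -TaskName 'Automatic-Device-Join'
    Start-Sleep -Seconds 60
    $s = Get-DsregStatus
    Show-PrtState $s
    if (Test-PrtHealthy $s) {
        'PRT acquired after re-running Automatic-Device-Join.'
    } else {
        'Still no PRT. Next steps are manual: run "dsregcmd /leave" as SYSTEM (e.g. via PsExec -s),'
        'delete the device object in AAD, run a delta sync on the AAD Connect server'
        '(Start-ADSyncSyncCycle -PolicyType Delta), wait for the device to reappear as Pending, reboot and sign in.'
    }
}
```

The script only reports and retries the join task; it deliberately stops short of `dsregcmd /leave`, since removing a device that is merely stuck in “Pending” for another reason would force a full re-registration.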