From 2725fda1bbcaf68d3708a1f8f0b867c388b50812 Mon Sep 17 00:00:00 2001 From: Yoshihiro Daicho Date: Thu, 18 Sep 2025 11:35:08 +0900 Subject: [PATCH] Update KDFv1 deprecation notice for clarity Clarified the description of KDFv1 algorithm support removal and its impact on Microsoft Entra device authentication. Expanded on the note regarding authentication failures during the security update rollout. This clarification was necessary because one of my customers misunderstood the scope of the update, leading to sign-in failures on approximately 20,000 Entra registered devices. --- .../devices/deprecation-key-derivation-function-version-1.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/docs/identity/devices/deprecation-key-derivation-function-version-1.md b/docs/identity/devices/deprecation-key-derivation-function-version-1.md index af4083d379c..c6cee1f9aff 100644 --- a/docs/identity/devices/deprecation-key-derivation-function-version-1.md +++ b/docs/identity/devices/deprecation-key-derivation-function-version-1.md 
@@ -14,7 +14,7 @@ ms.reviewer: sgrandhi --- # Security update to remove KDFv1 algorithm support in Microsoft Entra authentication -Microsoft is removing support for the Key Derivation Function version 1 (KDFv1) algorithm used for the authentication of Microsoft Entra joined or Microsoft Entra hybrid joined devices in builds of Windows released before July 2021. +Microsoft is removing support for the Key Derivation Function version 1 (KDFv1) algorithm used for Microsoft Entra device authentication in Windows builds released before July 2021. The KDFv1 algorithm was historically used for device authentication in earlier versions of Windows. A critical security flaw was discovered that allowed unauthorized authentication, as outlined in [CVE-2021-33781](https://www.cve.org/CVERecord?id=CVE-2021-33781). To address this vulnerability, Microsoft issued a Windows security update in July 2021. All Windows builds released after July 2021 no longer use the KDFv1 algorithm. 
@@ -37,7 +37,7 @@ Users on unpatched devices encounter the following error message when attempting This error message is also present in the Microsoft Entra sign-in logs, allowing administrators to identify authentication failures due to the deprecated KDFv1 algorithm. > [!NOTE] -> Due to the incremental rollout of the security update, authentication failures on unpatched Windows devices may initially appear transient or intermittent. Early in the rollout retrying authentication will likely succeed. It is important to address these issues promptly by applying Windows security updates to maintain seamless authentication experiences. +> Due to the incremental rollout of the security update, authentication failures on unpatched Windows devices may initially appear transient or intermittent. Early in the rollout retrying authentication will likely succeed. It is important to address these issues promptly by applying Windows security updates to maintain seamless authentication experiences. This applies to all Windows devices that authenticate using Microsoft Entra, including Entra joined, Entra hybrid joined, and Entra registered devices. ## Actions required
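Review bot: In the first hunk (the intro sentence at line 14 of the doc), the rewrite replaces the explicit device types with the generic phrase "Microsoft Entra device authentication", which is broader but no longer tells the reader which join types are in scope; since the stated goal of this patch is to stop readers from misreading the scope, the intro is the place to name them. Suggest keeping the list in the intro, e.g. "used for the authentication of Microsoft Entra joined, Microsoft Entra hybrid joined, and Microsoft Entra registered devices in Windows builds released before July 2021", rather than leaving the enumeration only in the NOTE further down, which a reader skimming the summary may never reach.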
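Review bot: In the second hunk, the added scope sentence is appended to a NOTE whose subject is transient failures during the incremental rollout, so "This applies to all Windows devices that authenticate using Microsoft Entra ..." reads as qualifying the intermittent-failure behaviour rather than the deprecation as a whole; a scope statement belongs in the intro or at the top of "Actions required". Two smaller points: the new sentence uses the short forms "Entra joined, Entra hybrid joined, and Entra registered", while the surrounding text consistently writes "Microsoft Entra joined" and "Microsoft Entra hybrid joined", so please match that; and because this hunk extends the documented scope to Microsoft Entra registered devices, which the original text explicitly did not list, it would help to have the doc reviewer (ms.reviewer: sgrandhi) confirm that KDFv1 is on the authentication path for registered devices before merging, since the only evidence on the page is the customer incident described in the commit message.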