Expand Up @@ -14,7 +14,7 @@ ms.reviewer: sgrandhi
---
# Security update to remove KDFv1 algorithm support in Microsoft Entra authentication

Microsoft is removing support for the Key Derivation Function version 1 (KDFv1) algorithm used for the authentication of Microsoft Entra joined or Microsoft Entra hybrid joined devices in builds of Windows released before July 2021.
Microsoft is removing support for the Key Derivation Function version 1 (KDFv1) algorithm used for Microsoft Entra device authentication in Windows builds released before July 2021.

The KDFv1 algorithm was historically used for device authentication in earlier versions of Windows. A critical security flaw was discovered that allowed unauthorized authentication, as outlined in [CVE-2021-33781](https://www.cve.org/CVERecord?id=CVE-2021-33781). To address this vulnerability, Microsoft issued a Windows security update in July 2021. All Windows builds released after July 2021 no longer use the KDFv1 algorithm.
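
Review bot: The rewritten opening sentence no longer says which device states are in scope. "Microsoft Entra device authentication" replaces the explicit "Microsoft Entra joined or Microsoft Entra hybrid joined devices", so an administrator reading only the introduction cannot tell whether registered devices are affected. Consider naming the device states in this sentence (joined, hybrid joined, registered) so the scope is stated up front, rather than only at the end of the rollout note later in the article.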

Expand All @@ -37,7 +37,7 @@ Users on unpatched devices encounter the following error message when attempting
This error message is also present in the Microsoft Entra sign-in logs, allowing administrators to identify authentication failures due to the deprecated KDFv1 algorithm.

> [!NOTE]
> Due to the incremental rollout of the security update, authentication failures on unpatched Windows devices may initially appear transient or intermittent. Early in the rollout retrying authentication will likely succeed. It is important to address these issues promptly by applying Windows security updates to maintain seamless authentication experiences.
> Due to the incremental rollout of the security update, authentication failures on unpatched Windows devices may initially appear transient or intermittent. Early in the rollout retrying authentication will likely succeed. It is important to address these issues promptly by applying Windows security updates to maintain seamless authentication experiences. This applies to all Windows devices that authenticate using Microsoft Entra, including Entra joined, Entra hybrid joined, and Entra registered devices.

## Actions required
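
Review bot: The sentence appended to the end of the NOTE, "This applies to all Windows devices that authenticate using Microsoft Entra, ...", has an unclear antecedent. Coming right after the text about intermittent failures and retrying, "This" reads as scoping the transient behaviour rather than the KDFv1 removal itself. Suggest making the subject explicit (for example "The KDFv1 removal applies to ...") or moving the scope statement out of the rollout note into the body text. The short forms "Entra joined", "Entra hybrid joined" and "Entra registered" also differ from the "Microsoft Entra joined" naming used in the sentence the first hunk replaces; pick one form. While this line is being changed, "Early in the rollout retrying authentication" needs a comma after "rollout".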
