Announcement ID | MC799637 |
---|---|
Published Date | 06-07-2024 |
Last Updated | 06-07-2024 |
Expiration Date | 09-30-2024 |
Action Required by Date | 06-30-2024 |
Service | General |
Category | Prevent or fix issues |
Roadmap ID | |
Tags | Admin impact, User impact |
Summary |
---|
Ensure Windows clients have security patches from July 2021 or later to keep access to Entra ID; unpatched versions will be unsupported after an upcoming security update, and unsupported devices will fail to sign in with error code 'AADSTS5000611'. |
More Information |
---|
We're making an important security update to Entra ID such that use of Windows without the required security patches will no longer be supported. Once this update is rolled out, unsupported and unpatched Windows clients will no longer be able to sign in to Entra ID. We're making this change to mitigate the risk of an attacker using an older, unpatched version of Windows to facilitate a breach of Microsoft 365 resources.

You are receiving this message because our reporting indicates one or more users in your organization are using unpatched versions of Windows to sign in and will no longer be able to use these devices once this Entra security update is deployed. For Windows devices with security patches from July 2021 or later, no action is required. If your Windows devices do not have security updates from July 2021 or later, update Windows to the latest version/build to maintain access to Entra ID. All currently supported versions of Windows have the required patch.

Background: A security update to Windows was issued in July 2021 (CVE-2021-33781) to address a vulnerability where Primary Refresh Tokens (PRTs) were not stored sufficiently securely on the client. Once patched, Windows clients use the stronger KDFv2 key derivation algorithm. All versions of Windows released since then include the update and handle the token securely.

Some Windows devices have not yet been updated and are still using the older v1 key derivation function (KDFv1). Because those older, unpatched systems can potentially be exploited by an attacker, and because ample time has been provided for security updates to be applied to client devices, unpatched devices using the KDFv1 algorithm will no longer be able to sign in to Entra ID using Primary Refresh Tokens.

What is the user experience on unsupported Windows devices when this change is rolled out? Users will experience sign-in failures with their Entra ID user accounts on joined or hybrid joined Windows devices.

How do you diagnose this situation once the Entra change is deployed? The error code, which will appear in the sign-in logs, is 'AADSTS5000611: Symmetric Key Derivation Function version 'KDFV1' is invalid. Update the device for the latest updates.'
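As an added example (not part of the announcement and not a Microsoft tool), the script below scans exported sign-in records for the AADSTS5000611 error quoted above and reports which devices and users are still presenting KDFv1 Primary Refresh Tokens, so an admin can target those devices for patching before the cut-off. The sample records are constructed; their field names (`status.errorCode`, `userPrincipalName`, `deviceDetail`) are assumed to follow the shape of Microsoft Graph sign-in objects, and the script handles the error code arriving either as an integer or as a numeric string, and skips malformed lines.

```python
import json
from collections import defaultdict

# Error code quoted in the announcement for a rejected KDFv1 Primary Refresh Token.
KDFV1_ERROR_CODE = 5000611

# Constructed sample records, one JSON object per line. The field layout is an
# assumption modelled on Microsoft Graph signIn objects; it is not a real export.
SAMPLE_SIGNIN_LOG = """\
{"createdDateTime": "2024-07-08T09:12:01Z", "userPrincipalName": "alice@contoso.example", "status": {"errorCode": 5000611, "failureReason": "Symmetric Key Derivation Function version 'KDFV1' is invalid. Update the device for the latest updates."}, "deviceDetail": {"deviceId": "dev-0001", "displayName": "LAPTOP-ALICE", "operatingSystem": "Windows 10"}}
{"createdDateTime": "2024-07-08T09:13:44Z", "userPrincipalName": "bob@contoso.example", "status": {"errorCode": 0}, "deviceDetail": {"deviceId": "dev-0002", "displayName": "LAPTOP-BOB", "operatingSystem": "Windows 11"}}
{"createdDateTime": "2024-07-08T10:02:15Z", "userPrincipalName": "alice@contoso.example", "status": {"errorCode": 5000611, "failureReason": "Symmetric Key Derivation Function version 'KDFV1' is invalid. Update the device for the latest updates."}, "deviceDetail": {"deviceId": "dev-0001", "displayName": "LAPTOP-ALICE", "operatingSystem": "Windows 10"}}
{"createdDateTime": "2024-07-08T10:20:09Z", "userPrincipalName": "carol@contoso.example", "status": {"errorCode": "5000611", "failureReason": "Symmetric Key Derivation Function version 'KDFV1' is invalid. Update the device for the latest updates."}, "deviceDetail": {"deviceId": "dev-0003", "displayName": "DESKTOP-CAROL", "operatingSystem": "Windows 10"}}
{"createdDateTime": "2024-07-08T11:41:33Z", "userPrincipalName": "dave@contoso.example", "status": {"errorCode": 50126, "failureReason": "Error validating credentials due to invalid username or password."}, "deviceDetail": {"deviceId": "dev-0004", "displayName": "LAPTOP-DAVE", "operatingSystem": "Windows 11"}}
this line is not JSON and is skipped by the parser
"""


def parse_signin_log(text):
    """Yield one dict per well-formed JSON line; blank or malformed lines are skipped."""
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            record = json.loads(line)
        except json.JSONDecodeError:
            continue
        if isinstance(record, dict):
            yield record


def is_kdfv1_failure(record):
    """True when the sign-in was rejected with AADSTS5000611 (KDFv1 PRT).

    The error code may be exported as an int or as a numeric string; when it is
    missing entirely, fall back to matching 'KDFV1' in the failure reason text.
    """
    status = record.get("status") or {}
    code = status.get("errorCode")
    try:
        return int(code) == KDFV1_ERROR_CODE
    except (TypeError, ValueError):
        return "KDFV1" in str(status.get("failureReason", "")).upper()


def summarize_kdfv1_failures(text):
    """Return the affected devices (with the users seen on each) and totals."""
    devices = defaultdict(set)
    failures = 0
    for record in parse_signin_log(text):
        if not is_kdfv1_failure(record):
            continue
        failures += 1
        detail = record.get("deviceDetail") or {}
        device = detail.get("displayName") or detail.get("deviceId") or "<unknown device>"
        devices[device].add(record.get("userPrincipalName", "<unknown user>"))
    return {
        "failures": failures,
        "devices": {d: sorted(u) for d, u in sorted(devices.items())},
        "users": sorted(set().union(*devices.values())) if devices else [],
    }


if __name__ == "__main__":
    report = summarize_kdfv1_failures(SAMPLE_SIGNIN_LOG)
    print(f"{report['failures']} sign-in failures with AADSTS5000611")
    for device, users in report["devices"].items():
        print(f"  {device}: {', '.join(users)}")
```

Run against a real export, the device list is the patch work list: every device it names is still deriving its PRT key with KDFv1 and needs the July 2021 or later cumulative update before it loses access.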