MC799637: Check your Windows clients are up to date with Security patches

Announcement ID	MC799637	Published Date	06-07-2024
Service	General	Last Updated	06-07-2024
Category	Prevent or fix issues	Expiration Date	09-30-2024
Roadmap ID		Action Required by Date	06-30-2024
Tags	Admin impact, User impact

Summary
Ensure Windows clients have security patches post-July 2021 to maintain access to Entra ID, as unpatched versions will be unsupported after an upcoming security update. Unsupported devices will experience sign-in failures with error code 'AADSTS5000611'.

More Information
We're making an important security update to Entra ID such that use of Windows without required security patches will no longer be supported. Once this update is rolled out, unsupported and unpatched Windows clients will no longer be able to sign in to Entra ID. We're making this change to mitigate the risk of an attacker using an older unpatched version of Windows to facilitate a breach of Microsoft 365 resources. You are receiving this message because our reporting indicates one or more users in your organization are using unpatched versions of Windows to sign in and will no longer be able to use these devices once this Entra security update is deployed. For Windows devices with Security Patches after July 2021 no action is required. If your Windows devices do not have security updates after July 2021, update Windows to the latest version/ build to maintain access to Entra ID. All currently supported versions of Windows have the required patch. Background: A Security Update to Windows was issued in July 2021 (CVE-2021-33781) to address a vulnerability where Primary Refresh Tokens were not stored sufficiently securely in the client. Once patched, Windows clients used the stronger KDFv2 algorithm. All versions of Windows released since that time have the update and handle the token securely. Some Windows devices have not yet been updated and are still using the older v1 key derivation function. Because those older, unpatched systems can potentially be exploited by an attacker, and having provided ample time for security updates to be applied to client devices, unpatched devices using the KDFv1 algorithm will no longer be able to sign in to Entra ID using Primary Refresh Tokens. What is the user experience on unsupported Windows devices when this change is rolled out? Users will experience sign in failures with their Entra ID user accounts on joined or hybrid joined Windows device. How to diagnose this situation once the Entra change is deployed? The error code, which will show in sign in logs, is 'AADSTS5000611: Symmetric Key Derivation Function version 'KDFV1' is invalid. Update the device for the latest updates.'

More Information

We're making an important security update to Entra ID such that use of Windows without required security patches will no longer be supported. Once this update is rolled out, unsupported and unpatched Windows clients will no longer be able to sign in to Entra ID. We're making this change to mitigate the risk of an attacker using an older unpatched version of Windows to facilitate a breach of Microsoft 365 resources.

You are receiving this message because our reporting indicates one or more users in your organization are using unpatched versions of Windows to sign in and will no longer be able to use these devices once this Entra security update is deployed.

For Windows devices with Security Patches after July 2021 no action is required.

If your Windows devices do not have security updates after July 2021, update Windows to the latest version/ build to maintain access to Entra ID.

All currently supported versions of Windows have the required patch.

Background:

A Security Update to Windows was issued in July 2021 (CVE-2021-33781) to address a vulnerability where Primary Refresh Tokens were not stored sufficiently securely in the client. Once patched, Windows clients used the stronger KDFv2 algorithm. All versions of Windows released since that time have the update and handle the token securely.

Some Windows devices have not yet been updated and are still using the older v1 key derivation function. Because those older, unpatched systems can potentially be exploited by an attacker, and having provided ample time for security updates to be applied to client devices, unpatched devices using the KDFv1 algorithm will no longer be able to sign in to Entra ID using Primary Refresh Tokens.

What is the user experience on unsupported Windows devices when this change is rolled out?

Users will experience sign in failures with their Entra ID user accounts on joined or hybrid joined Windows device.

How to diagnose this situation once the Entra change is deployed?

The error code, which will show in sign in logs, is 'AADSTS5000611: Symmetric Key Derivation Function version 'KDFV1' is invalid. Update the device for the latest updates.'

Top News

MC878427: Restricted Content Discoverability for SharePoint Sites

MC761227: Microsoft Teams Phone devices: Advanced calling and contact management on non-touch phones

MC721853: Microsoft New feedback button

MC891238: Microsoft SharePoint and Microsoft Teams: Update on new Microsoft Lists rollout

MC797119: A new Start experience

MC888034: Accept Apple's new terms and conditions to ensure Intune can communicate with Apple as expected

Removing the Default Exchange Server Database: A Step-by-Step Guide

Create and Manage Exchange Groups

Creating a Mailbox in Exchange Server 2013 Using PowerShell

MC888036: Prevent/Fix: PnP PowerShell authentication failures

MC799637: Check your Windows clients are up to date with Security patches

Contact Form

Top News

MC799637: Check your Windows clients are up to date with Security patches

You Might Like

Contact Form