how to fix Security update to remove KDFv1 algorithm support

Hello llias. To manually install the security update to remove support for the already deprecated KDFv1 algorithm on an obsolete Windows 10 PC, you'll first need to gather and install the latest security patches compatible to your device builds and install in their order of release, prior to the service cessation date. Microsoft began the decommissioning of KDFv1 in July 2021 per the vulnerabilities outlined in CVE-2021-33781 and as of mid-2025, any devices still using KDFv1 can no longer authenticate with Microsoft Entra ID (formerly Azure AD). Accordingly, this will affect sign-ins using Primary Refresh Tokens (PRTs) but be more pronounced in hybrid or Entra-joined environments.

If your ancestor Windows 10 device is unable to upgrade to a supported Windows 10 build such as 22H2, then you should:

1. Install all available, pending, cumulative updates available either through Windows Update, or manually from the Microsoft Update Catalog.
2. Check to see the device is no longer using KDFv1 by accessing the Entra sign-in logs and confirming error code AADSTS5000611.
3. If your hardware permits it, consider upgrading to Windows 11, or migrating to a supported LTSC version.

Microsoft has made recommendations for proactive Entra administrators to actively consult affected devices and update to ensure secure and functioning KDFv1 authentication.

Here's the reference for full guidance: Security update to remove KDFv1 algorithm support in Microsoft Entra authentication

Best regards,