Virtual Administrator’s January 2026 Patch Recommendations

Patch Recommendations

All new patches will be approved in our patch policy.

 

January 2026 Patch Tuesday brings security updates for 114 flaws with one actively exploited zero-day vulnerability.

Of the 8 “Critical” vulnerabilities, 6 are remote code execution flaws and 2 are elevation-of-privilege flaws. The zero-day (CVE-2026-20805) is a flaw in the Desktop Window Manager (DWM) which could allow information disclosure locally.

  • CVE-2026-20854 is a remote code execution vulnerability in LSASS allowing an authorized attacker to execute code over a network.
  • CVE-2026-21265 is a critical Security Feature Bypass vulnerability affecting Windows Secure Boot.
  • A couple of concerning Known Issues this month. Credential prompt failures may occur during Remote Desktop connections using the Windows App on Windows client devices.
  • Windows 11 23H2 business PCs (not consumer PCs) reboot rather than shut down after the January updates.
  • New SSU for Windows 10 1607/Server 2016.

See “Known Issues” below for more details.

 

Disclosed: CVE-2026-21265

Exploited: CVE-2026-20805

 

Security Update Guide

[https://msrc.microsoft.com/update-guide/en-us](https://msrc.microsoft.com/update-guide/en-us)

 

Microsoft Security Advisories

ADV990001 | Latest Servicing Stack Updates (Published: 11/13/2018 | Last Updated: 1/13/2026)

[https://msrc.microsoft.com/update-guide/en-us/vulnerability/ADV990001](https://msrc.microsoft.com/update-guide/en-us/vulnerability/ADV990001)

Reason for Revision: A Servicing Stack Update has been released for some versions of Windows.

NOTE: The Windows 10 Servicing Stack Updates are included in the monthly Cumulative Updates.

 

Heads Up! Older Windows Secure Boot certificates expiring in 2026

Windows Secure Boot certificate expiration and CA updates

Important: When the 2011 CAs expire, Windows devices that do not have the new 2023 certificates can no longer receive security fixes for pre-boot components, which compromises Windows boot security.

 

Known Issues

Microsoft continues to list unresolved older problems under the Known Issues for new patches. So if you have not yet experienced one of these issues, it is unlikely to occur now.

“Connection and authentication failures in Azure Virtual Desktop and Windows 365”

[https://learn.microsoft.com/en-us/windows/release-health/status-windows-11-23H2#3760msgdesc](https://learn.microsoft.com/en-us/windows/release-health/status-windows-11-23H2#3760msgdesc)

[https://learn.microsoft.com/en-us/windows/release-health/status-windows-11-24h2#3760msgdesc](https://learn.microsoft.com/en-us/windows/release-health/status-windows-11-24h2#3760msgdesc)

[https://learn.microsoft.com/en-us/windows/release-health/status-windows-11-25h2#3760msgdesc](https://learn.microsoft.com/en-us/windows/release-health/status-windows-11-25h2#3760msgdesc)

[https://learn.microsoft.com/en-us/windows/release-health/status-windows-server-2022#3760msgdesc](https://learn.microsoft.com/en-us/windows/release-health/status-windows-server-2022#3760msgdesc)

[https://learn.microsoft.com/en-us/windows/release-health/status-windows-server-2025#3760msgdesc](https://learn.microsoft.com/en-us/windows/release-health/status-windows-server-2025#3760msgdesc)

Affected platforms: Windows 11 23H2/24H2/25H2, Windows Server 2022/2025

Symptoms: After installing the January 2026 security update (KB5073379/KB5073455/KB5073457/KB5074109), released on January 13, 2026, credential prompt failures occurred during Remote Desktop connections using the Windows App on Windows client devices, impacting Azure Virtual Desktop and Windows 365. The issue affects Windows App on specific Windows builds, causing sign-in failures.

Workaround: If you are affected by this issue, use one of the following connection options as a workaround:

Microsoft is working to release an out-of-band update to resolve this issue in the coming days. More information will be shared when it becomes available.

Status: We are actively working on a resolution and plan to release an out-of-band (OOB) update in the coming days. Additional details will be shared as soon as they become available.

 

“Devices with Secure Launch might fail to shut down or hibernate”

[https://learn.microsoft.com/en-us/windows/release-health/status-windows-11-23H2#3764msgdesc](https://learn.microsoft.com/en-us/windows/release-health/status-windows-11-23H2#3764msgdesc)

Affected platforms: Windows 11 23H2

Symptoms: After installing the January 13, 2026, Windows security update (KB5073455) for Windows 11, version 23H2, some PCs with Secure Launch are unable to shut down or enter hibernation. Instead, the device restarts. Secure Launch uses virtualization-based security to protect the system from firmware-level threats during startup. KB5073455 is only offered for Enterprise and IoT editions of Windows 11, version 23H2.

Workaround: To shut down your device, type cmd in the Search bar and select cmd from the search results to open a Command Prompt. In the Command Prompt window, type the following command and press Enter:

shutdown /s /t 0

There is no workaround at this time for entering hibernation. Until this issue is resolved, please ensure you save all your work, and shut down when you are done working on your device to avoid the device running out of power instead of hibernating.

Status: Microsoft will release a resolution for this issue in a future update.

Additional info: Microsoft: Some Windows PCs fail to shut down after January update

This known issue affects only systems running Enterprise and IoT Windows editions with the KB5073455 cumulative update installed.
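To find which managed devices fall into the affected population described above, the following added example (not Microsoft's or this page's own code) checks the three conditions the known issue names: OS build 22631, KB5073455 installed, and Secure Launch running. It assumes an elevated PowerShell session; the function name is hypothetical, and the value 3 for Secure Launch comes from the Win32_DeviceGuard class documentation.

```powershell
# Added example: flags a host that matches the Secure Launch shutdown known issue.
# Run in an elevated PowerShell session on the device being assessed.
function Test-SecureLaunchShutdownExposure {
    [CmdletBinding()]
    param(
        [string]$KbId = 'KB5073455',   # update named in the known issue
        [int]$Build = 22631            # Windows 11 23H2 OS build
    )

    $os = Get-CimInstance -ClassName Win32_OperatingSystem
    $kb = Get-HotFix -Id $KbId -ErrorAction SilentlyContinue

    # Win32_DeviceGuard lists running VBS services; 3 = System Guard Secure Launch.
    $dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' `
        -ClassName Win32_DeviceGuard -ErrorAction SilentlyContinue
    $secureLaunch = [bool]($dg -and ($dg.SecurityServicesRunning -contains 3))

    $onBuild = ([int]$os.BuildNumber -eq $Build)

    # Edition is reported for review; the issue is limited to Enterprise and IoT.
    [pscustomobject]@{
        ComputerName        = $env:COMPUTERNAME
        Edition             = $os.Caption
        OnAffectedBuild     = $onBuild
        UpdateInstalled     = [bool]$kb
        SecureLaunchRunning = $secureLaunch
        LikelyAffected      = ($onBuild -and [bool]$kb -and $secureLaunch)
    }
}

Test-SecureLaunchShutdownExposure | Format-List
```

Devices reported as LikelyAffected are the ones to warn about hibernation and to shut down with the command shown in the workaround.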

 

Good resource for known issues with Windows 10/11/Server patches. Find the version and click on “Known issues”.

Windows release health

 

Monthly Rollup/Security Only/Windows 10,11/Server 2016,2019,2022,2025 KBs

Links are [https://support.microsoft.com/en-us/help/#######](https://support.microsoft.com/en-us/help/#######) with the KB number only.

 

Security and Quality Rollup

  • KB5073696 – Windows Server 2012 R2 (ESU)
  • KB5073698 – Windows Server 2012 (ESU)

 

Cumulative Updates

Windows 10

  • KB5073724 – Version 21H2 “November 2021 Update” (OS Build 19044) (ESU)
  • KB5073724 – Version 22H2 “November 2022 Update” (OS Build 19045) (ESU)

(Versions 1507,1511,1607,1703,1709,1803,1809,1903,1909,2004,20H2,21H1 are no longer under support)

 

Windows 11

  • KB5073455 – 23H2 (OS Build 22631)
  • KB5074109 – 24H2 (OS Build 26100)
  • KB5074109 – 25H2 (OS Build 26200)

(Versions 21H2 and 22H2 are no longer under support)

 

Windows Server

  • KB5073722 – Server 2016 (EOS January 2027)
  • KB5073723 – Server 2019 (EOS January 2029)
  • KB5073457 – Server 2022 (OS Build 20348)
  • KB5073450 – Server 23H2 (OS Build 25398)
  • KB5073379 – Server 2025 (OS Build 26100)

 

January 2026 updates for Microsoft Office

[https://support.microsoft.com/en-gb/topic/january-2026-updates-for-microsoft-office-400ed541-3141-4a29-b64d-bffab5108f14](https://support.microsoft.com/en-gb/topic/january-2026-updates-for-microsoft-office-400ed541-3141-4a29-b64d-bffab5108f14)

 

Notable CVEs

 

CVE-2023-31096 | MITRE: CVE-2023-31096 Windows Agere Soft Modem Driver Elevation of Privilege Vulnerability (Cumulative Update/Monthly Rollup)

[https://msrc.microsoft.com/update-guide/en-US/advisory/CVE-2023-31096](https://msrc.microsoft.com/update-guide/en-US/advisory/CVE-2023-31096)

Microsoft is aware of vulnerabilities in the third party Agere Soft Modem drivers that ship natively with supported Windows operating systems. This is an announcement of the removal of agrsm64.sys and agrsm.sys drivers. The drivers have been removed in the January 2026 cumulative update.

 

CVE-2026-20805 | Desktop Window Manager Information Disclosure Vulnerability (Cumulative Update/Monthly Rollup)

[https://msrc.microsoft.com/update-guide/en-US/advisory/CVE-2026-20805](https://msrc.microsoft.com/update-guide/en-US/advisory/CVE-2026-20805)

Exposure of sensitive information to an unauthorized actor in Desktop Window Manager allows an authorized attacker to disclose information locally. The type of information that could be disclosed if an attacker successfully exploited this vulnerability is a section address from a remote ALPC port which is user-mode memory.

 

CVE-2026-20822 | Windows Graphics Component Elevation of Privilege Vulnerability (Cumulative Update)

[https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-20822](https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-20822)

Use after free in Microsoft Graphics Component allows an authorized attacker to elevate privileges locally. An attacker who successfully exploited this vulnerability could gain SYSTEM privileges.

 

CVE-2026-20854 | Windows Local Security Authority Subsystem Service (LSASS) Remote Code Execution Vulnerability (Cumulative Update)

[https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-20854](https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-20854)

Use after free in Windows Local Security Authority Subsystem Service (LSASS) allows an authorized attacker to execute code over a network. Any authenticated attacker could trigger this vulnerability. It does not require admin or other elevated privileges.

 

CVE-2026-20876 | Windows Virtualization-Based Security (VBS) Enclave Elevation of Privilege Vulnerability (Cumulative Update)

[https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-20876](https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-20876)

Heap-based buffer overflow in Windows Virtualization-Based Security (VBS) Enclave allows an authorized attacker to elevate privileges locally. An attacker who successfully exploited this vulnerability could gain Virtual Trust Level 2 (VTL2) privileges.

 

CVE-2026-20952 | Microsoft Office Remote Code Execution Vulnerability (KB5002826/Click to Run)

[https://msrc.microsoft.com/update-guide/en-US/advisory/CVE-2026-20952](https://msrc.microsoft.com/update-guide/en-US/advisory/CVE-2026-20952)

Use after free in Microsoft Office allows an unauthorized attacker to execute code locally. The word Remote in the title refers to the location of the attacker. This type of exploit is sometimes referred to as Arbitrary Code Execution (ACE). The attack itself is carried out locally. This means an attacker or victim needs to execute code from the local machine to exploit the vulnerability. The Preview Pane is an attack vector.

 

CVE-2026-20953 | Microsoft Office Remote Code Execution Vulnerability (KB5002826/Click to Run)

[https://msrc.microsoft.com/update-guide/en-US/advisory/CVE-2026-20953](https://msrc.microsoft.com/update-guide/en-US/advisory/CVE-2026-20953)

Use after free in Microsoft Office allows an unauthorized attacker to execute code locally. The word Remote in the title refers to the location of the attacker. This type of exploit is sometimes referred to as Arbitrary Code Execution (ACE). The attack itself is carried out locally. This means an attacker or victim needs to execute code from the local machine to exploit the vulnerability. The Preview Pane is an attack vector.

 

CVE-2026-21265 | Secure Boot Certificate Expiration Security Feature Bypass Vulnerability (Cumulative Update/Monthly Rollup)

[https://msrc.microsoft.com/update-guide/en-US/advisory/CVE-2026-21265](https://msrc.microsoft.com/update-guide/en-US/advisory/CVE-2026-21265)

Windows Secure Boot stores Microsoft certificates in the UEFI KEK and DB. These original certificates are approaching expiration, and devices containing affected certificate versions must update them to maintain Secure Boot functionality and avoid compromising security by losing security fixes related to Windows boot manager or Secure Boot. An attacker who successfully exploited this vulnerability could bypass Secure Boot.
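To see whether a device already carries the 2023 certificates in the UEFI KEK and DB, the following added example (not code from this page or from Microsoft) reads both variables and looks for the replacement certificate names. The certificate names are taken from Microsoft's Secure Boot certificate guidance rather than from this page, the function name is hypothetical, and an elevated session on UEFI firmware is assumed.

```powershell
# Added example: reports which 2023 Secure Boot certificates are present.
# Requires an elevated session; Get-SecureBootUEFI fails on legacy BIOS systems.
function Get-SecureBoot2023CertStatus {
    # Names from Microsoft's Secure Boot guidance (not listed on this page).
    $expected = @(
        @{ Variable = 'KEK'; Name = 'Microsoft Corporation KEK 2K CA 2023' },
        @{ Variable = 'db';  Name = 'Windows UEFI CA 2023' },
        @{ Variable = 'db';  Name = 'Microsoft UEFI CA 2023' },
        @{ Variable = 'db';  Name = 'Microsoft Option ROM UEFI CA 2023' }
    )

    # Secure Boot state; $null means the platform could not report it.
    $enabled = try { Confirm-SecureBootUEFI -ErrorAction Stop } catch { $null }

    $cache = @{}   # read each UEFI variable once
    foreach ($item in $expected) {
        $var = $item.Variable
        if (-not $cache.ContainsKey($var)) {
            try {
                $bytes = (Get-SecureBootUEFI -Name $var -ErrorAction Stop).Bytes
                $cache[$var] = [System.Text.Encoding]::ASCII.GetString($bytes)
            } catch {
                $cache[$var] = $null   # variable unreadable on this device
            }
        }

        # $null = could not read; $true/$false = name found or missing.
        $present = if ($null -eq $cache[$var]) { $null }
                   else { $cache[$var].Contains($item.Name) }

        [pscustomobject]@{
            SecureBootEnabled = $enabled
            Variable          = $var
            Certificate       = $item.Name
            Present           = $present
        }
    }
}

Get-SecureBoot2023CertStatus | Format-Table -AutoSize
```

The match is on the certificate name embedded in the variable's contents, so it shows that an entry is present but does not validate the certificate itself.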