Microsoft acknowledges that the January 2026 security update KB5073455 causes some Windows 11 systems to restart instead of shutting down, affecting Enterprise and IoT editions with Secure Launch and VSM features.
Microsoft has confirmed a shutdown bug affecting certain Windows 11 systems following the installation of the January 13, 2026, security update KB5073455. According to the company's Windows release health dashboard, some systems fail to properly shut down or enter hibernation mode, instead restarting unexpectedly after the update is applied.
The Technical Root Cause
The issue stems from the Secure Launch feature, which leverages virtualization-based security (VBS) to protect systems from firmware-level threats during the startup process. This security mechanism, while designed to enhance system protection, appears to conflict with the shutdown sequence in specific configurations.
Microsoft has since expanded its impact assessment to include systems with Virtual Secure Mode (VSM) enabled, indicating that the bug affects a broader range of enterprise configurations than initially identified. The company notes that while a fix for the Secure Launch-only scenario was included in the January 17 out-of-band update KB5077797, the VSM-related case will require a separate resolution in a future Windows update.
Affected Systems and Scope
Notably, Microsoft specifies that KB5073455 is only offered for Enterprise and IoT editions of Windows 11 version 23H2, which significantly limits the number of consumer PCs likely to encounter this issue through normal update channels. This targeting suggests the bug primarily affects business and specialized device deployments rather than general consumer systems.
The affected platforms list is broader than just Windows 11, including:
- Windows 11, version 23H2
- Windows 10, version 22H2
- Windows 10 Enterprise LTSC 2021
- Windows 10 Enterprise LTSC 2019
This cross-version impact indicates the underlying issue relates to shared security infrastructure components across Microsoft's Windows ecosystem.
Microsoft's Mitigation Strategy
The company has outlined a two-step mitigation approach for affected devices. First, Microsoft released KB5077797 (OS Build 22631.6494) on January 17 as an out-of-band update specifically addressing the Secure Launch scenario. However, this package is only available through the Microsoft Update Catalog rather than Windows Update, requiring manual intervention for installation.
Subsequently, on January 24, Microsoft released KB5078132 (OS Build 22631.6495) via Windows Update. This cumulative update not only includes the fix from KB5077797 but also incorporates protections and improvements from the original KB5073455 update, plus additional fixes for issues including app unresponsiveness related to cloud storage workflows.
Impact on Enterprise Deployments
For enterprise IT administrators managing fleets of Windows devices, this bug presents a significant operational challenge. Systems that unexpectedly restart instead of shutting down can disrupt maintenance windows, backup schedules, and energy management protocols. The requirement to manually install KB5077797 from the Microsoft Update Catalog adds complexity to remediation efforts, particularly for organizations with large device inventories.
The selective distribution of KB5073455 to Enterprise and IoT editions suggests Microsoft's testing may have been more limited for these specialized configurations, or that the security improvements in this update were deemed particularly valuable for enterprise environments despite the associated risks.
Looking Ahead
While Microsoft has provided a path to resolution for the Secure Launch-only scenario, the acknowledgment that VSM-enabled systems require a separate fix indicates this issue may persist for certain enterprise configurations in the near term. Organizations running Windows 11 Enterprise with VSM enabled should monitor Microsoft's release health dashboard for updates regarding the dedicated VSM fix.
The incident highlights the ongoing challenges Microsoft faces in balancing security enhancements with system stability, particularly in enterprise environments where specialized security features like Secure Launch and VSM are more commonly deployed. As Windows continues to evolve its security posture through features like virtualization-based security, similar compatibility challenges may arise with future updates.
For most consumer Windows 11 users on standard editions, this bug likely remains a non-issue, as they would not receive KB5073455 through normal update channels. However, the broader lesson about the importance of monitoring release health information and having contingency plans for problematic updates applies across all Windows deployments.
Comments
Please log in or register to join the discussion