Microsoft's latest Windows 10 update addresses three actively exploited zero-day vulnerabilities and begins the critical transition away from expiring Secure Boot certificates that could otherwise break boot protections on millions of systems.
Microsoft has released KB5073724, an extended security update for Windows 10 that patches three actively exploited zero-day vulnerabilities and begins addressing the looming expiration of Secure Boot certificates that could leave systems vulnerable to boot-level attacks.
The update, released on January 13, 2026, brings Windows 10 Enterprise LTSC installations to build 19044.6809 and standard Windows 10 systems to build 19045.6809. As Microsoft has ceased feature development for Windows 10, this update contains exclusively security fixes and patches for bugs introduced by previous updates.
Three Zero-Day Vulnerabilities Under Active Exploitation
The update addresses 114 total vulnerabilities, including three zero-days that attackers were already using in the wild. The most critical fixes include:
Elevation of Privilege via Agere Modem Drivers: A vulnerability in the built-in Agere modem drivers allowed attackers to escalate privileges on affected systems. Microsoft has removed the vulnerable driver files entirely: agrsm64.sys (x64), agrsm.sys (x86), smserl64.sys (x64), and smserial.sys (x86). This means modem hardware dependent on these specific drivers will cease functioning after the update—a necessary trade-off for security.
Third-Party WinSqlite DLL Security Flaw: The update patches a vulnerability in WinSqlite3.dll, a core Windows component. This flaw had triggered false positives in some security software since June 2025, with vendors flagging the component as potentially vulnerable. Microsoft has now updated the component to address both the security issue and the detection problems.
The Secure Boot Certificate Expiration Crisis
Perhaps the most significant long-term fix in KB5073724 addresses the impending expiration of Secure Boot certificates issued in 2011. Since June 2025, Microsoft has warned that these certificates will expire throughout 2026, potentially breaking Secure Boot protections on systems that don't receive updates.
Secure Boot relies on a chain of trust anchored by several critical certificates:
| Certificate | Expiration | New Certificate | Location | Purpose |
|---|---|---|---|---|
| Microsoft Corporation KEK CA 2011 | June 2026 | Microsoft Corporation KEK 2K CA 2023 | KEK | Signs updates to DB and DBX |
| Microsoft Windows Production PCA 2011 | October 2026 | Windows UEFI CA 2023 | DB | Signs Windows boot loader |
| Microsoft UEFI CA 2011 | June 2026 | Microsoft UEFI CA 2023 | DB | Signs third-party boot loaders |
| Microsoft UEFI CA 2011 | June 2026 | Microsoft Option ROM UEFI CA 2023 | DB | Signs third-party option ROMs |
These certificates validate Windows boot components, third-party bootloaders, and Secure Boot revocation updates. When they expire, Secure Boot may fail to function correctly, creating a window for threat actors to bypass protections and install bootkits or other persistent malware.
KB5073724 initiates a phased rollout of new certificates. Microsoft's approach uses a targeted deployment strategy: the update includes "high confidence device targeting data" that identifies systems eligible for automatic certificate updates. Devices must demonstrate "sufficient successful update signals" before receiving new certificates, ensuring a safe, gradual rollout rather than a risky mass deployment.
Who Needs This Update?
This update is specifically for:
- Windows 10 Enterprise LTSC installations
- Systems enrolled in the Extended Security Updates (ESU) program
Users can install it through the standard Windows Update mechanism by navigating to Settings > Windows Update and manually clicking "Check for Updates."
No Known Issues
Microsoft reports no known issues with KB5073724, though the removal of modem drivers represents a functional change that administrators should verify against their hardware inventory.
Broader Context
This update arrives as part of Microsoft's January 2026 Patch Tuesday, which addresses a substantial 114 vulnerabilities across the Windows ecosystem. The company has been progressively winding down Windows 10 support while encouraging migration to Windows 11, but extended security updates ensure that organizations still running Windows 10 receive critical patches.
The Secure Boot certificate transition represents one of the most significant infrastructure updates in recent Windows history. Organizations should verify that their systems receive these certificate updates before the 2026 expiration dates to maintain boot-level security protections.
For administrators managing large Windows 10 deployments, this update should be tested and deployed through normal change management processes, with particular attention to systems using the affected modem hardware.
Comments
Please log in or register to join the discussion