Microsoft's latest Patch Tuesday updates for Windows 11 introduce automated Secure Boot certificate management, harden Windows Deployment Services, and fix 114 security flaws including three zero-day vulnerabilities.
Microsoft has released the January 2026 Patch Tuesday updates for Windows 11, bringing mandatory security patches, bug fixes, and significant infrastructure changes to how devices handle Secure Boot certificates and Windows Deployment Services.
The updates affect all current Windows 11 versions: KB5074109 for 25H2 and 24H2, and KB5073455 for 23H2. These cumulative updates contain the January 2026 security patches addressing vulnerabilities discovered in previous months, along with feature improvements and compatibility fixes.
Secure Boot Certificate Automation
One of the most notable changes in this update is how Windows handles Secure Boot certificate updates. Starting with this release, Windows quality updates will include "high confidence device targeting data" that identifies devices eligible to automatically receive new Secure Boot certificates.
This represents a shift from manual certificate management to an automated, phased approach. The system will only deploy new certificates after a device demonstrates "sufficient successful update signals," ensuring stability before broad deployment. This is particularly important for enterprise environments where Secure Boot failures can prevent systems from booting.
Secure Boot is a UEFI feature that prevents unauthorized code from running during the boot process by verifying digital signatures against trusted certificates. As certificates approach expiration or become compromised, devices need updates to maintain security. The automated approach reduces administrative overhead while maintaining safety through phased rollout.
Windows Deployment Services Hardening
For IT administrators using Windows Deployment Services (WDS), this update introduces a critical security change: WDS will no longer support hands-free deployment functionality by default. This is a significant security hardening measure that affects automated deployment workflows.
Hands-free deployment allows systems to image without manual intervention, but this convenience can be exploited if WDS servers are compromised. The new default behavior forces administrators to explicitly enable this functionality, making it a conscious security decision rather than an implicit risk.
Microsoft has published detailed guidance in their Windows Deployment Services (WDS) Hands‑Free Deployment Hardening Guidance documentation. Administrators who rely on hands-free deployment will need to review this guidance and explicitly configure their servers to maintain existing workflows.
Security Fixes and Zero-Day Patches
This update addresses 114 security vulnerabilities, including three zero-day vulnerabilities that were being actively exploited before patches were available. Zero-day vulnerabilities are particularly dangerous because attackers have working exploits before defenders have patches, giving organizations no time to prepare defenses.
While Microsoft hasn't detailed the specific zero-day vulnerabilities in this announcement, the sheer number of fixes (114) indicates comprehensive security hardening across the Windows ecosystem. These patches cover the entire Windows stack, from core system components to networking features.
Critical Bug Fixes
The updates resolve several important issues affecting daily operations:
Networking Issues: The update fixes WSL (Windows Subsystem for Linux) mirroring failures that caused "No route to host" errors and blocked VPN access to corporate resources. This issue appeared after installing KB5067036 and particularly affected developers using WSL in enterprise environments.
It also resolves RemoteApp connection failures in Azure Virtual Desktop (AVD) environments that emerged after KB5070311, restoring remote desktop functionality for cloud-hosted Windows instances.
Power Management: Devices equipped with Neural Processing Units (NPUs) were experiencing an issue where they would remain powered on during idle periods, impacting battery life and power consumption. This fix is particularly relevant for newer AI-capable laptops and tablets.
Component Updates: The core Windows component WinSqlite3.dll has been updated. Previously, some security software incorrectly flagged this component as vulnerable. The update resolves these false positives while maintaining the component's functionality.
Compatibility Changes
The update removes several legacy modem drivers: agrsm64.sys (x64), agrsm.sys (x86), smserl64.sys (x64), and smserial.sys (x86). Hardware dependent on these drivers will no longer function after the update. This is part of Microsoft's ongoing effort to remove outdated drivers that lack modern security standards and maintenance.
Organizations still using dial-up modems or specific cellular modem hardware should verify driver compatibility before deploying this update.
Known Issues
Microsoft has identified one notable bug in this release: the update may hide the button that makes password fields visible. This affects the "show password" functionality in various Windows dialogs. While not a security vulnerability, it impacts user experience. Microsoft is working on a fix for a future update.
Installation and Version Information
After installing KB5074109 (25H2/24H2), the build number changes to 26200.7623 for 25H2 and 26100.7462 for 24H2. For 23H2 systems installing KB5073455, the build becomes 226x1.6050.
Since version 25H2 is based on 24H2, both versions receive identical fixes and features. This is the third Patch Tuesday release for 25H2, but no exclusive changes were needed due to the shared codebase.
Deployment Recommendations
For Enterprise Administrators:
- Review WDS configurations before deployment if using hands-free deployment
- Test Secure Boot certificate automation in pilot groups first
- Verify NPU-equipped devices have proper power management settings
- Check for legacy modem hardware compatibility
For Individual Users:
- Install updates through Windows Update (Start > Settings > Windows Update > Check for Updates)
- Alternatively, download manually from the Microsoft Update Catalog
- Be aware of the password visibility button issue if you rely on "show password" features
The updates are mandatory and should be deployed promptly due to the inclusion of critical security patches, especially the three zero-day vulnerability fixes. Organizations should follow their standard patch management procedures while accounting for the WDS and Secure Boot changes that may require additional configuration.
For detailed technical information about the Secure Boot certificate automation and WDS hardening, administrators should consult Microsoft's official documentation and the Windows Deployment Services hardening guidance referenced in the update notes.
Comments
Please log in or register to join the discussion