January 2026 Patch Tuesday: Security First Windows 11 and Server Updates

Microsoft’s January 2026 Patch Tuesday brings a focused, security-first cumulative update to Windows 11 and Windows Server platforms: consumer and managed devices receive fixes rather than flashy features, while server editions are updated with distinct KB identifiers and targeted enterprise changes designed to reduce attack surface and improve boot integrity. The rollout (released January 13, 2026) includes KB5074109 for Windows 11 25H2/24H2 (OS Builds 26200.7623 and 26100.7623), KB5073455 for Windows 11 23H2 (Build 22631.6491), Windows Server releases such as KB5073379 for Windows Server 2025 (Build 26100.32230) and KB5073450 for Windows Server 2023 (Build 25398.2092), and ESU updates for Windows 10 where applicable. These updates fix an array of security issues, correct a battery-draining NPU power-state bug on some devices, and begin a phased rollout to replace Secure Boot certificates ahead of expirations in mid‑2026.

---

Background​

Why January 2026 matters​

This Patch Tuesday is notable less for consumer-facing features and more for three coordinated platform moves that have operational implications for both home users and enterprise administrators:

• Security hardening across many Windows components, covering dozens (and by some counts over a hundred) of CVEs patched this month.
• Removal of legacy in‑box modem/serial drivers that have long been high‑risk and low‑usage, with the attendant compatibility fallout for exceptionally old hardware.
• A staged Secure Boot certificate replacement mechanism to head off issues when historic Microsoft-supplied firmware certificates begin to expire starting June 2026.

Independent reporting and community analysis placed the breadth of security fixes in this rollout at more than a hundred CVEs (counts vary by method of aggregation), which elevates the urgency of deployment for security-conscious administrators.

What Microsoft changed for servers​

Starting with January 2026, Windows Server 2025 gets its own KB identifiers and build numbering separate from the Windows 11 client servicing stream. Microsoft says this improves clarity for administrators while leaving installation mechanics unchanged. The Server 2025 cumulative is identified by KB5073379 (OS Build 26100.32230) and was released January 13, 2026. Similar monthly cumulative updates were published for Windows Server 2023 (KB5073450) and Windows Server 2022 (KB5073457). These server packages include the same security and quality fixes as their client counterparts where relevant, plus server-specific adjustments and servicing stack updates.

---

What’s in the January 2026 updates​

Consumer and client highlights (Windows 11 KB5074109 / KB5073455)​

The combined servicing stack + cumulative update for Windows 11 (KB5074109 for 25H2/24H2) advances systems to OS Builds 26200.7623 and 26100.7623 respectively. The 23H2 line continues to be maintained for enterprise/education SKUs via KB5073455 (Build 22631.6491). The major, verifiable headlines are:

• NPU idle-power bug fix: Devices with integrated Neural Processing Units (NPUs) that were incorrectly leaving the NPU powered while idle now have corrected power-state transitions, improving battery life on affected laptops and handhelds. This is one of the tangible quality wins for AI‑accelerated devices.
• Secure Boot certificate rollout prep: The updates carry device-targeting metadata and a telemetry-driven mechanism to safely deliver replacement Secure Boot certificates to eligible devices before older certificates expire. Microsoft gates delivery so certificates are only pushed to devices that show stable update telemetry to limit risk. This is preparatory work for expiring Microsoft certificates starting in June 2026.
• Legacy driver removals: Several legacy modem and serial drivers were removed from the Windows in‑box image (examples: agrsm64.sys, agrsm.sys, smserl64.sys, smserial.sys). Hardware that depends on these specific legacy drivers will stop working unless a vendor-supplied modern driver is available. For most modern PCs this will be a non‑event; for specialty telephony hardware or archived devices, it can be disruptive.
• WinSqlite3.dll refresh: Microsoft updated the Windows-packaged SQLite component (WinSqlite3.dll) to address detections and false-positive vulnerability reports from some security products. This reduces scanner noise and improves reliability of app behavior where the Windows-packaged SQLite is used.
• Quality and reliability fixes: A range of fixes affecting WSL mirrored networking, RemoteApp/AVD connection reliability, File Explorer improvements (e.g., expanded dark mode in dialogs, Recommended section toggles), handheld Full Screen Experience gating broadened beyond a limited set of devices, stylus haptics improvements, and keyboard backlight performance tweaks. Some UI and Copilot-era features remain server-side gated and will appear to subsets of devices gradually.

Server-specific changes (KB5073379, KB5073450, KB5073457)​

Server cumulative updates contain similar security content but with enterprise-targeted notes:

• KB identifier split: Windows Server 2025 now publishes with its own KB number (KB5073379) and build (26100.32230), clarifying support and servicing for admins. Microsoft explicitly states installation and management processes remain the same despite the KB split.
• Secure Boot CA and certificates: Server releases include the same preparatory work for Secure Boot certificate replacement and emphasize coordination with OEM firmware updates. Admins must plan firmware updates in their maintenance windows to avoid boot or update failures on affected fleets.
• Removed legacy drivers and other fixes: Server rollups also remove identified legacy modem drivers from images and patch server-targeted subsystems (HTTP.sys parsing behavior updates or servicing stack improvements may be included where relevant). KB pages list specific fixes and known issues for each server SKU.

---

Security coverage: scale and priority​

January’s rollups address a broad set of security issues across kernel, networking (SMB/HTTP.sys), display, input subsystems, and more. Independent reporting and Microsoft’s Security Update Guide indicate the month’s cumulative packages patch dozens to over one hundred vulnerabilities depending on counting methodology. Several items are notable:

• At least one fix addresses a Desktop Window Manager (DWM) vulnerability that has been observed exploited in the wild in some reports, adding urgency to deployment.
• SMB server, NTFS, and other core components received patches that mitigate elevation‑of‑privilege or remote code execution vectors.
• The updates bundle the latest Servicing Stack Update (SSU) with the cumulative (LCU) which can affect rollback behavior: combined SSU+LCU packages include an SSU portion that is persistent after installation and not removable via wusa. This has operational implications for imaging and rollback plans.

Because security wheels are spinning faster than ever, administrators should treat January’s cumulative as a high-priority security baseline—while also recognizing that some of the quality or compatibility changes (driver removals, certificate provisioning) require careful staging.

---

Strengths: what Microsoft delivered well​

• High-priority security fixes: The update addresses a wide swath of vulnerabilities and includes SSU improvements that make future updates more reliable.
• Targeted power optimization: The NPU idle‑state fix directly benefits battery life for modern AI-enabled laptops and devices.
• Proactive Secure Boot handling: Rather than waiting for certificate expirations to create mass failure scenarios, Microsoft is shipping a phased, telemetry‑driven replacement plan to minimize risk.
• Removal of legacy attack surface: Deprecating ancient in‑box drivers (PowerShell 2.0/WMIC earlier, and these modem drivers now) lowers long-term risk and maintenance complexity for the platform.

These are practical platform improvements that reduce future incident surfaces and address real-world quality pain points for a set of devices.

---

Risks, trade-offs and what to watch for​

• Legacy hardware breakage: Devices that rely on the removed modem/serial drivers will stop functioning after the update. This is an immediate, irreversible change for those endpoints unless a vendor driver is available. Claims about how many users will be affected (for example, “99.99% won’t notice”) are plausible but not independently verifiable—treat such figures as estimates and inventory vulnerable endpoints proactively. Caution: verify your fleet.
• Secure Boot certificate complexity: The certificate replacement is deliberately gated by update telemetry. That reduces risk but creates a dependency on firmware compatibility, OEM cooperation, and telemetry signals—factors that vary across OEMs and enterprise configuration (air-gapped systems, strict telemetry controls). Organizations that block telemetry or run offline images should plan manual certificate provisioning or firmware updates as needed.
• Installation/servicing regressions: Community reports following the rollout included intermittent install failures (error codes like 0x800f0922, 0x80070306, component-store/SSU sequencing errors), and occasional brief display blackouts on machines with specific NVIDIA drivers. These appear tied to driver/firmware interactions in the field and underscore the need for pilot rings. Early signals are helpful but not definitive; reproducibility depends on device/driver/firmware combinations.
• Rollback complexity: Because combined SSU+LCU packages include an SSU that cannot be removed with wusa, offline installers and rollback plans must rely on DISM image-level techniques or full-image reverts. IT teams should validate rollback procedures in lab environments before broad deployment.

---

Deployment guidance — practical, prioritized steps​

Treat this release as a security baseline with a few operational “land mines” to avoid. The suggested rollout approach:

• Inventory: Run a hardware and driver inventory specifically scanning for legacy modem/serial devices, NPU‑equipped devices, and firmware versions that may reject certificate updates.
• Pilot: Create a pilot ring (small, representative sample) that includes:
• Modern laptops and handhelds (NPU hardware)
• Devices with older peripheral hardware (modems, serial adapters)
• A sample of server roles (Domain controllers, WSUS/WSUS proxies, WDS servers)
• Test firmware updates: Coordinate with OEMs to confirm firmware compatibility for Secure Boot CA updates; schedule firmware maintenance windows where needed.
• Validate rollback: Ensure you can perform DISM-based rollback or image-level revert in case the update precipitates an unresolvable regression on a particular SKU.
• Monitor telemetry: Post-deployment, watch update and crash telemetry closely for signs of display driver regressions, WDS behavior changes, or update errors. Use the Known Issue Rollback (KIR) mechanisms or Group Policy mitigations Microsoft publishes if you encounter documented regressions.

For enterprise admins, pay extra attention to:

• WDS hands-free deployment changes: The update modifies WDS default behavior (hands-free deployment is disabled by default). Review and adopt the hardening guidance if your workflow relies on that feature.
• WSUS/Configuration Manager: Ensure your update catalogs are current and client targeting is validated; SSU sequencing matters for reliable installs.

---

How to download and install (consumer and IT paths)​

• For most users, the simplest route is: Settings > Windows Update > Check for updates. The cumulative updates should appear automatically when offered.
• If Windows Update does not present the update or you need offline installers, use the Microsoft Update Catalog and search by KB number (for example, KB5074109, KB5073455, KB5073379, KB5073450). The catalog provides .msu/.cab packages suitable for imaging or offline deployment.
• For managed environments, use Windows Update for Business, WSUS, or Configuration Manager and follow your normal ring-based deployment policy—pilot first, then broader rings.
• If you need to remove the LCU after combined SSU+LCU installation, you must use DISM /Remove-Package with the LCU package name; wusa /uninstall will not remove the SSU portion. Plan rollbacks accordingly.

Numbered quick install checklist:

• Check your Windows edition and build with winver.
• Backup critical data and ensure system images exist for rollback.
• Update critical drivers (graphics, NICs) to vendor-recommended versions before applying the OS cumulative where possible.
• Apply the update on pilot systems via Windows Update or the Microsoft Update Catalog.
• Validate key workloads, peripherals, and remote access scenarios (RDP, RemoteApp, WSL over VPN).
• Proceed to phased production deployment if no regressions are observed.

---

Notable unknowns and unverifiable claims (flagged)​

• Exact affected-device counts for legacy driver removals and the assertion that “99.99% of users won’t notice” are plausibility statements, not precise telemetry disclosed by Microsoft. Treat these as estimates and inventory your own environment.
• Microsoft’s telemetry thresholds and gating logic for Secure Boot certificate enrollment are not exhaustively documented; the vendor publishes the high-level mechanism but not the precise heuristics used for device eligibility. Admins should assume some devices will require manual intervention.

---

Short technical deep dives​

Secure Boot certificate rotation — why it matters​

Secure Boot relies on firmware-resident trust anchors (KEK/DB/DBX entries). Some Microsoft-supplied certificates issued in earlier years are scheduled to expire beginning June 2026. If replacement certificates are not provisioned in time, devices may fail to trust updated bootloader signatures or post-boot components—creating update and boot reliability risks. Microsoft’s update includes targeted data and a telemetry-gated mechanism to provision replacement certificates only to devices that show a healthy update posture, minimizing widespread failures. However, the process depends on coordinated firmware handling by OEMs and may require manual firmware updates in some fleets.

Winsqlite3.dll​

WinSqlite3.dll is the Windows-serviced SQLite runtime packaged with the OS. Security scanners and some vendors reported false positives tied to earlier SQLite CVEs; Microsoft patched and refreshed the Windows-packaged binary to reduce noisy detections and address true vulnerabilities in the packaged component. This patch is not the same as third‑party sqlite3.dll present in application folders; those must be updated by the app vendor.

---

Conclusion​

The Windows 11 January 2026 Update cycle (KB5074109 for 25H2/24H2, KB5073455 for 23H2, and the corresponding Windows Server packages KB5073379, KB5073450, KB5073457) is predominantly a security and reliability release with a handful of high-impact operational changes. It fixes a real battery-draining NPU idle-state bug, reduces long-term attack surface by removing legacy drivers, and — critically — begins the careful, telemetry-driven work of replacing Secure Boot certificates ahead of mid‑2026 expirations. For consumers, the update is broadly positive and likely unobtrusive; for enterprises the release demands careful inventory, pilot testing, and coordination with OEM firmware schedules.
Practical takeaway: prioritize deployment for security reasons, but pilot wisely—inventory legacy-modem dependencies, validate firmware/driver compatibility, and confirm rollback procedures before broad rollout. The technical changes improve long-term platform security and device reliability, but they require administrators to treat January’s updates as an operational event rather than background maintenance.

---

Source: Windows Latest Windows 11 January 2026 Update: Mostly fixes for consumers, as Windows Server KB5073379, KB5073450 ships for enterprises