Navigation section

KB5073724 Windows 10 ESU Rollup: Secure Boot Prep and Legacy Driver Removals

Microsoft has released KB5073724 — the first Windows 10 security rollup of 2026 — and ESU‑enrolled and LTSC systems should treat it as urgent: it renews pre‑boot trust material (Secure Boot certificates), removes several legacy in‑box modem drivers, and ships a targeted quality/security bundle that prepares older Windows 10 installations for a coordinated certificate update this summer.

A Windows 10 security infographic showing a blue shield, padlock, and boot-file rollout.Background / Overview​

Windows 10 has entered a security‑only maintenance phase for most editions, and Microsoft now delivers fixes for eligible systems via the Extended Security Updates (ESU) program and Long‑Term Servicing Channel (LTSC) servicing. KB5073724 was published on January 13, 2026 and advances Windows 10 builds to 19045.6809 (22H2) and 19044.6809 (21H2 / Enterprise LTSC 2021). It is explicitly targeted at systems receiving ESU or covered by LTSC servicing. The update is notable not because it adds consumer features, but because it bundles several operationally significant changes: a phased mechanism to deliver renewed Secure Boot certificates, the removal of a small set of legacy modem drivers from the in‑box image, and an update to a Windows‑packaged WinSqlite3.dll that was triggering false positive detections in some security products. These changes are small in download size but large in consequence for specific device populations.

What KB5073724 actually contains​

Removal of legacy modem drivers​

The update removes the following in‑box modem drivers:
  • agrsm64.sys (x64)
  • agrsm.sys (x86)
  • smserl64.sys (x64)
  • smserial.sys (x86)
Microsoft’s release notes explicitly warn that modem hardware dependent on these specific drivers will not function after installing the update. That means legacy analog modem boards, some USB modem dongles, and any specialized serial‑to‑modem adapters that depend on these drivers could stop working without vendor‑supplied signed replacements. This removal is consistent with Microsoft’s long‑running effort to shrink the kernel attack surface by removing rarely used legacy components. For the overwhelming majority of modern users this will have no impact; for organizations that still run specialized hardware (point‑of‑sale lines, fax infrastructures, industrial control equipment) it is an operational hazard that must be assessed now.

Secure Boot certificate delivery and renewal​

KB5073724 embeds device targeting metadata and staged deployment logic that identifies eligible devices for automatic delivery of the new Secure Boot certificates. Microsoft has warned that many of the Secure Boot certificates in use (the older CA‑2011 chain) are due to expire starting in June 2026; to avoid a mass loss of secure‑boot validation, Microsoft is proactively delivering replacement certificates to firmware stores on qualified devices via Windows updates — but only after devices demonstrate successful update telemetry signals to ensure a safe, phased rollout. In plain terms: this update begins a coordinated, cautious process that will push the new CA 2023 certificates into the UEFI KEK/DB only to devices that meet Microsoft’s safety checks. That avoids forcing certificates onto devices whose firmware cannot accept them, but it also introduces a dependency on OEM firmware behavior and the availability of vendor firmware updates where necessary.

WinSqlite3.dll and other quality fixes​

The package updates WinSqlite3.dll — a Windows‑supplied SQLite variant — to resolve erroneous vulnerability detections by third‑party security products. Microsoft’s notes clarify that application‑bundled sqlite3.dll files are separate and unaffected; if those continue to be flagged users should consult the application vendor. KB5073724 also contains the usual mix of security fixes and quality improvements for ESU‑eligible builds.

Who can (and cannot) get KB5073724​

  • Applies to: Windows 10 version 22H2, version 21H2, and Windows 10 Enterprise LTSC 2021 on systems enrolled in the ESU program or covered by LTSC servicing.
  • How it’s delivered: For eligible devices, the update can be delivered automatically via Windows Update; administrators may also obtain packages from the Microsoft Update Catalog or deploy through WSUS/ConfigMgr. The package is combined with a servicing stack update (SSU) that must be present for reliable installation; Microsoft lists explicit SSU prerequisites in the KB.
  • Non‑ESU, consumer Windows 10 devices that are not covered by LTSC will not be offered this update through the normal Windows Update channel. Those devices must either enroll in ESU (where available and eligible) or migrate to a supported OS to continue receiving security updates.

Why Microsoft is acting now — the Secure Boot deadline​

The driver removal would be headline‑worthy on its own for legacy‑hardware users, but the more urgent operational driver behind KB5073724 is the impending Secure Boot certificate expiration. Microsoft has documented that many devices still rely on CA certificates issued in 2011 that are scheduled to expire starting in June 2026; without certificate replacement some devices could lose the ability to boot securely, with knock‑on impacts for anti‑tamper mechanisms and software that relies on Secure Boot for kernel integrity checks. This isn’t merely theoretical: the Secure Boot chain iecurity root. If certificates expire and are not replaced or accepted by the firmware’s KEK/DB, pre‑boot code verification can fail, potentially causing boot failures or breaking the trust assumptions that anti‑cheat, DRM, and some enterprise protection features depend upon. Microsoft’s approach — staged, telemetry‑backed certificate delivery — is designed to reduce the risk of a disruptive, indiscriminate push while still protecting systems before the expiry window.

Risks, tradeoffs, and operational considerations​

No security action is without tradeoffs. KB5073724 is small, but its consequences are concentrated:
  • Removal of modem drivers may break legacy hardware that remains in production in niche environments (fax lines, point‑of‑sale modems, industrial modem links). Recovering that functionality may require OEM driver updates, signed driver packages, or hardware replacement — not a simple rollback, because the drivers are removed from the Windows image.
  • Secure Boot certificate enrollment depends on firmware behavior. Devices that cannot accept new KEK/DB entries will lag in the certificate rollout and may need vendor intervention. OEM firmware variability is the single biggest operational unknown; broad testing across representative OEM/firmware combinations is essential for enterprises.
  • SSU/LCU sequencing matters. KB5073724 is distributed as a combined Servicing Stack Update + Latest Cumulative Update in some packaging scenarios; installing the correct SSU first reduces installation failures. Microsoft lists prerequisite SSUs for several deployment paths.
  • Microsoft currently lists no known issues in the KB article, but that status is a snapshot; post‑deployment telemetry frequently surfaces regressions that can affect enterprise rollouts. Treat “no known issues” as provisional and plan a monitoring window after deployment.
  • For organizations that still rely on telephone networks, analog modems, or specialized serial hardware, driver removal represents a real support cost. Map dependencies now; assume vendor intervention may be required.

Recommended, practical rollout plan​

The following checklist is a concise, operationally tested sequence for both single machines and fleets.
  • Inventory and classify
  • Identify devices that are ESU‑enrolled or LTSC and confirm OS build (winver).
  • Create a list of devices that use legacy modems, fax devices, or serial‑attached telephony hardware.
  • Back up and prepare recovery
  • Confirm backups and ensure BitLocker recovery keys are accessible (do not rely on recovery key access only after an install).
  • Verify that an image or a rollback plan exists for any device that must be recovered quickly.
  • Update servicing stack (SSU)
  • Install any prerequisite SSUs the KB calls out before deploying KB5073724. The KB includes explicit guidance for several installation scenarios.
  • Pilot in a representative ring
  • Choose test devices across OEMs, firmware revisions, and hardware generations.
  • Validate boot behavior, BitLocker unlock, Secure Boot state, and any modem/fax workflows.
  • Coordinate OEM firmware updates
  • For models that cannot accept KEK/DB certificate changes, coordinate with OEMs for firmware updates or documented guidance. Don’t presume all older systems will accept the new certificates.
  • Staged deployment and monitoring
  • Use phased rings and monitor update success telemetry and Windows Event logs for certificate enrollment errors.
  • Maintain a communication plan with helpdesk staff to handle unexpected device behavior.
  • Remediation and exceptions
  • For unrecoverable legacy hardware, plan hardware replacement or secured network isolation if replacement is delayed.
This is an operations project for managed fleets — for single ESU‑enrolled machines used at home, the process is much simpler: ensure you have a recent backup, confirm the latest SSU is installed, make sure BitLocker keys are at hand, then apply the update via Windows Update or the Microsoft Update Catalog and watch the system during the next reboot.

Known issues, verifiability, and claims to treat cautiously​

  • Microsoft’s KB currently reports no known issues for KB5073724, but that status can change as real‑world telemetry arrives; treat the “no known issues” claim as provisional, not definitive. Plan monitoring and be prepared to pause rollouts if necessary.
  • Several outlets have described the modem driver removal as affecting “almost no users,” but exact impact percentages are unverifiable without telemetry from Microsoft or OEMs. Statements like “99.99% unaffected” should be treated as estimates unless corroborated by authoritative telemetry; plan on the assumption that at least some legacy devices will be impacted and inventory accordingly.
  • Reporting that ESU enrollment can be obtained via rewards or unusual channels appeared in some summaries and rewrites; availability, pricing, and enrollment options vary by region and over time. Confirm ESU eligibility and enrollment methods with Microsoft’s official channels rather than third‑party summaries before making procurement decisions.

The gamer and consumer angle: will this affect games and anti‑cheat?​

Secure Boot is relied upon by several anti‑cheat systems and other pre‑boot security checks. Because the new certificates touch pre‑OS trust anchors, there was immediate concern in the gaming community that certificate changes could cause anti‑cheat failures or boot issues on some hardware. Microsoft has indicated that the rollout is phased and telemetry‑driven specifically to avoid mass disruptions; most gamers should see no interruption, but gamers on older rigs or on machines with vendor firmware that cannot accept the new certificates should watch for firmware updates from OEMs. Tooling available in Windows and from Steam can be used to check Secure Boot status before deploy.

What to watch in the next 30–90 days​

  • OEM advisories and BIOS/UEFI updates for model‑level guidanollment readiness. Firmware vendors may need to release updates for select models to accept the new KEK/DB entries.
  • Microsoft Release Health and the Security Update Guide for any post‑deployment known issues or CVE mappings tied to KB5073724. Treat Microsoft’s Release Health as the canonical operational status page.
  • Out‑of‑band updates: Microsoft sometimes follows up with targeted hotfixes or out‑of‑band patches to address issues surfaced after a rollout (for example, an out‑of‑band January 17 update fixed a Remote Desktop sign‑in issue in a relantain a short window of extra vigilance after deployment.
  • Security vendor guidance: security products that flagged WinSqlite3.dll as vulnerable should update definitions; if issues persist, consult the security vendor’s advisory.

Final assessment — strengths and risks​

KB5073724 shows a measured, defensive posture from Microsoft: rather than wait for certificate expirations to cause mass disruption, Microsoft is proactively shepherding certificate renewal onto devices in a phased manner and simultaneously removing rarely used kernel code that represents maintenance overhead and attack surface. The strengths of this approach are clear:
  • Proactive certificate management reduces the risk of unexpected Secure Boot failures after certificate expiry.
  • Kernel hardening by removing legacy drivers lowers long‑term maintenance and security burden.
  • Telemetry‑driven rollout helps prevent mass breakage by only pushing certificates to devices that demonstrate successful update signals.
Those benefits come with operational friction and risks:
  • Legacy hardware breakage for niche devices that still depend on removed modem drivers. Prepare for vendor remediation or hardware refreshes.
  • Firmware dependency creates heterogeneity: some machines may require OEM intervention to accept certificate updates. Inventory and test across representative firmware families.
  • Post‑deployment surprises remain possible; “no known issues” is not a guarantee. Monitor closely and be ready to pause rollouts if problems appear.

Practical takeaway​

For individual users on ESU or LTSC machines: treat KB5073724 as a high‑priority security update. Confirm you have the latest SSU, ensure backups and BitLocker keys are accessible, then install the update and observe the first reboot for any unexpected behavior. For administrators: treat KB5073724 as an operations project — inventory legacy dependencies, pilot on a broad range of OEMs/firmware, update SSUs first, stage the rollout, and coordinate with OEMs where devices cannot accept certificate changes. Do not push blindly; plan, test, and monitor. KB5073724 is not a dramatic consumer feature release. It is an operational pivot: a small patch with outsized systemic importance because of certificate expiry timelines and the removal of obsolete kernel components. For systems that remain on Windows 10 under ESU/LTSC, the correct response is timely, measured action — install after prerequisites are met, but do so with a tested, staged plan.
Conclusion
KB5073724 is a compact but consequential update: it renews the platform’s pre‑boot trust anchors in a staged way, removes legacy modem drivers that pose maintenance and security costs, and corrects a packaged component that triggered false positives. For ESU‑enrolled Windows 10 systems and LTSC deployments the guidance is clear — prioritize the update, follow the SSU prerequisites, pilot across hardware variants, and coordinate with OEMs where firmware limitations exist. Doing so will close an important security gap ahead of June 2026 and reduce long‑term exposure, while avoiding the avoidable disruption that comes from untested mass rollouts.
Source: Inbox.lv Windows 10 Users Urged to Update Immediately
 

You must log in or register to reply here.

Similar threads

ChatGPT
  • Article Article
Windows 10 KB5073724: ESU LTSC Security Patch Removes Legacy Modems and Renews Secure Boot
Replies
1
Views
790
ChatGPT
ChatGPT
ChatGPT
  • Article Article
KB5083817 Safe OS Dynamic Update for Windows 11 26H1: Recovery and Secure Boot Prep
Replies
0
Views
342
ChatGPT
ChatGPT
ChatGPT
  • Article Article
Understanding Windows 10 KB5073724 ESU Update: Auto vs Catalog Installations
Replies
0
Views
262
ChatGPT
ChatGPT
ChatGPT
  • Article Article
KB5089573 Optional Preview: Secure Boot Prep, AI Updates, and EFI Error 0x800f0922
2
Replies
22
Views
17K
ChatGPT
ChatGPT
ChatGPT
  • Article Article
Secure Boot Certificate Rollover June 2026: Windows 10 ESU and Boot Trust
Replies
0
Views
682
ChatGPT
ChatGPT
Back
Top