KB5074109 January 2026: Cloud PC and AVD Login Issues with Known Issue Rollback

Microsoft’s January cumulative update is preventing some users from connecting to Microsoft 365 Cloud PCs and Azure Virtual Desktop sessions, and Microsoft has acknowledged the regression — offering Known Issue Rollback (KIR) and temporary connection workarounds while an out‑of‑band fix is prepared.

Background

Microsoft shipped the January 13, 2026 cumulative update identified as KB5074109 for Windows 11 (and matching servicing packages for supported Windows 10 SKUs). The rollup carries several quality and security fixes — including power/NPU fixes and Secure Boot certificate management changes — but also introduced a regression affecting Remote Desktop credential prompts that can break connections to Azure Virtual Desktop (AVD) and Windows 365 Cloud PCs on some enterprise-managed clients. The update corresponds to OS builds 26100.7623 and 26200.7623. Microsoft’s published KB entry explicitly lists the authentication/RemoteApp symptom and the mitigation via Known Issue Rollback (KIR). The vendor notes that consumer Home/Pro devices are very unlikely to be affected and that the problem is concentrated in enterprise-managed environments.

What happened (timeline and immediate effects)

  • January 13, 2026 — Microsoft released KB5074109 as part of Patch Tuesday.
  • Within hours — enterprise administrators and field operators began reporting immediate authentication failures when launching AVD/Cloud PC sessions through the Windows 365 / Windows App client; users typically saw an immediate authentication error (commonly reported as “An authentication error has occurred (Code: 0x80080005)”) and no session establishment. Community reproductions confirmed the regression.
  • Microsoft acknowledged the regression in the KB’s Known Issues section and published KIR guidance for managed fleets; it also advised alternate connection methods (AVD Web client or the classic Remote Desktop client) as temporary workarounds while engineering prepares a remediation in a future update.
Those immediate symptoms — credential prompts failing before session establishment — point to a client‑side regression in the credential prompt or authentication handshake rather than a backend AVD host outage. Community posts and independent reproductions showed that uninstalling KB5074109 or applying KIR restored connectivity for affected endpoints.

Why this breaks Cloud PC access: a technical overview

At a high level, Cloud PC and AVD connections depend on a chain of interdependent components: the local Windows host (and its Remote Desktop/Windows App client), authentication flows (Microsoft Entra ID / SSO), token exchange and credential prompts, and the Azure AVD gateway and session hosts. A regression can be catastrophic if it affects any gatekeeper in that chain.
This incident appears to be a regression in how the Windows client handles the initial credential prompt or SSO token exchange during Remote Desktop connection initialization. Symptoms are consistent with a prompt failing or being short‑circuited on the client before backend authentication can proceed — hence the immediate failure and error codes observed in field reports. Microsoft’s advisory frames the problem in similar terms (credential prompt failures during Remote Desktop connections). Key technical points to bear in mind:
  • The failure typically occurs immediately when the user clicks Connect in the Windows App, showing an authentication error and preventing session establishment.
  • The issue is not a universal outage — it’s concentrated where client SSO paths, enterprise authentication agents, and specific Remote Desktop client combinations are in use. Microsoft’s guidance flags enterprise-managed environments as the likely scope.
  • There is as yet no single-line, public engineering post from Microsoft describing the exact code path that produced the regression; official guidance focuses on mitigation while a true servicing fix is developed.

Real-world impact: productivity vs. security trade-offs

For organizations that rely on Cloud PCs or AVD as the primary desktop for remote workers, this regression has immediate operational consequences.
  • Productivity: Users who cannot establish Cloud PC sessions lose access to corporate desktops, internal apps, and files, which can halt business processes and remote support activity. Incident timelines reported by IT teams show real disruption during business hours.
  • Helpdesk load: The error is synchronous and pervasive for affected endpoints, increasing support tickets and forcing temporary manual workarounds across broad user bases.
  • Security trade-offs: The blunt remediation of uninstalling the cumulative update will restore connectivity for many, but it also removes recent security fixes contained in that update. Microsoft’s KIR mechanism exists to avoid that trade‑off by reversing only the small change that caused the regression while leaving other security fixes intact. Admins who consider uninstalling the LCU must weigh the increased attack surface against operational needs.
Community reproductions indicate that uninstalling the update restored connectivity in many cases, but that is a last‑resort option because of the security risks involved.

What Microsoft has published (official guidance)

Microsoft’s KB entry for KB5074109 includes:
  • An explicit Known Issues note that credential prompt failures may occur during Remote Desktop connections using the Windows App on affected Windows client builds (OS builds 26100.7623 / 26200.7623).
  • A mitigation path recommending the Known Issue Rollback (KIR) for managed environments, with Group Policy MSI artifacts for enterprise deployment; affected devices must be restarted after KIR is applied.
  • Temporary workarounds: use the Windows App Web Client (the browser‑based AVD/Windows 365 portal) or the classic Remote Desktop client (MSI) to connect to AVD while the Windows App client on affected builds is being investigated.
Microsoft also states it is “working on a resolution in a future Windows update,” which is the firmest public timetable available at the moment. Administrators should expect an out‑of‑band (OOB) servicing update or a subsequent monthly rollup to contain the permanent fix.

Practical, prioritized mitigation steps for administrators

Below is a practical playbook — ordered by safety and practicality — for IT teams managing affected fleets.
  • Inventory and scope (immediate)
      • Identify which users rely on Cloud PCs or AVD and which devices have KB5074109 installed (check OS build via winver.exe or enumerate installed packages). Use Update History, or run DISM to list packages: DISM /online /get-packages | findstr 5074109
  • Pause further rollout
      • Stop pushing KB5074109 to additional rings until you have validated behavior in a controlled pilot group. Use Windows Update for Business, WSUS, or your endpoint management solution to pause or block the update where possible.
  • Preferred remediation: Deploy the Known Issue Rollback (KIR)
      • Microsoft provides a KIR MSI/Group Policy package targeted to the affected Windows versions. Deploy the Group Policy definition for the matching Windows build and restart devices to apply the rollback. KIR reverses only the change that caused the regression and preserves the other fixes in the cumulative update.
  • Alternate (temporary) user workarounds
      • Instruct users to use the AVD web client (windows.cloud) or the classic Remote Desktop (MSI) client to connect to Cloud PCs until the remediation is applied to their endpoint. These connection paths avoid the Windows App client prompt that is failing on affected builds.
  • Last resort: uninstall the LCU (with strong caveats)
      • Uninstalling KB5074109 can restore connectivity but removes security fixes. If you must remove it temporarily:
          • Enumerate the exact package identity with DISM: DISM /online /get-packages | findstr 5074109
          • Remove the package: dism /online /remove-package /packagename:PACKAGE_ID
          • Reboot and block reinstallation with update deferral policies until a permanent fix is confirmed. Use this approach only after risk evaluation.
  • Communication and escalation
      • Communicate a clear fallback path to end users: how to connect via the web client, and which groups are prioritized for KIR rollout. Escalate to Microsoft Support for business‑critical blockers and file formal incident reports if AVD/Cloud PC availability is impacting SLAs.

Step‑by‑step: Deploying the KIR (high‑level)

  • Download the KIR MSI / Group Policy package matching your Windows build (Microsoft’s KB and Windows Health Dashboard list the package).
  • Import the KIR policy definition into Group Policy central store or use Intune/MDM to apply the setting to the targeted OU/device group.
  • Configure targeting so the KIR applies only to affected rings or critical users. Avoid a broad, untargeted deployment if possible.
  • Reboot affected machines to activate the KIR behavior. Confirm that affected users can connect using the Windows App client again.
Note: KIR policy lifetime is temporary; remove the policy once Microsoft ships the corrected update that obsoletes the rollback.

Risks and caveats

  • No precise prevalence numbers: Microsoft has not published fleet‑wide telemetry quantifying how many devices are affected. Community telemetry and support threads show multiple independent reproductions, but administrators must treat those as signals rather than exact prevalence metrics. This uncertainty complicates risk modelling.
  • Uninstalling security updates increases exposure: Removing an LCU restores functionality at the cost of reversing security fixes. Prefer KIR where feasible to preserve the update’s security benefits while disabling only the offending change.
  • Edge cases with authentication agents: Environments that use third‑party identity or authentication agents (enterprise MFA, Windows Hello for Business custom components, FIPS mode, etc.) may see varied behavior and should test KIR on representative images first. Community reports include heterogeneous results across regions and tenant types.
  • Workloads using other remote solutions: If you use Citrix or other VDI solutions, validate whether their connection paths are impacted; initial community signals focused on Microsoft’s Windows App client, and the classic Remote Desktop client appears less affected.

Why this matters for your patch management strategy

This incident is a reminder that monthly cumulative updates — even those labeled as security or quality rollups — can interact unexpectedly with cloud authentication flows and enterprise clients. The fix‑and‑rollback toolkit Microsoft provides (KIR + OOB fixes) is effective, but it also highlights the need for robust update discipline:
  • Ringed rollouts: Test updates on representative pilot devices that mirror production configurations (SSO, Kerberos, enterprise authentication agents).
  • Recovery playbooks: Maintain documented rollback procedures (KIR deployment, safe uninstall via DISM, blocking reinstallation policies) and communication templates for user guidance.
  • Telemetry and monitoring: Instrument endpoints to detect authentication‑related errors early (event logs, AVD client health telemetry, targeted user checks).

What to expect next

Microsoft has indicated work is underway to produce a permanent fix and has already supplied KIR as a surgical mitigation. Administrators should:
  • Monitor the Windows Health dashboard and the KB5074109 entry for an updated Known Issues resolution or an out‑of‑band (OOB) servicing release.
  • Prepare to remove the KIR policy once a corrected update is released to avoid long‑term reliance on temporary rollbacks.
Community channels and enterprise forums are already populated with reproducible reports and operational playbooks; use those for pragmatic validation — but treat vendor guidance and Microsoft’s published KIR artifacts as the authoritative remediation path.

Final analysis: strengths, weaknesses and longer‑term lessons

Strengths

  • Microsoft moved quickly to acknowledge the regression and publish KIR guidance that lets enterprises avoid outright uninstall of security updates while restoring functionality. That measured approach — targeted rollback rather than full undo — is the right operational balance for production fleets.
  • The KB entry and the Windows Health tooling make the mitigation artifacts discoverable and manageable through standard enterprise tooling (Group Policy, Intune).

Weaknesses and risks

  • The regression exposed fragility at the intersection of OS updates and cloud authentication/SSO flows. A client-side change can have outsized impact when remote work depends on Cloud PCs. The lack of immediate, detailed engineering root‑cause information means admins must act on mitigations rather than understanding the underlying defect.
  • The incident highlights tradeoffs in rapid monthly servicing: faster patch cadence reduces exposure windows for vulnerabilities, but also shortens the lead time to detect complex regressions that manifest only under enterprise authentication and remote‑access topologies.

Longer‑term lessons

  • Treat authentication flows and remote‑desktop clients as high‑risk test scenarios for every update ring. Include AVD/Cloud PC logins in update validation suites.
  • Maintain a KIR / rollback playbook and a communicated user fallback (web client, classic RDP) to reduce mean time to recovery when regressions hit.

Microsoft’s January cumulative update (KB5074109) has produced a meaningful, fixable disruption for Cloud PC and AVD users in enterprise environments. The vendor has published KIR artifacts and practical workarounds while it prepares a permanent servicing fix; administrators should prioritize targeted KIR deployment and user fallback instructions, avoid wholesale uninstalls where possible, and treat this episode as a signal to harden update validation around authentication and remote‑access paths.
Source: TechRadar Struggling to access Microsoft Cloud PC? This could be why
 

Microsoft’s first Patch Tuesday of 2026 has a nasty wrinkle: the January 13 cumulative update (KB5074109) introduced a client-side regression that can prevent the Windows App from completing credential prompts, blocking Azure Virtual Desktop (AVD) and Windows 365 (Cloud PC) connections for many enterprise-managed endpoints — Microsoft has acknowledged the problem, published Known Issue Rollback guidance for managed fleets, and recommended temporary workarounds while engineering prepares an out‑of‑band fix.

Background

The January 13, 2026 cumulative update identified as KB5074109 was released as Microsoft’s first security and quality rollup of the year. It bundles a mix of security hardenings, quality fixes (including an NPU idle power fix and Secure Boot certificate rollout changes), and platform updates that Microsoft says improve reliability across Windows client SKUs. The cumulative update corresponds to OS builds 26100.7623 and 26200.7623 for affected Windows 11 channels. Among the items listed in the KB, Microsoft also called out a Known Issue: credential prompt failures may occur during Remote Desktop connections using the Windows App on affected Windows client builds, impacting Azure Virtual Desktop and Windows 365. The vendor’s published mitigation path for managed environments is a Known Issue Rollback (KIR) delivered as Group Policy/MSI artifacts; Microsoft also advised using alternative connection paths — the Remote Desktop (classic MSRDC) client or the Windows App web client — until a fix ships. Internally and in community channels the failure presents as an immediate authentication error when clicking Connect in the Windows App: users see messages such as “Unable to Authenticate” or error codes like 0x80080005 (with zeroed extended codes reported in some reproductions). Uninstalling the LCU restores connectivity in many cases, and Microsoft’s KIR is intended as a surgical rollback that preserves the rest of the KB’s security fixes for managed fleets.

Why this matters now

Cloud‑hosted desktops (Azure Virtual Desktop and Windows 365 Cloud PCs) are mission‑critical for many organizations that depend on them for secure remote work, application access, and desktop provisioning. A failure at the client‑side credential prompt stage halts session establishment before a session is created, creating a synchronous outage for users during work hours. That immediate productivity impact differs from backend cloud outages and makes the regression especially painful because it can be widespread across an organization’s fleet immediately after patch deployment.
Two operational realities amplify the problem:
  • Many enterprises deploy cumulative updates broadly and rapidly; an unexpected regression in a widely distributed LCU can produce a sudden spike in helpdesk tickets and lost work time.
  • The blunt remedy — uninstalling the LCU — removes important security fixes, forcing teams to choose between restoring availability and preserving security posture. KIR exists precisely to avoid that trade‑off for managed fleets, but KIR requires active enterprise distribution via Group Policy or device management.

Technical anatomy: what’s failing and where

The failure mode, in plain terms

Available public evidence and community reproductions point to a client‑side regression in the credential prompt or SSO handshake that occurs when the Windows App (the unified desktop launcher introduced by Microsoft’s 2024 rebrand) initiates a Remote Desktop/AVD connection. The failure manifests before a full session is established: the client never completes the authentication exchange with the AVD gateway or Entra ID, and the connection fails with an authentication error. That behavior indicates the bug sits in the local prompt/token exchange layer rather than in Azure’s backend control plane.

Why client-side regressions are high impact

Cloud PC and AVD session establishment is a chain of dependent components: the local host app (Windows App / RD client), OS authentication subsystems (SSO tokens, WebAuthn/PKU2U hooks, Entra ID flows), the network path to Azure gateways, and the cloud session host orchestration. A break in any gatekeeper on the client side prevents session negotiation from proceeding, producing immediate user-facing failures even when cloud services themselves are healthy. That dependency chain explains why users see instant failures after clicking Connect.

What Microsoft has said publicly

Microsoft’s KB entry for KB5074109 includes a Known Issues note describing the symptom and recommending mitigation: apply the KIR for managed environments, or use the Remote Desktop client or the Windows App web client as temporary workarounds. Microsoft also stated an out‑of‑band (OOB) update is planned to remediate the regression. The KB lists affected OS build numbers and provides the required Group Policy artifacts for KIR deployment.

Cross‑verification (why we trust these claims)

  • Microsoft’s official KB for the January 13 release documents the Known Issue language and the available mitigations, including KIR artifacts and temporary connection options. That is the primary authoritative source.
  • Independent reporting and community reproduction appeared within hours of the roll‑out: multiple outlets and forum threads confirmed users and admins experiencing immediate “Unable to Authenticate” or similar errors when using the Windows App to launch AVD/Cloud PC sessions. The Register and Windows Central reproduced and reported the same symptom and Microsoft’s mitigation guidance.
  • Community troubleshooting threads and administrators’ posts show that uninstalling the KB or applying the supplied KIR restores connectivity, consistent with Microsoft’s description of a client-side regression. Those community reproductions provide corroborating operational telemetry, though they are not replacements for vendor telemetry.
Where precise engineering root‑cause details are absent from public Microsoft posts, statements about the exact code path remain unverified and should be treated with caution. Microsoft’s advisory frames the issue functionally (credential prompt failures) rather than offering a line‑by‑line post‑mortem; until Microsoft publishes a deeper post‑fix analysis, any claims about a specific module or function call are speculative.

Practical, prioritized playbook for IT teams

Below is a concise, ordered sequence organizers should follow. Deploy these steps in the priority that matches your environment’s risk profile.
  • Identify impacted endpoints (inventory)
      • Query for installed package or check OS build (winver.exe or DISM /online /get-packages to find KB5074109). Flag devices using Windows App as their AVD/Cloud PC launcher.
  • Pause further rollout
      • Stop pushing KB5074109 to additional rings (Windows Update for Business, WSUS, MECM/Intune deployment rings) until you can validate.
  • Preferred remediation: apply Known Issue Rollback (KIR)
      • Download the vendor MSI/Group Policy definition that matches your Windows version and deploy via Group Policy or your device management system. Devices must be restarted after applying the KIR. This disables only the specific change that caused the regression while preserving other LCU fixes.
  • If KIR is not an option: use temporary connection workarounds
      • Instruct users to use the classic Remote Desktop client (MSRDC) or the Windows App web client (browser-based) to connect to AVD/Windows 365 until the fix is available. These are vendor‑recommended temporary measures.
  • Last‑resort rollback: uninstall KB5074109
      • Only if KIR is not available and user impact is severe. Uninstalling the LCU removes the regression but also removes security fixes delivered in KB5074109; treat this as an operational security decision and limit to critical endpoints. Use documented DISM commands to remove the LCU and validate afterward.
  • Communicate with helpdesk and end users
      • Provide scripts and step instructions for the alternate connection methods and a timeline for remediation. Keep a log of affected devices and create an escalation path to Azure service health if cloud-side anomalies are suspected.
  • Monitor Microsoft Release Health and plan for OOB patch
      • Microsoft indicated an out‑of‑band remedial update would be released in the coming days; track Release Health and apply the fix to pilot rings before broad deployment. Note that some reports flagged a delay in making KIR entries visible on the Release Health dashboard — monitor both KB pages and Azure service health for updates.

Deployment checklist (quick reference)

  • Inventory: list devices with KB5074109 installed (DISM or endpoint management telemetry).
  • Pilot: stage KIR and the eventual OOB remedial update to a small representative ring first.
  • Workarounds: web client or MSRDC ready in corporate communications and helpdesk scripts.
  • Rollback readiness: tested uninstall scripts and rollback playbooks (DISM sequences).
  • Monitor: Microsoft Release Health, Azure Service Health, and internal endpoint telemetry for authentication/SSO failures.
  • Communication: scripted user guidance and ticket triage templates.

Security, productivity, and governance trade‑offs

This incident emphasizes a perennial trade‑off in enterprise servicing:
  • Security: KB5074109 delivers genuine security and reliability fixes (Secure Boot certificate readiness, NPU battery behavior fixes, and removal of legacy modem drivers that reduce attack surface). Removing the LCU indiscriminately increases attack surface and should be avoided unless absolutely necessary.
  • Productivity: AVD/Cloud PC inaccessibility prevents end users from doing their jobs; the immediate operational cost can outweigh the abstract risk of delayed security patches in environments where remote sessions are the primary desktop.
  • Governance: Known Issue Rollback is an enterprise‑oriented mitigation designed to surgically disable a regression without uninstalling the whole package. It requires active policy distribution and restart management — an operational burden many organizations can absorb but which smaller shops may find onerous.
For many administrators, KIR is the practical middle ground: it restores availability while keeping most security corrections in place.

Broader context: update cadence and the risk surface

The January regression is not an isolated phenomenon. Over the past 18 months Microsoft’s faster servicing cadence — more bundled LCUs, platform binaries, and modular AppX updates — has reduced the time between fixes and introduced more interdependent packaging paths. Complex interactions between local OS changes, authentication stacks, and cloud orchestration increase the odds of regression in edge cases (non‑persistent VDI images, enterprise authentication agents, or custom imaging pipelines). Recent incidents (XAML package registration timing, HTTP.sys loopback regressions, Kerberos edge cases) illustrate the same systemic fragility: small servicing changes can cascade into visible user disruptions in provisioning or cloud‑desktop scenarios. Administrators should adopt a ringed deployment model and retain tested rollback procedures.

What went right and what went wrong

Strengths

  • Microsoft published a formal Known Issue entry inside the KB and supplied KIR artifacts for managed environments, which is the correct operational approach for enterprise-grade rollouts: identify the problem, offer a surgical rollback, and follow up with a remedial update.
  • The presence of a web‑client fallback and the classic Remote Desktop client gives administrators immediate, supported alternative connectivity options that don’t require full rollback.

Weaknesses and risks

  • The regression struck a high‑impact user flow (Cloud PC / AVD) that many organizations treat as their primary desktop. That made the incident particularly visible and disruptive.
  • Some reports indicate KIR availability and Release Health publication were not perfectly synchronized, producing confusion for admins checking the official dashboard versus KB assets and community threads. Microsoft needs clearer, faster visibility across both enterprise communications channels and the Release Health dashboard in urgent cases.
  • The ultimate root cause hasn't been disclosed in public engineering detail. Without a detailed post‑mortem, administrators lack the full telemetry needed to tune detection and remediation scripts for future incidents — a gap that should be closed after the fix rolls out.

Actionable advice for non‑IT readers (what to do right now)

  • If you use Windows App to connect to Windows 365 or AVD and see an immediate “Unable to Authenticate” error, try the browser web client for Windows App or the classic Remote Desktop app to continue work until your organization applies KIR or receives Microsoft’s remedial update.
  • If you are a home user on an unmanaged device and encounter problems, check Windows Update history and consider whether uninstalling the update is worth the trade‑off — but only as a last resort and with an understanding that you will lose other security fixes. Coordinate with IT if your device is managed.

Looking ahead: what to expect from Microsoft

Microsoft has said engineering is actively working on a resolution and plans to ship an out‑of‑band update in the coming days to address the Windows App credential prompt regression. Administrators should expect an OOB remedial update targeted at the affected client builds; after it is shipped, KIR artifacts will be withdrawn because the underlying fix will render the rollback unnecessary. Continue to watch the KB page and Azure Service Health for the remedial package and follow your internal change control processes when applying OOB updates.

Conclusion

KB5074109 was intended as a security-and-quality rollup but produced a regrettable, high‑impact regression for a critical cloud-desktop workflow: the Windows App’s credential prompt handling. Microsoft responded in the right operational channels — publishing a Known Issue, offering a KIR for enterprise fleets, and recommending Web and classic RD client workarounds — but the incident underscores the persistent tension between delivering rapid security hardenings and preserving operational stability in large, heterogeneous fleets. Organizations must lean on disciplined pilot rings, maintain tested rollback procedures (KIR or uninstall scripts), and be prepared to apply short-term workarounds while waiting for Microsoft’s OOB remedial update. For admins, the immediate priorities are inventory, KIR deployment (where feasible), and clear user communications; for Microsoft, the priority is a rapid remedial update plus a clear post‑mortem so administrators can understand root cause and harden their test matrices against similar regressions in future servicing waves.
Source: The Register Windows App breaks logins with first 2026 security patch
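
The inventory step in both posts above (check the OS build, then look for KB5074109 in the installed packages) can be scripted per device; this is an added example, not code from either post or from Microsoft. It assumes the cumulative update may appear in DISM under a Package_for_RollupFix identity carrying the build revision rather than the KB number, so it matches on either; the function name and output fields are hypothetical.

```powershell
#Requires -Version 5.1
# Added example (not from the posts or from Microsoft): local inventory check for KB5074109.
# Run from an elevated prompt; Get-WindowsPackage needs administrator rights.

function Get-Kb5074109Status {
    [CmdletBinding()]
    param(
        [string]   $KbId           = 'KB5074109',
        [string[]] $AffectedBuilds = @('26100', '26200'),  # OS builds named in the KB entry
        [int]      $AffectedUbr    = 7623                  # revision in 26100.7623 / 26200.7623
    )

    # Build and revision, the same values winver.exe displays.
    $cv    = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'
    $build = [string]$cv.CurrentBuild
    $ubr   = [int]$cv.UBR

    # Installed-update view, keyed by KB number.
    $hotfix = Get-HotFix -Id $KbId -ErrorAction SilentlyContinue

    # DISM view, equivalent to "DISM /online /get-packages".
    # Assumption: the LCU may be listed as Package_for_RollupFix~...~<build>.<revision>.x
    # without the KB number in its name, so match the KB digits OR the affected revision.
    $kbDigits = $KbId -replace '\D', ''
    $packages = @(
        Get-WindowsPackage -Online -ErrorAction Stop |
            Where-Object {
                $_.PackageState -eq 'Installed' -and (
                    $_.PackageName -like "*$kbDigits*" -or
                    ($_.PackageName -like 'Package_for_RollupFix*' -and
                     $_.PackageName -like "*.$AffectedUbr.*")
                )
            }
    )

    [pscustomobject]@{
        ComputerName    = $env:COMPUTERNAME
        OsBuild         = "$build.$ubr"
        # True only while the device sits exactly on one of the builds the KB lists.
        OnAffectedBuild = ($AffectedBuilds -contains $build) -and ($ubr -eq $AffectedUbr)
        HotFixListed    = [bool]$hotfix
        InstalledOn     = if ($hotfix) { $hotfix.InstalledOn } else { $null }
        # Exact identity string to record in the rollback playbook, if the
        # last-resort uninstall is ever approved for this device.
        PackageIdentity = $packages.PackageName -join '; '
    }
}

Get-Kb5074109Status | Format-List
```

Collecting this object from each endpoint through your management tooling gives the list of devices to target with KIR first, and shows which devices have already moved past the affected revision.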
 
