Microsoft released its January 2026 Patch Tuesday updates for Windows 11 and 10, addressing 114 security vulnerabilities, including one actively exploited zero-day and two publicly disclosed flaws. The updates, KB5074109 for Windows 11 versions 24H2/25H2 and KB5073455 for 23H2, also delivered networking fixes for Windows Subsystem for Linux (WSL) and Azure Virtual Desktop. But the real headline is buried in the release notes: the Secure Boot certificates most Windows devices rely on begin expiring in June 2026, potentially leaving millions of devices unable to receive Secure Boot and boot manager security updates.
The Zero-Day Reality: CVE-2026-20805 Under Active Attack
This month’s most urgent fix addresses CVE-2026-20805, an information disclosure vulnerability in Desktop Window Manager (DWM) that Microsoft confirms is being exploited in the wild. Microsoft rated it CVSS 7.8 (High) but, as is standard while exploitation is ongoing, published no details about attack vectors or the threat actors involved. The vulnerability lets an attacker who already has local access read sensitive memory through the Windows compositing engine that renders window visual effects and transparency. Information disclosure bugs of this kind are rarely the whole attack; in practice they are chained with a separate code-execution or privilege-escalation flaw to defeat mitigations such as ASLR, which is one reason Microsoft treats a local 7.8 as urgent.
The two publicly disclosed flaws, CVE-2026-21265 (Secure Boot certificate expiration bypass) and CVE-2023-31096 (Windows Agere Soft Modem Driver privilege escalation), were not known to be actively exploited at release time, but proof-of-concept code was circulating in security communities. Microsoft rated CVE-2026-21265 “Exploitation More Likely” and CVE-2023-31096 “Exploitation Less Likely.” The fix for the modem driver vulnerability was blunt: rather than patching the code, Microsoft removed the legacy drivers entirely, breaking compatibility for decades-old dial-up modems that rely on agrsm64.sys, agrsm.sys, smserl64.sys, and smserial.sys.
| CVE | Severity | Component | Status | Impact |
|---|---|---|---|---|
| CVE-2026-20805 | 7.8 High | Desktop Window Manager | Actively exploited | Information disclosure |
| CVE-2026-21265 | 6.2 Medium | Secure Boot | Publicly disclosed | Certificate bypass |
| CVE-2023-31096 | 7.8 High | Agere Modem Driver | Publicly disclosed | Privilege escalation |
The June 2026 Secure Boot Certificate Apocalypse
Buried in Microsoft’s release documentation is a warning that dwarfs the monthly vulnerability fixes: the Secure Boot certificates used by most Windows devices begin expiring in June 2026, potentially affecting every Windows PC and server manufactured since 2012. Without updated certificates, devices lose the ability to receive Secure Boot security updates (new DB and DBX content), cannot trust new bootloaders and components signed under the 2023 certificates, and won’t receive Windows Boot Manager security fixes after October 2026.
Secure Boot checks the digital signature of every boot component the firmware loads (boot managers, option ROMs, third-party UEFI drivers) against the certificates stored in the firmware’s Signature Database (DB), preventing rootkits and bootkits such as BlackLotus (which abused CVE-2023-24932) from taking control before the operating system and its security software load. The Key Exchange Key (KEK) database holds the certificates allowed to authorize updates to DB and DBX. Most Windows devices rely on three Microsoft certificates that have been unchanged since Windows 8 launched in 2012: Microsoft Corporation KEK CA 2011 in the KEK, and Microsoft Windows Production PCA 2011 plus Microsoft Corporation UEFI CA 2011 in the DB. These 2011-dated certificates expire 15 years after issuance and are being replaced by 2023-dated successors (Microsoft Corporation KEK 2K CA 2023, Windows UEFI CA 2023, and Microsoft UEFI CA 2023).
What Actually Happens After June 2026
Contrary to fear-mongering headlines, systems won’t suddenly stop booting when the certificates expire. UEFI firmware has no trusted time source and does not enforce certificate validity periods during signature verification, so boot files signed under the 2011 certificates will keep validating and Windows will keep starting. The problem is on the signing side: Microsoft cannot issue new signatures under an expired CA, so every new boot manager, DBX revocation, or third-party component from that point on must be signed by the 2023 CAs, which a device that still trusts only the 2011 certificates will reject. The real consequences therefore manifest gradually:
June 2026: Devices still trusting only the 2011 certificates cannot install Secure Boot security updates. Any new bootloader, DBX revocation, or Windows Boot Manager fix Microsoft releases after this date won’t install on those systems. Third-party components signed under the 2023 certificates, including UEFI drivers, option ROMs, and boot components, won’t be trusted either, forcing manual workarounds or security policy exceptions.
October 2026: Microsoft stops issuing Windows Boot Manager security fixes compatible with 2011 certificates. This represents the hard cutoff where devices without updated certificates become permanently vulnerable to boot-level exploits that Microsoft discovers but cannot patch through normal channels.
Affected systems: Every Windows 10, 11, and Server version released since 2012 including Long-Term Servicing Channel (LTSC) editions. Physical PCs, laptops, virtual machines in Hyper-V, VMware, Azure, AWS — anything using Secure Boot. Even macOS systems using Boot Camp fall under this umbrella, though Apple’s guidance remains separate.
How Microsoft Is (Quietly) Deploying the Fix
Starting with January 2026’s KB5074109, Windows quality updates include device targeting data identifying systems eligible for automatic certificate updates. Microsoft’s strategy uses “high-confidence” telemetry to phase new certificates only to devices that demonstrate successful update history and compatible firmware. This cautious rollout aims to prevent bricking systems with outdated UEFI implementations that might reject the 2023 certificates.
For the majority of consumer devices receiving automatic Windows Updates, no action is required — Microsoft will silently deploy updated certificates over coming months. Enterprise IT administrators managing Windows devices must take deliberate steps:
1. Inventory devices: Use PowerShell scripts or read the UEFICA2023Status value under HKLM\SYSTEM\CurrentControlSet\Control\SecureBoot\Servicing to identify which systems already have the 2023 certificates versus those still using the 2011 versions. Focus on uncommon hardware configurations Microsoft might not auto-update because it lacks telemetry confidence for them.
2. Update firmware first: Contact OEMs (Dell, HP, Lenovo, etc.) for latest BIOS/UEFI firmware supporting certificate updates. Some older devices lack the firmware capability to accept new certificates, requiring hardware refresh for continued Secure Boot functionality. Dell began shipping dual 2011/2023 certificates in late 2024, enabling legacy image compatibility during transition.
3. Deploy via Group Policy or registry: IT departments can manually push the 2023 certificates using Group Policy objects or registry updates that trigger the Secure Boot servicing task. Microsoft Intune support via a Configuration Service Provider (CSP) is planned but not yet available as of January 2026. Separately, Windows Deployment Services (WDS) now disables hands-free deployment by default, so imaging pipelines that depended on it need explicit administrator configuration.
4. Monitor with Event Viewer: Event ID 1795 in Windows Logs > System indicates that the certificate update was handed to the firmware and the firmware rejected it. This signals OEM firmware incompatibility requiring vendor-specific firmware updates or hardware replacement.
The Technical Details: What Actually Changed
Beyond the security fixes and Secure Boot groundwork, January 2026’s updates delivered several operational improvements. WSL users experienced “No route to host” errors after November’s KB5067036 broke mirrored networking—this patch restores VPN connectivity for corporate resources accessed through Windows Subsystem for Linux. Azure Virtual Desktop administrators saw RemoteApp connection failures resolved, eliminating a frustrating issue causing enterprise productivity loss.
The WinSqlite3.dll core component received updates after security scanners flagged it as vulnerable — Microsoft clarifies this Windows component differs from application-specific sqlite3.dll files. Power efficiency improved on NPU-equipped devices where systems remained awake during idle periods, draining battery unnecessarily. Windows Deployment Services changed default behavior to disable hands-free deployment, hardening against potential security risks in automated deployment scenarios.
Known issues persist: the password icon remains invisible on lock screens after installing August 2025’s KB5064081 or later, though the password option still functions when hovering over blank space. Microsoft deployed Known Issue Rollback (KIR) with Group Policy workarounds, but hasn’t fixed the root cause as of this release.
The Community Backlash: “Downgrade to Windows 10”
User sentiment on social media reveals frustration extending beyond security patches. Comments like “You can keep your AI garbage, might plan on downgrading to Windows 10” reflect dissatisfaction with Windows 11’s direction — forced Microsoft account requirements, integrated Copilot AI features users didn’t request, and design changes prioritizing aesthetics over workflow efficiency.
The irony: Windows 10 reached end of support in October 2025. Users “downgrading” must either enroll in the consumer Extended Security Updates (ESU) program, a one-year bridge costing $30 (or free with Windows Backup or Microsoft Rewards enrollment) that ends in October 2026, or run unpatched systems exposed to known exploits. Windows 10 ESU subscribers face the same Secure Boot certificate expiration through KB5073724, making the downgrade strategy security theater rather than genuine protection.
The deeper tension surfaces in how Microsoft communicates priorities. Secure Boot certificate expiration — affecting potentially hundreds of millions of devices — warranted a single bullet point in release notes, while December’s updates prominently featured Click to Do context menu redesigns and automatic image detection. Users perceive Microsoft prioritizing convenience features and AI integration over foundational security transparency.
What IT Administrators Should Do Now
Immediate actions (January-March 2026): Run certificate inventory scripts across enterprise devices. Identify hardware lacking 2023 certificate support through OEM documentation. Begin firmware update cycles for compatible devices, prioritizing mission-critical systems and public-facing infrastructure. Test certificate deployment on non-production systems to validate compatibility with custom images, security policies, and third-party boot components.
April-May 2026: Execute phased certificate rollout to production environments using Group Policy or manual registry updates for managed devices. Monitor Event Viewer logs for Event ID 1795 failures indicating firmware incompatibility. Budget for hardware refresh where OEMs confirm devices cannot support 2023 certificates due to aging UEFI implementations.
Post-June 2026: Verify through automated auditing that all enterprise systems report UEFICA2023Status as “Updated” and actually carry the 2023 certificates in their KEK and DB. Establish exception processes for legacy systems that cannot receive certificate updates but remain operationally necessary; these devices require network isolation, enhanced monitoring, and documented compensating controls to maintain security posture despite expired certificates.
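The inventory and monitoring steps above (steps 1 and 4 of the administrator checklist, and the pre- and post-June verification in this timeline) can be collapsed into one audit script. The following PowerShell is an added example written for this article, not a Microsoft-provided script. Instead of only reading the registry status, it parses the firmware’s KEK and DB variables directly (the EFI_SIGNATURE_LIST layout from the UEFI specification), so it reports the actual certificates present and their NotAfter dates, which is the clearest way to see the June and October 2026 expiries on a given machine. Assumptions to verify against Microsoft’s current Secure Boot servicing guidance: the registry value names UEFICA2023Status and WindowsUEFICA2023Capable under the Servicing key, Event ID 1795 as the firmware-rejection event, and the 2023 certificate common names matched below. Run it elevated on one device, or fan it out with Invoke-Command and collect the objects into a CSV.

```powershell
#Requires -RunAsAdministrator
# Secure Boot 2023 CA readiness audit (added example, not Microsoft's tooling).
[CmdletBinding()]
param(
    [datetime]$ExpiryCutoff   = [datetime]'2026-12-31', # flag certs expiring on/before this date
    [int]$EventLookbackDays   = 30
)

$ServicingKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecureBoot\Servicing'  # assumption: per MS guidance
$X509Guid     = [guid]'a5c059a1-94e4-4aa7-87b5-ab155c2bf072'                   # EFI_CERT_X509_GUID

function Get-EfiSignatureCerts {
    # Walk the chain of EFI_SIGNATURE_LIST structures stored in a db/KEK variable:
    #   GUID SignatureType | UINT32 SignatureListSize | UINT32 SignatureHeaderSize
    #   | UINT32 SignatureSize | header[SignatureHeaderSize]
    #   | N x (GUID SignatureOwner + SignatureData)
    # and return every X.509 certificate found.
    param([byte[]]$Bytes)
    $offset = 0
    while ($offset + 28 -le $Bytes.Length) {
        $type       = [guid]::new([byte[]]$Bytes[$offset..($offset + 15)])
        $listSize   = [BitConverter]::ToUInt32($Bytes, $offset + 16)
        $headerSize = [BitConverter]::ToUInt32($Bytes, $offset + 20)
        $sigSize    = [BitConverter]::ToUInt32($Bytes, $offset + 24)
        # Bail out on a malformed list instead of looping forever on bad firmware data.
        if ($listSize -lt 28 -or $sigSize -lt 17 -or $offset + $listSize -gt $Bytes.Length) { break }
        if ($type -eq $X509Guid) {
            $pos = $offset + 28 + $headerSize
            while ($pos + $sigSize -le $offset + $listSize) {
                $der = [byte[]]$Bytes[($pos + 16)..($pos + $sigSize - 1)]  # skip SignatureOwner GUID
                try { [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($der) } catch { }
                $pos += $sigSize
            }
        }
        $offset += $listSize
    }
}

function Get-SecureBootCertInventory {
    # One row per certificate in KEK and db, with the expiry date the firmware ignores.
    foreach ($var in 'KEK', 'db') {
        $bytes = (Get-SecureBootUEFI -Name $var -ErrorAction Stop).Bytes
        foreach ($cert in (Get-EfiSignatureCerts -Bytes $bytes)) {
            [pscustomobject]@{
                Variable   = $var
                Subject    = $cert.GetNameInfo('SimpleName', $false)
                NotAfter   = $cert.NotAfter
                Thumbprint = $cert.Thumbprint
            }
        }
    }
}

function Test-HasCert {
    param($Inventory, [string]$Variable, [string]$NamePattern)
    [bool]($Inventory | Where-Object { $_.Variable -eq $Variable -and $_.Subject -like "*$NamePattern*" })
}

$secureBootOn = $false
try { $secureBootOn = Confirm-SecureBootUEFI -ErrorAction Stop } catch { }   # throws on legacy BIOS

$inventory  = if ($secureBootOn) { @(Get-SecureBootCertInventory) } else { @() }
$svc        = Get-ItemProperty -Path $ServicingKey -ErrorAction SilentlyContinue
$rejections = @(Get-WinEvent -FilterHashtable @{
        LogName = 'System'; Id = 1795; StartTime = (Get-Date).AddDays(-$EventLookbackDays)
    } -ErrorAction SilentlyContinue)

$kek2023  = Test-HasCert $inventory 'KEK' 'Microsoft Corporation KEK 2K CA 2023'
$win2023  = Test-HasCert $inventory 'db'  'Windows UEFI CA 2023'
$uefi2023 = Test-HasCert $inventory 'db'  'Microsoft UEFI CA 2023'
$expiring = @($inventory | Where-Object { $_.NotAfter -le $ExpiryCutoff })

$verdict = if (-not $secureBootOn)                       { 'SecureBootDisabled' }
           elseif ($kek2023 -and $win2023 -and $uefi2023) { 'Ready2023' }
           elseif ($rejections.Count -gt 0)               { 'FirmwareRejectedUpdate' }
           elseif ($svc.UEFICA2023Status -eq 'InProgress') { 'RolloutInProgress' }
           else                                           { 'Needs2023Certs' }

$ver = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'
[pscustomobject]@{
    ComputerName             = $env:COMPUTERNAME
    OSBuild                  = "$($ver.CurrentBuild).$($ver.UBR)"   # e.g. 26100.7623 after KB5074109
    SecureBoot               = $secureBootOn
    UEFICA2023Status         = $svc.UEFICA2023Status
    WindowsUEFICA2023Capable = $svc.WindowsUEFICA2023Capable
    Kek2023                  = $kek2023
    WindowsCa2023            = $win2023
    UefiCa2023               = $uefi2023
    ExpiringCerts            = ($expiring | ForEach-Object { "$($_.Subject) ($($_.NotAfter.ToString('yyyy-MM-dd')))" }) -join '; '
    Event1795Count           = $rejections.Count
    Verdict                  = $verdict
}
```

Two design points. First, the verdict is driven by what is actually in the firmware variables, not by the registry status alone: a device can report UEFICA2023Status as Updated while the firmware silently dropped the write, and a parsed DB catches that. Second, the ExpiringCerts column is the evidence to hand to stakeholders who believe expired certificates will stop machines booting; it shows the dates while the Verdict column shows whether the device can still receive signed updates, which is the question that matters.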
Deployment Resources and Installation
Windows 11 builds 26100.7623 (24H2) and 26200.7623 (25H2) install automatically through Windows Update or via Microsoft Update Catalog for offline scenarios. Version 23H2 updates to build 22631.6491 through KB5073455. SCCM administrators navigate to Software Library > Software Updates > All Software Updates, synchronize WSUS, then search KB5074109 or KB5073455 for deployment package creation.
Uninstall instructions: Settings > Windows Update > Update history > Uninstall updates, then locate KB5074109 or KB5073455. Note that uninstalling the update re-exposes the system to the actively exploited DWM flaw, the two publicly disclosed flaws, and the 111 other CVEs addressed in this release. Only roll back when the update causes operational failures that outweigh that risk, and reinstall as soon as the blocking issue is resolved.
The Bigger Picture: Microsoft’s Security Communication Problem
January 2026’s Patch Tuesday exemplifies Microsoft’s ongoing challenge balancing routine maintenance with existential system changes. The three zero-day fixes merit immediate installation—no controversy there. But the Secure Boot certificate expiration represents the largest coordinated Windows security infrastructure change since the Windows 10 to 11 migration, yet receives minimal prominence in user-facing communications.
Microsoft’s IT Pro blog published detailed guidance, technical documentation spans dozens of pages, and PowerShell scripts exist for enterprise deployment. This information remains invisible to small businesses, prosumers, and individual users who don’t monitor Microsoft Tech Community—the audience most likely to experience boot security degradation after June without understanding why.
The contrast with consumer-facing AI feature announcements is stark. Copilot integration, Windows Studio Effects, Click to Do enhancements—these receive prominent notification banners, Start menu promotions, and mainstream press coverage. Secure Boot certificates get buried in patch notes IT professionals must actively seek. The disparity reveals Microsoft’s ongoing tension between Windows as enterprise infrastructure requiring deliberate security stewardship versus Windows as consumer platform emphasizing convenience and visible innovation.
As devices approach the June 2026 deadline without updated certificates, expect support forums and social media to flood with confused users wondering why their PCs no longer receive security updates despite appearing to function normally. Microsoft’s phased automatic deployment should mitigate most consumer impact, but edge cases—custom-built PCs, modified UEFI configurations, corporate devices managed by understaffed IT departments—will surface exceptions requiring manual intervention that typical users lack expertise to execute.
For now, install January 2026’s patches immediately for the zero-day fixes, monitor your organization’s certificate status if managing enterprise systems, and bookmark Microsoft’s Secure Boot guidance. The next five months represent a narrow window to prepare for certificate transition—waiting until June means troubleshooting boot security issues under deadline pressure rather than methodically validating compatibility today.