Microsoft kicked off 2026 with a massive January Patch Tuesday — 114 security vulnerabilities including one actively exploited zero-day, two publicly disclosed vulnerabilities, and eight critical flaws. Large January releases are common as vendors defer patches during the holidays, but this one came with an unwelcome bonus: the update itself broke Remote Desktop authentication and shutdown functionality for many organizations, forcing Microsoft to issue emergency out-of-band fixes four days later.
The Actively Exploited Zero-Day: CVE-2026-20805
CVE-2026-20805 is an information disclosure vulnerability in the Windows Desktop Window Manager (DWM). While it doesn't directly enable code execution, it leaks memory information that attackers can use to bypass ASLR and other security protections, making more serious exploits viable. Microsoft confirmed exploitation in the wild. Rated Important with a CVSS score of 5.5, it's the kind of vulnerability that shows up in exploit chains — patch it, because the attackers already have.
Critical Vulnerabilities Worth Prioritizing
Eight vulnerabilities received Critical severity ratings this month. The most concerning are remote code execution flaws in LSASS (the Local Security Authority Subsystem Service) and several Office applications. Elevation of privilege flaws dominated the release at 50% of all patches, followed by remote code execution at 19% and information disclosure at 19%.
WSUS received a fix for CVE-2026-20856 — a reminder that even the patch delivery infrastructure itself needs patching. Internet-facing WSUS servers should be updated first, followed by SMB servers and Office endpoints.
The Update That Broke Everything
Within days of the January 13 release, organizations began reporting two serious regressions introduced by the update itself:
Remote Desktop authentication failures: KB5074109 broke the RDP credential handshake, causing the Windows App client and other RDP clients to fail authentication. Azure Virtual Desktop and Windows 365 Cloud PC connections were disrupted. Credential prompt loops generated Event ID 4625 storms and triggered account lockout policies across enterprises.
Shutdown/hibernate regression: Windows 11 23H2 devices with System Guard Secure Launch enabled began restarting instead of shutting down or entering hibernation. Enterprise and Education SKUs were primarily affected.
Microsoft issued emergency out-of-band patches (KB5077744 and KB5077797) on January 17. However, these OOB updates must be installed manually — they are not delivered through Windows Update. Server 2016 received no OOB fix at all, leaving administrators with no option but to uninstall KB5073722 entirely.
Why This Matters for Patch Management Strategy
The January 2026 incident is a textbook case for why ring-based deployment with automated validation gates exists. Organizations that deployed the January update to their entire fleet on day one experienced widespread disruption. Organizations running pilot rings with boot verification, event log monitoring, and health signal validation caught the regression before it hit production.
The remediation path — manually installing OOB updates that aren't in WSUS or Windows Update — also highlights the limitations of relying solely on Microsoft's built-in tooling for patch delivery. When the fix for a broken patch requires manual intervention across thousands of endpoints, you need automation infrastructure that goes beyond what Intune or WSUS provide out of the box.