Microsoft’s January Patch Tuesday arrived like a wake‑up call: across Windows, Office and supporting components the company shipped roughly 112–114 security fixes and several stability changes — and at least one of those flaws is already being weaponized in the wild.
The practical upshot is simple and awkward at the same time: you should plan to patch, but patching without testing could break some workflows.
What landed (and why it matters)
- Active zero‑day: CVE‑2026‑20805, an information‑disclosure bug in the Desktop Window Manager (DWM), is confirmed as actively exploited. Despite a middling CVSS score, the flaw can reveal memory layout information and be chained into more powerful attacks. U.S. authorities have added it to the Known Exploited Vulnerabilities catalog with a rapid remediation window.
- Big numbers: Microsoft addressed roughly 112–114 CVEs across Windows, Office and related products. Eight were rated critical and several were flagged as zero‑day or already exploited.
- Secure Boot certificate work: Microsoft rolled out new Secure Boot certificates to replace ones dating from 2011. If devices don’t receive the updated 2023 certificates before the older ones expire later this year, Secure Boot could stop trusting components or stop receiving future fixes.
- Driver removals: Microsoft removed legacy Agere/Motorola soft‑modem drivers (agrsm64.sys, agrsm.sys, smserl64.sys, smserial.sys) to close a long‑standing elevation‑of‑privilege vector. Systems that actually rely on those drivers will lose modem functionality after the update.
- Windows 10 ESU and KB5073724: Windows 10’s first 2026 security update (KB5073724) is available to devices enrolled in Extended Security Updates (ESU). Microsoft says ESU enrollment is open through 13 October 2026; some users can get ESU fixes at no cash cost if they sign into a Microsoft account and allow settings sync via OneDrive.
- Windows 11 cumulative (KB5074109) and side effects: the Windows 11 January rollup patches a large set of vulnerabilities and fixes — including an NPU battery‑drain bug — but reports surfaced of severe regressions. Notably, some Azure Virtual Desktop (AVD) and Windows 365 Cloud PC connections fail with authentication errors (0x8008005), and some gamers reported sizable FPS drops, especially on NVIDIA systems.
Who should rush and who should wait
If you run consumer PCs that aren’t tied to remote desktop pools or legacy modem hardware: install the updates. The risk from actively exploited bugs and dozens of elevation and RCE fixes outweighs most short‑term compatibility pain.
If you manage enterprise fleets, remote desktop farms, or gaming rigs: exercise caution.
- Prioritize Windows and Office patches first (Outlook/File Explorer Preview Pane bugs allow code execution simply by previewing a crafted message). If you can’t deploy immediately, temporarily disabling the Preview Pane is an effective mitigation.
- Test Desktop Window Manager changes aggressively. DWM updates were marked high‑risk and can affect UI rendering, themes, multi‑monitor scaling and remote session behavior.
- Audit for legacy hardware that depends on removed soft‑modem drivers before mass deployment.
Known problems and short‑term workarounds
- AVD / Cloud PC authentication failures: Microsoft is preparing an out‑of‑band fix, but in the meantime affected users should connect via the Remote Desktop client for Windows (MSRDC) or the Windows App Web Client instead of the Windows App.
- Gaming performance drop: some users report frame‑rate decreases after installing KB5074109. Gamers dependent on top performance may delay the update for a short, measured period while monitoring vendor fixes (drivers or hotfixes).
- Secure Boot certificate rollout: Microsoft is doing a phased deployment of the new 2023 certificates to avoid bricking devices. Still, when updating bootloaders or BIOS/UEFI, coordinate with OEM guidance — incorrect remediation can leave systems unbootable.
Quick action checklist
- For home users: check Windows Update and install the January bundles. If you use Outlook, make sure Office updates are applied.
- For admins: prioritize Windows and Office updates in your test ring, validate DWM/UI workflows, and test remote‑desktop connectivity. Disable Preview Pane where updates cannot be immediately deployed.
- If you rely on legacy modems or embedded devices: inventory for the removed drivers and plan alternatives before deploying the cumulative updates.
- Back up before mass rollout and stage updates through a validation ring.
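One way to run the soft‑modem driver inventory recommended above, before the cumulative update is deployed. This is an added example, not Microsoft tooling or part of the original article; the four file names come from the article, and the script assumes it is run locally (or pushed through your management tool) on each Windows machine, using the standard Win32_SystemDriver and Win32_PnPEntity CIM classes.

```powershell
# Added example: report whether this machine still carries, or actively uses,
# the legacy soft-modem drivers named in the article.
$removed   = 'agrsm64.sys', 'agrsm.sys', 'smserl64.sys', 'smserial.sys'
$driverDir = Join-Path $env:SystemRoot 'System32\drivers'

# 1. Driver binaries still present on disk.
$onDisk = @(foreach ($name in $removed) {
    $path = Join-Path $driverDir $name
    if (Test-Path -LiteralPath $path) { Get-Item -LiteralPath $path }
})

# 2. Kernel driver services whose image path ends in one of those file names.
#    The leaf is split by hand because PathName may use \SystemRoot\ or \??\ prefixes.
$services = @(Get-CimInstance -ClassName Win32_SystemDriver | Where-Object {
    $_.PathName -and ($removed -contains ($_.PathName -split '[\\/]')[-1])
})

# 3. Present devices bound to those services: these lose modem function after the update.
$devices  = @()
$svcNames = @($services | ForEach-Object Name)
if ($svcNames.Count -gt 0) {
    $devices = @(Get-CimInstance -ClassName Win32_PnPEntity |
        Where-Object { $svcNames -contains $_.Service })
}

# One summary object per machine, easy to export or collect centrally.
[pscustomobject]@{
    ComputerName   = $env:COMPUTERNAME
    FilesOnDisk    = ($onDisk | ForEach-Object Name) -join ', '
    DriverServices = ($services | ForEach-Object {
                         "$($_.Name) [$($_.State), $($_.StartMode)]" }) -join ', '
    BoundDevices   = ($devices | ForEach-Object Name) -join ', '
    DeviceInUse    = $devices.Count -gt 0
}
```

A machine with files on disk but no bound device only carries the binaries; a machine with `DeviceInUse` set to true has hardware that needs an alternative before the update reaches it.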
Why this cycle feels different
Two things make this month stick out. First, an actively exploited DWM flaw that can enable practical exploit chains has forced organizations to treat a so‑called moderate CVE like a crisis. Second, Microsoft’s housekeeping — removing decades‑old drivers and rotating Secure Boot certificates — pushes administrators to confront long‑ignored legacy bits of their fleets. Those are fundamentally non‑technical policy choices masquerading as security work.
If you’re curious about how Windows is evolving around AI hardware (and some of the battery and UI tweaks targeting those systems), Microsoft’s push into in‑house AI tooling helps explain why NPU power management fixes showed up in this round — it’s part of a broader hardware‑software feedback loop reshaping the platform. For readers tracking Microsoft’s AI moves, you might also find context in the company’s recent in‑house image model rollout and related efforts to lean into AI silicon and services (see “Microsoft Unveils MAI‑Image‑1”).
And if your goal is to pare back unwanted features and reassert control over a patched Windows 11 machine (useful after a risky update), our pieces on cleaning up Windows 11 have hands‑on steps that will help you reclaim privacy and reduce surface area for future regressions (see “How to declutter Windows 11 25H2”).
This patch cycle is noisy and necessary. Expect more micro‑patches and driver/firmware updates over the next few weeks as Microsoft, OEMs and GPU vendors chase regressions and edge cases. Keep a measured, tested approach: urgency for security; patience for stability.