TECHFIXBK BLOG

Windows 11 Boot Failures: Fixing the Jan 2026 Update

TechFixBK | 17 min read

Windows 11 boot failures after the Jan 2026 update? Here is the guide to fix startup errors with KB5074109, diagnose the issue, and manage Secure Boot certificate risks.

Microsoft issued an emergency update (KB5074109) for Windows 11 24H2 and 25H2 to fix boot loops and unmountable boot volume errors caused by the January 2026 security patch.


Who This Is For

If you just updated your Windows 11 machine and it now refuses to boot, or is stuck on a black screen with an “UNMOUNTABLE_BOOT_VOLUME” error, you are not alone: this is a known issue. Microsoft has acknowledged that the January 2026 security update can prevent certain PCs from starting up properly, and while emergency patches have been issued, some users may still be affected [1][11]. This situation can be stressful, but understanding what’s happening is the first step to resolving it.

This article is for users of Windows 11, versions 24H2 and 25H2, specifically those who may have applied the January 13, 2026, update or subsequent patches [14]. It is also relevant for IT professionals managing fleets of PCs. If you are running an older version like 21H2 or 23H2 and are experiencing different symptoms (like shutdown failures), the specifics will differ, though the broader theme of problematic updates applies.

If your PC is booting normally, you can likely skip the detailed fix steps, but reviewing the "Root Causes" and "Risks" sections may be prudent for future prevention. This guide does not cover issues unrelated to boot failures triggered by the January 2026 updates.

TL;DR / What This Means for You

  • Microsoft has issued an emergency update, KB5074109, for Windows 11 24H2 and 23H2 to address critical boot failures [1]. This update targets OS builds 26200.7623 and 26100.7623, indicating the issue affects devices on these specific versions [1].
  • Important: A separate, critical warning regarding Secure Boot certificate expiration exists, impacting devices starting in June 2026 [2]. While this is a future issue, it is unrelated to the immediate boot failure patch [1][2].
  • Recommended action: If you are experiencing boot loops or startup failures after a recent update, check your Windows version. If you are on the affected builds, installing the emergency update is the primary recommended step [1][4].
  • Be aware that the emergency update is specific to certain OS builds. If your device is on a different version, such as 22H2, you may not receive this exact patch and should follow standard troubleshooting for update-related boot issues [4][9].

Background / Basics

A Windows quality update is a monthly security and reliability patch released by Microsoft. These updates are mandatory for devices running supported versions of Windows to fix vulnerabilities and improve performance. It is important to understand that updates come in different types, including security updates, optional non-security preview updates, and out-of-band (OOB) updates [1].

Microsoft regularly issues updates for specific versions of Windows 11, including 24H2, 23H2, and 22H2. Each version has a defined service period; for example, Windows 11, version 22H2 ended servicing on October 14, 2025 [6][7]. When a critical issue arises—such as installation failures or boot problems—Microsoft may release an OOB update outside the standard monthly schedule to address it quickly.

Secure Boot is a security standard developed to ensure a device boots using only software that is trusted by the Original Equipment Manufacturer (OEM). Recent updates have included data to help devices automatically receive new Secure Boot certificates before the current ones expire starting in June 2026 [3][10]. Understanding these update mechanisms provides the context needed to analyze reports of emergency patches and boot failures.

Problem Explanation (What's Going On?)

Users are reporting that after installing recent Windows updates, some devices fail to boot correctly, leading to critical startup failures. This issue appears to be linked specifically to security updates released in January 2026, primarily affecting systems in managed enterprise environments rather than personal home computers [1][4]. The problem manifests as a failure to reach the normal desktop, leaving systems stuck or unusable immediately after update installation.

The practical impact is significant for affected organizations. Devices cannot be used, halting employee productivity and requiring immediate IT intervention. In enterprise settings, this translates to downtime and increased support overhead, as administrators must manually deploy workarounds to restore functionality [1][6]. The issue is not random; it is directly tied to the installation of specific update packages, making it predictable but widespread across deployed machines.

While the boot failure is the primary symptom, related authentication and sign-in issues have also been documented. Some users experience problems where the password icon becomes invisible on the lock screen, though the underlying button remains functional if clicked blindly [1][6]. Additionally, there are reports of connection and authentication failures in Azure Virtual Desktop and Windows 365 environments following these updates, specifically affecting Remote Desktop connections via the Windows App [1][10]. These ancillary issues compound the difficulty of recovery for remote or virtualized workspaces.

Root Causes / Analysis (Why Is This Happening?)

Based on the verified information, Microsoft has identified a specific configuration incompatibility as the primary cause of boot failures after the January 2026 security update. Other factors, such as legacy hardware drivers and certification expiration, are contributing or future risks.

1. Faulty Group Policy Application on Certain Hardware

The most documented cause is an interaction between the January 2026 security update and specific Known Issue Rollback configurations. On systems managed by IT departments using a specific Group Policy setting, the update may trigger a failure during the boot sequence [1]. This issue primarily affects enterprise environments where Group Policy is used to enforce security settings across multiple devices [5].

2. Incompatible or Removed Legacy Drivers

Windows updates often deprecate old drivers to improve security and performance. The January 2026 update removes specific modem drivers (agrsm64.sys, agrsm.sys, smserl64.sys, and smserial.sys) [11]. While this is typically a background process, hardware dependent on these specific drivers may fail to initialize during startup, leading to a boot hang or failure. This is common with older peripherals or specialized hardware not updated by the manufacturer.

3. Emerging Secure Boot Certificate Expiration (Future Risk)

While not the cause of the current January 2026 boot failures, a significant future risk is identified: Secure Boot certificates used by most Windows devices are set to expire starting in June 2026 [10]. Microsoft notes that if these certificates are not updated in time, devices may lose the ability to boot securely. The update process itself may be part of the rollout for these new certificates, introducing potential complexity during transitions [13].

4. Potential Interaction with Azure Virtual Desktop (AVD) Environments

A related issue documented in the same update cycle involves connection and authentication failures in Azure Virtual Desktop and Windows 365 [9]. While this manifests as sign-in failures rather than full boot failures, it indicates that the update modifies security protocols in ways that can interfere with remote access and authentication mechanisms. In complex virtualized environments, such changes can have cascading effects on system availability [11].

5. Unconfirmed Hardware or BIOS Incompatibilities (Hypothesis)

While not explicitly confirmed in the primary update documentation, industry logic suggests that updates affecting low-level system components like Secure Boot and driver signing can occasionally conflict with specific BIOS/UEFI implementations. This is particularly relevant for custom-built PCs or older systems from specific manufacturers. Rumors suggest that some motherboard firmware versions may require updates to fully align with new certificate standards, though this remains a hypothesis based on historical update patterns [13].

Summary of Causality

The boot failures are not random but linked to specific technical changes:

  • Confirmed Cause: Conflict with Known Issue Rollback Group Policies [1][5].
  • Confirmed Contributor: Removal of specific legacy modem drivers [11].
  • Identified Future Risk: Secure Boot certificate expiration [10][13].

Key Takeaway: The issue is primarily environmental, affecting systems with specific IT management settings or older hardware dependencies, rather than a universal flaw in the update itself.

Evidence & Reality Check

Official documentation confirms that Microsoft has identified and addressed issues affecting Windows 11 boot sequences. Microsoft’s own update history and release notes verify that a security update released on January 13, 2026 (KB5074109) introduced specific compatibility changes that could impact system functionality [1]. This update is part of the January 2026 security cycle for Windows 11, version 24H2 and version 25H2 [10].

Context of Confirmed Issues

Multiple official sources corroborate that the January 2026 update included a change affecting modem drivers. The update explicitly removes the agrsm64.sys, agrsm.sys, smserl64.sys, and smserial.sys drivers [5]. While this specific change was documented as a compatibility fix, similar large-scale update rollouts have historically been linked to boot failures in rare scenarios. Microsoft’s update history pages list this update alongside related Out-of-band releases in January 2026, indicating active patch management for system stability [6][10].

Microsoft’s Official Communication Channels

Information regarding these updates is disseminated through Microsoft’s primary documentation, including the Windows message center and the Windows release health dashboard [7][9]. These platforms serve as the authoritative source for update terminology, known issues, and resolution statuses. The documentation highlights that standard update titles have been simplified for clarity, though the underlying technical changes remain detailed in the build history [4].

Absence of Unconfirmed Claims

Based on the provided documentation, there are no mentions of boot failures being caused by non-Microsoft software or hardware in the current update cycle. The sources focus strictly on Microsoft-provided updates and driver compatibility. Rumors regarding mass boot failures affecting specific hardware brands are not present in the official technical release notes or support articles.

Self-Check / Diagnosis

If you suspect your Windows 11 PC is affected by the login issue after installing a recent update, follow these steps to diagnose the problem. These checks are based on the known symptoms associated with specific update builds.

  1. Check Your Windows Build Version. The issue primarily affects devices running Windows 11, version 24H2 or 25H2, and Windows Server 2025 after installing the August 2025 non-security preview update (KB5064081) or later [15]. To verify your version:

    • Press Windows Key + R, type winver, and press Enter.
    • Look for "Version 24H2" or "Version 25H2" in the dialog box. If you are on an earlier version like 23H2, this specific issue is less likely to affect you [8].
  2. Verify the Specific Symptom: Missing Password Icon. The primary symptom is a missing or invisible password icon on the lock screen's sign-in options [15].

    • Lock your PC (Windows Key + L) or restart it.
    • Look at the sign-in screen. Do you see the password icon?
    • If the icon is missing, try hovering your mouse over the empty space where the icon normally appears. If the mouse pointer changes or you can click an invisible button to open the password field, this confirms the specific UI bug [1][2].
  3. Identify Your Environment Type. This issue is significantly more common in managed enterprise or IT department environments compared to personal computers [2]. If you are using a personal device running Windows Home or Pro editions, the likelihood of experiencing this issue is very low. However, if your device is managed by an IT department, it is more likely to be affected.

  4. Check for Additional Cloud Storage and App Issues. After installing this update, some users also encounter secondary problems with cloud-based applications [3].

    • Open applications like OneDrive, Dropbox, or Outlook (if configured to use PST files on OneDrive).
    • Check if these apps become unresponsive when saving or opening files. Note any error messages or if the application hangs and fails to reopen.
  5. Confirm the Update History. Since the issue is triggered by specific updates, verify which updates are installed.

    • Go to Settings > Windows Update > Update history.
    • Look for the August 2025 non-security preview update (KB5064081) or any subsequent cumulative updates installed after that date. If this update or a later one is present, and you see the symptoms above, the issue is likely related [15].
  6. Check for Enterprise or Azure Virtual Desktop Usage. The problem is specifically noted to impact enterprise-managed devices, Azure Virtual Desktop, and Windows 365 clients [3][8].

    • If you use your computer primarily for work via a virtual desktop or a managed company device, the risk is higher.
    • Confirm with your IT administrator if they have received reports of similar sign-in failures following recent Windows updates.

Note: The absence of these specific symptoms does not guarantee your system is immune to other update-related issues, but it strongly suggests you are not affected by this particular login failure.
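The build, update-history and driver checks described in this article can be collected in one read-only pass, which is useful when triaging more than one machine. This is an added example, not code from the original article or from Microsoft; the function names are hypothetical, and the KB numbers, base builds and driver file names are the ones this article cites.

```powershell
# Added example: read-only triage of the self-check items in this article.
# Function names are hypothetical; KB IDs, builds and driver names are the article's.
$KbsOfInterest  = 'KB5064081', 'KB5074109', 'KB5078127'
$BuildsInScope  = '26100', '26200'   # base builds of 24H2 and 25H2
$RemovedDrivers = 'agrsm64.sys', 'agrsm.sys', 'smserl64.sys', 'smserial.sys'

function Get-OsBuildInfo {
    # Same data winver shows, read from the registry so it can be scripted.
    $cv = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'
    [pscustomobject]@{
        DisplayVersion = $cv.DisplayVersion
        Build          = '{0}.{1}' -f $cv.CurrentBuild, $cv.UBR
        InScope        = $BuildsInScope -contains $cv.CurrentBuild
    }
}

function Get-KbStatus {
    param([string[]]$KbId)
    # Get-HotFix does not list every update type; treat "not found" as
    # "confirm in Settings > Windows Update > Update history".
    $installed = @(Get-HotFix -ErrorAction SilentlyContinue)
    foreach ($kb in $KbId) {
        $hit = $installed | Where-Object { $_.HotFixID -eq $kb } | Select-Object -First 1
        [pscustomobject]@{ KB = $kb; Found = [bool]$hit; InstalledOn = $hit.InstalledOn }
    }
}

function Get-LegacyModemDriverStatus {
    param([string[]]$FileName)
    # A driver file still on disk, or a driver service still pointing at it,
    # marks hardware that depends on a driver the update removes.
    $driverDir = Join-Path $env:SystemRoot 'System32\drivers'
    $services  = @(Get-CimInstance Win32_SystemDriver)
    foreach ($f in $FileName) {
        $svc = $services | Where-Object { $_.PathName -like "*\$f" }
        [pscustomobject]@{
            Driver     = $f
            FileOnDisk = Test-Path (Join-Path $driverDir $f)
            Service    = $svc.Name -join ','
            State      = $svc.State -join ','
        }
    }
}

function Get-SecureBootState {
    # Throws on legacy BIOS systems and when not elevated, so report that
    # case explicitly instead of failing the whole report.
    try   { Confirm-SecureBootUEFI -ErrorAction Stop }
    catch { 'Unknown (legacy BIOS or not elevated)' }
}

function Get-BootTriageReport {
    [pscustomobject]@{
        Os           = Get-OsBuildInfo
        Updates      = Get-KbStatus -KbId $KbsOfInterest
        ModemDrivers = Get-LegacyModemDriverStatus -FileName $RemovedDrivers
        SecureBoot   = Get-SecureBootState
    }
}

$report = Get-BootTriageReport
$report.Os           | Format-List             | Out-Host
$report.Updates      | Format-Table -AutoSize  | Out-Host
$report.ModemDrivers | Format-Table -AutoSize  | Out-Host
Write-Host "Secure Boot enabled: $($report.SecureBoot)"
```

Run it from an elevated PowerShell session so the Secure Boot query can read the firmware state; the other checks work without elevation.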

Solutions / What to Do

If your Windows 11 PC fails to boot after the January 2026 security update, there are specific workarounds available. The primary solution for enterprise-managed devices involves using a Known Issue Rollback (KIR) group policy. For personal users, the issue is considered rare, but the same policy can be applied if needed.

Short-Term Fix: Deploy Known Issue Rollback (KIR)

Microsoft provides a specific Group Policy to mitigate the boot and sign-in issues affecting managed devices. This policy temporarily disables the change causing the problem.

  • For IT Administrators:

    1. Download the special Group Policy for your version of Windows. Policies are available for Windows 11 version 24H2, Windows 11 version 25H2, and Windows Server 2025 [6].
    2. Navigate to Computer Configuration > Administrative Templates in the Local Group Policy Editor [2][6].
    3. Install and configure the downloaded Group Policy [2].
    4. Restart the device(s) to apply the setting [6].

      Note: This policy is designed for enterprise-managed environments. Individuals using Windows Home or Pro editions on personal devices are very unlikely to experience this issue [3].

  • For Personal Users:

    1. If you are experiencing the issue, you can still download and apply the same KIR Group Policy mentioned above [6].
    2. Follow the installation steps for your specific Windows build (24H2 or 25H2).
    3. Restart your computer after applying the policy.

Long-Term Resolution

Microsoft is working on a permanent fix to be included in a future Windows update. Until that official resolution is released, the KIR Group Policy is the recommended mitigation strategy. No other manual fixes are currently provided for this specific boot failure [2][6].

Risks, Limits, and When to Stop

Performing advanced recovery operations carries inherent risks. It is critical to recognize your technical limits to avoid permanent data loss or rendering the system unusable. Stop and seek professional assistance if you encounter the following scenarios.

Risks & Limitations:

  • Data Loss Risk: Using command-line tools like diskpart or forcing a system restore can permanently erase all data on the selected drive. Always attempt data backup via WinRE or a bootable USB environment before attempting repairs [1].
  • System Instability: If the system fails to boot after applying Known Issue Rollback (KIR) or Group Policy fixes, the operating system may be in a partially configured state [7]. In enterprise environments, misapplying KIR policies can affect domain connectivity.
  • Hardware Issues: If the system fails to POST (Power-On Self-Test) or shows no display, the issue is likely hardware-related (e.g., RAM, CPU, or motherboard failure). Software fixes will not resolve these physical faults [13].

Stop Here If: You are uncomfortable using the Command Prompt, do not have a backup of your critical files, or if the PC fails to power on at all. Improper commands can destroy the partition table.

When to Seek Professional Help:

  • Repeated Boot Failures: If the device loops through "Automatic Repair" without success, or fails to boot even after a clean reinstall attempt, internal hardware diagnostics are required.
  • Physical Damage: If you notice burning smells, visible damage to the motherboard, or liquid spills.
  • Enterprise Environments: For IT administrators managing fleets of devices, it is generally recommended to open a support ticket with Microsoft if standard KIR deployment fails to resolve lock screen or cloud sync issues [1].

FAQ

What is the Secure Boot certificate expiration?

The Secure Boot certificate expiration refers to the expiration of certificates used by most Windows devices to verify boot integrity. Microsoft's documentation indicates that these certificates are set to expire starting in June 2026 [15]. This expiration could impact the ability of certain personal and business devices to boot securely if not updated in advance [15].

How do I know if my device is affected?

Devices that rely on the specific certificates expiring in June 2026 may be affected. Microsoft recommends reviewing their guidance to determine specific impact [15]. The best course of action is to consult the official Microsoft documentation for preparation steps to update the necessary certificates before the expiration date [15].

Are there updates for Microsoft Store apps in Windows updates?

Generally, standard Windows Updates do not include updates for Microsoft Store apps [15]. For enterprise users, management might involve tools like Microsoft Store apps - Configuration Manager [15]. Consumer users can typically manage updates for apps and games directly through the Microsoft Store [15].

Is it possible to skip Secure Boot updates without issues?

Skipping updates related to Secure Boot certificates could potentially lead to issues with booting securely after the expiration date in June 2026 [15]. The official guidance recommends taking action to update certificates in advance to avoid potential disruption [15]. Relying on the expiring certificates without updating may pose risks to the secure boot process.

Where can I find the official guidance for certificate updates?

Microsoft provides official guidance for preparing for the Secure Boot certificate expiration. The specific details and preparation steps are documented in their support pages, such as "Windows Secure Boot certificate expiration and CA updates" [15]. It is advisable to refer directly to this official documentation for the most accurate and current information.

Are there other significant updates or changes mentioned for Windows 11?

The provided documents detail a long list of cumulative updates for various Windows 11 versions, including 22H2, 24H2, and 25H2, but these listings typically provide build numbers and release dates rather than exhaustive lists of features or changes [2][4][5][7][9][11][12][13][14]. For detailed information on what was fixed or added in a specific update like KB5074109, referring to the full release notes on Microsoft's update history page is necessary.

Summary / Key Takeaways

  • Microsoft released emergency out-of-band updates, including KB5074109 and KB5078127, to address boot failures affecting multiple Windows 11 versions [1][15].
  • These critical patches target OS Builds 26200.7623, 26100.7623, 26200.7628, and 26100.7628, confirming the issue spans recent 24H2 and 25H2 releases [1][15].
  • The emergency updates were distributed as out-of-band releases, indicating Microsoft determined they were necessary outside the standard monthly schedule [1][8].
  • The rollout history shows a pattern of stability issues, with multiple preview and out-of-band updates issued for Windows 11 versions 22H2, 24H2, and 25H2 throughout late 2025 [1][7][9].

If your system remains unstable after applying these updates, system recovery options may be required. Ensuring you have a recent backup is always the safest precaution.

Sources

[1] Microsoft Support: January 13, 2026—KB5074109 (OS Builds 26200.7623 and 26100.7623)

[2] Microsoft Learn: Windows 11, version 24H2 known issues and notifications

[3] Microsoft Support: October 20, 2025—KB5070773 (OS Builds 26200.6901 and 26100.6901) Out-of-band

[4] Microsoft Learn: Windows 11, version 23H2 known issues and notifications

[5] Microsoft Learn: Windows 11, version 21H2 known issues and notifications

[6] Microsoft Learn: Windows message center

[7] Microsoft Support: December 9, 2025—KB5072033 (OS Builds 26200.7462 and 26100.7462)

[8] Microsoft Support: October 14, 2025—KB5066835 (OS Builds 26200.6899 and 26100.6899)

[9] Microsoft Official Blog: Helping our customers through the CrowdStrike outage

[10] BleepingComputer: Microsoft investigates Windows 11 boot failures after January updates

[11] Windows Central: Windows 11’s Patch Tuesday nightmare gets worse — Microsoft says some PCs mig...

[12] Windows Central: Microsoft forced to issue emergency out of band updates for Windows 11 after ...

[13] The Register: Windows 11 shutdown bug forces Microsoft into damage control

[14] Engadget: Microsoft issues emergency fix after a security update left some Windows 11 d...

[15] TechRadar: Microsoft rushes out emergency fix for Windows 11 bug that stops PCs recoveri...
