Windows 11 KB5074109 – January 2026 Update (Build 26200.7623)

Microsoft has released Windows 11 KB5074109 as part of the January 13, 2026 Patch Tuesday rollout. This cumulative update is available for Windows 11 version 24H2 and 25H2, and it bumps systems to:

• OS Build 26200.7623
• OS Build 26100.7623

This is part of the January 2026 Patch Tuesday rollout focuses on security and quality improvements rather than big new features. Todays update improves networking reliability, fixes power and battery behavior on NPU devices, and starts a phased rollout of new Secure Boot certificates. It also changes Windows Deployment Services (WDS), updates the WinSqlite3.dll core component and refreshes several Windows AI components.

Because KB5074109 is a security cumulative update that touches core areas like networking, power and Secure Boot, it is highly recommended that you download and install it as soon as possible.

Highlights of Windows 11 KB5074109

According to Microsoft’s official release notes, this update:

• Delivers January 2026 security patches for Windows 11 24H2 and 25H2.
• Fixes networking issues affecting WSL mirrored networking and Azure Virtual Desktop (AVD) RemoteApps.
• Updates handling of certain modem drivers, which will now stop working on Windows if they depend on removed drivers.
• Introduces changes to Windows Deployment Services (WDS) behavior.
• Updates a core component, WinSqlite3.dll, to address security detections.
• started rolling out new Secure Boot certificate handling, as part of a long‑term transition before certificates expire starting June 2026.

Compatibility – legacy modem drivers removed

Under [Compatibility], KB5074109 removes specific legacy modem drivers from Windows:

• agrsm64.sys (x64)
• agrsm.sys (x86)
• smserl64.sys (x64)
• smserial.sys (x86)

Any modem hardware that depends on these exact drivers will no longer work in Windows after this update. For most modern users, this will not matter, but organizations or individuals relying on very old modem hardware should be aware of this change.

Networking – WSL mirrored networking and AVD RemoteApp fixes

Under [Networking (known issues)], KB5074109 fixes two important issues that appeared after previous updates:

• WSL mirrored networking / VPN issue fixed
  After installing KB5067036, some users saw “No route to host” errors in WSL when using mirrored networking, especially with VPN connections to corporate networks. The Windows host would remain connected, but WSL could not access those resources. KB5074109 addresses this problem.
• Azure Virtual Desktop (AVD) RemoteApp failures fixed
  After installing KB5070311, some environments experienced RemoteApp connection failures in Azure Virtual Desktop. This update fixes those RemoteApp reliability issues.

If you run WSL with mirrored networking or manage AVD deployments, this cumulative update is important.

Power & Battery – NPU devices staying on when idle

Under [Power & Battery], Microsoft fixes a power management issue:

• On devices with a Neural Processing Unit (NPU), the system could stay powered on when idle, negatively impacting power consumption. KB5074109 addresses this behavior so that idle power performance on NPU‑equipped devices is improved.

This matters for newer AI‑capable Windows 11 PCs that include a dedicated NPU.

Secure Boot – phased rollout of new certificates

Under [Secure Boot], KB5074109 starts an important background change:

• Windows quality updates will now include a subset of high‑confidence device targeting data used to identify devices that are eligible to automatically receive new Secure Boot certificates.
• Devices will receive the new certificates only after demonstrating sufficient successful update signals, ensuring a safer, phased rollout.

This ties into Microsoft’s previously announced Secure Boot certificate expiration starting June 2026. If devices aren’t updated in time, they might eventually have trouble booting securely. KB5074109 is one step in that long‑term transition.

Windows Deployment Services (WDS) – hands‑free deployment behavior change

Under [Windows Deployment Services (WDS)], there is a behavioral change important for IT admins:

• By default, WDS will stop supporting hands‑free deployment functionality.
• Microsoft has published Windows Deployment Services (WDS) Hands‑Free Deployment Hardening Guidance for administrators who need to adjust or re‑configure their deployment setup.

If you use WDS for automated deployments in enterprise environments, you should review Microsoft’s guidance and update your processes accordingly.

WinSqlite3.dll – updated core component

Under [WinSqlite3.dll], Microsoft notes:

• The WinSqlite3.dll Windows core component has been updated. Previously, some security products flagged this component as vulnerable.
• WinSqlite3.dll is not the same as sqlite3.dll that ships with individual applications. If security tools still detect sqlite3.dll as vulnerable, that’s an application‑level issue, and you should contact the app developer or install the latest version of the app (including from Microsoft Store if it’s a Microsoft app).

This update should reduce false positives in security tools related to WinSqlite3.dll.

Patch 114 vulnerabilities

The update resolves 114 vulnerabilities, including one actively exploited and two publicly disclosed zero-day vulnerabilities. It also addresses eight “Critical” vulnerabilities, 6 of which are remote code execution flaws and 2 are elevation-of-privilege flaws.

AI components updated in KB5074109

Microsoft also lists updated AI components in this release. The following components are now at version 1.2511.1224.0:

• Image Search
• Content Extraction
• Semantic Analysis
• Settings Model

These changes are largely under‑the‑hood but are part of Microsoft’s ongoing work to keep Windows 11’s AI and content understanding features up to date.

Known issue – missing password icon on the lock screen

Microsoft lists one known issue that continues to affect some users after August 2025 non‑security preview (KB5064081) and later updates:

• The password icon on the lock screen sign‑in options may be missing or invisible.
• If you hover over the empty space where it should be, the button is still there, and you can click it to reveal the password text box.
• After entering your password, sign‑in works normally.

This problem mainly affects enterprise or managed IT environments, not typical Home or Pro users on personal devices.

A Known Issue Rollback (KIR) is being used to mitigate this. For enterprise environments, IT admins can:

1. Download and configure the appropriate Group Policy for Windows 11 24H2/25H2.
2. Apply it under Computer Configuration → Administrative Templates as per Microsoft’s KIR guidance.
3. Restart devices to apply the policy.

Microsoft is working on a permanent fix in a future update.

How to Install Windows 11 KB5074109 Update

KB5074109 is available via Windows Update and Microsoft Update and should download and install automatically on Windows 11 24H2 and 25H2 devices.

If you want to check manually:

• Press the Windows key + X, then select Settings. Go to Windows Update, then hit Check for updates.
• You will see a new patch update available: 2026-01 Security update (KB5074109) (26200.7623)
• Click on the download now button to begin the process. Once done, reboot your computer to apply the changes.

• Windows 11 KB5074109 download offline installer
• Windows 11 KB5073455 download offline installer

The link above points to the Microsoft Update Catalog, a library of Windows Update offline installers.

• First, click on the ‘Download’ button next to the version of the OS installed on your machine.
• Next, run the .msu files to install the update.
• Once done, reboot your PC to apply the changes.

Press the Windows key + R, type winver, and click OK to check the Windows 11 build version.

Should you install Windows 11 KB5074109?

Yes. KB5074109 is a security cumulative update that:

• Includes the January 2026 security fixes.
• Rolls up all the non‑security improvements from KB5074109.
• Fixes issues with WSL networking, AVD RemoteApps, and power behavior on NPU devices.
• Begins the Secure Boot certificate transition ahead of the June 2026 expiration.

If you want your device to stay secure, compatible, and ready for future updates, you should install this update as soon as it becomes available.

FAQ: Windows 11 Update KB5074109

Q1: Do I need to install this update?
Yes, it’s important. This Patch Tuesday update includes essential security fixes, stability improvements, and performance enhancements.

Q2: What version will my PC show after installing?
After installing KB5074109, your Windows 11 version will be Build 26100.7623 (for 24H2) or Build 26200.7623 (for 25H2). You can confirm this by running winver.

Q3: Does this update fix any system issues?
Yes. KB5074109 resolves several problems, including:

• WSL mirrored networking errors (for example, “No route to host”).
• Azure Virtual Desktop (AVD) RemoteApp connection issues.
• NPU power and battery behavior, where devices could stay on when idle.
• Changes and fixes related to Secure Boot certificates, WDS, and WinSqlite3.dll.

Q4: Is it safe to uninstall this update?
Yes. You can uninstall it from Settings → Windows Update → Update history → Uninstall updates if you face any issues.

However, uninstalling security updates is not recommended as a long‑term solution. Use it only for troubleshooting and reinstall the update when possible.

Also read:

• Microsoft Windows 11 New features and improvements
• Windows 11 scanning and repairing drive C is stuck at 100
• Solved: Kernel Security Check Failure error In Windows 11
• Mozilla Firefox Not Responding on Windows 11 (7 Solutions)
• How do I fix Microsoft Edge’s high CPU usage on Windows 11?