Microsoft Windows Updates: MOTW Bypass Patch and Windows 11 Shutdown Regression
Microsoft issued security updates to remediate a Windows Remote Assistance protection-mechanism failure, CVE-2026-20824, that can allow attackers to bypass Mark of the Web (MOTW)—a key Windows control used to flag and apply additional restrictions to files originating from the internet. Reporting notes the issue is not “wormable” and requires local execution plus user interaction, but it can materially weaken common download-based defenses and be chained with other techniques to increase the likelihood of successful payload execution.
Separately, Microsoft released an out-of-band/emergency fix after a Patch Tuesday update introduced a Windows 11 23H2 regression where some systems configured with Secure Launch restart instead of shutting down (and may also fail to hibernate). A documented workaround for affected endpoints is to invoke shutdown via Command Prompt using:
shutdown /s /t 0
Other items in the set are not part of these Windows security/patch events: a PowerToys feature update, an iOS upgrade opinion piece, and a Windows 11 edition comparison.
How this story unfolded
3 events from the most recent confirmed update back to the earliest known activity.
Microsoft discloses Windows 11 shutdown bug affecting Secure Launch devices
Microsoft said some Windows 11 23H2 PCs configured with Secure Launch could no longer shut down normally after installing KB5073455, instead restarting when users selected Shut down. The company said it was investigating, advised users to save work to avoid data loss, and provided a Command Prompt shutdown workaround while noting no workaround for a related hibernation issue.
Microsoft patches Windows Remote Assistance MOTW bypass flaw
Microsoft released security updates to fix CVE-2026-20824, a Windows Remote Assistance vulnerability that could bypass Mark of the Web protections on downloaded files. The flaw could aid social-engineering attack chains by reducing security warnings and weakening controls that rely on MOTW metadata.
Microsoft releases KB5073455 Patch Tuesday update for Windows 11 23H2
Microsoft issued the Windows 11 23H2 update KB5073455 as part of Patch Tuesday. After installation, some systems later experienced a shutdown-related regression tied to Secure Launch configurations.
Related entities
Vulnerabilities, threat actors, malware, products, organizations, and breaches Mallory has linked to this story.
Sources
2 references tracked. Mallory keeps watching after this page renders.
See the full picture, correlated to your attack surface.
Map indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.
Related stories
Other stories Mallory is tracking that overlap on entities, sources, or topic labels.
Microsoft March Patch Tuesday Ships 83 Fixes and Windows 11 Cumulative Updates
Microsoft’s March Patch Tuesday security release shipped fixes for **83 vulnerabilities** across its enterprise software and services, and was notable for having **no actively exploited zero-days** for the first time in six months. Microsoft flagged **six** vulnerabilities as “more likely to be exploited,” and noted two issues—`CVE-2026-21262` and `CVE-2026-26127`—were **publicly known** at release. Researchers highlighted an Excel information-disclosure issue, `CVE-2026-26144`, describing a scenario where an attacker could potentially induce a *Copilot Agent* to exfiltrate data in a **zero-click** style workflow, and also pointed to Office flaws `CVE-2026-26110` and `CVE-2026-26113` (CVSS 8.4) that could enable **arbitrary code execution** via the Office preview pane. Microsoft also released **mandatory Windows 11 cumulative updates** `KB5079473` (25H2/24H2) and `KB5078883` (23H2) that incorporate the March 2026 Patch Tuesday security fixes, along with additional non-security changes. The updates advance build numbers to **26200.8037/26100.8037** (25H2/24H2) and **22631.6783** (23H2), expand “high-confidence device targeting” to increase coverage for automatic delivery of new **Secure Boot certificates**, and include reliability improvements such as better File Explorer search across drives and changes to **Windows Defender Application Control (WDAC)** behavior for COM objects (policy listing support).
Mar 30, 2026
Microsoft January Patch Tuesday Security Updates for Windows 10/11
Microsoft shipped its January Patch Tuesday security updates for **Windows 10** (including ESU/LTSC) and **Windows 11**, addressing a large set of vulnerabilities and rolling in additional platform hardening changes. Windows 10’s *KB5073724* (ESU) updates systems to build `19045.6809` (and LTSC 2021 to `19044.6809`) and includes security/bug fixes plus a phased update to handle **expiring Secure Boot certificates**; it also removes legacy **Agere modem drivers** (`agrsm64.sys`, `agrsm.sys`, `smserl64.sys`, `smserial.sys`), which can break dependent modem hardware. Windows 11 cumulative updates *KB5074109* (25H2/24H2) and *KB5073455* (23H2) are mandatory and include fixes for issues such as WSL mirrored networking failures (“No route to host”) impacting VPN access and RemoteApp connection failures in Azure Virtual Desktop environments. Third-party analysis of the same Patch Tuesday release reported **112 vulnerabilities** (with **8 marked critical**) and at least one vulnerability observed exploited in the wild: **CVE-2026-20805**. The critical issues highlighted include multiple **remote code execution** vulnerabilities across Windows components and Office applications (including **LSASS**, Word, Excel, and Office), plus **elevation of privilege** flaws such as **CVE-2026-20822** (Windows Graphics Component, use-after-free leading to potential SYSTEM privileges) and **CVE-2026-20854** (LSASS RCE over the network without requiring elevated privileges). Organizations should prioritize rapid deployment of the January Windows updates, with particular attention to exploited-in-the-wild items and critical RCE/EoP paths.
Mar 21, 2026
Microsoft Windows 11 Updates Trigger Boot Failures and Security-Driven Driver/Privilege Changes
Microsoft attributed **Windows 11 no-boot failures** seen after installing the January 2026 cumulative update `KB5074109` (Windows 11 **24H2/25H2**) to devices that had previously **failed to install the December 2025 security update** and were left in an “**improper state**” after rollback. Affected systems can crash on startup with a BSOD `UNMOUNTABLE_BOOT_VOLUME`; Microsoft said the issue appears limited to **physical devices** (no confirmed VM impact) and is working on a **partial mitigation** to prevent additional systems from entering a no-boot scenario, while continuing to investigate why some devices fail updates or end up unstable after rollback. Separately, Microsoft’s recent Windows 11 servicing and security work included **deliberately disabling legacy dial-up modem drivers** (e.g., `AGRSM64.SYS`/`AGRSM.SYS`, `SMSERL64.SYS`/`SMSERIAL.SYS`) due to reported vulnerabilities including **CVE-2023-31096** (EoP) and **CVE-2025-24052** (stack-based buffer overflow), which can present risk even if the modem hardware is unused—at the cost of breaking connectivity for niche systems relying on those drivers. Microsoft also patched **nine bypasses** reported by Google Project Zero that could undermine the new **Windows Administrator Protection** feature by enabling silent admin privilege gains via legacy Windows/UAC behaviors (including a token/Logon Sessions-related technique involving `NtQueryInformationToken` and DOS device object directory creation), ahead of broader availability beyond Insider builds.
Mar 21, 2026