Microsoft Windows 11 Updates Trigger Boot Failures and Security-Driven Driver/Privilege Changes
Microsoft attributed Windows 11 no-boot failures seen after installing the January 2026 cumulative update KB5074109 (Windows 11 24H2/25H2) to devices that had previously failed to install the December 2025 security update and were left in an “improper state” after rollback. Affected systems can crash on startup with a BSOD UNMOUNTABLE_BOOT_VOLUME; Microsoft said the issue appears limited to physical devices (no confirmed VM impact) and is working on a partial mitigation to prevent additional systems from entering a no-boot scenario, while continuing to investigate why some devices fail updates or end up unstable after rollback.
Separately, Microsoft’s recent Windows 11 servicing and security work included deliberately disabling legacy dial-up modem drivers (e.g., AGRSM64.SYS/AGRSM.SYS, SMSERL64.SYS/SMSERIAL.SYS) due to reported vulnerabilities including CVE-2023-31096 (EoP) and CVE-2025-24052 (stack-based buffer overflow). These drivers can present risk even if the modem hardware is unused, but disabling them breaks connectivity for niche systems that rely on them. Microsoft also patched nine bypasses reported by Google Project Zero that could undermine the new Windows Administrator Protection feature by enabling silent admin privilege gains via legacy Windows/UAC behaviors (including a token/Logon Sessions-related technique involving NtQueryInformationToken and DOS device object directory creation), ahead of broader availability beyond Insider builds.
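
Because the drivers matter even when no modem is attached, a host inventory has to look for the binaries and driver services rather than for hardware. The PowerShell below is an added example, not code from Microsoft or the cited sources; the driver file names come from this page, while the search paths and the use of Win32_SystemDriver are assumptions about where such drivers normally reside.

```powershell
# Added example: inventory of the legacy modem drivers named in this story.
# File names are from the page; search locations are assumed standard paths.
$names = 'AGRSM64.SYS', 'AGRSM.SYS', 'SMSERL64.SYS', 'SMSERIAL.SYS'

$searchRoots = @(
    (Join-Path $env:SystemRoot 'System32\drivers'),
    (Join-Path $env:SystemRoot 'System32\DriverStore\FileRepository')
)

# 1. Driver binaries on disk, present whether or not modem hardware exists.
#    -contains compares case-insensitively, so agrsm64.sys also matches.
$files = foreach ($root in $searchRoots) {
    if (Test-Path -Path $root) {
        Get-ChildItem -Path $root -Recurse -File -ErrorAction SilentlyContinue |
            Where-Object { $names -contains $_.Name }
    }
}

# 2. Kernel driver services whose image path ends in one of those names.
#    Split on path separators as plain text so "\??\C:\..." paths also work.
$services = Get-CimInstance -ClassName Win32_SystemDriver |
    Where-Object {
        $_.PathName -and ($names -contains (($_.PathName -split '[\\/]')[-1]))
    }

# 3. Report per host, suitable for export or collection by fleet tooling.
[pscustomobject]@{
    ComputerName   = $env:COMPUTERNAME
    DriverFiles    = @($files).Count
    DriverServices = @($services).Count
}

$files | Select-Object FullName, Length, LastWriteTime,
    @{ Name = 'FileVersion'; Expression = { $_.VersionInfo.FileVersion } }

$services | Select-Object Name, State, StartMode, PathName
```

A host that reports driver services in a running or auto-start state is one where the update's driver removal changes behaviour, which is the set to review before and after patching.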

How this story unfolded
7 events from the most recent confirmed update back to the earliest known activity.
Microsoft links January boot failures to failed December 2025 update
Microsoft said the Windows 11 boot failures were caused by systems left in an improper state after failed December 2025 security update installations and rollbacks. The company also said it was developing a partial mitigation to stop more devices from becoming unbootable during future update attempts.
Windows 11 cumulative updates disable legacy modem drivers
Recent Windows 11 cumulative updates intentionally decommissioned several legacy modem drivers, including Agere and Motorola soft-modem components, because of serious security vulnerabilities such as CVE-2023-31096 and CVE-2025-24052.
January 2026 cumulative update triggers Windows 11 boot failures
After installing the January 2026 cumulative update KB5074109 on Windows 11 24H2 and 25H2, some affected devices failed to boot and displayed a BSOD with the stop code UNMOUNTABLE_BOOT_VOLUME.
Administrator Protection becomes available in Windows Insider Canary builds
Earlier in January 2026, Microsoft made the new Windows Administrator Protection feature available to users in Windows Insider Canary builds, though it was not yet generally available.
Microsoft patches Administrator Protection bypass vulnerabilities
Shortly before Windows Administrator Protection became available to users earlier in January 2026, Microsoft patched multiple flaws, including a DOS device object directory issue involving shadow admin token impersonation.
Failed December 2025 Windows security update leaves some systems in improper state
During the December 2025 update cycle, some Windows 11 devices failed to install the security update and rolled back into an 'improper state.' Microsoft later said this condition set up affected systems for later boot failures.
Google Project Zero reports nine Administrator Protection bypass issues
In December 2025, Google Project Zero researcher James Forshaw reported nine vulnerabilities that could bypass Windows Administrator Protection, largely by exploiting known UAC-related behaviors to silently gain administrator privileges.
Sources
3 references tracked.
Microsoft links Windows 11 boot failures to failed December 2025 update
bleepingcomputer.com
The Final Hang-Up: Microsoft Disables Legacy Modem Drivers for Security
securityonline.info
Old Windows quirks help punch through new admin defenses • The Register
go.theregister.com


