Microsoft Windows January Updates Trigger Shutdown/Reboot Bug on VSM-Enabled Systems
Microsoft confirmed a known issue introduced by January Windows updates that can prevent affected PCs from shutting down properly, sometimes causing an unexpected reboot when users attempt to shut down. The problem is tied to systems with Virtual Secure Mode (VSM) / Virtualization-Based Security (VBS) enabled, which uses hardware virtualization to create a protected “secure kernel” intended to isolate sensitive assets (e.g., credentials, cryptographic keys, and security tokens) and underpin features like Credential Guard, Device Guard, and Hypervisor-Protected Code Integrity.
Microsoft reports the issue affects Windows 10 22H2, Windows 10 Enterprise LTSC 2021, and Windows 10 Enterprise LTSC 2019 when VSM is enabled and the KB5078131 or KB5073724 updates are installed; it was previously observed on Windows 11 23H2 systems with KB5073455 and System Guard Secure Launch enabled. As a temporary workaround, Microsoft advises impacted users to shut down via command line using shutdown /s /t 0 while a broader fix for VSM-enabled systems is developed (with out-of-band updates already issued for the Windows 11 variant).
Get ahead of threats like this
Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
How this story unfolded
4 events from the most recent confirmed update back to the earliest known activity.
Microsoft says a permanent fix will arrive in a future update
Microsoft stated it is working on a full resolution for affected Windows 10 and Windows 11 systems and plans to deliver it in a future Windows update. The company said it would share more details when available.
Microsoft confirms January shutdown bug also affects Windows 10
Microsoft said the same issue also impacts certain Windows 10 editions, including Windows 10 22H2 and LTSC releases, when updates such as KB5078131 and KB5073724 are installed on systems with VSM enabled. It advised affected users to use the same command-line shutdown workaround while a permanent fix is being prepared.
Microsoft discloses Windows 11 shutdown issue and provides workaround
Microsoft previously acknowledged the shutdown/hibernation failure affecting some Windows 11 23H2 systems and advised a temporary manual shutdown command as a workaround. The company also released out-of-band updates to address the Windows 11 variant of the problem.
January 2026 Windows security updates trigger shutdown bug on some PCs
After Windows security updates released on or after 2026-01-13, some Secure Launch-capable systems began restarting instead of shutting down or entering hibernation. The issue was tied to devices using System Guard Secure Launch, particularly where Virtual Secure Mode (VSM) or related virtualization-based security features were enabled.
Related entities
Vulnerabilities, threat actors, malware, products, organizations, and breaches Mallory has linked to this story.
Sources
3 references tracked. Mallory keeps watching after this page renders.
Windows Shutdown Bug Spreads to Windows 10, Microsoft Confirms
techrepublic.com
Open sourceThe "Unstoppable" PC: Why Microsoft’s Latest Security Update is Refusing to Let Windows 10 Die
securityonline.info
Open sourceMicrosoft: January update shutdown bug affects more Windows PCs
bleepingcomputer.com
Open sourceSee the full picture, correlated to your attack surface.
Map indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.
Related stories
Other stories Mallory is tracking that overlap on entities, sources, or topic labels.
Microsoft January 2026 Windows Updates Trigger Remote Desktop Credential Failures and Secure Launch Shutdown Bug
Microsoft’s January 2026 Windows security updates introduced regressions that disrupted enterprise endpoints, including **Remote Desktop authentication failures** affecting access to *Azure Virtual Desktop* and *Windows 365*. After installing `KB5074109` on specific Windows client builds (noted as Builds **26200.7623** and **26100.7623**), users reported repeated credential prompt/sign-in failures in the **Windows App**, preventing successful remote session establishment; Microsoft acknowledged the issue and issued an **out-of-band** update intended to restore normal Remote Desktop connectivity. Separately, Microsoft confirmed another January patch-related issue on Windows 11 23H2 where some systems with **Secure Launch** enabled may **fail to shut down, restart, or hibernate**, leaving devices running and potentially draining batteries. As a workaround, Microsoft advised forcing shutdown via the command: ```cmd shutdown /s /t 0 ``` Microsoft indicated a permanent fix would be delivered in a future update, but did not provide scope/impact metrics for affected devices.
Mar 21, 2026
Microsoft Windows 11 Updates Trigger Boot Failures and Security-Driven Driver/Privilege Changes
Microsoft attributed **Windows 11 no-boot failures** seen after installing the January 2026 cumulative update `KB5074109` (Windows 11 **24H2/25H2**) to devices that had previously **failed to install the December 2025 security update** and were left in an “**improper state**” after rollback. Affected systems can crash on startup with a BSOD `UNMOUNTABLE_BOOT_VOLUME`; Microsoft said the issue appears limited to **physical devices** (no confirmed VM impact) and is working on a **partial mitigation** to prevent additional systems from entering a no-boot scenario, while continuing to investigate why some devices fail updates or end up unstable after rollback. Separately, Microsoft’s recent Windows 11 servicing and security work included **deliberately disabling legacy dial-up modem drivers** (e.g., `AGRSM64.SYS`/`AGRSM.SYS`, `SMSERL64.SYS`/`SMSERIAL.SYS`) due to reported vulnerabilities including **CVE-2023-31096** (EoP) and **CVE-2025-24052** (stack-based buffer overflow), which can present risk even if the modem hardware is unused—at the cost of breaking connectivity for niche systems relying on those drivers. Microsoft also patched **nine bypasses** reported by Google Project Zero that could undermine the new **Windows Administrator Protection** feature by enabling silent admin privilege gains via legacy Windows/UAC behaviors (including a token/Logon Sessions-related technique involving `NtQueryInformationToken` and DOS device object directory creation), ahead of broader availability beyond Insider builds.
Mar 21, 2026
Microsoft expands Secure Boot fixes as Windows updates hit install and recovery issues
Microsoft released the June cumulative update `KB5093998` for Windows 11 23H2 with security fixes, broader Secure Boot certificate rollout support, and a new Group Policy/MDM option to limit Secure Boot service data sent to Microsoft. The update also fixes a known issue that could force some devices into **BitLocker Recovery** after boot file updates, while CERT/CC and Microsoft separately published advisories on a Secure Boot bypass affecting Microsoft-signed UEFI shim bootloaders, tracked as `CVE-2026-44815`. At the same time, Microsoft warned that some PCs upgraded from Windows 10 21H2/22H2 or Windows 11 23H2 to Windows 11 24H2 or 25H2 may fail to install the June 2026 cumulative updates, showing errors `0x80073712` or `0x800f0993` because of package and component store issues. Microsoft said an automatic fix is rolling out for unmanaged enterprise and Home devices after restart, while already affected systems may require removing a problematic package with DISM or performing an in-place upgrade; separate reporting also said recent HP BIOS updates and Dell SupportAssist software caused BitLocker loops and BSODs that were initially blamed on Windows but traced to OEM firmware and utilities.
Jun 17, 2026