The first Patch Tuesday release of the new year addresses 112 CVEs across Microsoft’s product portfolio , including eight rated critical and three zero-day vulnerabilities. One of the  zero-days ( CVE-2026-20805 ), an information disclosure flaw in the Desktop Window Manager, is already under active exploitation. That prompted CISA to add it to the Known Exploited Vulnerabilities catalog with a remediation deadline of Feb. 3, 2026. Enterprise teams should prioritize Windows and Office updates this cycle (both have Patch Now recommendations), particularly since the Preview Pane attack vectors allow code execution without fully opening malicious documents. To help navigate the latest changes, the team from Readiness has provided this useful infographic detailing the risks of deploying updates to each platform.  (More information about recent Patch Tuesday releases is available here .) Known issues Microsoft published several known issues this month. Focusing on actionable issues affecting later versions (non-ESU), the following deserve attention: After installing KB5074109 , KB5073455 , or KB5073724 , users connecting to Azure Virtual Desktop or Windows 365 Cloud PCs via the Windows App could experience authentication errors and credential prompt failures. Microsoft is preparing an out-of-band fix. In the meantime, enterprise teams should direct affected users to connect via the Remote Desktop client for Windows (MSRDC) or the Windows App Web Client . A small number of users might notice that the password icon on the Windows login screen is not visible. This has been an ongoing issue since the August 2025 update . Microsoft published a Known Issue Rollback (KIR) to address Pro and Home users. Enterprise deployments should use an updated Group Policy to restore the icon. This update intentionally removes legacy Agere and Motorola soft modem drivers (agrsm64.sys, agrsm.sys, smserl64.sys, smserial.sys) to address CVE-2023-31096 , an elevation of privilege vulnerability. Notably, the mere presence of these drivers — even without a modem connected — rendered systems vulnerable . Hardware dependent on these drivers will no longer function after applying the January updates. As we noted in December , the 2011 certificates currently used by most Windows devices will begin expiring in June, with a second batch expiring this coming October. Devices that do not receive the updated 2023 certificates could fail to boot securely or stop receiving future Secure Boot security fixes. Resolved issues This is a new section to our monthly rundown. Depending on future Microsoft updates, this section may evolve or get integrated in platform specific sections. The January release resolves several issues that had been affecting enterprise environments: An issue where applications such as Outlook, Teams, Edge, Chrome, and Excel would close unexpectedly when entering text has been fixed in KB5073455 for Windows 11 23H2 users. The NPU battery drain issue affecting AI PCs — where Neural Processing Units remained powered during system idle — has been resolved in KB5074109 . WSL networking failures causing “No route to host” errors over VPN connections have been addressed in KB5074109 . RemoteApp connection failures in Azure Virtual Desktop environments have been fixed in KB5074109 . Major revisions and mitigations Microsoft has (so far) published one revision and an Office platform mitigation for this release: CVE-2023-31096 : Windows Agere Soft Modem Driver Elevation of Privilege Vulnerability. This revision addresses a vulnerability originally documented by MITRE in 2023 that remained unpatched for nearly three years. Rather than issuing a security fix, Microsoft has removed the vulnerable drivers entirely (agrsm64.sys, agrsm.sys, smserl64.sys, smserial.sys). These drivers shipped natively with Windows, meaning systems were vulnerable even without modem hardware connected. After applying the January cumulative updates, any soft modem hardware dependent on these drivers will no longer function. Administrators should audit their managed devices for legacy modem dependencies before deployment. CVE-2026-20952 , CVE-2026-20953 , CVE-2026-20944 : Microsoft Office Remote Code Execution Vulnerabilities. These critical vulnerabilities (CVSS 8.4) can be exploited via the Preview Pane in Outlook and File Explorer, allowing code execution without users fully opening malicious documents. According to the Zero Day Initiative , organizations that cannot immediately deploy Office updates should disable the Preview Pane as a temporary mitigation. Windows lifecycle and enforcement updates Microsoft Teams administrators should note that messaging safety defaults rolled out on Jan. 12. Organizations using default configurations now have three protections automatically enabled: weaponizable file type blocking , malicious URL scanning , and user reporting for false positives . The Secure Boot enforcement phase remains scheduled for “not before January 2026,” with Microsoft committing to at least six months’ advance notice. When enforcement begins, the Windows Production PCA 2011 certificate will be automatically revoked and added to the Secure Boot UEFI Forbidden (DBX) List on capable devices. This enforcement (as we noted in December ) will be programmatic with no option to disable. Looking ahead, several Windows lifecycle milestones are approaching this year. Windows Server 2012 and 2012 R2 reach the end of their third and final Extended Security Update year on July 14. Windows 10 LTSB 2016 also loses support on that date. Each month, the team at Readiness analyzes the latest Patch Tuesday updates and provides detailed, actionable testing guidance. This month’s release includes a high-risk update to the Desktop Window Manager, alongside security hardening for network file sharing and deployment services. Organizations should prioritize visual and personalization testing given the DWM changes. Graphics and display The Desktop Window Manager updates this month were marked as high risk by Microsoft and  affect how Windows renders visual elements. Apply theme changes and verify accent colors render correctly on window borders, including: Test taskbar color customization and transparency settings. Validate DirectComposition-based applications render without artifacts. Switch between light and dark modes and confirm UI consistency. Test multi-monitor configurations with different DPI scaling. Network File Sharing SMB ( Server Message Block ) components received security updates affecting both modern and legacy protocols; testing should include: Accessing SMB shares configured with mandatory signing and verified connectivity. Testing encrypted SMB connections between clients and servers. Validating SMB share access across domain trust boundaries. And, if SMBv1 is still required in your environment, testing legacy share access with signing enabled. Windows Deployment Services Security hardening changes affect unattended OS deployment scenarios. New registry controls modify default behavior. Testing should include: Performing network-based OS deployments using existing unattended configurations. Verifying that hands-free deployment workflows complete successfully. Reviewing event logs for new security-related warnings during deployment. Testing deployment scenarios with various security configurations. Window management Core window management components received updates affecting application behavior; the following need testing: Minimize, maximize, and restore applications to verify correct behavior. Move and resize windows, confirming smooth transitions. Close applications and reopen to verify window position persistence. Test window operations in Remote Desktop sessions. Office applications Security updates address vulnerabilities in Excel, Word, and SharePoint Server components. Test Scenarios: Open and edit complex Excel workbooks with formulas and macros. Test Word document formatting and embedded object handling. Validate SharePoint document library operations and co-authoring. Verify Office add-ins continue to function after patching. The Readiness team suggests you focus testing efforts on the Desktop Window Manager changes first. Secondary priority should be given to SMB testing if your environment relies heavily on network file shares with signing or encryption requirements. SQL Server 2022 and 2025 also received GDR updates. If you manage SQL Server environments, follow your standard patching and validation procedures for these cumulative updates. Each month, we break down the update cycle into product families (as defined by Microsoft) with the following basic groupings: Browsers (Microsoft IE and Edge) Microsoft Windows (both desktop and server) Microsoft Office Microsoft Exchange and SQL Server Microsoft Developer Tools (Visual Studio and .NET) Adobe (if you get this far) Browsers Microsoft Edge version 143.0.3650.139 , released Jan. 9, incorporates critical upstream Chromium security fixes. The most significant is CVE-2026-0628 , a high-severity vulnerability involving insufficient policy enforcement in the WebView tag. This flaw could allow a malicious extension to bypass security controls and inject scripts into privileged pages. Add these browser changes to your standard release calendar. Microsoft Windows Microsoft released patches for 95 Windows-specific vulnerabilities this month, including three rated critical by Microsoft. The bulk of fixes address elevation-of-privilege flaws, which account for roughly half of this month’s patches. Key affected components include: CVE-2026-20840 and CVE-2026-20922 : Windows NTFS heap-based buffer overflow RCE vulnerabilities CVE-2026-20820 : Windows Common Log File System (CLFS) Driver EoP CVE-2026-20817 : Windows Error Reporting Service EoP CVE-2026-20816 : Windows Installer EoP CVE-2026-20843 : Windows Routing and Remote Access Service (RRAS) EoP CVE-2026-20860 : Windows Ancillary Function Driver for WinSock EoP CVE-2026-20871 : Desktop Window Manager EoP The three critical-rated vulnerabilities are CVE-2026-20822 , a use-after-free in the Windows Graphics Component (CVSS 7.8); CVE-2026-20876 , a heap-based buffer overflow in Windows Virtualization-Based Security (VBS) Enclave (CVSS 6.7); and CVE-2026-20854 , a remote code execution vulnerability in Microsoft’s LSASS security authority (CVSS 7.5). This month’s actively exploited zero-day is CVE-2026-20805 , an information disclosure vulnerability in Desktop Window Manager. Despite its relatively modest CVSS score of 5.5, Microsoft and CISA confirm active exploitation in the wild with a remediation deadline of Feb 3, 2026. Add these Windows updates to your “Patch Now” schedule. Microsoft Office Microsoft addressed 16 vulnerabilities in Office products ], including five rated critical. The most urgent patches address remote code execution flaws exploitable via the Preview Pane in Outlook and (unfortunately) File Explorer. CVE-2026-20952 and CVE-2026-20953 are use-after-free vulnerabilities in Office that allow code execution without users fully opening malicious documents; simply previewing the file is sufficient. Organizations unable to deploy updates immediately should consider disabling the Preview Pane temporarily. Word gets a critical patch for CVE-2026-20944 , an out-of-bounds read vulnerability that could allow remote code execution when processing specially crafted documents. And for Excel this month, Microsoft addresses two critical ( CVE-2026-20955 and CVE-2026-20957 ) and four important vulnerabilities. The remaining Excel patches address use-after-free, out-of-bounds read, and pointer dereference issues, plus a security feature bypass ( CVE-2026-20949 ) that could allow attackers to circumvent Excel’s built-in protections. SharePoint Server administrators should note five vulnerabilities, including two remote code execution flaws via SQL injection ( CVE-2026-20947 ) and deserialization ( CVE-2026-20963 ). These require authenticated access but merit attention in multi-tenant environments. Add these updates to your “Patch Now” schedule. Microsoft Exchange and SQL Server There were no updates for Exchange Server this month. SQL Server received a single patch: CVE-2026-20803 , which addresses an elevation-of-privilege vulnerability (CVSS 7.2) caused by missing authentication for a critical function. The flaw affects SQL Server 2022 and 2025 , allowing an authenticated attacker to elevate privileges over the network. Updates are available via both GDR and CU channels. Add this SQL Server update to your standard server release calendar. Developer tools The sole desktop-relevant fix is CVE-2026-21219 , a remote code execution vulnerability in the Windows SDK’s Inbox COM Objects (Global Memory). This use-after-free flaw allows an attacker to execute code locally, earning a CVSS score of 7.0. Developers using the Windows SDK should update via the official SDK downloads page . Add this to your standard developer release schedule. Adobe (and third-party updates) There were no Adobe updates this month — and no third-party updates either. Since we  added the Resolved Issues section this month, I’m hoping we can retire this section. Let’s see what happens in February.