Table of Contents
- Why is my Remote Desktop blocking connections after the January 2026 update?
- Windows January 2026 Updates: Fixing Connection and Authentication Failures
- The Issue: Security Patches Break Remote Access
- Technical Symptoms and Diagnostics
- Root Cause: CredSSP and CVE-2025-47987
- Immediate Solutions and Workarounds
- Final Resolution: Deploy the Out-of-Band Update
Why is my Remote Desktop blocking connections after the January 2026 update?
Windows January 2026 Updates: Fixing Connection and Authentication Failures
Microsoft’s security updates released on January 13, 2026, have triggered widespread connection errors for users accessing cloud services. Administrators managing Windows clients and servers report failures when authenticating via the Windows App. Microsoft has confirmed these issues and released an out-of-band (OOB) patch to resolve them.
The Issue: Security Patches Break Remote Access
Administrators installing the January 13, 2026 security updates (such as KB5074109) are encountering severe disruptions. The update process itself is slower than usual, but the critical failure occurs post-installation. Users cannot establish remote connections to Azure Virtual Desktop (AVD) or Windows 365 environments.
The failures specifically target the Windows App client. While the local installation completes, the authentication handshake fails when the user attempts to log in to a remote session. This leaves remote workforces disconnected and IT support teams unable to access endpoints via tools that rely on internal Windows remote support mechanisms.
Technical Symptoms and Diagnostics
Your helpdesk may receive tickets describing “authentication errors” or “login loops.”
- Error Code: The most common indicator is error code 0x80080005.
- Behavior: The connection initiates but terminates immediately during the credential verification phase.
- Scope: This affects a broad range of Windows versions, including Windows 11 (25H2, 24H2, 23H2), Windows 10 (22H2 through LTSC 2016), and Windows Server (2025, 2022, 2019).
Third-party tools are also hitting walls. Management platforms like Omnissa (VMware) that utilize native Windows remote support protocols fail to connect. However, independent agents like Dameware appear unaffected because they bypass the Windows authentication stack.
Root Cause: CredSSP and CVE-2025-47987
The disruption likely stems from changes Microsoft made to the Credential Security Support Provider (CredSSP). Security researchers identified a critical vulnerability, CVE-2025-47987, involving a heap-based buffer overflow in CredSSP. This flaw allows attackers to elevate privileges locally.
Microsoft’s attempt to patch this vulnerability in the January update altered how Windows handles authentication tokens. This modification caused the “regression” that breaks the handshake between the Windows App client and the host server.
Immediate Solutions and Workarounds
If you cannot deploy the OOB fix immediately, use these proven workarounds to restore connectivity:
- Switch to the Remote Desktop Client (MSTSC): The legacy Remote Desktop Connection client handles credentials differently and is not affected by this bug. Instruct users to use the standard “Remote Desktop Connection” app instead of the “Windows App”.
- Use the Web Client: The browser-based client bypasses the local OS authentication calls that are failing. Users can log in successfully at windows.cloud.microsoft.
- Hybrid AD Connector Update: For environments using Hybrid AD/Entra ID, administrators must update their connector software to prevent synchronization issues, although this is a separate maintenance task from the remote access bug.
Final Resolution: Deploy the Out-of-Band Update
Microsoft has released an emergency Out-of-Band (OOB) update to correct this specific regression. You should prioritize deploying this OOB patch to all affected endpoints immediately. This update restores the correct CredSSP functionality without reintroducing the vulnerability, allowing the Windows App to authenticate sessions normally again.