Windows 11 KB5074109 Remote Desktop Credential Prompt Failure

What is the KB5074109 Remote Desktop Credential Error?

After installing the January 13, 2026 Windows security update KB5074109, users on affected Windows 11 client devices experience authentication failures when attempting Remote Desktop connections. Clicking "Connect" triggers an immediate error dialog with code 0x80080005 — the session fails before any credential validation occurs. This is caused by a security hardening change in the Credential UI (CredUI) broker that unintentionally broke the authentication pipeline.

This is an enterprise-critical issue affecting Windows App, Azure Virtual Desktop (AVD), and Windows 365 Cloud PCs. Microsoft acknowledged the regression and released out-of-band fix KB5077744 on January 17, 2026, followed by cumulative fix KB5078127 on January 24, 2026.

When does it occur?

• When connecting to remote sessions via Windows App on Windows 11 client devices
• When accessing Azure Virtual Desktop (AVD) environments after installing KB5074109
• When signing into Windows 365 Cloud PCs through the Windows App
• On Windows 11 versions 24H2 (build 26100.7623) and 25H2 (build 26200.7623)
• Also affects Windows 11 23H2 via related update KB5073455
• On Windows Server 2019, 2022, and 2025 in certain configurations

Common causes

• KB5074109 CredUI broker regression — the January 2026 security update included a hardening change that broke credential prompt orchestration between the client and identity flow
• Missing out-of-band fix KB5077744 — released January 17, 2026, this is the direct fix for the RDP credential failure
• Windows 11 build 26100.7623 or 26200.7623 — these specific builds contain the broken CredUI code
• Enterprise environments using Windows App — the Windows App authentication path is specifically affected, while legacy mstsc.exe uses a different path
• Conditional Access policies — some organizations report more frequent failures when Conditional Access is enforced through the Windows App
• Delayed Windows Update deployment — organizations with deferred update policies may still be running the broken build

Step-by-step fixes

1. Install the out-of-band update KB5077744 — Go to Settings → Windows Update → Check for updates. If KB5077744 does not appear, download it manually from the Microsoft Update Catalog. This updates Windows 11 24H2 to build 26100.7627 and 25H2 to build 26200.7627. For Windows 11 23H2, install KB5077797 (build 22631.6494).

1. Or install the cumulative fix KB5078127 — Released January 24, 2026, this includes all fixes from KB5074109 and KB5077744 plus fixes for cloud storage file hangs. This updates to build 26100.7628 (24H2) or 26200.7628 (25H2).

1. Verify your build number — Press Win+R, type winver, press Enter. Confirm your OS Build is 26100.7627 or later (24H2) or 26200.7627 or later (25H2). You can also run systeminfo | findstr "OS Version" in Command Prompt.

1. Workaround: Use the web client — While waiting for the update, access your remote desktop via https://windows365.microsoft.com in a browser. This bypasses the broken client-side CredUI broker entirely while preserving Conditional Access enforcement.

1. Workaround: Use the legacy Remote Desktop client — Install the traditional Remote Desktop client (mstsc via MSI installer) instead of the Windows App. This uses a different authentication path not affected by the CredUI regression.

1. Enterprise workaround: Apply KIR Group Policy — Microsoft published a Known Issue Rollback (KIR) Group Policy package that targets only the broken CredUI change while preserving all other security fixes. Download the KIR package matching your Windows version (separate for 24H2 and 25H2), import into Group Policy, and restart affected devices.

1. Last resort: Uninstall KB5074109 — Go to Settings → Windows Update → Update history → Uninstall updates → find KB5074109 → Uninstall. Reboot and pause Windows Updates to prevent reinstallation. Note: this removes all January 2026 security patches.

If it still doesn't work

If the credential error persists after installing KB5077744 or KB5078127, verify that your organization's endpoint management solution (Intune, SCCM, WSUS) has properly deployed the update to all affected client devices. Check Windows Update history in Settings → Windows Update → Update history to confirm the KB is listed as successfully installed. For organizations using Azure Virtual Desktop, also verify that the AVD infrastructure components are updated — the fix is client-side, but stale session host configurations can interact with the issue. If you are running Windows Server 2019 or 2022 as a client, check for the equivalent server-side OOB update in the Microsoft Update Catalog. Contact Microsoft Support for persistent issues in enterprise environments, referencing the KB5074109 known issue documentation.