Windows 11 Cannot Shut Down or Hibernate After KB5074109 Update

What is the Windows 11 shutdown/hibernate failure?

After installing the January 2026 Patch Tuesday updates (KB5073455 for 23H2, KB5074109 for 24H2/25H2), many Windows 11 PCs refuse to shut down or hibernate properly. When you click "Shut down," the screen goes black but fans keep spinning — the system either restarts back to the sign-in screen or stays in a powered limbo state indefinitely. Hibernate causes an immediate restart instead of saving state to disk.

The root cause is a regression in System Guard Secure Launch, a firmware security feature. The update caused Secure Launch to mistakenly flag shutdown and hibernate power-state transitions as unauthorized changes, forcing the system to restart instead. Enterprise and IoT editions are most affected since Secure Launch is enabled by default.

When does it occur?

• When clicking "Shut down" from the Start menu — screen goes black but PC stays powered on
• When attempting hibernate — system restarts instead of entering S4 power state
• When using sleep — system performs a full shutdown or restart instead
• On laptops overnight — battery drains because the system never reaches a low-power state
• Event Viewer shows Event ID 41 (Kernel-Power): "The system has rebooted without cleanly shutting down first"

Common causes

• KB5073455 (23H2) or KB5074109 (24H2/25H2) January 2026 security update installed
• System Guard Secure Launch enabled — the update introduced a regression where Secure Launch blocks power-state transitions
• Virtualization-Based Security (VBS) conflicts compound the issue on some configurations
• Fast Startup enabled — worsens the shutdown hang because it uses a hybrid hibernate mechanism
• Enterprise Group Policy enforcing Secure Launch — prevents manual workarounds without admin intervention
• Intel 13th/14th Gen or AMD systems with firmware-level security features active

Step-by-step fixes

1. Install the out-of-band fix KB5077797 (23H2) or KB5078127 (24H2/25H2) — Microsoft released corrective patches on January 17 and January 24, 2026. Go to Settings > Windows Update > Check for updates. If it doesn't appear, download manually from the [Microsoft Update Catalog](https://www.catalog.update.microsoft.com). Verify installation with PowerShell: Get-HotFix | Where-Object {$_.HotFixID -eq "KB5077797"}.

1. Force shutdown as immediate workaround — Open PowerShell or Command Prompt and run: shutdown /s /t 0. This bypasses the Secure Launch hang and forces an orderly shutdown. You can create a desktop shortcut to this command for repeated use.

1. Disable Secure Launch via BCDEdit (temporary workaround) — Open Command Prompt as Administrator and run: bcdedit /set {current} securelaunch Off. Verify with: bcdedit /enum | findstr -i "securelaunch". Re-enable after installing the patch with: bcdedit /set {current} securelaunch On. Note: This reduces firmware-level security protection.

1. Disable Fast Startup — Open Registry Editor and navigate to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Power. Set HiberbootEnabled to 0. Alternatively, open Control Panel > Power Options > Choose what the power buttons do > Change settings that are currently unavailable > uncheck "Turn on fast startup."

1. Check if Secure Launch is enabled on your system — Open PowerShell as Administrator and run: Get-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Control\DeviceGuard\Scenarios\SystemGuard" -Name "Enabled". If the value is 1, Secure Launch is active and you are affected.

1. Disable hibernate entirely (temporary) — If hibernate keeps restarting your PC, disable it with: powercfg /hibernate off in an elevated Command Prompt. Re-enable after patching with: powercfg /hibernate on.

1. Check Event Viewer for shutdown anomalies — Open PowerShell and run: Get-WinEvent -FilterHashtable @{LogName='System'; ID=41,1074,6008} -MaxEvents 10. Event ID 41 (Kernel-Power) entries confirm you're affected by the Secure Launch regression.

1. Uninstall the problematic update (last resort) — Go to Settings > Windows Update > Update history > Uninstall updates. Find KB5074109 (or KB5073455 for 23H2) and click Uninstall. If it fails with error 0x800f0905, use DISM instead: DISM /Online /Get-Packages to find the exact package name, then DISM /Online /Remove-Package /PackageName:<exact-name>. After uninstalling, pause updates for 1-2 weeks until the February Patch Tuesday (February 10, 2026) ships a permanent fix.

If it still doesn't work

Microsoft has acknowledged that the hibernate fix in KB5077797 did not fully resolve all scenarios, particularly on systems with Virtual Secure Mode (VSM) enabled. If you've installed the patch and still experience issues, boot into Windows Recovery Environment (force-restart 3 times) and select Troubleshoot > Advanced options > Uninstall updates > Uninstall latest quality update.

For enterprise environments, generate a Group Policy report with gpresult /h GPReport.html to identify if Secure Launch is being enforced by domain policy. If Windows Update components are corrupted and the patch won't install, reset them by stopping the wuauserv, cryptsvc, bits, and msiserver services, renaming C:\Windows\SoftwareDistribution and C:\Windows\System32\catroot2, then restarting the services.