Windows news you can use: January 2026

Welcome to the January 2026 Windows news you can use, including new capabilities in Windows Backup for Organizations and Windows 365.

Coming up on February 5, there will be another Secure Boot AMA, so please tune in to get answers to your questions. Then, on Mondays in March, join us for deep dives, AMAs, and more at Microsoft Technical Takeoff for Windows and Microsoft Intune. Check out the full schedule and start adding sessions to your calendar. Now, let's get started with the latest news you can use.

New in Windows update and device management

• [BACKUP] [RESTORE] – Windows Backup for Organizations is expanding to include a new restore experience at first sign-in. In early 2026, Windows 11 users will be able to restore their Windows settings and Microsoft Store app list at the very first sign-in. Even on Microsoft Entra hybrid join devices and multi-user setups.
• [UPDATES] [OOBE] – Starting with the January 2026 security update, the ability to install Windows quality updates during the out-of-box experience (OOBE) will no longer be enabled by default in Microsoft Intune.
• [WINDOWS 365] – Windows 365 is now available in the Brazil South region. Your organization can now provision Cloud PCs closer to your users in Brazil and across South America, helping reduce latency and support regional data residency requirements.
• [INTUNE] – Get insights from the experts by watching last week's Intune edition of Tech Community Live, now available on demand. Learn how to secure endpoints with policy and Microsoft Defender, manage apps, and apply Zero Trust best practices when managing devices in Intune.

New in Windows security

• [NETWORK] [ACCESS] – Windows is moving toward a more secure authentication model by phasing out New Technology LAN Manager (NTLM) in favor of stronger, Kerberos‑based alternatives. Get familiar with the phased roadmap for NTLM disablement and tools that will help prepare your organization for this change.
• [WINDOWS HELLO] – The January 2026 optional non-security update starts the gradual rollout of support for peripheral fingerprint sensors with Windows Hello Enhanced Sign-in Security (ESS).
• [SECURE BOOT] – The Secure Boot playbook has been updated to make it easier to identify the steps and tools to help you proactively update Secure Boot certificates across your estate before they start expiring in June of 2026. Have questions? Post them now then tune in for the Secure Boot AMA on February 5, 2026 at 8:00 AM PT.
• [SECURE BOOT] [INTUNE] – You can now deploy, manage, and monitor Secure Boot certificate updates using Microsoft Intune. Step-by-step guidance is now available and has been added to the Secure Boot playbook for easy reference. Additionally, a new Secure Boot status report is now available in Windows Autopatch.
• [SECURE BOOT] [WINDOWS UPDATE] – Starting with the January 2026 security update, Windows quality updates include a subset of high confidence device targeting data that identifies devices eligible to automatically receive new Secure Boot certificates. Devices will receive the new certificates only after demonstrating sufficient successful update signals, ensuring a safe and phased deployment.
• [DATA PROTECTION] – With the January 2026 optional non-security update, IT admins can now set how often Data Protection Application Programming Interface (DPAPI) domain backup keys rotate automatically. This strengthens cryptographic security and reduces reliance on older encryption algorithms.
• [VIRTUALIZATION] [CLOUD PC] – A unified, policy-driven way to control which RDP Shortpath modes (Managed, Public/STUN, Public/TURN) are enabled across Azure Virtual Desktop session hosts and Windows 365 Cloud PCs is now available. Explore RDP Shortpath configuration via Group Policy or Microsoft Intune.
• [M365] – Starting February 9, 2026, Microsoft will continue to ramp up enforcement, and users will be unable to sign in to the Microsoft 365 admin center without successfully completing multifactor authentication.
• [WDS] – Starting with the January 2026 security update, you can explicitly disable WDS hands-free deployment with the help of new Event Log alerts and registry key options. In April 2026, hands-free deployment will be disabled by default. After that date, it will no longer work unless explicitly overridden with registry settings.

New in AI

• [WINDOWS 365] – Windows 365 for Agents introduces a set of capabilities that make it possible to run autonomous AI agents securely on Cloud PCs. Enhancements will help you automate complex tasks, reduce idle costs, and ensure trust in autonomous operations.

To learn about latest capabilities for Copilot+ PCs, visit the Windows Roadmap and filter Platform by "Copilot+ PC Exclusives."

New in productivity and collaboration

Install the January 2026 security update for Windows 11, versions 25H2 and 24H2 to get these and other capabilities.

• [START MENU] – The redesigned Start menu continues its gradual rollout to Windows devices. As the rollout progresses, more Windows devices will receive the redesigned Start menu experience.

New features and improvements are coming in the February 2026 security update. You can preview them by installing the January 2026 optional non-security update for Windows 11, version 25H2 and version 24H2. This update includes the gradual rollout of:

• [MOBILE] – Cross‑Device Resume is expanding to include the ability to continue activities from your Android phone on your PC based on the apps and services you use, including resuming Spotify playback, working in Word, Excel, or PowerPoint, or continuing a browsing session.
• [NARRATOR] – Narrator now gives you more control over how it announces on‑screen controls. You can choose which details are spoken and adjust their order to match how you navigate apps.
• [VOICE ACCESS] – Voice Access setup has been streamlined to make it easier to get started. The redesigned experience helps you download a speech model for your chosen language, select your preferred input microphone, and learn what Voice Access can help you do on your Windows PC. You can also now adjust the amount of delay before a voice command runs.
• [AUDIO] – Windows now offers enhanced support for MIDI 1.0 and MIDI 2.0, including full WinMM and WinRT MIDI 1.0 support with built-in translation, shared MIDI ports across apps, custom port names, loopback, and app-to-app MIDI.
• [SETTINGS] – The Device card on the Settings home page appears when you sign in with your Microsoft account. It now shows key specifications and usage details for your PC.
• [COPILOT+ PC] – The Settings Agent now supports more languages, with expanded support for German, Portuguese, Spanish, Korean, Japanese, Hindi, Italian, and Chinese (Simplified).

New for developers

• [APPS] [TOOLS] – The Windows App Development CLI (winapp) is now available in public preview. It's a new open-source command-line tool designed to simplify the development lifecycle for Windows applications across a wide range of frameworks and toolchains.

New in Windows Server

For the latest features and improvements for Windows Server, see the Windows Server 2025 release notes and Windows Server, version 23H2 release notes.

• [ACTIVE DIRECTORY] – Guidance is now available to help mitigate potential threats to Active Directory Domain Services, including authentication relay attacks, Kerberoasting, and unconstrained delegation.
• [KERBEROS] – The first phase of protections designed to address a Kerberos information disclosure vulnerability are now available. They include new auditing and optional configuration controls that help reduce reliance on legacy encryption types such as RC4 and prepare domain controllers.
• [REMINDER] – Starting with the January 2026 security update, Windows Server 2025 updates and release notes have their own KB identifiers and build numbers. These identifiers are separate from those for Windows 11, versions 24H2 and 25H2. This change improves clarity for administrators. Installation and management processes remain the same.

Out-of-band updates

Two out-of-band updates were released in January:

• January 17, 2026 – Out-of-band update to address sign-in failures during Remote Desktop connections
• January 24, 2026 – Out-of-band update to address cloud‑backed storage application issues

Lifecycle milestones

Check out our lifecycle documentation for the latest updates on Deprecated features in the Windows client and Features removed or no longer developed starting with Windows Server 2025.

Additional resources

Looking for the latest news and previews for Windows, Copilot, Copilot+ PCs, the Windows and Windows Server Insider Programs, and more? Check out these resources:

• Windows Roadmap for new Copilot+ PCs and Windows features – filter by platform, version, status, and channel or search by feature name
• Microsoft 365 Copilot release notes for latest features and improvements
• Windows Insider Blog for what's available in the Canary, Dev, Beta, or Release Preview Channels
• Windows Server Insider for feature preview opportunities
• Understanding update history for Windows Insider preview features, fixes, and changes to learn about the types of updates for Windows Insiders

Join the conversation

If you are an IT admin with questions about managing and updating Windows, add our monthly Windows Office Hours to your calendar. We assemble a crew of Windows, Windows 365, security, and Intune experts to help answer your questions and provide tips on tools, best practices, and troubleshooting.

Finally, we are always looking to improve this monthly summary. Drop us a note in the Comments and let us know what we can do to make this more useful for you!

Continue the conversation. Find best practices. Bookmark the Windows Tech Community, then follow us @MSWindowsITPro on X and on LinkedIn. Looking for support? Visit Windows on Microsoft Q&A.