Azure Virtual Desktop / Windows 365 — Credential Prompt and Sign-In Failures After January 2026 Updates on Windows 11 24H2

Indicators

• Users receive unexpected credential prompts or sign-in failures when launching Azure Virtual Desktop sessions via Windows App
• Windows 365 cloud PC connections fail at the authentication stage after January 2026 updates are applied on Windows 11 24H2 devices
• Remote connections that previously worked without re-authentication now prompt for credentials or fail silently
• Authentication-related errors in Event Viewer under Applications and Services Logs > Microsoft > Windows > AAD / WebAuthN / User Device Registration

Likely causes

• Regression in the January 2026 Windows cumulative update breaks the credential/authentication flow used by Windows App for AVD and Windows 365 connections
• Token handling or SSO integration in the remote connection stack is disrupted by changes in the January 2026 update on Windows 11 24H2

Diagnostic steps

1. Run 'winver' or navigate to Settings > System > About and confirm the device shows Windows 11 24H2.
   Confirms the device is on the affected OS version before proceeding with remediation.
2. Check Windows Update history via Settings > Windows Update > Update History, or run PowerShell: Get-HotFix | Sort-Object InstalledOn -Descending | Select-Object -First 10
   Confirms the January 2026 cumulative update that introduced the regression is installed on the device.
3. Launch Windows App and attempt to connect to an AVD workspace or Windows 365 cloud PC. Document the exact failure — note whether the user sees a credential prompt, an error message, or a silent failure.
   Reproduces and characterises the authentication failure to distinguish from other connectivity issues.
4. Open Event Viewer (eventvwr.msc) and navigate to Applications and Services Logs > Microsoft > Windows > AAD, CloudAP, WebAuthN, and User Device Registration. Review for authentication-related errors occurring at connection time.
   Identifies logged authentication or token errors that provide additional detail about the failure mode; CloudAP logs can help distinguish client-side regression from Azure AD or backend service issues.
5. Test whether the issue affects all users on the device or only specific accounts. If possible, test from a device that has NOT received the January 2026 update to confirm update causation.
   Isolates the root cause to the January 2026 update rather than account-level or service-level issues.
6. Cross-reference the installed update KB number against the Microsoft Learn advisory to confirm the January 2026 update is the causal update and that the OOB fix KB has not already been installed.
   Prevents unnecessary remediation if the OOB fix is already deployed, and confirms root cause matches the advisory.

Resolution path

• Step 1 — Obtain the Microsoft out-of-band (OOB) fix for Windows 11 24H2 from the Microsoft Update Catalog or via Windows Update if surfaced. Reference the Microsoft Learn advisory for the specific KB number.
• Step 2 — Install the OOB update on affected Windows 11 24H2 devices. For enterprise deployment via WSUS or Intune, manually import the OOB package if it has not yet synchronised to your update management infrastructure.
• Step 3 — Reboot the device after applying the OOB fix.
• Step 4 — Relaunch Windows App and attempt to connect to AVD or Windows 365 to confirm authentication succeeds without unexpected credential prompts.
• Step 5 — Confirm the OOB KB appears as successfully installed in Settings > Windows Update > Update History on affected devices.
• Rollback option — If the OOB update cannot be immediately deployed, temporarily uninstall the January 2026 cumulative update via Settings > Windows Update > Update History > Uninstall Updates, or via DISM/wusa.exe, to restore prior authentication behaviour. Note: this removes all security and quality fixes bundled in that update.
• Re-evaluate rollback risk against security posture: isolate or restrict use of affected remote connection apps until the OOB fix can be applied to avoid leaving devices without January 2026 security patches.

Prevention

• Subscribe to Microsoft 365 / Azure service health notifications and the Windows release health dashboard to detect update-related regressions affecting AVD and Windows 365 before broad deployment.
• Stage cumulative update rollouts using update rings (e.g., pilot → broad via Intune or WSUS) so that regressions are caught on a small population before impacting all users.
• Maintain a tested rollback procedure for cumulative updates on Windows 11 endpoints, including documenting the KB number of each deployed update to enable rapid uninstall if a regression is confirmed.

Tools

• Windows App (AVD/Windows 365 client — primary affected application)
• Windows Update / Microsoft Update Catalog (obtaining and applying the OOB fix)
• Microsoft Intune / Endpoint Manager (enterprise OOB update deployment)
• WSUS (enterprise update distribution — import OOB package if not yet synchronised)
• winver (confirm OS version and build)
• Get-HotFix (PowerShell — verify installed updates)
• Event Viewer / eventvwr.msc (review authentication error logs)
• wusa.exe (Windows Update Standalone Installer — manual update install or rollback)

References

• Microsoft Learn — Azure Virtual Desktop / Windows 365 connection and authentication failures (January 2026 OOB fix)