Windows 11 Emergency Update KB5085516: Sign-In Broken, RCE Patched

Microsoft released two separate emergency Windows 11 updates in March 2026 — and if your Teams, Outlook, or OneDrive suddenly stopped signing in after your last Windows Update, you're not imagining it.

What Just Happened: Two Emergency Updates in One Month

The March 10 Patch Tuesday update (KB5079473) was supposed to fix 79 vulnerabilities. Instead, it also introduced a regression that broke Microsoft account sign-in for millions of Windows 11 24H2 and 25H2 users. Apps showed a false "no Internet connection" error even on working networks.

Microsoft's response was KB5085516, released March 21 — two days ago — as an out-of-band emergency fix. Separately, Microsoft also pushed KB5084597 around March 15, an emergency hotpatch targeting three critical remote code execution vulnerabilities in the Windows Routing and Remote Access Service (RRAS) that the original Patch Tuesday missed for Enterprise hotpatch enrollees.

Two emergency updates in 11 days. That is not a normal month.

KB5085516: The Sign-In Fix

This is the update most users are looking for right now. After KB5079473 (March 10 Patch Tuesday), these apps started failing authentication:

• Microsoft Teams (Free tier)
• OneDrive
• Microsoft Edge
• Outlook
• Word and Excel (Microsoft account activation)
• Copilot

The bug: Windows was incorrectly reporting no internet connectivity during the Microsoft account OAuth flow, blocking token refresh. Enterprise accounts using Microsoft Entra ID (formerly Azure AD) were not affected — only personal Microsoft accounts.

To install: Settings > Windows Update > Check for Updates > look for "Optional Updates" or "View Optional Updates." KB5085516 will appear there. It requires a restart.

Affected builds: Windows 11 24H2 (Build 26100) and 25H2 (Build 26200).

KB5084597: The RRAS RCE Hotpatch (Enterprise)

This one is more serious from a security standpoint. Around March 15, Microsoft pushed an emergency hotpatch — meaning it applies in-memory without requiring a reboot — to fix three Critical-rated remote code execution vulnerabilities in the Windows Routing and Remote Access Service:

• CVE-2026-25172
• CVE-2026-25173
• CVE-2026-26111

The attack scenario: a domain-authenticated attacker tricks a domain-joined user into sending a request to a malicious server via the RRAS snap-in. One of the three bugs is an integer overflow that enables network-based code execution. None were confirmed actively exploited at time of release, but all three are rated Critical.

Who gets this update: Windows 11 24H2 and 25H2 Enterprise devices enrolled in Windows Autopatch or Microsoft's hotpatch program. Standard consumer and Pro devices already got the fix via KB5079473 on March 10.

The March 10 Patch Tuesday That Started Everything

KB5079473 was this month's cumulative update and it was one of the larger ones: 79 to 84 vulnerabilities patched depending on the source. Two were publicly disclosed zero-days:

• CVE-2026-21262 — SQL Server privilege escalation
• CVE-2026-26127 — .NET remote crash/RCE

Neither was confirmed exploited in the wild before patching. But the update itself introduced the sign-in regression that then required KB5085516 to undo. This is a recurring pattern with Microsoft Patch Tuesdays: a cumulative update that ships a fix also ships a break.

What Developers and IT Teams Need to Do Right Now

For personal or Pro Windows 11 24H2 or 25H2 machines that broke after the March 10 update:

1. Open Settings
2. Go to Windows Update
3. Click "Check for updates"
4. Look for Optional Updates or "View optional updates"
5. Select KB5085516 and install
6. Restart

For Enterprise teams managing Windows 11 fleets via Autopatch or Intune: KB5084597 may already be deployed. Verify via the update history in the Microsoft Endpoint Manager portal. If not, check enrollment status in the hotpatch program.

For developers running Microsoft 365 apps in testing or CI environments: if your pipelines authenticate via personal Microsoft accounts and broke after March 10, this is the cause. Switch to service principals (Entra ID) for any automated workflows — they were unaffected.

What Is RRAS and Who Actually Uses It

The Windows Routing and Remote Access Service handles IP routing, site-to-site VPN connections, and remote dial-up access. It sounds dated because it partially is — but RRAS remains active in thousands of enterprise environments. Any organization using Windows Server as a VPN concentrator, managing branch office routing without a dedicated appliance, or supporting remote users over legacy dial-up connections is running RRAS.

The three CVEs in KB5084597 all require a domain-authenticated attacker. That means the most dangerous scenario is an adversary who already has a foothold inside your network and wants to escalate or move laterally. CVE-2026-26111 is an integer overflow in RRAS's network packet handling — it enables arbitrary code execution on the RRAS host, which typically runs with elevated server privileges. A compromised RRAS server gives an attacker routing control over network segments.

Consumer Windows 11 machines do not typically run RRAS as a server. The client-side risk is from connecting through the RRAS snap-in to a malicious server — a more targeted attack. For enterprise IT: if you're running Windows Server 2022 or 2025 as a VPN endpoint and are not enrolled in Windows Autopatch, patch via your standard WSUS or Intune deployment cycle immediately.

How to Verify Both Updates Are Actually Installed

For KB5085516 (sign-in fix): Settings > Windows Update > Update History. Search for KB5085516. If it's not there, go to Optional Updates and install it manually.

For KB5084597 (RRAS hotpatch, Enterprise only): open an elevated PowerShell and run Get-HotFix -Id KB5084597. If the output returns a result, you're patched. If nothing returns, check your Windows Autopatch dashboard in the Microsoft Endpoint Manager portal. Enrollment in Autopatch is a prerequisite — standard Windows Update does not deliver hotpatches to non-enrolled devices.

For Windows Server administrators: the RRAS CVEs affect the snap-in and the service on both client and server sides. Apply the March cumulative server update via WSUS or Intune regardless of whether you got the client-side hotpatch.

Why Microsoft Keeps Shipping Emergency Updates

This is the third consecutive month in 2026 with at least one out-of-band Windows update. The broader pattern of attackers exploiting patching windows — the gap between a CVE going public and a patch being applied — is getting shorter: CrowdStrike's 2026 threat report found average attacker breakout time is now 29 minutes. The pattern is consistent: Patch Tuesday fixes security holes but introduces regressions that require emergency follow-ups within one to two weeks.

The underlying cause is the complexity of cumulative updates in Windows 11. Because Microsoft packages all fixes into a single cumulative update rather than discrete patches, a bug in any component can break unrelated features — in this case, the network connectivity detection logic that OAuth sign-in depends on.

The RRAS vulnerabilities are a separate issue entirely. That three Critical RCE bugs in a core networking service required an emergency hotpatch two weeks after Patch Tuesday suggests the original security review missed them, or they were discovered post-release.

Impact on the Broader Ecosystem

The sign-in breakage hit consumer users hardest — Teams Free, personal OneDrive, and Outlook.com accounts. But enterprise teams noticed it too in hybrid environments where personal Microsoft accounts are used alongside Entra ID.

The RRAS vulnerabilities matter more for enterprise IT. RRAS is used in VPN setups, site-to-site routing, and dial-up server configurations — still common in large organizations running on-premises infrastructure. A Critical RCE in RRAS with no reboot required to patch (via KB5084597 hotpatch) is exactly the right deployment model for that scenario.

Key Takeaways

• KB5085516 (March 21) fixes broken Microsoft account sign-in in Teams, Outlook, OneDrive, Edge, and Copilot caused by the March 10 Patch Tuesday
• Install via Settings > Windows Update > Optional Updates — it is not automatic
• KB5084597 patches three Critical RRAS RCE bugs (CVE-2026-25172, CVE-2026-25173, CVE-2026-26111) via hotpatch for Enterprise Autopatch devices — no reboot required
• KB5079473 (March 10 Patch Tuesday) fixed 79–84 flaws including two publicly disclosed zero-days in SQL Server and .NET
• Enterprise users on Entra ID were not affected by the sign-in bug — only personal Microsoft accounts
• This is the third consecutive month in 2026 with an out-of-band Windows emergency update
• Developers using personal Microsoft accounts in automated workflows should migrate to service principals
• March 2026 has been a heavy security month across platforms — Android also shipped 129 vulnerability fixes in its March update cycle
• More cybersecurity coverage and CVE breakdowns on abhs.in