Windows 2022 Servers Unexpectedly Upgrading to 2025, Aaaargh!
Posted by Fatboy40@reddit | sysadmin | View on Reddit | 443 comments
Arriving at work this morning, an "SME" sized business in the UK, something seemed a little off. Further investigation showed that all of our Windows 2022 Servers had either upgraded themselves to 2025 overnight or were about to do so. This obviously came as a shock as we're not at the point to do so for many reasons and the required licensing would not be present.
We manage the updating of clients and servers using the product Heimdal, so I would be surprised if this instigated the update, so our number one concern is why the update occurred and how to prevent it.
Is 2025 being pushed out as a simple Windows update to our servers, just like "Patch Tuesday" events, have we missed something we should have set or are we just unlucky?
Is this happening to anyone else?
ColXanders@reddit
Ah crap this has happened to us too. Using Heimdal as well. Just waking up to this reality...
Fatboy40@reddit (OP)
I feel a little less crap now knowing that I'm not on my own, good luck with the remediation.
Looking on one server, under "Windows Update > Update History > Uninstall updates", there is an Uninstall option available for KB5044284. So, once an incremental backup of the server has completed I'm going to attempt the Uninstall and keep my fingers crossed that it can roll itself back (there's a Windows.old folder on the C drive / volume so fingers crossed).
Joe-Cool@reddit
How did it go? Can it be uninstalled?
Randalldeflagg@reddit
I peeked at mine. Yeah.... no. It's just the user folders. There is no roll back for servers that I am aware of. It's all or nothing typically.
Dr4g0nweasel20@reddit
Yes, please keep us posted about this!
ColXanders@reddit
Please post back how it goes. I'm in the US and just getting notice of this so we are in discovery mode. Any additional info would be helpful. I have our MSSP involved which has a direct relationship with Heimdal and will post any updates I get here as well.
spetcnaz@reddit
Wowww whose bright idea at Microsoft was this?
Who wants servers to migrate to a new version, basically an in-place upgrade.
Microsoft should give serious heads up for such things.
bdam55@reddit
FWIW, Microsoft was not the cause of this automatic updating, that was due to their RMM.
As for why MS released a Feature Update for a server OS: The cloud. That is, they need a cloud-based solution to server upgrades that isn't ConfigMgr. The only solution is for the update to likewise come from the cloud, hence a Feature Update delivered via Windows Update. Not saying I like it ... but it's not like they had much of a choice.
spetcnaz@reddit
Microsoft was the one that mislabeled the update, and the RMMs picked it up. It was on Microsoft. Microsoft labeled it as a Windows 11 security update. Let's not try to whitewash their mess up.
It's also on Microsoft that this feature is even a thing now. It's like selling mini nukes on the corner of every street, but with really detailed instructions on how to not make them explode when you don't want to. Then when one inadvertently explodes, you start looking for who is to blame.
The first question would be, why the fuck are we selling mini nukes on the corner of the street, not who messed up the instructions. This was never an option before and it should not be in the future, because we see how easily things can go wrong. Server OS upgrades can't be left to simple human errors!
Yes they have a choice, by creating tools, that you run deliberately to make server version upgrades deliberate, not because someone at MS or at an RMM company made an oopsie.
bdam55@reddit
But ... they didn't mislabel anything. If they had, all hell would have broken loose far beyond just a handful of RMMs. MS's own tools would have gleefully installed this if that were the case.
That's not just a theory either, the update metadata itself found on devices being offered the FU: https://www.reddit.com/r/sysadmin/comments/1gl6jsw/comment/lvyps27/
spetcnaz@reddit
They did mislabel it, it was shown as a Windows 11 update.
andrea_ci@reddit
in-place upgrades are ok in the last two versions.
not optimal, but they work.
spetcnaz@reddit
Until they don't.
That's not the point, the point is so many things can go wrong, this is absolutely insane.
andrea_ci@reddit
just do backups.
MBILC@reddit
Yes, because IT wants to spend days or weeks restoring backups because MS decided a new OS install can be done via Windows Updates. Not sure how many Windows systems you manage, but when you get into the 100s to several hundreds this could cause major issues.
While Server 2025 is not far off from 2022, there still needs to be proper testing and validation done against 3rd party apps and such.
We have seen MS force OS upgrades on end users before, so it could happen with server versions as we know MS QA process is not always the best.
This does though bring the question, are there not GPO / Configuration policies that can be used to decline these that most should already have in place, but I guess if MS has categorised it...may not work
andrea_ci@reddit
It doesn't want to spend day rebuilding servers at each update.. so.. create the procedures you want, depending on the service you're updating, and act following those.
While most of the servers are clean reinstalls, I did my fair share of in place updates when that's the best course of actions
MBILC@reddit
Not against in place upgrades, as those are planned and have proper outages defined and the company communicated with where applicable.
The fact MS would allow this update to go out, can break so many things. Unplanned outages are never good when you are just expecting a normal windows patch cycle, not an entire OS upgrade.
Just the OS version change could break so many applications like AV or what ever else 3rd party apps that look for specific OS versions to run on.
andrea_ci@reddit
Hold on... Obviously even inplace upgrades must be scheduled and tested...
Launching them (or just forcing them like in this case) and praying is just a disaster waiting to happen.
spetcnaz@reddit
That's what we are saying.
Server version upgrades should take more steps than "oops you didn't tick/untick this one box". It should be very deliberate, multi step process.
MBILC@reddit
Exactly.
spetcnaz@reddit
That's an abhorrent excuse, if we can even call it that.
lordcochise@reddit
Have done in-place upgrades since the 2003 days, mostly they've gone pretty ok (albeit on a very specific schedule and we have pretty vanilla setups). But it's sounding like those that have tried this have broken activation, also not sure if the default optional feature / update AD blocks would catch this or not...
spetcnaz@reddit
Yeah, there is a huge difference between a planned in-place upgrade, and getting one through auto update.
lordcochise@reddit
it looks like for the one that appears in the LTSC optional update area you still have to positively affirm download / update but yeah if it's auto-applying via normal update paths for the AC folks, particularly for those not on perpetual licensing, BIG oof
dustojnikhummer@reddit
Even ignoring compatibility, what about licensing??
spetcnaz@reddit
Exactly
babywhiz@reddit
Go buy one now, sucka!
dustojnikhummer@reddit
One? Server itself is one thing but you need a whole new set of CALs.
babywhiz@reddit
Ohh good point!
Hopeful_Day782@reddit
"Oh shucks, guess you'll have to pay us more money, this is so sad"
I'm sure they really care.
cloudAhead@reddit
I manually checked Windows update and was not unexpectedly upgraded to 2025. There is a separate section in the UI to upgrade to 2025 if you choose to do so. The experience is similar to what Microsoft did client side with Windows 11.
My guess is that OP may have auto approved all packages, or a similar option, in their patching tool.
Fatboy40@reddit (OP)
It looks like you've made a pretty accurate guess :(
RandomLukerX@reddit
Can you clarify for my sanity, this was caused by a third party patch management tool in your environment?
bdam55@reddit
FWIW, it was the RMM. Microsoft published the update properly: https://www.reddit.com/r/sysadmin/comments/1gl6jsw/comment/lvyps27
This was a Feature Update released to the Windows Update channel (not the Update Catalog) that is properly classified as an Upgrade (Feature Update). As much crap as MS deserves for screwing up updates, this is one of the rare times where they are not to blame.
Fatboy40@reddit (OP)
The simple answer is "yes", however it's a little more nuanced than that in that KB5044284 is a Security Update from Microsoft but our RMM tool classed it as an OS Update.
It seems that for others their RMM may also be potentially misclassifying it, and even some Microsoft tools cannot be trusted 100% to not install the upgrade to 2025.
cloudAhead@reddit
KB5044284 is an OS update - a servicing stack update, but not an upgrade to 2025. I wouldn't be surprised if it delivered the code to offer the in place upgrade, though.
SonicDart@reddit
Does anyone know if the same issue could happen in other patch management systems? We're using SCCM for the bulk of our windows servers
soccer362001@reddit
We got a notice from an RMM we are trialing that we should block it because it was causing 2022 to update to 2025. This is likely a global issue.
Randalldeflagg@reddit
Our RMM showed it as a critical patch with a CVSS of 8.8. Which triggered our security manager to start yelling about it needs to be installed on every system. Talked him down to installing it on one non critical server that is IT facing only. Yeah... now it's an unlicensed server, and the backup teams (me) hadn't added it to the backup jobs yet. So, I guess I am rebuilding that server and reconfiguring our VeeamOne install. I hate my job this week
RandomLukerX@reddit
That's disgusting and warrants a policy review on security being able to dictate with authority. Security should be the goal, compliance is a must. (Licensing)
Randalldeflagg@reddit
anything 7 and above we have to address ASAP. The fact this update is listed as a Security Update in the Update Catalog and not a Feature Update is what drove this move.
RandomLukerX@reddit
Firm policies need exception clauses. Clearly it wasn't classified right meaning it should have been negated.
zz9plural@reddit
Yes, same here. Looks like Heimdal is at least partly at fault for OP's problem. The exact reason for the misclassification remains to be determined.
YnysYBarri@reddit
What's worrying me more than the "whose fault is it anyway?" is this delightful piece of advice from Heimdal:
Sorry, what century are we in? We no longer play the "my server has an uptime of 2.3 squillion years!" game. You don't encourage disabling automatic updates, you encourage managing them in a controlled fashion.
YnysYBarri@reddit
And Heimdal are doing their best to look dodgy. This blog post went from mild Microsoft bashing to 404 in about an hour
Sufficient-West-5456@reddit
But here he is op is complaining and blaming it on msft
My1xT@reddit
Even then this shouldn't just be a 1 click thing as unlike with win11, ws2025 iirc ISN'T a free upgrade
Andrei_Hinodache@reddit
Hi u/Fatboy40
Andrei from Heimdal here, man, I'm really sorry for the havoc that was created with this update, our team (thanks for raising this with them - I have a feeling you were the first to bring it up to our Customer Success team) managed to pinpoint this and blocked this update across all server policies to avoid any further upgrades from 2022 to 2025
I also notice another point in the chat where you're asking how to apply a granular approach to updates - if you'd like, we can set a call up tomorrow and we can look at this one together.
Here's the official com. that just went out a while ago:
On 5th Nov 12.16UTC, Heimdal was notified by a customer about unexpected upgrades related to Windows Server 2025 in their environment. Due to the limited initial footprint, identifying the root cause took some time. By 18:05 UTC, we traced the issue to the Windows Update API, where Microsoft had mistakenly labelled the Windows Server 2025 upgrade as KB5044284.
Our Analysis and Fix:
Our team discovered this discrepancy in our patching repository, as the GUID for the Windows Server 2025 upgrade does not match the usual entries for KB5044284 associated with Windows 11. This appears to be an error on Microsoft's side, affecting both the speed of release and the classification of the update. After cross-checking with Microsoft’s KB repository, we confirmed that the KB number indeed references Windows 11, not Windows Server 2025.
Currently, we can see that approximately 7% of our customers have been impacted by this upgrade. To prevent further unintended upgrades, we have immediately blocked KB5044284 across all server group policies.
If you would like to address this patch on your servers, we recommend manually removing it or reaching out to our support team for assistance.
bdam55@reddit
FWIW, this was not Microsoft's fault. They published the update properly: https://www.reddit.com/r/sysadmin/comments/1gl6jsw/comment/lvyps27
I think you are also misunderstanding how KBs related to updates and the fact that there's ... unfortunately ... no actual source of truth for any of it.
This was a Feature Update released to the Windows Update channel (not the Update Catalog) that is properly classified as an Upgrade (Feature Update). As much crap as MS deserves for screwing up updates, this is one of the rare times where they are not to blame.
Lando_uk@reddit
I'm confused by your analysis, how did the KB5044284, which is a standard update for Win11/Server 24H2, even manage to get approved and installed on Server 2019 and 2022 clients?
If you ran KB5044284 on a Server 2022 manually, surely it would stop, saying it's the wrong OS. None of this makes any sense to me.
Clear_Key5135@reddit
KB5044284 is for the October CU for all os's on the current production branch of windows.
Lando_uk@reddit
No it isn't. The Oct CU for Server 2019 is KB5044277 and the Oct CU for Server 2022 is KB5044281.
Clear_Key5135@reddit
that is not the current production branch of windows
nont0xicentity@reddit
It happened outside of Heimdal so it is not limited to them and their analysis may be correct. Say you have KB5044285 meant to be able to upgrade 2019/2022 to 2025. But for some reason, MS labeled it as KB5044284 everywhere and made KB5044284 applicable to 2019 and 2022. Now you have a patch showing under KB5044284 that was never supposed to but since the installer is actually KB5044285, it can be installed on 2019/2022. For a simple explanation, download Teams, and rename it to OneDrive, it will install Teams because that is what is under the hood. If you check the catalog it has 3 entries, one being for server OS and from what I understand, that was never supposed to be there. The other 2 entries are for Win11 24H2 and last updated 10/8, whereas the server one was last updated 10/31, which is unusual. If you look at the KB, it only lists Windows 11 under the Applies To section.
Deadmeat5@reddit
Well, that is interesting and all BUT. Let's just check this out together:
https://www.catalog.update.microsoft.com/Search.aspx?q=KB5044284
This is what you are referring to, right? Heimdal and now you basically saying this KB should only show the two Windows11 rows. Is that right? That the Server entry there is wrong?
If so, how about this one:
https://www.catalog.update.microsoft.com/Search.aspx?q=KB5043080
This is last months patch. This one ALSO has three entries. Windows Server 2025 and Windows11. This one ALSO has two different "Last Update" dates.
So, what is the deal here? Was the September patch there also wrong to show up for non Windows11 systems? Was this also a Windows2025 upgrade package?
I am just as confused as Lando is. Nothing makes sense. It sounds like people say "KB5044284 is only for Windows11. It should have never shown up on Windows Server" when to me it looks more like "KB5044284 is supposed to show up on Windows Server as that holds the monthly update for October. But for some reason it not only shows up on Windows Server 2025 but also on Windows Server 2022 and that this binary is simply not just a regular update but more of an 'upgrade to 2025 and update' kind of thing"
Lando_uk@reddit
So if I downloaded and ran the msi of this KB5044284 manually on a 2019/2022 server, you think it would work and reboot into Server 2025? There would be no system check in place?
Fatboy40@reddit (OP)
Hi Andrei,
The real problem here is that from what I can see, and I know this is not Heimdal's fault, is that there's no way to "rollback" the upgrade to Windows Server 2025 unless you know otherwise?
We've now a selection of 2019 servers that we either need to bare metal restore, try to rebuild, or purchase 2025 licensing that we have not budgeted for.
So, do we now assume that Microsoft must be held liable for this mistake, and somehow hope that they provide a method to get back to Windows Server 2019? (which I'm assuming is not possible, and I've no doubt that they'll not own up to it and cover customers for the required 2025 server and CAL licensing).
Thank you.
dreieckli@reddit
As this is Microsoft's fault, I think they need to pay.
For your work to rollback (compensation for damage).
Or for the new license.
They should not get away with it
Andrei_Hinodache@reddit
You're spot on with your analysis - I hope our Founder doesn't kill me for quoting him, but "it's like upgrading a tesla OS and saying, now to drive your car, insert your credit card."
We're doing all that we can internally to see if anything can be done - even the roll-back is a b..... since it's a new version of the OS...
Narrow_Ruin@reddit
That sounds like a free upgrade customer satisfaction situation to me. To stick with that car analogy, there are all kinds of small issues that car companies fix under customer satisfaction that are not serious enough to be a recall, but fixing the problem for free helps keep a customer coming back. I am not saying this because I want some free upgrades, my employer already pays for on-going upgrades in an EA. I am saying that because it is the right thing to do.
randonamexyz@reddit
Do you know the relevant KB for Server 2019? Thanks
ajunne@reddit
While I appreciate the actual work done here, I stopped reading the post after the words "our Customer Success team".
SquashNo7817@reddit
The corporate is whole world of BS team titles.
Secret_Account07@reddit
As opposed to what?
Customer failure team?
sarkie@reddit
Don't be a twat
UseMstr_DropDatabase@reddit
Does it remain activated after the upgrade?
Fatboy40@reddit (OP)
Nope :(
CluelessPentester@reddit
Sorry, but this is kinda hilarious.
"Oh, here, let us upgrade your server to the newest version automatically! Oopsie, it looks like you don't have a license. Get fucked!"
How can a company be so out of touch with the real world
bdam55@reddit
FWIW, this was not Microsoft's fault. They published the update properly and it's the RMMs who goofed: https://www.reddit.com/r/sysadmin/comments/1gl6jsw/comment/lvyps27
This was a Feature Update released to the Windows Update channel (not the Update Catalog) that is properly classified as an Upgrade (Feature Update). As much crap as MS deserves for screwing up updates, this is one of the rare times where they are not to blame.
ourlastchancefortea@reddit
That's why Microsoft, like any responsible company, alpha tests their updates. They simply do it in production. YOUR production, not theirs. They aren't stupid.
ApprehensiveBowl5091@reddit
exactly what i've been saying for 20 years.
Every other release of windows is basically a beta test that we as consumers even pay for, then a year or two after they release a functional OS on the same premise/principle as the "beta"
Examples: Windows 2000/ME = It's a wonder I decided to make IT a career.
Windows XP = Good stuff
Windows Vista = Good lord...
Windows 7 = Good stuff
Windows 8 = ⛥ K̷͎̖̄̎Ǹ̷̹͎̠̌͌͑͘Ḛ̵͛̃͋̌͂E̶͔̰̜̓Ë̶͈͓L̵̯͑ ̸̥̬͕̹́͋B̴̺͖̞̙͐͊̅Ẻ̸̟̠̳̰̒͜F̴̣̪̫̔̋́̚͝Ŏ̵̢͖ͅŘ̸̘̀̋̍̊E̸̗̓̓̊̕ ̶̡̳͉̈́̂̄̕͝M̸͔̗̙͉͑Ȩ̶̗͓̺̺̀ ̶̛͈̎̍͘͝P̴̨̜̺̥͎͂͆Ẹ̵̛̜̗̳̐̓̓̄A̵̞̣͑S̵̙̦͆̇Á̴͓̒̋N̸̻̺̂̐Ţ̵͍̖͛̑͘S̵̹̩̘̮̃͋͌̃!̶͕͈̬̲͊̎̋ ⛥
Windows 10 = Back on track
Windows 11 = lEtS tRy SoMeThInG nEw!?!
Consumers: Are you asking or telling windows 11?
Windows 11 = I have no fecken clue boi!
renegadecanuck@reddit
The alternating thing does require you to blend 8/8.1 together, and ignore the initial launch of Windows 10.
Windows 10 was a big improvement over 8 and 8.1, but it was still a bit of a tire fire at first. There's a reason so many people held on to Windows 7 until it was ripped away from them (and there's still an entire subreddit of people using it, in affront to all that is secure and righteous).
fish312@reddit
What sub
Old-Olive-4233@reddit
XP was also pretty awful until at least SP1 and at the time I'm pretty sure I disliked it until SP2.
renegadecanuck@reddit
I also don't remember 2000 being particularly bad, but it also was already end of life when my career started, so my exposure to it has been limited.
BlackV@reddit
2000 was amazing
BlackV@reddit
it requires you "ignoring" quite a few things
autogyrophilia@reddit
This feels right but is wrong.
Windows ME was an attempt to modernize 95 with NT components, keeping the system on MS-DOS to try to keep it light. It didn't work well.
2000 (NT 5.0) did. Not without its issues because it's Windows software.
Windows XP was most of NT 5.0 released to the general public. Built upon 2000, as 2003
Windows Vista (NT 6.0) was poorly handled but it was always going to be painful as it was a huge overhaul with many changes that allow windows graphical session to be pretty secure (the graphical session, we are still dealing with NTLM1, never mind 3rd party apps...) we are talking features such as the protected screen, running the graphics in user mode and not in kernel mode... As well as improving the support for the modern graphics. Put this in perspective. It's what the Unix world is trying to do with Wayland and you see how that is going.
All other versions of Windows build on NT 6.0, with a disappointing lack of additions versus changes. With some of these changes being baffling resulting in Windows 8 in particular
Joe-Cool@reddit
2000 still only needed up to Service Pack 4 during almost 5 years compared to 6a+post 6a security rollup on NT4.
Windows ME was mostly software/hardware issues though. As an office machine a supported Compaq Armada 1500c had almost zero issues. It would run DOS games worse than Win98 and Windows programs worse than XP. And it would crash with many USB devices. But for just the right combination it'd run well. And faster than XP on that clunker (no EDO + a Celeron 300MHz).
baw3000@reddit
Windows 2000 was great, possibly even peak Microsoft. Windows ME was a shitshow.
MeanE@reddit
I used W2K until some small programs stopped supporting it even before it was EOL. Sad day.
BlackV@reddit
ditto, once things started moving to direct x, er.. 8? 10?, then I had to move cause me games stopped working
Electric_Ken@reddit
Exact, back in the days I renamed Windows ME, in French : "Windows Merdique Edition".....
ajicles@reddit
I was 6 years old when Windows 2000 came out.
RedShift9@reddit
Can you, idk, NOT say those kinds of things? For me 2003 is still 10 years ago.
ajicles@reddit
We are closer to 2040 than 2000. 1980 was 44 years ago
chaoslord@reddit
Friends I knew at the time working on ME called it "the dark time"
BlackV@reddit
ah the old "every 2nd release" fud, glosses over so many details to fit that pattern
Fantastic_Estate_303@reddit
Beta testing in production is the latest craze! Bonus points if you also do it on a Friday afternoon
hihcadore@reddit
You’re not living until you deploy untested changes to production.
matt95110@reddit
They’re out of touch because they stopped caring about what users want. Now they’ve stopped caring about what businesses want, which is where they make all of their money.
joeytwobastards@reddit
They only ever cared about what shareholders wanted.
bassgoonist@reddit
that's basically the definition of a publicly traded company existing in capitalism
joeytwobastards@reddit
Yes.
AlexIsPlaying@reddit
They want Azure right? Because we will shove this automatically on your server!
brother_yam@reddit
This is straight up Mafia shit right here
BloodyIron@reddit
Because we as a collective industry do not push back enough on application vendors demanding they offer support for alternatives like Linux.
We need to ring the bell loudly that this is not okay and that we need app vendors to do better.
Japjer@reddit
I imagine, if this is found to truly be a fuck up on Microsoft's end, a class action lawsuit will get you refunded if you end up buying a license.
It'd be pretty fucked up if they automatically upgrade you and force you to purchase a new license.
lordcochise@reddit
I can totally believe MS wants to deliver server upgrade paths as they do on clients, but if it's not a free update for 2022 installations GOOD GOD who approved this without any kind of licensing warning
Bazstad@reddit
No - you need a new license
skipITjob@reddit
Activated and licensed are two different things. It's the license Microsoft cares about...
Remarkable_Cook_5100@reddit
In this case it is neither activated nor licensed after the 2025 upgrade.
Hi_Kate@reddit
Unless you use licencing channel which lets you upgrade, like with SA or SPLA. Then it is licenced, but not activated.
skipITjob@reddit
Woohoo!
TNTGav@reddit
We are tracking this elsewhere - the running *theory* at the moment is https://www.catalog.update.microsoft.com/Search.aspx?q=KB5044284 this, published as a security update, is actually an update to 2025. Not validated yet.
0h_P1ease@reddit
Dude what is going on here? how could THAT possibly slip by? wow MS. wow!
bdam55@reddit
FWIW, it wasn't classified as a security update: https://www.reddit.com/r/sysadmin/comments/1gl6jsw/comment/lvyps27
This was a Feature Update released to the Windows Update channel (not the Update Catalog) that is properly classified as an Upgrade (Feature Update). As much crap as MS deserves for screwing up updates, this is one of the rare times where they are not to blame.
Fatboy40@reddit (OP)
I think this may be the smoking gun, and if it is then this is terrible! (and thank you for adding your helpful reply).
I can see that KB 5044284 was the only update installed onto servers recently that's not a Defender definition, so it must be this. In our Heimdal patch management system client it lists this KB under the category "Upgrades", not under "Security Updates" or "Update Rollups", so something stinks here.
bdam55@reddit
FWIW, the smoking gun is here: https://www.reddit.com/r/sysadmin/comments/1gl6jsw/comment/lvyps27
This was a Feature Update released to the Windows Update channel (not the Update Catalog) that is properly classified as an Upgrade (Feature Update). As much crap as MS deserves for screwing up updates, this is one of the rare times where they are not to blame.
CircuitSprinter@reddit
What’s interesting is my WSUS environment doesn’t even have KB5044284 in its catalog for Server OS, only for Win10.
yukee2018@reddit
I can not find it either, I am checking now Azure update manager if anything got installed there, but it does not seem like it.
bdam55@reddit
There's another layer here that I think could add some clarity for anyone else reading along.
Always important to remember that KB articles (ex. KB5044284) are just that: knowledge base articles. Their relationship to actual updates isn't always straight-forward. This is further complicated by the fact that there's multiple update streams (WSUS/WU/Catalog/Offline-Catalog) that contain different sets of updates.
The server update listed in the catalog that u/TNTGav points to is almost certainly not a FU, that's almost certainly exactly what it says: the monthly cumulative update for the 24H2 server release.
MS has _also_ started publishing to WU/WSUS FUs that are updated with the latest monthly CU. These FUs will, appropriately, be given the same KB as their CU counterparts. I don't believe these monthly updated FUs are published to the catalog though, which is why they don't appear in the search above.
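The distinction drawn in the comment above, that a KB number names an article while the update's classification says what will be installed, can be checked on a host. This PowerShell script is an added example, not code from the thread or from any vendor: the function names and the sample records are constructed for illustration, and the two classification GUIDs are the standard Windows Update identifiers for "Upgrades" and "Security Updates".

```powershell
# Added example; sample data is constructed. Run without arguments to use the
# sample, or with -Live on a Windows host to query the Windows Update Agent.
param([switch] $Live)

# Classification GUID Windows Update assigns to "Upgrades" (feature updates).
$UpgradeClassificationId = '3689bdc8-b205-4af4-8d4a-a63924c5e9d5'

function ConvertTo-UpdateRecord {
    # Flatten one WUA IUpdate (or a constructed stand-in) into a plain record.
    param([Parameter(Mandatory)] $Update)

    $classes  = @($Update.Categories | Where-Object { $_.Type -eq 'UpdateClassification' })
    $products = @($Update.Categories | Where-Object { $_.Type -eq 'Product' })

    [pscustomobject]@{
        KB             = (@($Update.KBArticleIDs) | ForEach-Object { "KB$_" }) -join ','
        Title          = $Update.Title
        Classification = ($classes.Name -join ',')
        Product        = ($products.Name -join ',')
        UpdateId       = $Update.Identity.UpdateID
        # Decide on the classification GUID, never on the KB number or title.
        IsUpgrade      = [bool]($classes | Where-Object { $_.CategoryID -eq $UpgradeClassificationId })
    }
}

function Get-OfferedUpdate {
    # Ask the local Windows Update Agent what is applicable and not installed.
    # ServerSelection: 0 = machine default (WSUS if configured), 2 = Windows Update.
    param([ValidateSet(0, 2)] [int] $ServerSelection = 0)

    $session  = New-Object -ComObject Microsoft.Update.Session
    $searcher = $session.CreateUpdateSearcher()
    $searcher.ServerSelection = $ServerSelection
    $result = $searcher.Search("IsInstalled=0 and Type='Software'")
    foreach ($u in $result.Updates) { ConvertTo-UpdateRecord -Update $u }
}

function New-SampleUpdate {
    # Constructed stand-in with the same property names ConvertTo-UpdateRecord reads.
    param($Kb, $Title, $ClassName, $ClassId, $Product, $UpdateId)
    [pscustomobject]@{
        Title        = $Title
        KBArticleIDs = @($Kb)
        Identity     = [pscustomobject]@{ UpdateID = $UpdateId }
        Categories   = @(
            [pscustomobject]@{ Type = 'UpdateClassification'; Name = $ClassName; CategoryID = $ClassId }
            [pscustomobject]@{ Type = 'Product'; Name = $Product; CategoryID = 'constructed' }
        )
    }
}

# Constructed sample: two different updates sharing one KB number.
# Titles and UpdateIDs are placeholders, not real catalog entries.
$sample = @(
    New-SampleUpdate -Kb '5044284' -Title 'Sample cumulative update (constructed)' `
        -ClassName 'Security Updates' -ClassId '0fa1201d-4330-4fa8-8ae9-b877473b6441' `
        -Product 'Microsoft Server Operating System-24H2' `
        -UpdateId '00000000-0000-0000-0000-000000000001'
    New-SampleUpdate -Kb '5044284' -Title 'Sample feature update (constructed)' `
        -ClassName 'Upgrades' -ClassId $UpgradeClassificationId `
        -Product 'Microsoft Server Operating System-24H2' `
        -UpdateId '00000000-0000-0000-0000-000000000002'
)

$records = @(
    if ($Live) { Get-OfferedUpdate }
    else       { $sample | ForEach-Object { ConvertTo-UpdateRecord -Update $_ } }
)

$records | Format-Table KB, Classification, Product, IsUpgrade -AutoSize

# A KB number that maps to several distinct updates is ambiguous as a policy key.
$records | Group-Object KB | Where-Object Count -gt 1 | ForEach-Object {
    Write-Warning "$($_.Name) matches $($_.Count) distinct updates; do not approve or block by KB alone."
}

# Anything classified as an Upgrade should go through change control, not auto-approval.
$records | Where-Object IsUpgrade | ForEach-Object {
    Write-Warning "Feature update offered: $($_.Title) [$($_.UpdateId)]"
}
```

With the sample data the script reports one KB number covering two updates and flags only the one classified as Upgrades; with `-Live` it applies the same check to whatever the host is actually being offered.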
TNTGav@reddit
Still not verified but we are seeing certain Server 2022 (seemingly 21h2 versions of 2022) see this as a Security Update and others (24h2) list it as a Feature Update.
Mackerdaymia@reddit
Can confirm. Running Server 2022 21H2 and only seeing it as a Security Update for Win11 24H2. Nothing about a Server 2022 Feature Update.
u/OP - Is your WSUS Server on 24H2?
Fatboy40@reddit (OP)
I think I've enough evidence now to know that our third-party patch management tool, Heimdal, is classing it as an "Operating System Update" and triggered the update to be pushed to our servers based upon its policies.
So a lesson for me / my employer is to go through Heimdal top to bottom and refine any and all Server update policies.
Also the upgraded server were on 21H2.
ratman99uk@reddit
Heimdal settings to block on servers
https://i.imgur.com/Fp2YO4p.png
ESXI8@reddit
How do I setup this glorious program??
Fatboy40@reddit (OP)
I added it as an exclusion about 30 minutes ago in Heimdal.
I'm now struggling to see how in Heimdal we can be a little more granular in approving updates, but it looks like it may be only "on" or "off"? :(
ratman99uk@reddit
we use one policy for servers and one for workstations. I've only blocked it on the server one for now
PCRefurbrAbq@reddit
Wait, there's a Windows Server 2025, version 21H2 in existence?
Yikes.
nascentt@reddit
You should update your main post with this info
Fatboy40@reddit (OP)
Done.
ratman99uk@reddit
I can't find KB5044284 in our Heimdal console. is it listed as that in yours?
ratman99uk@reddit
to answer my own question, it doesn't have the KB at the start, it's just 5044284
DeejayCa@reddit
I see KB5044281 just installed on my Server 2022 LTS 21H2, not the KB5044284 so I quickly went and blocked KB5044284 across my Syncro patch management software for server policies just in case.
lordcochise@reddit
We're up to date on all our Server 2022 patching (WSUS server is also 2022), absolutely no sign of a 2025 upgrade, nor have the 2024-10 cumulatives caused any issues, BUT when 'checking online for updates' guess what DOES appear:
annatarlg@reddit
Came here to post this….its just an update, click!
dustojnikhummer@reddit
Okay, stupid question. Are you saying that there is a version of Server22 that is build number 24H2? I thought 24H2 was Server 25? That Windows Servers stayed on their major releases, ie Server19 was 1909?
TNTGav@reddit
No sorry it was poor initial wording. 24H2 is 2025.
dustojnikhummer@reddit
Okay thanks, I was confused. Everything 2022 I could check was 21h2
neko_whippet@reddit
How do you know if your 2022 is a 21h2 or 24h2?
24h2 is pretty new so it must be windows 2022 that’s been installed not long ago ?
CircuitSprinter@reddit
Go to Settings, System, About. Towards the bottom you’ll see Version info.
neko_whippet@reddit
Ok thanks but 24h2 is pretty recent build no?
I thought servers couldn’t upgrade build number like that unless you install a new OS version
So could you go from windows 2022 21h2 to 24h2 just from windows update or you need a specific windows 22 iso to get 24h2 build ?
CircuitSprinter@reddit
I’m under the assumption that 24H2 is the version for 2025 LTSC. That’s what this thread is meant to investigate, what update causes this to happen
lordcochise@reddit
I believe that is the case; you can get physical ISOs for Server 2025 std/dc as of this week now and their version will be essentially 24H2. I don't see anything in WSUS yet that would look like 'Server 2025 hotpatch category' but 'Microsoft Server operating system, version 24H2' have been for several weeks and would apply here.
neko_whippet@reddit
So it could happen on any version of 2022 then
what-the-puck@reddit
Yes I'd say so. If you run the 2025 upgrade you're going to get 2025
Lukage@reddit
To simply address the question, the 2*H2 builds on Server OS can't be upgraded from one to the next any more. You'd have to deploy a new ISO. That said, they all get the same updates.
mistakesmade2024@reddit
Or just type 'winver' in a cmdline or the start menu. :-)
Fatboy40@reddit (OP)
Or run "winver".
dagamore12@reddit
Winver should still work on svr22, don't have at home so can't test it, but it works on my 2019, it reports your version.
TNTGav@reddit
Update -> Take the 24h2 part of this with a grain of salt
dustojnikhummer@reddit
24H2 Server 2022? What?
ajicles@reddit
It won't install until you accept and license it.
ajicles@reddit
Just going to send it.
ajicles@reddit
Upgraded no problem.
nsfwhola@reddit
does the upgrade remain activated after a restart? did you buy a win server 2025 key?
ajicles@reddit
Lol no. There is no upgrade rights unless you have software assurance.
Deadmeat5@reddit
Okay. BUT, let's assume this is an upgrade package. Check out the Column "Products" on the page you linked. It says "Microsoft Server Operating System-24H2"
That is MS Speak for "Windows Server 2025", is it not?
So, the real question then should be, why is this KB showing up as a missing patch on Windows Server 2022 systems?
As others have pointed out, the correct October patch for Windows Server 2022 is KB5044281. Why would the KB5044284 show up for Windows Server 2022? As far as I know, the MS Speak for that System is "Microsoft Server Operating System-22H2"
Xetrill@reddit
Just ran wumgr on a Server 2022 VM right now. It reported KB5044284 with category "Upgrades" and curiously and likely incorrectly, it also says it's a 180 GB download.
pivotman319@reddit
That 180 GB estimate is the entire size of every installable component and language combination MS published onto Windows Update infrastructure for WS2025 upgrades + Server Insider flights, including base OS images.
digitaltransmutation@reddit
The 180GB estimate appears for a lot of routine updates, you can't really rely on that.
PianistIcy7445@reddit
Interesting NG, was using pswindowsupdate until recently
ParticularAccount894@reddit
I think we may have another update to look at. After installing KB504428 you get the option to install 2025
but it does not auto install. Does the KB5044284 Auto install?
mancmagic@reddit
My worry with this is, is that just going to sit there for the next few years? Ie just waiting for somebody to accidentally click it if doing manual updates etc.
EveningFig7820@reddit
there's another warning after this screen, so unless you have a seizure and just start spaz clicking everywhere, you should be ok
Bazstad@reddit
I spaz clicked, luckily it was a test VM.
mancmagic@reddit
Ah that's good. Was just imagining one of those tired afternoons clicking through before a dreaded "shit, what have I just done" moments before the server goes offline.
SoonerMedic72@reddit
manual reboot script, run on one machine, go. {panic rising as you see hundreds of targeted machines} NOOOOO!!!!!
EncomCEO@reddit
Anyone got the relevant GPO to prevent this from being able to happen?
Gummyrabbit@reddit
I think I'll call in sick....
Fersww@reddit
Same here ..
babywhiz@reddit
On our servers, it's just a separate option to Download and Update.
sccmjd@reddit
Also seeing that here.
vanillatom@reddit
Same here
Enxer@reddit
Wow. Just wow
krodders@reddit
We're looking at the method that we used to block Windows 11.
Would be something like this:
HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\TargetReleaseVersion set to DWORD value: 1
HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\TargetReleaseVersionInfo set to STRING value: 2022
Is there anyone that can test and confirm?
RikiWardOG@reddit
HAHA jfc that's wild. Reminds me, why in the world does Mac manage to always fuck up their OS updates. We block them with Jamf but it never works 100%, there's always a dozen machines or so that get the update and ofc it's execs that end up being our pilot users.
After_Working@reddit
Have Ninja blocked that update from rolling out for the time being?
Lukage@reddit
That would be up to you to manage it. They don't choose what you apply.
After_Working@reddit
Fair enough, I just wondered if one update certainly is known to cause an issue like this, I wondered if they step in and hold it back.
nont0xicentity@reddit
They are using Windows Update API via the machine, they don't have a catalog on their own to pull patches, so it sees what the machine sees. ATM blocking feature updates shows it blocked on our 2022 21H2 systems, but I have some that don't see it and need a reboot, so hopefully it shows blocked there as well.
bm74@reddit
No - I've just selectively blocked it - even though we're not running 2019. Ninja have put a yellow warning at the top of all their pages with instructions etc.
TNTGav@reddit
u/Fatboy40 We have still not verified yet that this is listed as a security update and it possibly could JUST be an Optional Feature Update. If you could update the main post that would be great.
Fatboy40@reddit (OP)
I've removed your name from my update to "protect the innocent" ;) (and altered the text)
nsfwhola@reddit
strange
DoctorETrill@reddit
8AM
FrancescoMasala@reddit
I had this problem even on windows server 2019!
External_Gain2380@reddit
It's reasons like these where I have blocked all URLs to Download Windows Updates. This way nothing network wide can check for download or install updates. WSUS can deploy them.
PhantomWang@reddit
I'm also worried about this because our servers are managed by Azure Update Manager and I noticed this evening they're starting to show Server 2025 as a pending update. Luckily it appears the current classification for it is "Unsupported" so I don't believe it will automatically install, but at this point I have to actively monitor it because I can't trust Microsoft.
Electrical_Arm7411@reddit
Make sure you exclude the KB ID in each of your maintenance configurations in Azure Update Manager.
maikel87@reddit
Just checking, we sure this is the correct way of excluding the update? or should it just be only "5044284"
Electrical_Arm7411@reddit
I just did the KB5044284; my servers do not show it as a pending update on AUM. Probably doesn't hurt to do it both ways just in case? Not 100%.
severnd@reddit
ok, seen an issue with 2 Dell T30 servers that are non-bootable after the "upgrade".
also; servers running Hyper-V; in 50% of cases so far, the VMs are not bootable - error connecting to the storage. I guess it's permissions but not had chance to dig around - the "fix" is to remove Hyper-V, reboot; reinstall Hyper-V, reboot and should be good.
Any server that was using LBFOAdmin for NIC Teaming will have an issue; you will need to use SET TEAM to create that team: example: New-VMSwitch -Name "SET Team" -NetAdapterName "NIC1","NIC2"
Also; anyone using ThinStuff; make sure you have installed the latest patch otherwise only a few people can login - so update; reboot and should be ok.
Darkk_Knight@reddit
As Biff said in Back To The Future, "There's something very familiar about all this" with third party controlled systems like Crowdstrike.
Now this isn't Heimdal's fault or any other 3rd party patching system that Microsoft screwed up the classification of update instead of upgrade. It begs the question why you let it update it so early vs wait a few days to shake out the bugs?
Substantial-Reach986@reddit
A handful of our servers got upgraded, including our Veeam server. Thankfully, none of the Veeam services seemed particularly bothered by the unexpected in-place upgrade, so we could quickly restore the single mission-critical server that got completely borked by the upgrade.
What an absolute shitshow.
Fatboy40@reddit (OP)
I feel your pain.
How are you dealing with licensing for what's being left on 2025? (or maybe you're planning on moving them back to their previous state when you have the time?).
Substantial-Reach986@reddit
We're fortunate enough to have a volume license agreement for Windows Server Datacenter, that, as I understand it, works as a subscription license that covers unlimited Windows Server VMs on all our servers. This also means that as long as we keep paying the yearly bill, we are allowed to use any supported version of Windows Server on licensed hardware. I might be butchering this as I don't normally deal with or understand licensing terms, but that is how it practically has worked for the last 5 or so years I've worked here.
The problem was just that, we had not prepared for this. We had not checked that everyone could access our Windows Server 2025 MAK keys, and we had no automation or AD activation in place. And of course it turned out that something was fucked with regards to who could see our 2025 MAK keys.
After a lot of panic it turned out that there was one, single person who could see our (paid for!) 2025 MAK keys, and that was my manager. He doesn't know why no-one else sees it, our reseller rep doesn't know, Microsoft probably doesn't know either. But our manager, after finding the blessed MAK key, manually installed it on all our unexpected 2025 servers. So now we're good. And I'm cashing out time off and am currently pretty drunk.
CyberCrud@reddit
If you're in IT and not running your own WSUS server to approve and deny updates, then you're really just a glorified Best Buy employee.
severnd@reddit
umm, FYI; WSUS has been deprecated. https://techcommunity.microsoft.com/blog/windows-itpro-blog/windows-server-update-services-wsus-deprecation/4250436
BlackV@reddit
Deprecated does not mean do not use or unsupported, it means no changes going forward
CyberCrud@reddit
Umm, still works to block and approve updates. Guess who didn't have this problem today? My enterprise.
nont0xicentity@reddit
We are an MSP and I use an RMM and had previously blocked this KB, so no issue here. Same results, different tool, doesn't mean I'm a BB employee. What an uneducated comment.
OinkyConfidence@reddit
Quiet, Best Buy; Circuit City is talking ;P
nont0xicentity@reddit
:D Would have had more credibility if the guy said use Windows Update for Business or else, but he chose WSUS...
CyberCrud@reddit
WSUS worked to block this update. 🤔
How can it be?!? 🙄
nont0xicentity@reddit
Because you can use multiple tools to achieve the same results, doesn't mean one is inferior to the other, so to try and call everyone out for not using a deprecated tool is wild. Most tools out there can block by KB and be effective.
In certain environments, high security is required, which means companies have to patch ASAP to stay compliant. This is generally not an issue on servers but since MS classified this as a security update for certain versions, this either got auto-approved or was manually approved after seeing it was a security update. Not every OS version showed it was a Feature Update.
Keep in mind, this is not Patch Tuesday, so it was released OOB, and Server has not seen a patch that can upgrade major versions before, surprise! As I said though, no issues here, it was previously blocked for other reasons (Same KB as Win 11 24H2 upgrade) and we patch on a delay.
You kind of missed the point of this thread, wasn't about the tool that's being used, this was about Microsoft's antics, this is much broader than what is in your environment.
CyberCrud@reddit
And yet you're trying to belittle me for what is in my environment... which worked flawlessly btw. Okay.
CyberCrud@reddit
You had the problem, but I'm the uneducated one. Okay...
nont0xicentity@reddit
And can't read either, as I said "no issue here"...
CyberCrud@reddit
Can you point me to the car stereo section, young man?
Training-Swan-6379@reddit
I use a third-party utility to prevent windows from updating
BlackV@reddit
I mean this was caused by the specific 3rd party, but OK
Lando_uk@reddit
ok, so this is a Heimdal issue not a general WU issue everyone should be aware of?
nont0xicentity@reddit
No, you should be aware because other tools see it as varying things, some as Security Updates, some as Feature Updates, and other classifications. In Ninja, it is showing up as a Feature Update on our 2019 and 2022. If someone had Feature Updates auto approved, it would upgrade. I had globally blocked it because it is also the same KB that upgrades Windows 11 to 24H2 and we're staying away from that for a while.
ChrisDnz82@reddit
Even as a Feature Update it will still catch a lot out who will think it's just going up another version of 2022 and not actually 22 to 25. This happened to so many people with Win 10 to Win 11 when MSFT recently made that upgrade exactly the same as the normal FU
Lando_uk@reddit
Correct me if I’m wrong but server OSs stay on the same version for their lifespan, there aren’t two different versions of 2022 for example ?
ChrisDnz82@reddit
Sorry I didn't catch this yest, the build versions change with new upgrades, build versions will impact the patches that are installed and detected as needed. Often causing confusion. A lot will update the build of an OS then can't find the KB number of the patch, that's because once on that build it doesn't show the patch, it only shows the patches that are installed or needed on that new build
nont0xicentity@reddit
Luckily, we had rejected the KB to prevent Windows 11 from upgrading to 24H2 (why use the same KB?!), but we did go through the 10 to 11 upgrade by accident. Luckily all worked out, but this is much worse. MS also released the October patch for Windows 11 22H2 and 21H2 which automatically upgrades them to 23H2. I'm seeing a bad pattern here...
OinkyConfidence@reddit
Have a screenshot of your WSUS setting (if you use it) ?
ChrisDnz82@reddit
yeah, they reuse/use the same KB a lot, more than most will be aware of. It's the underlying GUID that changes and again that can catch a lot out depending on how they block them
Lando_uk@reddit
But why would a Win11/2025 update show up as any sort of update for 2019/2022?
On WSUS that KB5044284 shows as not applicable to any of 2019/2022 servers. How come WSUS and WU work fine with the update but 3rd Party tools are having trouble?
VinzentValentyn@reddit
It shows as available for server OS 2019 and up.
Whether it installs or not is down to your policy. It's not a Heimdal issue
Fatboy40@reddit (OP)
I wouldn't be so sure of that as there's enough doubt / lack of clarity in that it could also affect other RMM tools.
jeetah@reddit
So what I've gathered from this, is that this unintended upgrade is only occurring when using Heimdal. That's something that should really be mentioned close to the top or in the title.
raffey_goode@reddit
if we are using SCCM and WSUS is there any action we need to take?
RCTID1975@reddit
Just don't blindly auto approve any patches like good policy dictates and you're fine.
Capital-Insurance581@reddit
https://www.catalog.update.microsoft.com/Search.aspx?q=KB5044284 Microsoft still has this KB also for server. You can still see this at this manual download page.
mahsab@reddit
So this settles the "upgrade vs migrate" debate
raiksaa@reddit
Spilled my fucking coffee thank you
spittlbm@reddit
Definitely does not 🙂
andrea_ci@reddit
hahaahah
techosarusrex@reddit
My lab environment somehow had the upgrade target gpo set as 24H2, not once did I set anything like that up.
That might be why.
tehcheez@reddit
So we didn't update to 2025, but I can confirm the 4 2022 VMs I have updated this morning (not automatically, that's just the update schedule we have) and now have an option under Windows Update to update to 2025. Have never seen that until today.
horamon@reddit
Are you also using Heimdal? Some of our customers running Windows Server VMs reported the same but we've been unable to reproduce the issue internally on fresh or existing installations (we don't use Heimdal ourselves).
spittlbm@reddit
Confirmed. Just did a manual "check for new updates" and the upgrade option appeared.
AdWerd1981@reddit
Had the option in Windows Updates on a 2022 VM yesterday, but today that option has vanished. I'll check my other VMs to see if it's the same, but it feels like M$ pulled the feature update part.
ChrisDnz82@reddit
I’m not convinced this is solely a Microsoft issue, aside from the fact that they’ve made the patching process incredibly confusing for most users.
For one, KB numbers are not unique—they’re often reused across different types of patches. One unique identifier is the GUID, which most people don’t see but is included in the metadata used by patching engines. When searching for a KB in the Microsoft catalog, it’s common to expect a full OS upgrade or Feature Update but instead find a Cumulative Update (CU). This reuse of KBs across different operating systems has become standard practice.
Microsoft has also been presenting upgrades to new OS versions under the guise of standard Feature Updates for the current OS.
For example, Windows 10 devices receive 23H2 or 24H2 Feature Updates (FUs) for both Windows 10 and Windows 11, all using the same KB number as the latest CU. If you install the Windows 10 update, you get the latest version of Windows 10; if you install the Windows 11 update, it upgrades you to Windows 11. These patches look nearly identical, with the only distinction being a reference to "10" or "11" in the title. As a result, they often pass through approval systems automatically unless specific keywords, aside from the KB number, are used. Many admins auto-decline upgrades initially and then re-evaluate later for this very reason.
You might wonder why the Feature Update has a KB number when online sources often say they don’t. The explanation is that the WUA API assigns a KB number to Feature Updates, and WSUS also packages Feature Updates with a KB. As previously mentioned, the KB number aligns with the latest CU.
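Added example (not part of any comment in this thread, and not Microsoft's or any RMM vendor's code): a PowerShell audit of what the local Windows Update Agent is offering, listing each update's KB number next to its update GUID and categories, because the KB alone does not identify a package. The function names are hypothetical; the watched KB 5044284 and the "Upgrades" category name are taken from this thread, and whether the 2025 upgrade shows up in the result depends on the update source the server is configured to use.

```powershell
# Added example: list what the Windows Update Agent (WUA) is offering on this
# machine, keyed by update GUID rather than by KB number alone.
# Assumptions: run locally on the server; function names are hypothetical.

function Get-OfferedUpdateIdentity {
    [CmdletBinding()]
    param(
        # KB numbers as WUA reports them: digits only, no "KB" prefix.
        [string[]]$WatchKb = @('5044284'),
        # Category names that indicate an OS upgrade rather than a patch.
        [string[]]$WatchCategory = @('Upgrades')
    )

    $session  = New-Object -ComObject Microsoft.Update.Session
    $searcher = $session.CreateUpdateSearcher()
    # Updates that are applicable to this machine and not yet installed.
    $result   = $searcher.Search('IsInstalled=0')

    foreach ($update in $result.Updates) {
        $kbs        = @($update.KBArticleIDs)
        $categories = @($update.Categories | ForEach-Object { $_.Name })

        # Tolerate a stray "KB" prefix when comparing against the watch list.
        $kbHit  = @($kbs | Where-Object { $WatchKb -contains ($_ -replace '^KB', '') })
        $catHit = @($categories | Where-Object { $WatchCategory -contains $_ })

        [pscustomobject]@{
            Flagged    = ($kbHit.Count -gt 0) -or ($catHit.Count -gt 0)
            KB         = $kbs -join ','
            UpdateId   = $update.Identity.UpdateID        # the GUID
            Revision   = $update.Identity.RevisionNumber
            Categories = $categories -join '; '
            IsHidden   = $update.IsHidden
            Title      = $update.Title
        }
    }
}

function Get-ReusedKb {
    # From the audit output, return KB numbers that map to more than one GUID,
    # i.e. cases where blocking or approving "by KB" is ambiguous.
    param([Parameter(Mandatory)][object[]]$Offered)

    $Offered |
        Where-Object { $_.KB } |
        Group-Object -Property KB |
        ForEach-Object {
            $ids = @($_.Group.UpdateId | Sort-Object -Unique)
            if ($ids.Count -gt 1) {
                [pscustomobject]@{ KB = $_.Name; UpdateIds = $ids }
            }
        }
}

$offered = @(Get-OfferedUpdateIdentity)
$offered | Sort-Object Flagged -Descending |
    Format-Table Flagged, KB, UpdateId, Categories, Title -AutoSize -Wrap

$reused = @(Get-ReusedKb -Offered $offered)
if ($reused.Count -gt 0) {
    Write-Warning 'These KB numbers are offered under more than one update GUID:'
    $reused | Format-List
}
```

Rows with Flagged set to True are the ones to check against the approval rules of whatever patching tool sits on top of the same API.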
thecalstanley@reddit
Had the option on a test VM yesterday, the option to upgrade to Server 2025 has now gone. Odd.
aowdnmp@reddit
same here, I guess MS has fixed something...
ChrisDnz82@reddit
I don't believe this is a MSFT issue other than it might catch some people out that you can upgrade from 2022 to 2025. KBs are not unique, they are re-used all the time. KBs for the latest CU and latest FU are also shared, the FU changes monthly in line with the CU. Searching the KB and finding a CU in the catalogue is normal, that doesn't mean it wasn't also the KB number for an FU "Upgrade". What's really going to catch people out is those that auto approve upgrades without any keyword filtering, who will assume it's like the old service packs.
As far as I can tell only Heimdal have this issue, none of the RMM tools I'm in sync with seem to have it including our own
cuddlyclara@reddit
On my German Windows Server 2022 21H2 there is no button to upgrade. All updates including KB5044281 are installed. But I can't see the KB5044284 update.
VRDRF@reddit
Not seeing anything weird on our side, the KB article is not even required by any servers in SCCM.
greenstarthree@reddit
I knew I made the right decision to stick with WSUS for server patching for now and not go with 3rd party solutions.
Might be the only opportunity I get to say that.
mrfame@reddit
WSUS can’t ever be the right decision to anything. It is a clusterfuck of overcomplicated decisions and low quality code that barely does what it says it does.
God I hate it with a passion.
/rant
terrybradford@reddit
We don't have that issue when rocking 2003 server - someone before who I dismissed as an idiot clearly saw this coming 👏
aowdnmp@reddit
Yesterday it was shown also on my 2019/2022 servers.. this morning I ran a check for updates again and it disappeared... maybe MS fixed something...
konikpk@reddit
So as I read, it's a Heimdal problem. We have MECM + WSUS and no servers updating.
KB5044284 is not required in any of 2022 servers.
Odd_Letterhead9371@reddit
RemindMe! 2 days
CptCptLuxx@reddit
Just make a gpo (windows update for business), target version 21H2 and the update is no longer offered to any Server
Odd_Letterhead9371@reddit
I'm using RMM for patch management and am curious whether it will suppress the misclassified update if we apply the GPO.
ITStril@reddit
I can confirm: GPO with target version 1809 for Windows 2019 and 21H2 for Windows 2022 seems to suppress the upgrade notification
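Added example (not part of any comment in this thread): a PowerShell sketch that writes the two policy values discussed above, TargetReleaseVersion and TargetReleaseVersionInfo, pinning a server to the release it is already running. It only accepts the two pins reported here as working (1809 and 21H2) and refuses to touch a host that is on any other release, for example one that has already been upgraded. The function name is hypothetical.

```powershell
# Added example: pin a server to its current release via the Windows Update
# policy key. Function name is hypothetical; writing to HKLM needs elevation.

function Set-ServerTargetRelease {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        # Pins reported in this thread: Server 2019 -> 1809, Server 2022 -> 21H2.
        [string[]]$AllowedRelease = @('1809', '21H2')
    )

    $os = Get-CimInstance -ClassName Win32_OperatingSystem
    # ProductType 1 = workstation, 2 = domain controller, 3 = member server.
    if ($os.ProductType -eq 1) {
        throw "Workstation OS detected ($($os.Caption)); not applying a server pin."
    }

    # Newer builds expose DisplayVersion (e.g. 21H2); older ones only have
    # ReleaseId (e.g. 1809), so fall back to it.
    $cv = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'
    $current = if ($cv.DisplayVersion) { $cv.DisplayVersion } else { $cv.ReleaseId }

    if ($AllowedRelease -notcontains $current) {
        throw "Running release '$current' is not one of: $($AllowedRelease -join ', '). Nothing changed."
    }

    $policy = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
    $action = "Set TargetReleaseVersion=1 and TargetReleaseVersionInfo=$current"

    if ($PSCmdlet.ShouldProcess($policy, $action)) {
        if (-not (Test-Path -Path $policy)) {
            New-Item -Path $policy -Force | Out-Null
        }
        New-ItemProperty -Path $policy -Name 'TargetReleaseVersion' `
            -PropertyType DWord -Value 1 -Force | Out-Null
        New-ItemProperty -Path $policy -Name 'TargetReleaseVersionInfo' `
            -PropertyType String -Value $current -Force | Out-Null
    }

    # Report what is configured now (under -WhatIf this is the existing state).
    $set = Get-ItemProperty -Path $policy -ErrorAction SilentlyContinue
    [pscustomobject]@{
        Computer                 = $env:COMPUTERNAME
        OS                       = $os.Caption
        RunningRelease           = $current
        TargetReleaseVersion     = $set.TargetReleaseVersion
        TargetReleaseVersionInfo = $set.TargetReleaseVersionInfo
    }
}

# Dry run first; drop -WhatIf to write the values.
Set-ServerTargetRelease -WhatIf
```

A domain GPO that sets the same policy will overwrite locally written values at the next policy refresh, so on domain-joined servers the GPO is the place to make the change.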
cubic_sq@reddit
So far the only servers we have that presented the win2025 update are 2 recently deployed 2019 servers in azure. Even then, they presented as optional updates yesterday.
This morning both servers don’t show 2025 as an available optional update at all.
Both servers only have update management as deployed and managed by azure.
brink668@reddit
Yes 2025 can be upgraded via Windows Update just like workstations now
Fatboy40@reddit (OP)
Thank you.
So you'd be leaning more towards Windows Update having instigated the in-place upgrade than the third-party tool? (or I suppose the third-party tool may have just instantly pushed it out).
It looks like we need to understand where the logs are for Windows Update and why the update was triggered so soon with 2025 being only available for a few days.
Sufficient-West-5456@reddit
Just restore then man
brink668@reddit
WSUS or Windows Update appears to allow it
zz9plural@reddit
WTF? Even my DCs are offering inplace upgrades to 2025. Are inplace upgrades of DCs supported now?
_theonlynomiss_@reddit
Yes it's kind of supported. The domain forest will remain without the 2025 features until every DC is updated
_theonlynomiss_@reddit
Most importantly here is: MS ALLOWS(!) the upgrade but doesn't support it
NoSelf5869@reddit
https://learn.microsoft.com/en-us/windows-server/identity/ad-ds/deploy/upgrade-domain-controllers#prerequisites
In my understanding, in-place upgrade of DCs has been supported, but not recommended, for a long time.
zz9plural@reddit
Thanks, I actually did read that article and remember being annoyed by the typical vague language of MS documentation.
The article mentions that inplace upgrades (may, or do always?) need manual preparations, which in this case would mean what exactly?
DCs not getting automagically upgraded because conditions aren't met, or (given MSs track records definitely a possibility) DCs trying to upgrade anyways and messing up AD?
NoSelf5869@reddit
https://learn.microsoft.com/en-us/windows-server/identity/ad-ds/deploy/upgrade-domain-controllers#adprep---forestprep-and-domainprep
Please read the link carefully, it's written there.
zz9plural@reddit
I did, and I may be blind, but where exactly do they say what happens if you don't run the preparations?
dcdiagfix@reddit
then you can't update... domainprep and forestprep are required for the first DC of that type in an environment, the IPU upgrade for a DC works pretty seamlessly, out of the 100 or so I've done had near zero issues.
PkRavix@reddit
In particular you should not in-place upgrade to 2025, the new 32k mode is only supported on new installs. 2025 can run in 8k compatibility mode until all your DCs are 2025.
PMental@reddit
I doubt many organizations actually have a use for 32k though, so likely not a major factor for most.
That said I'd never bother with in-place of a DC anyway since it's so easy to set up new ones and decommission the old.
brink668@reddit
Yes in-place upgrades have been around but via Windows Update for Server that is new.
Justsomedudeonthenet@reddit
It's been supported for a long time. Few recommend it since it's trivially easy to spin up a new DC, but it's supported.
EncomCEO@reddit
"set settings to prevent auto inplace upgrade" and how does one do that?
pressresetnow@reddit
What? Ngl I wasn’t aware of that
FutureSafeMSSP@reddit
Here is the Heimdal CPO reply explaining how the misclassification in the Microsoft API caused the kerfuffle.
small_horse@reddit
Yep, our RMM tool is set to hold any new updates for review, this morning got 40~ packages all nicely named "Server 2025" - jesus mary and joseph Microsoft what are you THINKING?!
what-the-puck@reddit
Wouldn't that be a good thing? That your RMM clearly identified and labeled and held them?
small_horse@reddit
yes it (for once) actually did its job properly! it was more that MS are deciding to issue an update package to entirely change the underlying OS, which seems really dumb
what-the-puck@reddit
I suppose, it's nothing new though.
Since the Internet on average has been able to "handle" service packs or OS updates, they've been moving over the wire.
Windows 8.0 to 8.1, 8.1 to 10, various major updates to versions of 10, 10 to 11... Those were all updates available through Windows Update.
And likewise on the Server side (2012 -> R2 -> 2016 -> 2019 -> 2022). Those could be done in-place as well through downloads that happen while Windows is up and running (and restarting) via files downloaded over the Internet.
spetcnaz@reddit
The issue isn't between inplace vs wipe upgrade. The issue is that a server OS, now has the same, relatively easy way of getting upgraded in place while in production. That's an absolute insanity. Server isn't a desktop, it can break so many things.
No version of the server before had this toes to auto updates, and that was good.
spetcnaz@reddit
And on a server, that's the stupid and scary part.
ourlastchancefortea@reddit
Office 2025 Dictionary: Unknown word, do you want to add it?
65_Shelby@reddit
I just finished building a new server T550, Silver, 64gb, RAID1 and RAID5 and went (had to) with Server 2019. After updates and starting my pre-build of the server it gave me the upgrade to 2025 option also. I didn't do it as we haven't even licensed the machine due to a possible RAID issue. I'm rebuilding the RAID as we speak and if it fails I'll push the 2025 upgrade just to see what happens because that means the card or backplane is bad. If it's successful then I will be tearing it down anyway, again for the correct install of 2022.
Vexser@reddit
Maybe it's time to block MS at the company DNS. Only let trusted/secured hosts contact them. Otherwise you might turn up to a room full of bricks.
TrueStoriesIpromise@reddit
In WSUS/SCCM, KB5044284 shows as 0 required/0 installed for 24H2.
Seems like Heimdal is the problem, not Microsoft.
KlaasKaakschaats@reddit
Thanks for checking, I was wondering what would happen in MECM.
BrooklynEagle98@reddit
This seems like the issue. OP should update the post
damnedbrit@reddit
Testing on W2K22 and I see that there is the option under Windows Update in the GUI below pending normal updates and below the Install Now an area that says the next version is here and a "Download and install" link. Running:
Install-WindowsUpdate -WindowsUpdate
does not offer the upgrade to W2K25. It does look like from the descriptions elsewhere in this thread that it's a Heimdal setting that is enabled to 'upgrade to Windows 11' that is being misused to upgrade to W2k25 as well.
EncomCEO@reddit
We do not use Heimdal, we have automatic WU disabled, and we still get the option to install Server 2025 if we run a manual Windows Update on certain WS2022 boxes.
Tried:
Navigate to HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate. Create a new DWORD (32-bit) Value named DisableOSUpgrade and set its value to 1.
Still getting asked if we want to install, even after a reboot.
whetu@reddit
You might like to check out the keys I've listed here:
https://www.reddit.com/r/sysadmin/comments/1gk2yly/how_to_block_the_upgrade_of_windows_servers_2022/lvkz3gh/
EncomCEO@reddit
Thank you
damnedbrit@reddit
Yep, not saying that it's not offered, I am saying it's not automatically installed if you do a normal manual update of Windows, nor if you use a power shell script to install Windows update.
VinzentValentyn@reddit
2019 affected also, if anyone is running that
randonamexyz@reddit
Do you know the relevant KB for Server 2019? Thanks
Mitchell_90@reddit
Seeing the same on Server 2022 instances, both in an environment with WSUS and another with GPO controlled Windows Updates where Server 2025 is being offered via UI.
This doesn’t look like anything to do with a KB being pushed as both environments have been updated with last month’s patches since mid-late October and are only just showing this now.
Microsoft did introduce “Flighting” in Server 2025, essentially the same thing that’s been present in Windows 10 and 11 builds for years now as part of the Insider program so it might be something to do with it.
I’m pretty sure that section in the UI is pulled down via a number of MS CDNs - potentially the same used for client. A network trace might show what’s being fetched.
Weird_Lawfulness_298@reddit
I looked at a 2022 server and one of the options it had in Windows update was to download and install Server 2025.
what-the-puck@reddit
Microsoft did the same for 8.0 -> 8.1 -> 10 -> 11 for example, as well as minor OS versions. Just click a button in Windows updates to bring the system to the newer OS.
Servers could do it but it wasn't generally so easy from what I saw.
renegadecanuck@reddit
Difference being that owning a license for Windows 8/8.1/10 gave you upgrade rights to the next version.
what-the-puck@reddit
Certainly, that's true. A lot of Enterprises licence Windows Server in the same way.
bdam55@reddit
It's an optional update though right? There's nothing in place that's going to automatically install it?
In the OP's case it was due to his 3rd party patching tool, not Windows Update itself YOLO'ing it.
TkachukMitts@reddit
Also seeing this on 2019 servers.
mustang__1@reddit
Wonder if that implies the server can handle the upgrade? (like w10 -> 11)?
Hi_Kate@reddit
Any currently supported server is supported for inplace upgrade to 2025. So 2012R2 boys in the comments, show you have balls.
mustang__1@reddit
I didn't see it listed on my r2 server (ht you call me out like that lol).... But apparently it also hasn't been patched in several months so we'll see if it shows up after a reboot lol
p90rushb@reddit
Not seeing it on my NT 4.0 servers
TkachukMitts@reddit
Well to be fair the CRTs must be so dim at this point that it would be hard to see.
spittlbm@reddit
It's how I maintain my tan
Weird_Lawfulness_298@reddit
Yeah, I just checked and it was on 2019 servers.
neko_whippet@reddit
Where was it? I'm checking on some 2022 and some 2019 and I don't see an upgrade option to 2025
cubic_sq@reddit
CALs implications?
lazyweb not looked into this yet myself…. Just assumed it costs more…
Randalldeflagg@reddit
if you don't have 2025 CALs and OS licenses, you are fucked. Hope your backups are working correctly and it's not a production machine
cubic_sq@reddit
Is what i had thought
Also saw on another post tonight there are licensing guilt screens that are presented to be accepted and clicked through
Randalldeflagg@reddit
There is if you manually log into your servers to run updates. We use a RMM (Kaseya) to handle patching. So no prompts.
AnomalyNexus@reddit
The combination of a silent & non-optional with license no longer valid is absurd.
Guessing MS fucked something up & will backtrack this
TheProle@reddit
Look at me. I’m joshtaco now
Lughnasadh32@reddit
After reading this post, I checked the servers at an NPO that I manage. Both are 2022 (21H2) and both have the upgrade to 2025 option. My main question here is....is there a cost? If so, I am not a fan of this 'marketing tactic'. Someone with less experience could click download and install and then they would be on the hook for whatever the licensing costs at that point.
sweetrobna@reddit
Normally for a non profit purchasing through techsoup or azure for non profits windows server licenses/CALs have software assurance. Your 2019/2022 cals work for server 2025 at no additional cost.
Lughnasadh32@reddit
That’s my experience in the past, but it’s not the cows. I’m worried about is more the main surfer license.
Catsrules@reddit
You are still managing cows in 2024? We were able to migrate our cows to the local farmers about 80 years back.
Lughnasadh32@reddit
We actually sold our last ones a few years ago when my step father's health started to decline.
I need to proofread voice to text more often, just been a busy day at the office.
Catsrules@reddit
Ahh it is Reddit, we get what we pay for :)
sweetrobna@reddit
Software assurance covers the base windows server license too
Fatboy40@reddit (OP)
100% there is, in Windows Server licensing for the CPU cores and also CAL's.
daniejam@reddit
It’s the same in 2022 though….
Jeeper08JK@reddit
Lughnasadh32@reddit
TY - I can see this biting people in the butt. Most people don't read these warnings. They will install the update then wonder why the server stopped working 180 days later.
dcdiagfix@reddit
at least it won't auto update on DCs as it will need domainprep and forestprep :D
Jeeper08JK@reddit
Remarkable_Cook_5100@reddit
If you click the Download and Install you get this, which indicates it is not a FREE upgrade!!
lordcochise@reddit
AH, ok so at least there IS a warning then
Randalldeflagg@reddit
Fun fact, if you use an RMM tool, you don't get this popup warning, it just happens. And then you are screwed when you find out it upgraded your SQL servers and you can't get an outage to take those DB offline to restore the OS to 2022 and then restore those DBs back to production.
lordcochise@reddit
1Original1@reddit
Wat,that's ridiculous
Jeeper08JK@reddit
Micro$oft strikes again
Fatboy40@reddit (OP)
Good spot!
BarsoomianAmbassador@reddit
It's amazing that Microsoft continues to do ridiculous things like this to the IT people who are their advocates. Making this an update to production servers, which requires the purchase of licensing for functionality and compliance, is not only abusive to clients, but it is indicative of the power of monopoly. Imagine that, through no fault of your own, and following best practices for security, this "update" was applied to your server farm and you had to restore them all from backup? I'd be brushing up my Linux skills and ripping out Microsoft Server wherever I could.
moonwolf3533@reddit
We have a separate section in the UI to upgrade our server. This should never be an option unless they are giving the upgrade away for free and even then it shouldn't be there.
Gmoseley@reddit
Awarded just because the constant stream of updates. Ty for sharing the knowledge
ConfectionCommon3518@reddit
Why do I sense this is the idea of the MS marketing dept to show massive uptake figures?
Servers are quite often delicate creatures playing home to licensing services and other stuff that may take one look at the server and knowing things have changed just decide to not play taking down the entire production line and then the fun starts both at the practical level and the point where they start waking up the lawyers.
bdam55@reddit
I don't blame you for that conclusion, but I would argue this is more about moving updates 'to the cloud'.
If you don't have ConfigMgr (which MS really wants you to abandon) then how are you going to manage server updates? MS wants you to use AUM pointing at Windows Updates. So that means Server FUs need to come from WU.
And that's fine, as long as there's the appropriate controls for that. So far, what I'm reading here, the OP's issue is specific to his third party patching solution.
Conditional_Access@reddit
I know it can feel that way sometimes, but knowing the people that actually work on this stuff, I'm confident this is absolutely not the case.
TaliesinWI@reddit
Malice, incompetence, etc.
mankycrack@reddit
NinjaOne put a yellow banner across the top of their portal today warning about this. I blocked the update on Monday because I was getting bad vibes over the weekend
extremetempz@reddit
Licencing aside, I'm not sure what the issue is, Linux distros like Debian and Ubuntu do this. Every time I log in to servers I see a prompt to upgrade
Block the update and move on
ITGuyThrow07@reddit
The issue is it being identified as a "security update" that can't be rolled back and, oh yeah, you have to be licensed for it.
extremetempz@reddit
severnd@reddit
this is fine but it's classed as a security update; for many of us working in a secure environment, such updates are deployed quickly to prevent attacks. block all you like but once the update has started rolling out to a device, it's getting installed. for us, the patch rolled out at 2am UK time. wasn't even patch Tuesday ffs!!
Gh0styD0g@reddit
What a balls up 😲
Vicus_92@reddit
Fuck me, it's a server not a desktop. Who thought this was a good idea!?
Guess I know what I'm reviewing tomorrow.
longlivemsdos@reddit
yep I think MS forgot that since around WS2016 (or 19 can't remember which) with xbox services and Edge auto opening on 'news' tab instead of protected.
MBILC@reddit
Don't forget the Coupons option in Edge, cause servers need that too...
RBeck@reddit
And now you're out of compliance for 2025 CALs.
lordcochise@reddit
that's also a big one for some folks, particularly those not using DC editions; This sort of thing was one reason we moved to DC versioning to not have to worry about it as a SMB, other than specific stuff like RDS\SQL cals
Icedman81@reddit
.... what?
Last I checked, you still need Windows Server CALs if you run Server Datacenter (ref: https://www.microsoft.com/en-us/windows-server/pricing). As far as I know, the only time you do not require CALs is if you are using SPLA licensing - at which point, you yourself generally don't manage the licenses, but the MSP does (also, the MSP is not allowed to give you direct access to the keys). This also means that if you have any volume licenses that you want to use in your MSP's datacenter, you need to have an active SA with those licenses.
Only thing you get "unlimited" of, is the ability to run as much Windows VOSE that you can on the hardware (and obviously AVMA).
SQL on the other hand does not require CALs in the case of core licensing, only when using Server + CAL model. Although, Core licensing in virtual environment requires you to have a valid SA for the SQL Server Core packs and a minimum of 4 licensed vCores per vOSE (even if you only use one), unless you go and license the physical cores (IIRC, with Enterprise Edition + SA), which would allow you to run unlimited SQL Server instances (in other words, as many as the hardware can handle).
And then there's the Azure Hybrid benefit model that muddles the costs and especially SQL Server licensing...
A final note, some recommended reading:
And especially these from the Licensing Briefs link:
And to be nitpicky too, when you have a valid SA for Windows Server licenses, your CALs need to have it too...
Confy@reddit
This person licenses
BloodyIron@reddit
"Enterprise ready"... laughing from Linux
Yes I know this doesn't help, but the more of your systems you can migrate away from Windows, the more sanity you will have.
OinkyConfidence@reddit
"Enterprise ready"... laughing in Linux would be the correct parlance I believe.
BloodyIron@reddit
Well I'm literally using Linux as my OS to type this, so I think we're both right. As for the use of parlance... ;P
MBILC@reddit
Just to test, brand new clean install of Server 2022 - Not yet activated, used an MSDN ISO image:
en-us_windows_server_2022_updated_sep_2024_x64_dvd_cab4e960
First check for Windows Updates:
cpupro@reddit
Unintended, unintentional, free upgrade to the latest OS.
Absolutely NOTHING bad could happen...
Right?
LOL
YellowOnline@reddit
I have no issue with in-place upgrades at all, but you should of course consciously choose to do it, not only because of compatibility, but also because of CALs. I'm fine with my 2022 DCs becoming 2025, but I only have 2022 CALs. Or did MS change how CALs work?
Remarkable_Cook_5100@reddit
Honestly, if Microsoft was simply giving everyone a free upgrade from 2019/2022 to 2025 with CAL and RDP license upgrades, that would be fine with me. But they are not, so this option should not even exist.
lordcochise@reddit
Yeah at first it almost feels like a 'free' R2 style upgrade but NOPE
Jeeper08JK@reddit
YellowOnline@reddit
Oh, I didn't even consider that. Just like W10 licenses worked for W11, I assumed that an upgrade like this would also extend the license.
Megafiend@reddit
Your server guys have caused this by not managing the update tool effectively is what you're saying.
networkn@reddit
This is a dumb reply. It's a server, it has NO business upgrading. There are so many things wrong with an auto update including a lack of applicable licenses, compatibility, support from vendors, deprecated features.
Gummyrabbit@reddit
My ESXi are only licensed up to Server 2022.
networkn@reddit
Exactly.
Jamdrizzley@reddit
Do you use wsus to release updates manually or is your estate on a 'upgrade free for all' policy? If you don't use wsus then unwanted updates should be expected
networkn@reddit
This isn't a workstation. There are licensing implications. If my 2022 upgrades to 2025 then MS can pound sand for the licensing costs. I am extremely confident our consumer laws would cover us nicely.
jeffrey_smith@reddit
Are you a consumer?
networkn@reddit
For the purposes of the laws that protect me against this type of behavior, yes.
xCharg@reddit
Workstations are also licensed so how is that different?
networkn@reddit
Sigh. Workstation licenses are included in the price of your computer and don't have CALs to worry about.
xCharg@reddit
That's nothing more than your random assumption. No, my licenses are not included in the price of my computer.
McAUTS@reddit
WTF... what are you doing here? You're obviously not even a SysAdmin, so what are you telling us here?
xCharg@reddit
Sure, I don't work in your environment therefore I'm not sysadmin. Cool logic.
networkn@reddit
For the vast majority of people it's true. For the vast majority of server owners an upgrade from 2022 to 2025 would cost them a server license plus CALs.
GherkinP@reddit
i'd just like to interject to mention WSUS should not be used.
https://www.bleepingcomputer.com/news/microsoft/microsoft-officially-deprecates-windows-server-update-services-wsus/amp/
it's been deprecated as of aug 13
_CyrAz@reddit
The link you provided quite literally says that WSUS will continue to receive updates and to be supported, which doesn't exactly sound like "stop using it".
what-the-puck@reddit
Yeah, it hasn't seen new features in years, only patches. Microsoft just admitted it, that's all. WSUS is not end of life.
GherkinP@reddit
https://github.com/MicrosoftDocs/windowsserverdocs/commit/b9de39a7a50e881d725ba5af90ca179d20ecd2ca
_CyrAz@reddit
Still not the same as "not maintained/not supported/don't use it", and it hasn't been "actively developed" for years anyway.
Finality-@reddit
All their recommendations are for cloud products. While deprecated its functionality isn't going away. What would be the solution for air gapped networks where you can't use cloud, something third party?
asdrunkasdrunkcanbe@reddit
Windows server updates are managed just like any others. If you don't want your servers to update themselves automatically then you should be configuring them to not automatically update.
If this is happening it's because they've decided it's OK for machines to update themselves and all the compatibility issues that may bring.
mwerte@reddit
And yet all the other posts here are "automate everything, touch nothing" variety. It can't be both.
Not directed at you specifically, just frustrated
asdrunkasdrunkcanbe@reddit
You're kind of right, it can't be both, you need to segregate the stuff which needs management from the stuff which doesn't.
Most of us in the automate everything camp also acknowledge that you can't literally automate everything. Sometimes you need gates, because automation lets things through which shouldn't be allowed through.
In this example, you might allow patches to be automatically rolled out to non-prod environments, and then you apply them to prod environments on a week or two-week delay. That delay can also be automated, but someone should at least be eyeballing it and aware it's going to happen. For the sake of a ten minute check you can save yourself a day's stress and work if a patch goes out unintentionally.
If you have no environment segregation (say for corporate services like a mail server), then you just have to suck it up. These are always my candidates for moving to cloud providers, aka making it someone else's problem.
Megafiend@reddit
Why is a prod server configured to auto update without anyone reviewing the updates?
I agree it's 100% shitty categorisation on Microsoft's part, but this is easily prevented with proper process.
ClackamasLivesMatter@reddit
If a server updates itself I'm calling an exorcist. That shit should not happen.
Megafiend@reddit
The update wasn't blocked, and was automatically applied by an update tool. No need for an exorcist, just a review of the update procedure.
Pazuuuzu@reddit
Well when an upgrade is classified by Microsoft as a "Security Updates" that is a whole other can of worms...
RestartRebootRetire@reddit
Here's what I see on my Server 2022 Standard server that I manually update.
uxixu@reddit
Hate hate hate the way MSFT has done updates since Win 10.
Chaseshaw@reddit
Just within the last week I was wondering to myself if my policy of only updating windows manually after KBs have had a while to burn in was an outdated and inappropriate way of thinking. I have memories of windows updates "breaking" things, but these memories are 10-15 years old, and I was pondering if I should rethink this.
Nope, no I should not. Windows automatic updates still breaks crap all the time it seems.
wooties05@reddit
Thank you for posting this.
hvas01@reddit
RemindMe! 2 Days
Advanced_Day8657@reddit
Quick question... How can Microsoft treat a server like a desktop?
cubic_sq@reddit
Because it is almost 2025. And apps / etc on 2022 in theory most stuff should be fully compatible with 2025 if the vendor codes against guidelines properly.
And ms should already know what interfaces are used on the 2022 host and have a good idea if stuff will most likely be ok on 2025
ChrisDnz82@reddit
would anyone care to share their patch logs/windowsupdate logs? or provide the patch guid of the patch they think did it. I would like to check our patch db (I work for N-able) to see if we can help figure out more
Fatboy40@reddit (OP)
If you're able to indicate where on the Windows Server I can find the corresponding logs, or patch GUID, I'd be happy to send these.
ChrisDnz82@reddit
https://learn.microsoft.com/en-us/powershell/module/windowsupdate/get-windowsupdatelog?view=windowsserver2022-ps
Possibly logs in here if they exist, would normally use them for win 10/11 though:
C:\Windows\Panther\
Guids will hopefully be in the logs.
Fatboy40@reddit (OP)
After running Get-WindowsUpdateLog on one of the servers that updated early this morning, at around 03:37 UK time, the earliest log entry is for 07:23 so around five hours later so I'm thinking probably not much use?
ChrisDnz82@reddit
is there anything in panther log location?
Fatboy40@reddit (OP)
Unfortunately not :(
ChrisDnz82@reddit
nightmare :-(
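A way to collect the evidence asked for in the exchange above on one affected server, as an added example that is not from any poster in this thread. The `Windows Server 2025` title pattern and the `$WINDOWS.~BT` setup-log location are assumptions not mentioned in the thread; everything here is read-only.

```powershell
# Added example: read-only triage on one server after an unexpected OS upgrade.
# Run from an elevated Windows PowerShell session on the affected machine.
$kb = 'KB5044284'                      # KB number named in this thread

# 1. What the OS reports now. An in-place upgrade normally resets InstallDate,
#    which gives a timestamp to line up against the patch tool's schedule.
Get-CimInstance -ClassName Win32_OperatingSystem |
    Format-List Caption, Version, BuildNumber, InstallDate

# 2. Windows Update Agent history. ClientApplicationID names the caller that
#    requested each install, which helps separate a third-party patch agent
#    from Windows Update itself. ResultCode 2 = succeeded, 4 = failed.
#    The history can be empty after an in-place upgrade.
$searcher = (New-Object -ComObject Microsoft.Update.Session).CreateUpdateSearcher()
$total    = $searcher.GetTotalHistoryCount()
if ($total -gt 0) {
    $searcher.QueryHistory(0, $total) |
        Where-Object { $_.Title -match "$kb|Windows Server 2025" } |  # pattern is an assumption
        Sort-Object Date |
        Select-Object Date, Title, ClientApplicationID, ResultCode,
            @{ Name = 'UpdateId'; Expression = { $_.UpdateIdentity.UpdateID } } |
        Format-List
} else {
    Write-Warning 'Windows Update history is empty on this machine.'
}

# 3. Is the KB recorded as an installed package?
Get-HotFix -Id $kb -ErrorAction SilentlyContinue |
    Format-List HotFixID, Description, InstalledOn

# 4. Setup logs left by an in-place upgrade, plus the rollback folder the OP
#    mentions. The second directory is an assumption (not named in the thread).
$pantherDirs = @(
    (Join-Path $env:windir 'Panther'),
    (Join-Path $env:SystemDrive '$WINDOWS.~BT\Sources\Panther')
)
foreach ($dir in $pantherDirs) {
    if (-not (Test-Path -LiteralPath $dir)) {
        "No setup log directory at $dir"
        continue
    }
    Get-ChildItem -LiteralPath $dir -Filter 'setup*.log' -Force |
        Format-Table FullName, LastWriteTime, Length -AutoSize
}
"Windows.old present: $(Test-Path -LiteralPath (Join-Path $env:SystemDrive 'Windows.old'))"

# 5. Decode the Windows Update ETL traces into a text log for sharing.
$logPath = Join-Path $env:TEMP 'WindowsUpdate.log'
Get-WindowsUpdateLog -LogPath $logPath
"Decoded Windows Update log written to $logPath"
```

Run it as soon as possible after the event, since the decoded log only covers the traces still on disk.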
tuntaalam@reddit
If all else fails, call Microsoft and ask them to explain the behaviour of their shitty os.
Absolute_Bob@reddit
KingStannisForever@reddit
Isn't that Ubisoft logo there?
Anyway, Microsoft doesn't know what Microsoft is doing
trapped_outta_town2@reddit
They know, that's the point. They know you're not just gonna up and leave them for Linux. So they just do shit like this and you have no choice but to take it.
pdp10@reddit
Those who could leave for Linux easily, decamped years ago. Many of those enterprises left, can't leave easily.
The same for IBM mainframes -- you don't keep paying for those if you have decent options.
BloodyIron@reddit
Actually there's plenty of AD environments (on-prem) that actually are eligible for migration to Samba AD (running on Linux), as the functionality said environments care about is fully served by Samba AD. Yes, not all scenarios are covered by Samba AD, but most are. (I know because this is something my company offers by the way)
So while there are those who have migrated Windows->Linux already in part or whole, there's plenty of opportunity left for more of that!
Dependent_Price_1306@reddit
Why? It won't be in the script of the moron on the other end of the phone.
Die_Quelle@reddit
as if they could explain such things LOL.
DattiHD@reddit
Even if they bother to explain "the behaviour of their shitty os" it won't change the f****ed up situation for affected admins.
fl_video@reddit
Can we confirm this is only impacting Server 2022?
nont0xicentity@reddit
No, showing on 2019 as well
UltraEngine60@reddit
As soon as they figure out patching at a decent cadence, and now hotpatching, they start treating major OS updates the same as hotfixes. One step forward two steps back. I can handle major OS upgrades myself Microsoft, back the fuck off.
mpekbre@reddit
RemindMe! 2 days
gbdavidx@reddit
An software matter expert??
bschmidt25@reddit
I'm sure all of the public sector entities who are in a change freeze because of the election really appreciate this. Shouldn't affect elections systems, but when I worked for a county that handled them we weren't allowed to touch a damn thing on election day. Only firefighting duty.
sharkbite0141@reddit
RemindMe! 2 days
5141121@reddit
RIP any Windows admins out there today. I'll pour one out for you as I push firmware to my AIX boxes.
Clasic-Zero@reddit
So…. If update is offering the upgrade Does that make it free?
brother_yam@reddit
No
MFKDGAF@reddit
RemindMe! 2 Days
Beardedcomputernerd@reddit
RemindMe! 5 days
ProfessionalITShark@reddit
Anyone got any guids?
ajf8729@reddit
KB5044284 is just the monthly CU for Server 2025. It was revised a few days ago because the product classification was changed from "Windows Insider Pre-Release" to "Microsoft Server Operating System 24H2". Not sure what KB this upgrade is coming from yet.
Gummyrabbit@reddit
I have a test server running 21H2 and I downloaded KB5044284 (which also downloads KB5043080). I can't even install it on 21H2. I get "Installer encountered an error: 0xca00a005". So I'm not sure how your patch tool is managing to get it installed.
Mysterious_Manner_97@reddit
Looks like this is a screw up perhaps due to kb5044281 having the exact same name? Outside of a comma.. wondering if ppl are using txt based approval rules?
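The text-based approval rule wondered about above, next to a gate that keys on product and applies the delayed production ring described earlier in the thread, as an added example that is not code from any poster or patching vendor. All titles, dates, the 21H2 product string and the `KB0000000` placeholder are constructed; only the two KB numbers and the 24H2 product name come from the thread.

```powershell
# Added example. Update metadata below is constructed for illustration.
$updates = @(
    [pscustomobject]@{
        Kb = 'KB5044281'; Classification = 'Security Updates'
        Title    = '2024-10 Cumulative Update for Microsoft server operating system version 21H2 (KB5044281)'
        Product  = 'Microsoft Server operating system-21H2'      # constructed
        Released = [datetime]'2024-10-08'                        # constructed
    }
    [pscustomobject]@{
        Kb = 'KB5044284'; Classification = 'Security Updates'
        Title    = '2024-10 Cumulative Update for Microsoft server operating system, version 24H2 (KB5044284)'
        Product  = 'Microsoft Server Operating System 24H2'      # name quoted in the thread
        Released = [datetime]'2024-10-08'                        # constructed
    }
    [pscustomobject]@{
        Kb = 'KB0000000'; Classification = 'Security Updates'    # placeholder KB
        Title    = '2024-11 Cumulative Update for Microsoft server operating system version 21H2 (KB0000000)'
        Product  = 'Microsoft Server operating system-21H2'
        Released = [datetime]'2024-11-04'
    }
)

# Weak rule: classification plus a wildcard on the title. It cannot tell the
# 21H2 update from the 24H2 one.
function Test-TitleRule {
    param($Update)
    $Update.Classification -eq 'Security Updates' -and
        $Update.Title -like '*Cumulative Update for Microsoft server operating system*'
}

# Gate: explicit block list, exact product match, then a hold period for Prod.
function Get-GateDecision {
    param(
        [Parameter(Mandatory)] $Update,
        [Parameter(Mandatory)] [string] $InstalledProduct,
        [Parameter(Mandatory)] [ValidateSet('Test', 'Prod')] [string] $Ring,
        [Parameter(Mandatory)] [datetime] $Today,
        [string[]] $BlockedKb = @(),
        [int] $ProdDelayDays = 14
    )
    if ($BlockedKb -contains $Update.Kb) { return 'Deny (KB on block list)' }
    if ($Update.Product -ne $InstalledProduct) { return 'Deny (targets a different OS release)' }
    $age = ($Today - $Update.Released).Days
    if ($Ring -eq 'Prod' -and $age -lt $ProdDelayDays) {
        return "Hold ($age of $ProdDelayDays days)"
    }
    'Approve'
}

$installed = 'Microsoft Server operating system-21H2'   # product of the server being patched
$today     = [datetime]'2024-11-06'                     # fixed date so the output is repeatable

$updates | ForEach-Object {
    [pscustomobject]@{
        Kb        = $_.Kb
        TitleRule = if (Test-TitleRule $_) { 'Approve' } else { 'Skip' }
        GateTest  = Get-GateDecision -Update $_ -InstalledProduct $installed -Ring Test -Today $today
        GateProd  = Get-GateDecision -Update $_ -InstalledProduct $installed -Ring Prod -Today $today
    }
} | Format-Table -AutoSize
```

The title rule approves all three rows, while the gate denies KB5044284 in both rings on the product mismatch and holds the two-day-old update in Prod only.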
lordcochise@reddit
Wasn't seeing this ANYWHERE in WSUS but checking online for updates on Server 2022 VMs does make this appear as an optional update not unlike Windows 10/11 client-side major build updates; On one hand I'm not surprised they eventually went this route for what used to be 'R2' versions (though Server 2019 -> 2022 -> 2025 could be more of an R3?); at the same time, everyone seems to be saying this isn't a 'free' update and requires a 2025 license or upgrade rights? HOO BOY there's gonna be plenty of admins pissed at M$ if that ends up being the case.
Currently all our hypervisors / VMs are Server 2022 (21H2 LTSC essentially) and I have yet to see a WSUS update normally requiring approval that matches this; is it possible that what's really meant as an optional inline upgrade for the non-LTSC server builds got released wrong? Would make sense for those on active / enterprise licensing to have this path but PROBABLY NOT the rest of us if it breaks activation....
Monatomic@reddit
Saw this yesterday when spinning up a server. Microsoft is certainly being sneaky.
xerxes716@reddit
Dear Microsoft: Rick and Morty | Get your shit together - YouTube
Celikooo@reddit
According to WSUS, KB5044284 is only available for 2025 servers. It is declared as a Security Update.
It is most likely not upgrading the OS from 2022->2025
Furthermore, the OP apparently configured Heimdal in a way to install all updates (including optional updates pulled from Microsoft), which most probably caused the servers to update to 2025.
Fatboy40@reddit (OP)
Nope, it 100% installed KB5044284 this morning, it's all in logs etc., and our RMM tool classifies it as an Operating System Update and installed it onto two 2019 servers + it errored on a third so thank God for that.
Celikooo@reddit
That's crazy... Best of luck taking care of your servers 👍👍
InfamousStrategy9539@reddit
Is the Heimdal dashboard showing the update in the assets for the servers? When did they update? Ours is set to update them on Fridays, but just checked our DC and it hasn’t been updated.
Fatboy40@reddit (OP)
The "GP" (why on Earth did they call it that, for me GP = Group Policy in Active Directory) was set so that OS Updates occurred on a Tuesday and Thursday, so overnight today it started to push it out.
InfamousStrategy9539@reddit
Ahaha, same, it could have been named better. Thanks, back off my lunch now. Off to the dashboard I go!
idle19@reddit
thanks Microshaft
severnd@reddit
we've got this garbage pending on 75 servers! mix of 2022 and 2019! block that KB if you can, but probably too late if you're updating to meet security compliance rules.
sliverednuts@reddit
Honestly you deserve this, why would you use such shitty products to update your servers!!! Better start reading properly !!!!
Calimore@reddit
More exclamation marks = more being right!!!!!!!!!!!!!
MushyBeees@reddit
It’s zero surprise your partner doesn’t want to sleep with you.
networkn@reddit
You know, it's optional to be a prick online right? Get a grip.
Fatboy40@reddit (OP)
I personally do not manage the servers / systems so cannot comment if Heimdal is appropriate, if that's what you're referring to? You assume that it was Heimdal that instigated this and not Windows Update etc?
(As an aside to the above why such a shitty reply?)
Thebelisk@reddit
People online are arseholes, that’s why the shitty reply.
I feel your pain brother. I haven’t had this particular issue, but it brings back memories of a Win10-to-Win11 update which caught me off guard. I had rules in place to stop the Win11 update, but MS changed how they were pushing out the updates at one point, which bypassed my rules. Really frustrating, and I can only imagine the world of hurt you have ahead of you with servers unexpectedly updating.
Crot_Chmaster@reddit
WTF Microsoft
KernicPanel@reddit
This would be a disaster if it happened to rds servers or brokers as the windows version needs to match.
mgF0z@reddit
Love it, you've got to love MSFT!
SnooDucks5078@reddit
wow, thanks for the heads up! I just noticed it appear as an optional install on my 2022 domain controllers! Better check SConfig set to manual.
mb194dc@reddit
I've seen this happen with Office, but not Server itself, though on 2019 not 2022.