Windows 2022 Servers Unexpectedly Upgrading to 2025, Aaaargh!

Posted by Fatboy40@reddit | sysadmin | View on Reddit | 487 comments

Arriving at work this morning, an "SME" sized business in the UK, something seemed a little off. Further investigation showed that all of our Windows 2022 Servers had either upgraded themselves to 2025 overnight or were about to do so. This obviously came as a shock as we're not at the point to do so for many reasons and the required licensing would not be present. We manage the updating of clients and servers using the product Heimdal, so I would be surprised if this instigated the update, so our number one concern is why the update occured and how to prevent it. Is 2025 being pushed out as a simple Windows update to our servers, just like "Patch Tuesday" events, have we missed something we should have set or are we just unlucky? Is this happening to anyone else?

Reply to Post

Reply

487 Comments

[-]

ihaag@reddit

Any had the issue where you have to disable to KDC to sign into the domain controller?

Reply

[-]

TNTGav@reddit

We are tracking this elsewhere - the running \*theory\* at the moment is [https://www.catalog.update.microsoft.com/Search.aspx?q=KB5044284](https://www.catalog.update.microsoft.com/Search.aspx?q=KB5044284) this, published as a security update, is actually an update to 2025. Not validated yet.

Reply

[-]

Fatboy40@reddit (OP)

I think this may be the smoking gun, and if it is then this is terrible! (and thank you for adding your helpful reply). I can see that KB 5044284 was the only update installed onto servers recently that's not a Defender definition, so it must be this. In our Heimdal patch management system client it lists this KB under the category "Upgrades", not under "Security Updates" or "Update Rollups", so something stinks here.

Reply

[-]

TNTGav@reddit

Still not verified but we are seeing certain Server 2022 (seemingly 21h2 versions of 2022) see this as a Security Update and others (24h2) list it as a Feature Update.

Reply

[-]

Mackerdaymia@reddit

Can confirm. Running Server 2022 21H2 and only seeing it as a Security Update for Win11 24H2. Nothing about a Server 2022 Feature Update. u/OP \- Is your WSUS Server on 24H2?

Reply

[-]

Fatboy40@reddit (OP)

I think I've enough evidence now to know that our third-party patch management tool, Heimdal, is classing it as an "Operating System Update" and triggered the update to be pushed to our servers based upon its policies. So a lesson for me / my employer is to go through Heimdal top to bottom and refine any and all Server update policies. Also the upgraded server were on 21H2.

Reply

[-]

ratman99uk@reddit

Heimdall settings to block on servers [https://i.imgur.com/Fp2YO4p.png](https://i.imgur.com/Fp2YO4p.png)

Reply

[-]

ESXI8@reddit

How do I setup this glorious program??

Reply

[-]

ratman99uk@reddit

[Heimdal® - One Platform. Total Cyber Security.](https://heimdalsecurity.com/?utm_term=heimdal&utm_campaign=GGL-UK-BRAND&utm_source=adwords&utm_medium=ppc&utm_content=BRAND-CORE&partner=g_GGL-UK-BRAND_BRAND-CORE_heimdal__Cj0KCQiAy8K8BhCZARIsAKJ8sfTMU6gQhc0R-VQ4m6BjwgexaZb78asg-xY12Z_LpUgVtjZyKY-v5jUaAn_gEALw_wcB&gad_source=1&gclid=Cj0KCQiAy8K8BhCZARIsAKJ8sfTMU6gQhc0R-VQ4m6BjwgexaZb78asg-xY12Z_LpUgVtjZyKY-v5jUaAn_gEALw_wcB) you can get a price for the patch management only being what we have

Reply

[-]

Fatboy40@reddit (OP)

I added it as an exclusion about 30 minutes ago in Heimdal. I'm now struggling to see how in Heimdal we can be a little more granular in approving updates, but it looks like it may be only "on" or "off"? :(

Reply

[-]

ratman99uk@reddit

we use one policy for servers and one for workstations. iv only blocked it on the server one for now

Reply

[-]

PCRefurbrAbq@reddit

Wait, there's a Windows Server 2025, version 21H2 in existence? Yikes.

Reply

[-]

nascentt@reddit

You should update your main post with this info

Reply

[-]

Fatboy40@reddit (OP)

Done.

Reply

[-]

ratman99uk@reddit

I cant find KB5044284 in our Heimdal consol. is it listed as that in yours?

Reply

[-]

ratman99uk@reddit

to answer my own question, it doesnt have the KB at the start, its just 5044284

Reply

[-]

DeejayCa@reddit

I see KB5044281 just installed on my Server 2022 LTS 21H2, not the KB5044284 so I quickly went and blocked KB5044284 across my Syncro patch management software for server policies just in case.

Reply

[-]

lordcochise@reddit

We're up to date on all our Server 2022 patching (WSUS server is also 2022), absolutely no sign of a 2025 upgrade, nor have the 2024-10 cumulatives caused any issues, BUT when 'checking online for updates' guess what DOES appear: https://preview.redd.it/bjl6nu57i3zd1.jpeg?width=1255&format=pjpg&auto=webp&s=d5bc456c231b4f0a273fefea49b660688bbc00ca

Reply

[-]

annatarlg@reddit

Came here to post this….its just an update, click!

Reply

[-]

dustojnikhummer@reddit

Okay, stupid question. Are you saying that there is a version of Server22 that is build number 24H2? I thought 24H2 was Server 25? That Windows Servers stayed on their major releases, ie Server19 was 1909?

Reply

[-]

TNTGav@reddit

No sorry it was poor initial wording. 24H2 is 2025.

Reply

[-]

dustojnikhummer@reddit

Okay thanks, I was confused. Everything 2022 I could check was 21h2

Reply

[-]

neko_whippet@reddit

How do you know if your 2022 is a 21h2 or 24h2? 24h2 is pretty new so,it must be windows 2022 that’s been installed not long ago ?

Reply

[-]

CircuitSprinter@reddit

Go to Settings, System, About. Towards the bottom you’ll see Version info.

Reply

[-]

neko_whippet@reddit

Ok thanks but 24h2 is pretty recent build no? I though servers couldn’t upgrade build number like that unless you install a new OS version So could you go from windows 2022 21h2 to 24h2 just from windows update or you need a specific windows 22 iso to get 24h2 build ?

Reply

[-]

CircuitSprinter@reddit

I’m under the assumption that 24H2 is the version for 2025 LTSC. That’s what this thread is meant to investigate, what update causes this to happen

Reply

[-]

lordcochise@reddit

I believe that is the case; you can get physical ISOs for Server 2025 std/dc as of this week now and their version will be essentially 24H2. I don't see anything in WSUS yet that would look like 'Server 2025 hotpatch category' but 'Microsoft Server operating system, version 24H2' have been for several weeks and would apply here.

Reply

[-]

neko_whippet@reddit

So it could happen on any version of 2022 then

Reply

[-]

what-the-puck@reddit

Yes I'd say so. If you run the 2025 upgrade you're going to get 2025

Reply

[-]

Lukage@reddit

To simply address the question, the 2\*H2 builds on Server OS can't be upgraded from one to the next any more. You'd have to deploy a new ISO. That said, they all get the same updates.

Reply

[-]

mistakesmade2024@reddit

Or just type 'winver' in a cmdline or the start menu. :-)

Reply

[-]

Fatboy40@reddit (OP)

Or run "winver".

Reply

[-]

dagamore12@reddit

Winver should still work on svr22, dont have at home so cant test it, but it works on my 2019, it reports your version.

Reply

[-]

TNTGav@reddit

Update -> Take the 24h2 part of this with a grain of salt

Reply

[-]

dustojnikhummer@reddit

24H2 Server 2022? What?

Reply

[-]

bdam55@reddit

FWIW, the smoking gun is here: [https://www.reddit.com/r/sysadmin/comments/1gl6jsw/comment/lvyps27](https://www.reddit.com/r/sysadmin/comments/1gl6jsw/comment/lvyps27) This was a Feature Update released to the Windows Update channel (not the Update Catalog) that is properly classified as an Upgrade (Feature Update). As much crap as MS deserves for screwing up updates, this is one of the rare times where they are not to blame.

Reply

[-]

CircuitSprinter@reddit

What’s interesting is my WSUS environment doesn’t even have KB5044284 in its catalog for Server OS, only for Win10.

Reply

[-]

yukee2018@reddit

I can not find it either, I am checking now Azure update manager if anything got installed there, but it does not seem like it.

Reply

[-]

bdam55@reddit

There's another layer here that I think could add some clarity for anyone else reading along. Always important to remember that KB articles (ex. KB5044284) are just that: knowledge base articles. Their relationship to actual updates isn't always straight-forward. This is further complicated by the fact that there's multiple update streams (WSUS/WU/Catalog/Offline-Catalog) that contain different sets of updates. The server update listed in the catalog that u/TNTGav points to is almost certainly not a FU, that's almost certainly exactly what it says: the monthly cumulative update for the 24H2 server release. MS has \_also\_ started publishing to WU/WSUS FUs that are updated with the latest monthly CU. These FUs will, appropriately, be given the same KB as their CU counterparts. I don't believe these monthly updated FUs are published to the catalog though, which is why they don't appear in the search above.

Reply

[-]

0h_P1ease@reddit

> published as a security update, is actually an update to 2025. Dude what is going on here? how could THAT possibly slip by? wow MS. wow!

Reply

[-]

bdam55@reddit

FWIW, it wasn't classified as a security update: [https://www.reddit.com/r/sysadmin/comments/1gl6jsw/comment/lvyps27](https://www.reddit.com/r/sysadmin/comments/1gl6jsw/comment/lvyps27) This was a Feature Update released to the Windows Update channel (not the Update Catalog) that is properly classified as an Upgrade (Feature Update). As much crap as MS deserves for screwing up updates, this is one of the rare times where they are not to blame.

Reply

[-]

ajicles@reddit

https://preview.redd.it/4o92m0nwi5zd1.png?width=678&format=png&auto=webp&s=643b2985014f42a090aef059bf17a9f8ba513ccb It won't install until you accept and license it.

Reply

[-]

ajicles@reddit

https://preview.redd.it/bcbrwea6j5zd1.png?width=747&format=png&auto=webp&s=df62f964b0a0aec47231448d07726782ca7b65e7 Just going to send it.

Reply

[-]

ajicles@reddit

https://preview.redd.it/pq2r4k4oq6zd1.png?width=1028&format=png&auto=webp&s=7f781ecd54a86a8d69ac0d1142ce793441459259 Upgraded no problem.

Reply

[-]

nsfwhola@reddit

does the upgrade remain activated after a restart? did you buy a win server 2025 key?

Reply

[-]

ajicles@reddit

Lol no. There is no upgrade rights unless you have software assurance.

Reply

[-]

Deadmeat5@reddit

Okay. BUT, let's assume this is an upgrade package. Check out the Column "Products" on the page you linked. It says "Microsoft Server Operating System-24H2" That is MS Speak for "Windows Server 2025", is it not? So, the real question then should be, why is this KB showing up as a missing patch on Windows Server 2022 systems? As others have pointed out, the correct October patch for Windows Server 2022 is KB5044281. Why would the KB5044284 show up for Windows Server 2022? As far as I know, the MS Speak for that System is "Microsoft Server Operating System-22H2"

Reply

[-]

Xetrill@reddit

Just ran [wumgr](https://github.com/DavidXanatos/wumgr) on a Server 2022 VM, it *right now*. It reported KB5044284 with category "Upgrades" and curiously and likely incorrect, it also says it's a 180 GB download.

Reply

[-]

pivotman319@reddit

That 180 GB estimate is the *entire* size of every installable component and language combination MS published onto Windows Update infrastructure for WS2025 upgrades + Server Insider flights, ***including base OS images***.

Reply

[-]

digitaltransmutation@reddit

The 180GB estimate appears for a lot of routine updates, you cant really rely on that.

Reply

[-]

PianistIcy7445@reddit

Interesting NG, was using pswindowsupdate untill recently

Reply

[-]

ParticularAccount894@reddit

I think we may another update to look at. After installing KB504428 you get the option to install 2025 https://preview.redd.it/y05rqmuwg3zd1.png?width=846&format=png&auto=webp&s=0dfe11c7135ebe3ff96f5f6eb0cea02ab3bb45f7 but it does not auto install. Does the KB5044284 Auto install?

Reply

[-]

mancmagic@reddit

My worry with this is, is that just going to sit there for the next few years? Ie just waiting for somebody to accidentally click it if doing manual updates etc.

Reply

[-]

EveningFig7820@reddit

there's another warning after this screen, so unless you have a seizure and just start spaz clicking everywhere, you should be ok

Reply

[-]

Bazstad@reddit

I spaz clicked, luckily it was a test VM.

Reply

[-]

mancmagic@reddit

Ah that's good. Was just imaging one of those tired afternoons clicking through before a dreaded "shit, what have I just done" moments before the server goes offline.

Reply

[-]

SoonerMedic72@reddit

manual reboot script, run on one machine, go. {panic rising as you see hundreds of targeted machines} NOOOOO!!!!!

Reply

[-]

EncomCEO@reddit

Anyone got the relevant GPO to prevent this from being able to happen?

Reply

[-]

Gummyrabbit@reddit

I think I'll call in sick....

Reply

[-]

Fersww@reddit

Same here ..

Reply

[-]

babywhiz@reddit

On our servers, it's just a separate option to Download and Update. https://preview.redd.it/xgk7t0sii3zd1.png?width=561&format=png&auto=webp&s=e203019fa19f565fbb6e3779d9ccb1251ebb4d04

Reply

[-]

sccmjd@reddit

Also seeing that here.

Reply

[-]

vanillatom@reddit

Same here

Reply

[-]

Enxer@reddit

Wow. Just wow

Reply

[-]

krodders@reddit

We're looking at the method that we used to block Windows 11. Would be something like this: HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\TargetReleaseVersion set to DWORD value: 1 HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\TargetReleaseVersionInfo set to STRING value: 2022 Is there anyone that can test and confirm?

Reply

[-]

RikiWardOG@reddit

HAHA jfc that's wild. reminds me, why and the world does Mac manage to always fuck up their OS updates. We block them with Jamf but it never works 100% there's always a dozen machines or so that get the update and ofc it's execs that end up being our pilot users.

Reply

[-]

After_Working@reddit

Have Ninja blocked that update from rolling out for the time being?

Reply

[-]

Lukage@reddit

That would be up to you to manage it. They don't choose what you apply.

Reply

[-]

After_Working@reddit

Fair enough, i just wondered if one update certainly is known to cause an issue like this, i wondered if they step in and hold it back.

Reply

[-]

nont0xicentity@reddit

They are using Windows Update API via the machine, they don't have a catalog on their own to pull patches, so it sees what the machine sees. ATM blocking feature updates shows it blocked on our 2022 21H2 systems, but I have some that don't see it and need a reboot, so hopefully it shows blocked there as well.

Reply

[-]

bm74@reddit

No - I've just selectively blocked it - even though we're not running 2019. Ninja have put a yellow warning at the top of all their pages with instructions etc.

Reply

[-]

TNTGav@reddit

u/Fatboy40 We have still not verified yet that this is listed as a security update and it possibly could JUST be an Optional Feature Update. If you could update the main post that would be great.

Reply

[-]

Fatboy40@reddit (OP)

I've removed your name from my update to "protect the innocent" ;) (and altered the text)

Reply

[-]

UseMstr_DropDatabase@reddit

Does it remain activated after the upgrade?

Reply

[-]

Fatboy40@reddit (OP)

Nope :(

Reply

[-]

CluelessPentester@reddit

Sorry, but this is kinda hilarious. "Oh, here, let us upgrade your server to the newest version automatically! Oopsie, it looks like you don't have a license. Get fucked!" How can a company be so out of touch with the real world

Reply

[-]

ourlastchancefortea@reddit

That's why Microsoft, like any responsible company, alpha tests their updates. They simply do it in production. YOUR production, not theirs. They aren't stupid.

Reply

[-]

ApprehensiveBowl5091@reddit

exactly what i've been saying for 20 years. Every other release of windows is basicly a beta test that we as consumers even pay for, then a year or two after they release a functional OS on the same premise/principle as the "beta" Examples: Windows 2000/ME = It's a wonder I decided to make IT a career. Windows XP = Good stuff Windows Vista = Good lord... Windows 7 = Good stuff Windows 8 = ⛥ K̷͎̖̄̎Ǹ̷̹͎̠̌͌͑͘Ḛ̵͛̃͋̌͂E̶͔̰̜̓Ë̶͈͓L̵̯͑ ̸̥̬͕̹́͋B̴̺͖̞̙͐͊̅Ẻ̸̟̠̳̰̒͜F̴̣̪̫̔̋́̚͝Ŏ̵̢͖ͅŘ̸̘̀̋̍̊E̸̗̓̓̊̕ ̶̡̳͉̈́̂̄̕͝M̸͔̗̙͉͑Ȩ̶̗͓̺̺̀ ̶̛͈̎̍͘͝P̴̨̜̺̥͎͂͆Ẹ̵̛̜̗̳̐̓̓̄A̵̞̣͑S̵̙̦͆̇Á̴͓̒̋N̸̻̺̂̐Ţ̵͍̖͛̑͘S̵̹̩̘̮̃͋͌̃!̶͕͈̬̲͊̎̋ ⛥ Windows 10 = Back on track Windows 11 = lEtS tRy SoMeThInG nEw!?! Consumers: Are you asking or telling windows 11? Windows 11 = I have no fecken clue boi!

Reply

[-]

sm9k3y@reddit

I guess I go back a little further than you, but you've got the general microsoft update cycle mostly... DOS 5.0 - Amazing! Windows 3.1 - Well it was GUI Windows NT - Oh shi!t you made a stable GUI! Windows 95 - Kinda cool but also WTF, can you keep my computer running for more than 8 hours? Windows 98 - haha Trolling the newbs (based on 95) Windows 2k! Sick, a better stable GUI (based on NT) Windows ME - Oh damn, I actaully feel, bad stop trolling. (based on 98) Windows XP - Stable GUI got a little better and friendly, I guess we're not trolling anymore. (based on NT) Windows Vista - I was wrong, how'd you make XP this bad? Windows 7 - Wait, you could have done this and didn't? I will run this OS forever Windows 8 - But Tablets and touchscreens? no we don't Give a F\*\*\* Windows 10 - The culmination of everything MS has learned, still based on NT and the old menus are there to actually get things done and stable AF for windows Windows 11 - Don't you want us to make this OS easier by taking away menus/settings you need/know to fix or repair things and moving them around randomly every week? Just trying to make you sysadmins look like morons, AI going to take your job soon anyways

Reply

[-]

renegadecanuck@reddit

The alternating thing does require you to blend 8/8.1 together, and ignore the initial launch of Windows 10. Windows 10 was a big improvement over 8 and 8.1, but it was still a bit of a tire fire at first. There's a reason so many people held on to Windows 7 until it was ripped away from them (and there's still an entire subreddit of people using it, in affront to all that is secure and righteous).

Reply

[-]

fish312@reddit

What sub

Reply

[-]

Old-Olive-4233@reddit

XP was also pretty awful until at least SP1 and at the time I'm pretty sure I disliked it until SP2.

Reply

[-]

renegadecanuck@reddit

I also don't remember 2000 being particularly bad, but it also was already end of life when my career started, so my exposure to it has been limited.

Reply

[-]

BlackV@reddit

2000 was amazing

Reply

[-]

BlackV@reddit

it requires you "ignoring" quite a few things

Reply

[-]

autogyrophilia@reddit

This feels right but is wrong. Windows ME was an attempt to modernize 95 with NT components, keeping the system on MS-DOS to try to keep it light. It didn't work well. 2000 (NT 5.0) did. Not without it's issues because it's Windows software. Windows XP was most of NT 5.0 released to the general public. Built upon 2000, as 2003 Windows Vista (NT 6.0) was poorly handled but it was always going to be painful as it was a huge overhaul with many changes that allow windows graphical session to be pretty secure ( the graphical session, we are still dealing with NTML1, nevermind 3rd party apps...) we are talking features such as the protected screen, running the graphics in user mode and not in kernel mode... As well as improving the support for the modern graphics Put this in perspective. It's what the Unix world is trying to do with Wayland and you see how that is going. All other versions of Windows build on NT 6.0, with a disappointing lack of additions versus changes. With some of these changes being baffling resulting in Windows 8 in particular

Reply

[-]

Joe-Cool@reddit

2000 still only needed up to Service Pack 4 during almost 5 years compared to 6a+post 6a security rollup on NT4. Windows ME was mostly software/hardware issues though. As an office machine a supported Compaq Armada 1500c had almost zero issues. It would run DOS games worse than Win98 and Windows programs worse than XP. And it would crash with many USB devices. But for just the right combination it'd run well. And faster than XP on that clunker (no EDO + a Celeron 300MHz).

Reply

[-]

baw3000@reddit

Windows 2000 was great, possibly even peak Microsoft. Windows ME was a shitshow.

Reply

[-]

MeanE@reddit

I used W2K until some small programs stopped supporting it even before it was EOL. Sad day.

Reply

[-]

BlackV@reddit

ditto, once sthings started moving to direct x, er.. 8? 10?, then I had to move cause me games stopped working

Reply

[-]

Electric_Ken@reddit

Exact, back in the days I renamed Windows ME, in French : "Windows Merdique Edition".....

Reply

[-]

ajicles@reddit

I was 6 years old when Windows 2000 came out.

Reply

[-]

RedShift9@reddit

Can you, idk, NOT say those kinds of things? For me 2003 is still 10 years ago.

Reply

[-]

ajicles@reddit

We are closer to 2040 than 2000. 1980 was 44 years ago

Reply

[-]

chaoslord@reddit

Friends I knew at the time working on ME called it "the dark time"

Reply

[-]

BlackV@reddit

ah the old "every 2nd release" fud, glosses over some many details to fit that pattern

Reply

[-]

Fantastic_Estate_303@reddit

Beta testing in production is the latest craze! Bonus points if you also do it on a Friday afternoon

Reply

[-]

bdam55@reddit

FWIW, this was not Microsoft's fault. They published the update properly and it's the RMMs who goofed: [https://www.reddit.com/r/sysadmin/comments/1gl6jsw/comment/lvyps27](https://www.reddit.com/r/sysadmin/comments/1gl6jsw/comment/lvyps27) This was a Feature Update released to the Windows Update channel (not the Update Catalog) that is properly classified as an Upgrade (Feature Update). As much crap as MS deserves for screwing up updates, this is one of the rare times where they are not to blame.

Reply

[-]

hihcadore@reddit

You’re not living until you deploy untested changes to production.

Reply

[-]

matt95110@reddit

They’re out of touch because they stopped caring about what users want. Now they’ve stopped caring about what businesses want, which is where they make all of their money.

Reply

[-]

joeytwobastards@reddit

They only ever cared about what shareholders wanted.

Reply

[-]

bassgoonist@reddit

that's basically the definition of a publicly traded company existing in capitalism

Reply

[-]

joeytwobastards@reddit

Yes.

Reply

[-]

AlexIsPlaying@reddit

They want Azure right? Because we will shove this automatically on your server!

Reply

[-]

brother_yam@reddit

This is straight up Mafia shit right here

Reply

[-]

BloodyIron@reddit

Because we as a collective industry do not push back enough on application vendors demanding they offer support for alternatives like Linux. We need to ring the bell loudly that this is not okay and that we need app vendors to do better.

Reply

[-]

Japjer@reddit

I imagine, if this is found to truly be a fuck up on Microsoft's end, a class action lawsuit will get you refunded if you end up buying a license. It'd be pretty fucked up if they automatically upgrade you and force you to purchase a new license.

Reply

[-]

lordcochise@reddit

I can totally believe MS wants to deliver server upgrade paths as they do on clients, but if it's not a free update for 2022 installations GOOD GOD who approved this without any kind of licensing warning

Reply

[-]

Bazstad@reddit

No - you need a new license

Reply

[-]

skipITjob@reddit

Activated and licensed are two different things. It's the license Microsoft cares about...

Reply

[-]

Remarkable_Cook_5100@reddit

In this case it is neither activated or licensed after the 2025 upgrade.

Reply

[-]

Hi_Kate@reddit

Unless you use licencing channel which lets you upgrade, like with SA or SPLA. Then it is licenced, but not activated.

Reply

[-]

skipITjob@reddit

Woohoo!

Reply

[-]

Nater41@reddit

Would like to add that this just happened to a Server 2019 of ours. Ran Windows Updates for the month and probably should have looked closely, but it booted back up with Server 2025 Standard installed. Never in my life have seen something like this.

Reply

[-]

CQuartly@reddit

Anyone used DISM in this situation? I've ran it on a couple of laptops that had updates installed and pending a restart which worked well, but not sure if anyone has applied it to this scenario

Reply

[-]

sysadminmakesmecry@reddit

So has this since been categorized correctly/fixed?

Reply

[-]

Fatboy40@reddit (OP)

Not really, or at least not to any proper conclusion. - After a Microsoft representative reached out to me personally, we sent a few e-mails to each other, they then ceased to reply / there's been radio silence. - For a while Microsoft pulled the update completely, I don't know it it's now back or configured / classified differently. - Was this a Microsoft update issue / miss-classification that caused issues with third parties? We don't really have the answer. - Were third party RMM tools at fault. We don't really have the answer.

Reply

[-]

GeneMoody-Action1@reddit

My understanding of it is; that since there were some obscure webinars on the matter, MS apparently planed this, server OS upgrades coming down the windows update channel like client OS does. They did not however release that as some big PR move, and instead just sort of let it happen. So that caught those who had used their patch managers to "Auto approve and apply updates" with a surprise upgrade. It is never a good practice to push untested updates to production systems, but it is never good to surprise people with a radical change in patching and OS upgrades either. The patch management products (Our included as it did affect some of our customers eventually as well) did not malfunction, they did what they were told, auto approved and install updates on servers. The change in that process and content however lead to unintended results. Though it was unfortunate, and we sympathize with the damage caused, we know at least in our system the issue would not happen in a default configuration, there had to be a user created automation to allow this to have happened. It is like blaming a car manufacturer for a distracted driver. Had MS been forthcoming with the information, or even have spoken quickly in response like all the admins and patch management vendors were trying to do as we were piecing together incidents that seemed to have no common denominator... We all could have made better informed decisions. We are evaluating our systems for if there are ways to prevent things like this in the future, but patch application schedules and testing are always an admin function, us limiting it in the name of nannying, can be perceived just as negatively by some.

Reply

[-]

sysadminmakesmecry@reddit

I logged a ticket with Action 1 today about this, and sort of got this same answer as well (after having to clarify my question), although support did not say if the misclassification was fixed by microsoft or not, so now I really dont know if I'm safe to push this supposed security patch or not, as it does show as available for my systems. Looks like heimdal can put an interrupt on this sort of process so this patch that should be a windows 11 patch (or so I believe) wont also push to servers - whereas action1 support has told me they wont/cant.

Reply

[-]

GeneMoody-Action1@reddit

It is not a matter of wont/cant as much as it is not needed from a system wide level, that is a decision to not limit what admins ***want*** to do on their own systems. We give you the tools to decide if it hits your systems, and it has no path to do so without your configuration of consent. Action1 therefore did not take a unilateral stance on what you could ***have***. You can still create a policy to flag it as require approval. But unless you have created a policy to allow it to pass, it will not go anyway. From the limited info we have, MS pulled it to better communicate the changes, but it is anticipated to come back. Note: This is a "As we know it currently" this position may change as more info comes to light. To be clear again, it was not a misclassification as far as we know right now, it was a change in how server updates come down the windows update channels and how now that they will they will be classified. This was effectively the first time an in-place upgrade for a server OS came down that channel, and it sort of slipped din undetected until it made itself well known. I still call that a serious error in judgement on their part, but not really an error in the literal sense as far as classification was concerned. The windows 11 / server update confusions seems to stem from the fact that the KBID int he catalog for download did not correspond to the same update the same KBID did for server in the update channel. So when people received one, and then went to investigate the other, the wires got crossed based on the KBID and some people's misunderstanding on what they mean as a whole. I am not claiming to have the inside info here, and MS has been pretty tight lipped about it as of the last time I looked, but details are coming out each being a breadcrumb, this is the best observation we have of it at the moment.

Reply

[-]

sysadminmakesmecry@reddit

Ya, I have no idea whats going on. In action1, this patch only went to my user test group which doesnt include servers. So, only a small handful of machines got this KB, but I dont think its showing as available for my servers specifically. I've straight declined this update now.

Reply

[-]

DeltaSierra426@reddit

Folks, quit blaming MS for once. I know it's too easy to do (their own fault, lol). The only aspect that you can blame them is for enabling in-place upgrades to Server 2025. That's why this is happening and Heimdal hasn't been honest and forthcoming about this: that they didn't program the necessary changes to properly handle this change. Well, Microsoft also could have written about this more rather than just stashing it in a video: [https://techcommunity.microsoft.com/blog/windowsosplatform/windows-server-2025-the-upgrade-and-update-experience/4220877](https://techcommunity.microsoft.com/blog/windowsosplatform/windows-server-2025-the-upgrade-and-update-experience/4220877) If it was a Microsoft problem, why did most RMM solutions not have this problem? And yes, if sysadmins were actually testing updates before pushing to larger production swaths, this would have been caught on one host instead of tens or more servers. You guys are leaving too much to autopilot (no, I don't mean MS's solution) and not enough manually checking down. Patch management automation is a great thing, but it still takes some care and thoughtfulness -- this is the Windows ecoysystem, after all!

Reply

[-]

mcdithers@reddit

While I didn’t experience this particular issue, there are many here in a situation like mine where funding is either very limited or non existent for a lab environment. I wound up paying out of pocket for my lab environment, and grabbed a couple 2nd gen Xeon scalable generation servers off of r/homelab sales. My employer did pitch in and covered the cost of the ssd/hdds and additional memory, plus licensing costs. To me it was a worthy investment, but not everyone thinks the way I do, nor would I expect them to.

Reply

[-]

Klutzy-Let3203@reddit

This has impacted some of our servers too. I can't see this anywhere else on the thread, but we were able to find the folder the updates have installed too (Windows\\SoftwareDistribution\\Download\\(long string...)\\ see screenshot. I'm wondering if by deleting the update files (on this server, the update is pending), it would cause the "upgrade" to fail, anyone else tried this or even noticed it? https://preview.redd.it/e9lv52vhla0e1.png?width=810&format=png&auto=webp&s=f423b08504ed7c3a851110e06969230f6af83e56

Reply

[-]

severnd@reddit

We tried that one but didn't have any success.

Reply

[-]

CQuartly@reddit

Thanks for confirming and sorry to hear it did not resolve the issue!

Reply

[-]

CQuartly@reddit

Curious about this in principle

Reply

[-]

mahsab@reddit

So this settles the "upgrade vs migrate" debate

Reply

[-]

andrea_ci@reddit

hahaahah

Reply

[-]

Lefty4444@reddit

The answer is always upgrade!

Reply

[-]

raiksaa@reddit

Spilled my fucking coffee thank you

Reply

[-]

spittlbm@reddit

Definitely does not 🙂

Reply

[-]

KoalaOfTheApocalypse@reddit

In a reverse circumstance, I tried to install KB5044284. First I specified with pswindowsupdate and it couldn't find it. Next I manually downloaded the KB from update catalog and it failed to install. I was trying to upgrade server standard 2022. I had to end up using the .iso, which was it's own adventure.

Reply

[-]

Comfortable_Swim_380@reddit

So help me. Im actually impressed at this level of screwing up this time.

Reply

[-]

cubic_sq@reddit

3/4 of our on prem customers are just AD and file shares. Would be nice to do the same (but reluctance elsewhere will always win..)

Reply

[-]

Comfortable_Swim_380@reddit

I got Linux hosts connecting to ad pretty good now. Was actually much more click and play then I expected. At least on this one distro I tried. Group policies don't work unfortunately though only authentication.

Reply

[-]

cubic_sq@reddit

We have truenas with AD integration for fileshares scattered here and there, but still not able to avoid windows cals as we still have windows servers deployed (not just for AD)

Reply

[-]

Comfortable_Swim_380@reddit

I like nextcloud for my nas stuff. Its super polished free and absolutely bursting with features.

Reply

[-]

Comfortable_Swim_380@reddit

The things that are open standards that can be replaced though which is probably at least 80% of the roles. My clients and end users dont even know I switched the server out. IIS / ldap / and some parts of exchange will probably stay a problem. But then you pitch replacing those things completely. Btw open exchange is making good strides.

Reply

[-]

Comfortable_Swim_380@reddit

As windows servers failed over time I would pitch it I can replace this functionality for free free fa free free free and the windows hosts can still connect to it. Minus my labor of course Price is one hell of a motivation.

Reply

[-]

Comfortable_Swim_380@reddit

God help the sysadmin people if the dc decides to do this. New plan will be "enjoy your new server 2025 install."

Reply

[-]

Neither-Promise-6410@reddit

[https://youtu.be/CZKecJvD26k?si=95i6ir0ABiUqQ\_Ol](https://youtu.be/CZKecJvD26k?si=95i6ir0ABiUqQ_Ol)

Reply

[-]

Beginning_Hornet4126@reddit

Windows Server requires specific license for the server AND it requires CALs for the users or devices. You can't just upgrade and stay licensed. A 2022 user/device CAL is not valid for a 2025 server. A license upgrade is quite expensive and can't just happen for free or automatically.

Reply

[-]

Zahid-Zubair@reddit

I don't know why, but I am happy with the unexpected update 😂😂😂😂.

Reply

[-]

ColXanders@reddit

Ah crap this has happened to us too. Using Heimdal as well. Just waking up to this reality...

Reply

[-]

Fatboy40@reddit (OP)

I feel a little less crap now knowing that I'm not on my own, good luck with the remediation. Looking on one server, under "Windows Update > Update History > Uninstall updates", there is an Uninstall option available for KB5044284. So, once an incremental backup of the server has completed I'm going to attempt the Uninstall and keep my fingers crossed that it can roll itself back (there a Windows.old folder on the C drive / volume so fingers crossed).

Reply

[-]

Joe-Cool@reddit

> So, once an incremental backup of the server has completed I'm going to attempt the Uninstall and keep my fingers crossed that it can roll itself back (there a Windows.old folder on the C drive / volume so fingers crossed). How did it go? Can it be uninstalled?

Reply

[-]

Fatboy40@reddit (OP)

Nope, just like other Windows Server in-place upgrades it cannot be rolled back :(

Reply

[-]

Joe-Cool@reddit

That's sucks. Thanks for checking.

Reply

[-]

Randalldeflagg@reddit

I peaked at mine. Yeah.... no. Its just the user folders. There is no roll back for servers that I am aware of. Its all or nothing typically.

Reply

[-]

Dr4g0nweasel20@reddit

Yes, please keep us posted about this!

Reply

[-]

ColXanders@reddit

Please post back how it goes. I'm in the US and just getting notice of this so we are in discovery mode. Any additional info would be helpful. I have our MSSP involved which has a direct relationship with Heimdal and will post any updates I get here as well.

Reply

[-]

spetcnaz@reddit

Wowww who's bright idea at Microsoft was this? Who wants servers to migrate to a new version, basically an in-place upgrade. Microsoft should give serious heads up for such things.

Reply

[-]

bdam55@reddit

FWIW, Microsoft was not the cause of this automatic updating, that was due to their RMM. As for why MS released a Feature Update for a server OS: The cloud. That is, they need a cloud-based solution to server upgrades that isn't ConfigMgr. The only solution is for the update to likewise come from the cloud, hence a Feature Update delivered via Windows Update. Not saying I like it ... but it's not like they had much of a choice.

Reply

[-]

spetcnaz@reddit

Microsoft was the one that mislabeled the update, and the RMMs picked it up. It was on Microsoft. Microsoft labeled it as a Windows 11 security update. Let's not try to whitewash their mess up. It's also on Microsoft that this feature is even a thing now. It's like selling mini nukes on the corner of every street, but with really detailed instructions on how to not make them explode when you don't want to. Then when one inadvertently explodes, you start looking for who is to blame. The first question would be, why the fuck are we selling mini nukes on the corner of the street, not who messed up the instructions. This was never an option before and it should not be in the future, because we see how easily things can go wrong. Sever OS upgrades can't be left to simple human errors! Yes they have a choice, by creating tools, that you run deliberately to make server version upgrades deliberate, not because someone at MS or at an RMM company made an oopsie.

Reply

[-]

bdam55@reddit

But ... they *didn't* mislabel anything. If they had, all hell would have broken loose far beyond just a handful of RMMs. MS's own tools would have gleefully installed this if that were the case. That not just a theory either, the update metadata itself found on devices being offered the FU: [https://www.reddit.com/r/sysadmin/comments/1gl6jsw/comment/lvyps27/](https://www.reddit.com/r/sysadmin/comments/1gl6jsw/comment/lvyps27/)

Reply

[-]

spetcnaz@reddit

They did mislabel it, it was shown as a Windows 11 update.

Reply

[-]

bdam55@reddit

Say what now? At no point was it shown as a Windows 11 update. What does that even mean? I believe, like others, you are confused about what KBs are. They are Knowledge Bulletins (or Knowledge Base Articles if you prefer); nothing more, nothing less. They are \_not\_ updates. The KB articles themselves are not a source of truth for what updates are related to those KBs Nor is the Update Catalog website (https://www.catalog.update.microsoft.com) a source of truth for what has been released to the WSUS or Windows Update channels. It sad, but true, that there literally is no single source of truth for the Microsoft update ecosystem. What happened here is that MS released a Feature Update to the Windows Update channel with proper metadata to identify it as Feature Update (Classification = Upgrade) for a given product (Server 2022) with the appropriate KB because it includes the latest Server 2025 CU. These are demonstrable facts. What RMMs did with that info, and the impact to their customers, is fully on them.

Reply

[-]

spetcnaz@reddit

The RMMs just randomly decided to mess up the patch names? For funzies? The KB or the update that was reported as being the culprit had the wrong description. Maybe some RMMs read that instead of the metadata, but clearly there was a mistake, that usually doesn't happen. Also, again, these types of Server upgrades should never be part of the Windows update system, where widely availed tools that people use to manage updates, can break the systems. It's a "feature" no one asked for, because it's easy to see how it can relatively easily upgrade the server to a new version.

Reply

[-]

ChrisDnz82@reddit

There was no mistake, what happened was literally advised by MSFT it would happen months ago, feel free to check any of my other comments over the last few days explaining why this was never the issue it was made out to be: [https://www.youtube.com/watch?v=LCcug9HHnIQ&t=4s](https://www.youtube.com/watch?v=LCcug9HHnIQ&t=4s) The big issue here is that 99% of people dont have time to keep up to date with everything MSFT do and this change in how they upgrade servers has caught people out, including some RMM tools not designed to properly handle it

Reply

[-]

spetcnaz@reddit

My second point stands, even if this was RMM fuck up. Server upgrades should never happen because of oopsies. This option that MS made available, is a ticking time bomb, as we saw already.

Reply

[-]

ChrisDnz82@reddit

I agree, this is gonna make my life hell for years

Reply

[-]

bdam55@reddit

The RMMs just dun goofed, which was my original point. Life happens sometimes. 99% of the time, MS is to blame. This just isn't one of those times. \>The KB or the update that was reported as being the culprit had the wrong description. Pics or it didn't happen. The update in question (88285020-3ed0-4f3f-90c7-d2fa3581bd7f) is not publicly mentioned by Microsoft anywhere that I can find. \>It's a "feature" no one asked for That's simply not true. As companies have moved their systems management tools to the cloud they've been asking MS for a cloud-based solution to manage servers. That includes managing servers upgrades ... from the cloud. So here we are: server upgrades from the cloud. Don't get me wrong: I grok, and to some degree share, your underlying distaste for this showing up in the UI. However, many orgs have very specifically asked for cloud management of servers and ... well ... here it is folks.

Reply

[-]

spetcnaz@reddit

It is true, because there should be way more steps involved in a server upgrade process, than "oopsie". Companies asked for an easier cloud server management, there are ways to do it, without exposing everyone to a potential shit show. Again, this case being a prime example of it.

Reply

[-]

andrea_ci@reddit

in-place upgrades are ok in the last two versions. not optimal, but they works.

Reply

[-]

spetcnaz@reddit

Until they don't. That's not the point, the point is so many things can go wrong, this is absolutely insane.

Reply

[-]

andrea_ci@reddit

just do backups.

Reply

[-]

MBILC@reddit

Yes, because IT wants to spend days or weeks restoring backups because MS decided a new OS install can be done via Windows Updates. Not sure how many Windows systems you manage, but when you get into the 100s to several hundreds this could cause major issues. While Server 2025 is not far off from 2022, there still needs to be proper testing and validation done against 3rd party apps and such. We have seen MS force OS upgrades on end users before, so it could happen with server versions as we know MS QA process is not always the best. This does though bring the question, are there not GPO / Configuration policies that can be used to decline these that most should already have in place, but I guess is MS has categorised it...may not work

Reply

[-]

andrea_ci@reddit

It doesn't want to spend day rebuilding servers at each update.. so.. create the procedures you want, depending on the service you're updating, and act following those. While most of the servers are clean reinstalls, I did my fair share of in place updates when that's the best course of actions

Reply

[-]

MBILC@reddit

Not against in place upgrades, as those are planned and have proper outages defined and the company communicated with where applicable. The fact MS would allow this update to go out, can break so many things. Unplanned outages are never good when you are just expecting a normal windows patch cycle, not an entire OS upgrade. Just the OS version change could break so many applications like AV or what ever else 3rd party apps that look for specific OS versions to run on.

Reply

[-]

andrea_ci@reddit

Hold on... Obviously even inplace upgrades must be scheduled and tested... Launching them (or just forcing them like in this case) and praying is just a disaster waiting to happen.

Reply

[-]

spetcnaz@reddit

That's what we are saying. Server version upgrades should take more steps than "oops you didn't tick/untick this one box". It should be very deliberate, multi step process.

Reply

[-]

MBILC@reddit

Exactly.

Reply

[-]

MBILC@reddit

Exactly.

Reply

[-]

spetcnaz@reddit

That's an abhorrent excuse, if we can even call it that.

Reply

[-]

lordcochise@reddit

Have done in-place upgrades since the 2003 days, mostly they've gone pretty ok (albeit on a very specific schedule and we have pretty vanilla setups). But it's sounding like those that have tried this have broken activation, also not sure if the default optional feature / update AD blocks would catch this or not...

Reply

[-]

spetcnaz@reddit

Yeah, there is a huge difference between a planned n place upgrade, and getting one through auto update.

Reply

[-]

lordcochise@reddit

it looks like for the one that appears in the LTSC optional update area you still have to positively affirm download / update but yeah if it's auto-applying via normal update paths for the AC folks, particularly for those not on perpetual licensing, BIG oof

Reply

[-]

dustojnikhummer@reddit

Even ignoring compatibility, what about licensing??

Reply

[-]

spetcnaz@reddit

Exactly

Reply

[-]

babywhiz@reddit

Go buy one now, sucka!

Reply

[-]

dustojnikhummer@reddit

One? Server itself is one thing but you need a whole new set of CALs.

Reply

[-]

babywhiz@reddit

Ohh good point!

Reply

[-]

Hopeful_Day782@reddit

"Oh shucks, guess you'll have to pay us more money, this is so sad" I'm sure they *really* care.

Reply

[-]

Andrei_Hinodache@reddit

Hi u/Fatboy40 Andrei from Heimdal here, man, I'm really sorry for the havoc that was created with this update, our team (thanks for raising this with them - I have a feeling you were the first to bring it up to our Customer Success team) managed to pinpoint this and blocked this update across all server policies to avoid any further upgrades from 2022 to 2025 I also notice another point in the chat where you're asking how to apply a granular approach to updates - if you'd like, we can set a call up tomorrow and we can look at this one together. Here's the official com. that just went out a while ago: On 5th Nov 12.16UTC, Heimdal was notified by a customer about unexpected upgrades related to Windows Server 2025 in their environment. Due to the limited initial footprint, identifying the root cause took some time. By 18:05 UTC, we traced the issue to the Windows Update API, where Microsoft had mistakenly labelled the Windows Server 2025 upgrade as KB5044284. **Our Analysis and Fix:** Our team discovered this discrepancy in our patching repository, as the GUID for the Windows Server 2025 upgrade does not match the usual entries for KB5044284 associated with Windows 11. This appears to be an error on Microsoft's side, affecting both the speed of release and the classification of the update. After cross-checking with Microsoft’s KB repository, we confirmed that the KB number indeed references Windows 11, not Windows Server 2025. Currently, we can see that approximately 7% of our customers have been impacted by this upgrade. **To prevent further unintended upgrades, we have immediately blocked KB5044284 across all server group policies.** If you would like to address this patch on your servers, we recommend manually removing it or reaching out to our support team for assistance.

Reply

[-]

Lando_uk@reddit

I'm confused by your analysis, how did the KB5044284, which is an standard update for Win11/Server 24H2, even manage to get approved and installed on Server 2019 and 2022 clients? If you ran KB5044284 on a Server 2022 manually, surely it would stop, saying its the wrong OS. None of this makes any sense to me.

Reply

[-]

nont0xicentity@reddit

It happened outside of Heimdal so it is not limited to them and their analysis may be correct. Say you have KB5044285 meant to be able to upgrade 2019/2022 to 2025. But for some reason, MS labeled it as KB5044284 everywhere and made KB5044284 applicable to 2019 and 2022. Now you have a patch showing under KB5044284 that was never supposed to but since the installer is actually KB5044285, it can be installed on 2019/2022. For a simple explanation, download Teams, and rename it to OneDrive, it will install Teams because that is what is under the hood. If you check the catalog it has 3 entries, one being for server OS and from what I understand, that was never supposed to be there. The other 2 entries are for Win11 24H2 and lasted updated 10/8, whereas the server one was last updated 10/31, which is unusual. If you look at the KB, it only list Windows 11 under the Applies To section.

Reply

[-]

Deadmeat5@reddit

> If you check the catalog it has 3 entries, one being for server OS and from what I understand, that was never supposed to be there. Well, that is interesting and all BUT. Let's just check this out together: https://www.catalog.update.microsoft.com/Search.aspx?q=KB5044284 This is what you are referring to, right? Heimdall and now you basically saying this KB should only show the two Windows11 rows. Is that right? That the Server entry there is wrong? If so, how about this one: https://www.catalog.update.microsoft.com/Search.aspx?q=KB5043080 This is last months patch. This one ALSO has three entries. Windows Server 2025 and Windows11. This one ALSO has two different "Last Update" dates. So, what is the deal here? Was the September patch there also wrong to show up for non Windows11 systems? Was this also a Windows2025 upgrade package? I am just as confused as Lando is. Nothing makes sense. It sounds like people say "KB5044284 is only for Windows11. It should have never show up on Windows Server" when to me it looks more like "KB5044284 is supposed to show up on Windows Server as that holds the monthly update for October. But for some reason it not only shows up on Windows Server 2025 but also on Windows Server 2022 and that this binary is simply not just a regular update but more of an 'upgrade to 2025 and update' kind of thing"

Reply

[-]

nont0xicentity@reddit

When looking at [https://support.microsoft.com/en-us/topic/october-8-2024-kb5044284-os-build-26100-2033-6baf4a06-9763-4d9b-ba8a-f25ba6ed477b](https://support.microsoft.com/en-us/topic/october-8-2024-kb5044284-os-build-26100-2033-6baf4a06-9763-4d9b-ba8a-f25ba6ed477b) when I posted, it only showed it was applicable to Windows 11. Now it's showing 2025. Your guess is as mine unless MS makes an official statement, which I have not seen. Everything keeps referencing Heimdal's statement. For 2022 21H2 it showed up as a Feature Update in our environment, which was auto rejected. I saw other reports that 2022 22H2 was showing up as a Security Update, but I don't have any of those, so can't confirm myself. I can confirm that later that day, MS must have pulled or corrected something because it disappeared from our rejected list across our 2019 and 2022 systems, which means it was no longer visible via the API.

Reply

[-]

Deadmeat5@reddit

Yup, this entire thing is a massive mess. MSFT doesn't really help if they insist of using terms like "server 21h2 or 22h1" etc. Misclassified or not, in the end you will see updates on your server with the description like: "2024-09 Cumulative Update for Microsoft server operating system version 24H2 for x64-based Systems" I say, using terms like that is asking for human error. If you just glance over this and think "yup, monthly update. everything fine" you don't have to wonder why it got installed. If it were like this: "2024-09 Cumulative Update for Microsoft Server 2025 for x64-based Systems" you would immediately see that his is supposedly for Server 2025. And if you saw that showing up on your Server 2019 or 2022 systems you would know this isn't right. The fact that this package in question right now was not just an update but also works as an upgrader just added to the mess. Because even if a monthly update for a different OS was shown on your system, installing it wouldn't work. You would get an error like "Update for Server 2025 only. You are running Server 2019. Please download the update for Server 2019" From everything I have seen is that because of the wrong classification, it showed up as a regular update, a lot of people seem to have all regular updates set to auto approve/install and on top of that they didn't notice that this update had "24h2" in the description to tip them of it shouldn't be showing up on Server 2019/2022.

Reply

[-]

Lando_uk@reddit

So if I downloaded and ran the msi of this KB5044284 manually on a 2019/2022 server, you think it would work and reboot into Server 2025? There would be no system check in place?

Reply

[-]

Clear_Key5135@reddit

KB5044284 is for the October CU for all os's on the current production branch of windows.

Reply

[-]

Lando_uk@reddit

No it isn't. The Oct CU for Server 2019 is KB5044277 and the Oct CU for Server 2022 is KB5044281.

Reply

[-]

Clear_Key5135@reddit

> Server 2019 that is not the current production branch of windows

Reply

[-]

bdam55@reddit

FWIW, this was not Microsoft's fault. They published the update properly: [https://www.reddit.com/r/sysadmin/comments/1gl6jsw/comment/lvyps27](https://www.reddit.com/r/sysadmin/comments/1gl6jsw/comment/lvyps27) I think you are also misunderstanding how KBs related to updates and the fact that there's ... unfortunately ... no actual source of truth for any of it. This was a Feature Update released to the Windows Update channel (not the Update Catalog) that is properly classified as an Upgrade (Feature Update). As much crap as MS deserves for screwing up updates, this is one of the rare times where they are not to blame.

Reply

[-]

Fatboy40@reddit (OP)

> If you would like to address this patch on your servers, we recommend manually removing it or reaching out to our support team for assistance. Hi Andrei, The real problem here is that from what I can see, and I know this is not Heimdal's fault, is that there's no way to "rollback" the upgrade to Windows Server 2025 unless you know otherwise? We've now a selection of 2019 servers that we either need to bare metal restore, try to rebuild, or purchase 2025 licensing that we have not budgeted for. So, do we now assume that Microsoft must be held liable for this mistake, and somehow hope that they provide a method to get back to Windows Server 2019? (which I'm assuming is not possible, and I've no doubt that they'll not own up to it and cover customers for the required 2025 server and CAL licensing). Thank you.

Reply

[-]

dreieckli@reddit

> *We've now a selection of 2019 servers that we either need to bare metal restore, try to rebuild, or purchase 2025 licensing that we have not budgeted for.* As this is Microsofts fault, I think they need to pay. For your work to rollback (compensation for damage). Or for the new license. They should not get away with it

Reply

[-]

Andrei_Hinodache@reddit

You're spot on with your analysis - I hope our Founder doesn't kill me for quoting him, but "it's like upgrading a tesla OS and saying, now to drive your car, insert your credit card." We're doing all that we can internally to see if anything can be done - even the roll-back is a b..... since it's a new version of the OS...

Reply

[-]

Narrow_Ruin@reddit

That sounds like a free upgrade customer satisfaction situation to me. To stick with that car analogy, there are all kinds of small issues that car companies fix under customer satisfaction that are not serious enough to be a recall, but fixing the problem for free helps keep a customer coming back. I am not saying this because I want some free upgrades, my employer already pays for on-going upgrades in an EA. I am saying that because it is the right thing to do.

Reply

[-]

randonamexyz@reddit

Do you know the relevant KB for Server 2019? Thanks

Reply

[-]

ajunne@reddit

While I appreciate the actual work done here, I stopped reading the post after the words "our Customer Success team".

Reply

[-]

SquashNo7817@reddit

The corporate is whole world of BS team titles.

Reply

[-]

Secret_Account07@reddit

As opposed to what? Customer failure team?

Reply

[-]

sarkie@reddit

Don't be a twat

Reply

[-]

Beneficial_Proof356@reddit

It's the update

Reply

[-]

cubic_sq@reddit

Yep. Saw this on 2 azure vms - and they only have the azure native rmm / updates.

Reply

[-]

bushmaster2000@reddit

So if they force the update then I expect cal licenses to be upgrades as well automatically free instead of having to pay to upgrade them unexpected

Reply

[-]

cloudAhead@reddit

I manually checked Windows update and was not unexpectedly upgraded to 2025. There is a separate section in the UI to upgrade to 2025 if you choose to do so. The experience is similar to what Microsoft did client side with Windows 11. My guess is that OP may have auto approved all packages, or a similar option, in their patching tool.

Reply

[-]

Fatboy40@reddit (OP)

It looks like you've made a pretty accurate guess :(

Reply

[-]

RandomLukerX@reddit

Can you clarify for my sanity, this was caused by a third party patch management tool in your environment?

Reply

[-]

bdam55@reddit

FWIW, it was the RMM. Microsoft published the update properly: [https://www.reddit.com/r/sysadmin/comments/1gl6jsw/comment/lvyps27](https://www.reddit.com/r/sysadmin/comments/1gl6jsw/comment/lvyps27) This was a Feature Update released to the Windows Update channel (not the Update Catalog) that is properly classified as an Upgrade (Feature Update). As much crap as MS deserves for screwing up updates, this is one of the rare times where they are not to blame.

Reply

[-]

Fatboy40@reddit (OP)

The simple answer is "yes", however it's a little more nuanced that that in that KB5044284 is a Security Update from Microsoft but our RMM tool classed it as an OS Update. It seems that for others their RMM may also be potentially miss-classifying it, and even some Microsoft tools cannot be trusted 100% to not install the upgrade to 2025.

Reply

[-]

cloudAhead@reddit

[KB5044284](https://support.microsoft.com/en-us/topic/october-8-2024-kb5044284-os-build-26100-2033-6baf4a06-9763-4d9b-ba8a-f25ba6ed477b) is an OS update - a servicing stack update, but not an upgrade to 2025. I wouldn't be surprised if it delivered the code to offer the in place upgrade, though.

Reply

[-]

SonicDart@reddit

Does anyone know if the same issue could happen in other patch management systems? We're using SCCM for the bulk of our windows servers

Reply

[-]

soccer362001@reddit

We got a notice from an RMM we are trialing that we should block it because it was causing 2022 to update to 2025. This is likely a global issue.

Reply

[-]

Randalldeflagg@reddit

Our RMM showed it as a critical patch witha CVSS off 8.8. Which triggered our security manager to start yelling about it needs to be installed on every system. Talked him down to installing it on one non critical server that is IT facing only. Yeah... now its a unlicensed server, and the backup teams (me) hadn't added it to the backup jobs yet. So, I guess I am rebuilding that server and reconfiguring our VeeamOne install. I hate my job this week

Reply

[-]

RandomLukerX@reddit

That's disgusting and warrants a policy review on security being able to dictate with authority. Security should be the goal, compliance is a must. (Licensing)

Reply

[-]

Randalldeflagg@reddit

anything 7 and above we have to address ASAP. The fact this update is listed as a Security Update in the Update Catalog and not a Feature Update is what drove this move.

Reply

[-]

RandomLukerX@reddit

Firm policies need exception clauses. Clearly it wasn't classified right meaning it should have been negated.

Reply

[-]

zz9plural@reddit

Yes, same here. Looks like Heimdal is at least partly at fault for OPs problem. The exact reason for the miss-classification remains to be determined.

Reply

[-]

YnysYBarri@reddit

What's worrying me more than the "who's fault is it anyway?" is this delightful piece of advice from Heimdal: https://preview.redd.it/lnbe2qciibzd1.jpeg?width=1065&format=pjpg&auto=webp&s=d225040e03250c19cd7807d8f120939fd755c154 Sorry, what century are we in? We no longer play the "my server has an uptime of 2.3 squilion years!" game. You don't encourage disabling automatica updates, you encourage managing them in a controlled fashion.

Reply

[-]

YnysYBarri@reddit

And Heimdal are doing their best to look dodgy. This blog ppst went from mild Microsoft bashing to 404 in about an hour https://preview.redd.it/n4dzj87rwbzd1.png?width=1080&format=pjpg&auto=webp&s=f909c01d3e4d806034a1ae8c3fb312d243ceeec2

Reply

[-]

YnysYBarri@reddit

https://preview.redd.it/fxkocoaswbzd1.png?width=1080&format=pjpg&auto=webp&s=129966e11c459262d71b957b5299a1775e708371

Reply

[-]

YnysYBarri@reddit

https://preview.redd.it/r6m8u4ptwbzd1.png?width=1080&format=pjpg&auto=webp&s=36be45e72a72464bb6981722d32e6d75d1c32974

Reply

[-]

Sufficient-West-5456@reddit

But here he is op is complaining and blaming it on msft

Reply

[-]

My1xT@reddit

Even then this shouldn't just be a 1 click thing as unlike with win11, ws2025 iirc ISNT a free upgrade

Reply

[-]

nsfwhola@reddit

strange

Reply

[-]

DoctorETrill@reddit

8AM

Reply

[-]

FrancescoMasala@reddit

I had this problem even on windows server 2019!

Reply

[-]

External_Gain2380@reddit

It's reasons like these where I have blocked all URLs to Download Windows Updates. This way nothing network wide can check for download or install updates. WSUS can deploy them.

Reply

[-]

PhantomWang@reddit

I'm also worried about this because our servers are managed by Azure Update Manager and I noticed this evening they're starting to show Server 2025 as a pending update. Luckily it appears the current classification for it is "Unsupported" so I don't believe it will automatically install, but at this point I have to actively monitor it because I can't trust Microsoft.

Reply

[-]

Electrical_Arm7411@reddit

https://preview.redd.it/n6pjoagkg4zd1.png?width=536&format=png&auto=webp&s=f0a1682e4c447b74fc630b1f7e626594aab222ea Make sure you exclude the KB ID in each of your maintenance configurations in Azure Update Manager.

Reply

[-]

maikel87@reddit

Just checking, we sure this is the correct way of excluding the update? or should it just be only "5044284"

Reply

[-]

Electrical_Arm7411@reddit

I just did the KB5044284; my servers do not show it as a pending update on AUM. Probably doesn't hurt to do it both ways just incase? Not 100%.

Reply

[-]

severnd@reddit

ok, seen an issue with 2 Dell T30 servers that are non-bootable after the "upgrade". also ; servers running Hyper-V; in 50% of cases so far, the VMS are not bootable - error connecting to the storage. I guess its permissions but not had chance to dig around - the "fix" is to remove hyper-v, reboot; reinstall hyper-v, reboot and should be good. Any server that was using LBFOAdmin for NIC Teaming will have an issue; you will need to use SET TEAM to create that team: example: *New-VMSwitch -Name "SET Team" -NetAdapterName "NIC1","NIC2"* Also; anyone using ThinStuff; make sure you have installed the latest patch otherwise only a few people can login - so update; reboot and should be ok.

Reply

[-]

Darkk_Knight@reddit

As Biff said in Back To The Future, "There's something very familiar about all this" with third party controlled systems like Crowdstrike. Now this isn't Heimdall's fault or any other 3rd party patching system that Microsoft screwed up the classification of update instead of upgrade. It begs the question why you let it update it so early vs wait a few days to shake out the bugs?

Reply

[-]

Substantial-Reach986@reddit

A handful of our servers got upgraded, including our Veeam server. Thankfully, none of the Veeam services seemed particularly bothered by the unexpected in-place upgrade, so we could quickly restore the single mission-critical server that got completely borked by the upgrade. What an absolute shitshow.

Reply

[-]

Fatboy40@reddit (OP)

I feel your pain. How are you dealing with licensing for what's being left on 2025? (or maybe you're planning on moving them back to their previous state when you have the time?).

Reply

[-]

Substantial-Reach986@reddit

We're fortunate enough to have a volume license agreement for Windows Server Datacenter, that, as I understand it, works as a subscription license that covers unlimited Windows Server VMs on all our servers. This also means that as long as we keep paying the yearly bill, we are allowed to use any supported version of Windows Server on licensed hardware. I might be butchering this as I don't normally deal with or understand licensing terms, but that is how it's practically has worked for the last 5 or so years I've worked here. The problem was just that, we had not prepared for this. We had not checked that everyone could access our Windows Server 2025 MAK keys, and we had not automation or AD activation in place. And of course it turned out that something was fucked with regards to who could see our 2025 MAK keys. After a lot of panic it turned out that there was one, single person who could see our (paid for!) 2025 MAK keys, and that was my manager. He doesn't know why no-one else sees it, our reseller rep doesn't know, Microsoft probably doesn't know either. But our manager, after finding the blessed MAK key, manually installed it on all our unexpected 2025 servers. So now we're good. And I'm cashing out time off and am currently pretty drunk.

Reply

[-]

CyberCrud@reddit

If you're in IT and not running your own WSUS server to approve and deny updates, then you're really just a glorified Best Buy employee.

Reply

[-]

severnd@reddit

umm, FYI; WSUS has been depreciated. [https://techcommunity.microsoft.com/blog/windows-itpro-blog/windows-server-update-services-wsus-deprecation/4250436](https://techcommunity.microsoft.com/blog/windows-itpro-blog/windows-server-update-services-wsus-deprecation/4250436)

Reply

[-]

BlackV@reddit

> depreciated depreciated does not mean do not use or unsupported, mean no changes going forward

Reply

[-]

CyberCrud@reddit

Umm, still works to block and approve updates. Guess who didn't have this problem today? My enterprise.

Reply

[-]

nont0xicentity@reddit

We are an MSP and I use an RMM and had previously blocked this KB, so no issue here. Same results, different tool, doesn't mean I'm a BB employee. What an uneducated comment.

Reply

[-]

OinkyConfidence@reddit

Quiet, Best Buy; Circuit City is talking ;P

Reply

[-]

nont0xicentity@reddit

:D Would have had more credibility if the guy said use Windows Update for Business or else, but he chose WSUS...

Reply

[-]

CyberCrud@reddit

WSUS worked to block this update. 🤔 How can it be?!? 🙄

Reply

[-]

nont0xicentity@reddit

Because you can use multiple tools to achieve the same results, doesn't mean one is inferior to the other, so to try and call everyone out for not using a deprecated tool is wild. Most tools out there can block by KB and be effective. In certain environments, high security is required, which means companies have to patch ASAP to stay compliant. This is generally not an issue on servers but since MS classified this as a security update for certain versions, this either got auto-approved or was manually approved after seeing it was as security update. Not every OS version showed it was a Feature Update. Keep in mind, this is not Patch Tuesday, so it was released OOB, and Server has not seen a patch that can upgrade major versions before, surprise! As I said though, no issues here, it was previously blocked for other reasons (Same KB as Win 11 24H2 upgrade) and we patch on a delay. You kind of missed the point of this thread, wasn't about the tool that's being used, this was about Microsoft's antics, this is much broader than what is in your environment.

Reply

[-]

CyberCrud@reddit

And yet you're trying to belittle me for what is in my environment... which worked flawlessly btw. Okay.

Reply

[-]

CyberCrud@reddit

You had the problem, but I'm the uneducated one. Okay...

Reply

[-]

nont0xicentity@reddit

And can't read either, as I said "no issue here"...

Reply

[-]

CyberCrud@reddit

Can you point me to the car stereo section, young man?

Reply

[-]

Training-Swan-6379@reddit

I use a third-party utility to prevent windows from updating

Reply

[-]

BlackV@reddit

I mean this was caused by the specific 3rd party, but OK

Reply

[-]

Lando_uk@reddit

ok, so this is a Heimdal issue not a general WU issue everyone should be aware of?

Reply

[-]

nont0xicentity@reddit

No, you should be aware because other tools sees it as varying things, some as Security Updates, some as Feature Updates, and other classifications. In Ninja, it is showing up as a Feature Update on our 2019 and 2022. If someone had Feature Updates auto approved, it would upgrade. I had globally blocked it because it is also the same KB that upgrades Windows 11 to 24H2 and we're staying away from that for a while.

Reply

[-]

ChrisDnz82@reddit

Even as a Feature Update it will still catch a lot out who will think its just going up another version of 2022 and not actually 22 to 25. This happened to so many people with Win 10 to Win 11 when MSFT recently made that upgrade exactly the same as the normal FU

Reply

[-]

Lando_uk@reddit

Correct me if I’m wrong but server OSs stay on the same version for their lifespan, there aren’t two different versions of 2022 for example ?

Reply

[-]

ChrisDnz82@reddit

sorry i didn't catch this yest, the build versions change with new upgrades, build versions will impact the patches that are installed and detected as needed. Often causing confusion. A lot will update the build of an OS then cant find the KB number of the patch, thats because once on that build it doesnt show the patch, it only shows the patches that are installed or needed on that new build

Reply

[-]

nont0xicentity@reddit

Luckily, we had rejected the KB to prevent Windows 11 to upgrade to 24H2 (why use the same KB?!), but we did go through the 10 to 11 upgrade by accident. Luckily all worked out, but this is much worst. MS also released the October patch for Windows 11 22H2 and 21H2 which automatically upgrades them to 23H2. I'm seeing a bad pattern here...

Reply

[-]

OinkyConfidence@reddit

Have a screenshot of your WSUS setting (if you use it) ?

Reply

[-]

ChrisDnz82@reddit

yeah, they reuse/use the same KB a lot, more than most will be aware of. Its the underlying GUID that changes and agan that can catch a lot out depending on how they block them

Reply

[-]

Lando_uk@reddit

But why would a Win11/2025 update show up as any sort of update for 2019/2022? On WSUS that KB5044284 shows as not applicable to any of 2019/2022 servers. How comes WSUS and WU works fine with the update but 3rd Party tools are having trouble?

Reply

[-]

VinzentValentyn@reddit

It shows as available for server OS 2019 and up. Whether it installs or not is down to your policy. It's not a Heimdal issue

Reply

[-]

Fatboy40@reddit (OP)

I wouldn't be so sure of that as there's enough doubt / lack of clarity in that it could also affect other RMM tools.

Reply

[-]

jeetah@reddit

So what I've gathered from this, is that this unintended upgrade is only occuring when using Heimdal. That's something that should really be mentioned close to the top or in the title.

Reply

[-]

raffey_goode@reddit

if we are using SCCM and WSUS is there any action we need to take?

Reply

[-]

RCTID1975@reddit

Just don't blindly auto approve any patches like good policy dictates and you're fine.

Reply

[-]

Capital-Insurance581@reddit

https://www.catalog.update.microsoft.com/Search.aspx?q=KB5044284 Microsoft has still this kb also for server You can still see this at this manual download page.

Reply

[-]

techosarusrex@reddit

My lab environment somehow had the upgrade target gpo set as 24H2, not once did I set anything like that up. That might be why.

Reply

[-]

tehcheez@reddit

So we didn't update to 2025, but I can confirm the 4 2022 VMs I have updated this morning (not automatically, that's just the update schedule we have) and now have an option under Windows Update to update to 2025. Have never seen that until today.

Reply

[-]

horamon@reddit

Are you also using Heimdal? Some of our customers running Windows Server VMs reported the same but we've been unable to reproduce the issue internally on fresh or existing installations (we don't use Heimdal ourselves).

Reply

[-]

spittlbm@reddit

Confirmed. Just did a manual "check for new updates" abd the upgrade option appeared.

Reply

[-]

AdWerd1981@reddit

Had the option in Windows Updates on a 2022 VM yesterday, but today that option has vanished. I'll check my other VMs to see if it's the same, but it feels like M$ pulled the feature update part.

Reply

[-]

ChrisDnz82@reddit

I’m not convinced this is solely a Microsoft issue, aside from the fact that they’ve made the patching process incredibly confusing for most users. For one, KB numbers are not unique—they’re often reused across different types of patches. One unique identifier is the GUID, which most people don’t see but is included in the metadata used by patching engines. When searching for a KB in the Microsoft catalog, it’s common to expect a full OS upgrade or Feature Update but instead find a Cumulative Update (CU). This reuse of KBs across different operating systems has become standard practice. Microsoft has also been presenting upgrades to new OS versions under the guise of standard Feature Updates for the current OS. For example, Windows 10 devices receive 23H2 or 24H2 Feature Updates (FUs) for both Windows 10 and Windows 11, all using the same KB number as the latest CU. If you install the Windows 10 update, you get the latest version of Windows 10; if you install the Windows 11 update, it upgrades you to Windows 11. These patches look nearly identical, with the only distinction being a reference to "10" or "11" in the title. As a result, they often pass through approval systems automatically unless specific keywords, aside from the KB number, are used. Many admins auto-decline upgrades initially and then re-evaluate later for this very reason. You might wonder why the Feature Update has a KB number when online sources often say they don’t. The explanation is that the WUA API assigns a KB number to Feature Updates, and WSUS also packages Feature Updates with a KB. As previously mentioned, the KB number aligns with the latest CU.

Reply

[-]

thecalstanley@reddit

Had the option on a test VM yesterday, the option to upgrade to Server 2025 has now gone. Odd.

Reply

[-]

aowdnmp@reddit

same here, I guess MS has fixed something...

Reply

[-]

ChrisDnz82@reddit

I don't believe this is a MSFT issue other than it might catch some people out that you can upgrade from 2022 to 2025. KB's are not unique, they are re-used all the time. KB's for the latest CU and latest FU are also shared, the FU changes monthly inline with the CU. Searching the KB and finding a CU in the catalogue is normal, that doesn;t mean it wasn't also the KB number for an FU "Upgrade". Whats really going to catch people out is those that auto approve upgrades without any keyword filtering, who will assume its like the old service packs. As far as I can tell only Heimdal have this issue, none of the RMM tools im in sync with seem to have it including our own

Reply

[-]

cuddlyclara@reddit

On my German Windows Server 2022 21H2 there is no button to upgrade. All updates including KB5044281 are installed. But I can't see the KB5044284 update.

Reply

[-]

VRDRF@reddit

Not seeing anything weird on our side, the kb article not even required by any servers in SCCM.

Reply

[-]

greenstarthree@reddit

I knew I made the right decision to stick with WSUS for server patching for now and not go with 3rd party solutions. Might be the only opportunity I get to say that.

Reply

[-]

mrfame@reddit

WSUS can’t ever be the right decision to anything. It is a clusterfuck of overcomplicated decisions and low quality code that barely does what it says it does. God I hate it with a passion. /rant

Reply

[-]

terrybradford@reddit

We don't have that issue when rocking 2003 server - someone before who I dismissed as an idiot clearly saw this coming 👏

Reply

[-]

aowdnmp@reddit

Yesterday it was shown also on my 2019/2022 servers.. this morning I run a check for updates again and disappeared... maybe MS fixed something...

Reply

[-]

konikpk@reddit

So as i read its Heimdal problem. We have MECM + WSUS and no servers updating. KB5044284 is not required in any of 2022 servers.

Reply

[-]

Odd_Letterhead9371@reddit

RemindMe! 2 days

Reply

[-]

CptCptLuxx@reddit

Just make a gpo (windows update for business), target version 21H2 and the update is no longer offered to any Server

Reply

[-]

Odd_Letterhead9371@reddit

I'm using RMM for patch management and am curious whether it will suppress the misclassified update if we apply the GPO.

Reply

[-]

ITStril@reddit

I can confirm: GPO with target version 1809 for Windows 2019 and 21H2 for Windows 2022 seems to suppress the upgrade notification

Reply

[-]

cubic_sq@reddit

So far the only servers we have that presented the win2025 update are 2 recently deployed 2019 servers in azure. Even then, they presented as optional updates yesterday. This morning both servers don’t show 2025 as an available optional updates on both hosts at all. Both servers only have update management as deployed and managed by azure.

Reply

[-]

brink668@reddit

Yes 2025 can be upgraded via Windows Update just like workstations now

Reply

[-]

Fatboy40@reddit (OP)

Thank you. So you'd be leaning more towards Windows Update having instigated the in-place upgrade that the third-party tool? (or I suppose the third-party tool may have just instantly pushed it out). It looks like we need to understand where the logs are for Windows Update and why the update was triggered so soon with 2025 being only available for a few days.

Reply

[-]

Sufficient-West-5456@reddit

Just restore then man

Reply

[-]

brink668@reddit

WSUS or Windows Update appears to allow it

Reply

[-]

zz9plural@reddit

WTF? Even my DCs are offering inplace upgrades to 2025. Are inplace upgrades of DCs supported now?

Reply

[-]

_theonlynomiss_@reddit

Yes its kind of supported. The Domain Forest will Remain without the 2025 Features until every dc is Updated

Reply

[-]

_theonlynomiss_@reddit

Most importantly here is: MS ALLOWS(!) the upgrade but doesnt Support it

Reply

[-]

NoSelf5869@reddit

https://learn.microsoft.com/en-us/windows-server/identity/ad-ds/deploy/upgrade-domain-controllers#prerequisites In my understanding, in-place upgrade of DC's has been supported, but not recommended, for long time.

Reply

[-]

zz9plural@reddit

Thanks, I actually did read that article and remember being annoyed by the typcial vague language of MS documentation. The article mentions that inplace upgrades (may, or do always?) need manual preparations, which in this case would mean what exactly? DCs not getting automagically upgraded because conditions aren't met, or (given MSs track records definitely a possibility) DCs trying to upgrade anyways and messing up AD?

Reply

[-]

NoSelf5869@reddit

https://learn.microsoft.com/en-us/windows-server/identity/ad-ds/deploy/upgrade-domain-controllers#adprep---forestprep-and-domainprep Please read the link carefully, its written there.

Reply

[-]

zz9plural@reddit

I did, and I may be blind, but where exactly do they say what happens if you don't run the preparations?

Reply

[-]

dcdiagfix@reddit

then you can't update... domainprep and forestprep are required for the first DC of that type in an environment, the IPU upgrade for a DC works pretty seamlessly out of of the 100 or so i've done had near zero issues.

Reply

[-]

PkRavix@reddit

In particular you should not in-place upgrade to 2025, the new 32k mode is only supported on new installs. 2025 can run in 8k compatability mode until all your DCs are 2025.

Reply

[-]

PMental@reddit

I doubt many organizations actually have a use for 32k though, so likely not a major factor for most. That said I'd never bother with in-place of a DC anyway since it's so easy to set up new ones and decommission the old.

Reply

[-]

brink668@reddit

Yes in-place upgrades have been around but via Windows Update for Server that is new.

Reply

[-]

Justsomedudeonthenet@reddit

It's been supported for a long time. Few recommend it since it's trivially easy to spin up a new DC, but it's supported.

Reply

[-]

EncomCEO@reddit

"set settings to prevent auto inplace upgrade" and how does one do that?

Reply

[-]

pressresetnow@reddit

What? Ngl I wasn’t aware of that

Reply

[-]

FutureSafeMSSP@reddit

https://preview.redd.it/ajlzb4lri7zd1.jpeg?width=1837&format=pjpg&auto=webp&s=8db7f275b248513a3757b006b32502bf4b3ed779 Here is the Heimdal CPO reply explaining how the misclassification in the Microsoft API caused the curfuffle.

Reply

[-]

small_horse@reddit

Yep, our RMM tool is set to hold any new updates for review, this morning got 40\~ packages all nicely named "Server 2025" - jesus mary and joseph Microsoft what are you THINKING?!

Reply

[-]

what-the-puck@reddit

Wouldn't that be a good thing? That your RMM clearly identified and labeled and held them?

Reply

[-]

small_horse@reddit

yes it (for once) actually did its job properly! it was more that MS are deciding to issue an update package to entirely change the underlying OS, which seems really dumb

Reply

[-]

what-the-puck@reddit

I suppose, it's nothing new though. Since the Internet on average has been able to "handle" service packs or OS updates, they've been moving over the wire. Windows 8.0 to 8.1, 8.1 to 10, various major updates to versions of 10, 10 to 11... Those were all update available through Windows Update. And likewise on the Server side (2012 -> R2 -> 2016 -> 2019 -> 2022). Those could be done in-place as well through downloads that happen while Windows is up and running (and restarting) via files downloaded over the Internet.

Reply

[-]

spetcnaz@reddit

The issue isn't between inplace vs wipe upgrade. The issue is that a server OS, now has the same, relatively easy way of getting upgraded in place while in production. That's an absolute insanity. Server isn't a desktop, it can break so many things. No version of the server before had this toes to auto updates, and that was good.

Reply

[-]

spetcnaz@reddit

And on a server, that's the stupid and scary part.

Reply

[-]

ourlastchancefortea@reddit

> THINKING Office 2025 Dictionary: Unknown word, do you want to add it?

Reply

[-]

65_Shelby@reddit

I just finished building a new server T550, Silver, 64gb, RAID1 and RAID5 and went (had to) with Server 2019. After updates and starting my pre-build of the server it gave me the upgrade to 2025 option also. I didn't do it as we haven't even licensed the machine due to a possible RAID issue. I'm rebuilding the RAID as we speak and if it fails I'll push the 2025 upgrade just to see what happens because that means the card or backplane is bad. If it's successful then I will be tearing it down anyway, again for the correct install of 2022.

Reply

[-]

Vexser@reddit

Maybe it's time to block MS at the company DNS. Only let trusted/secured hosts contact them. Otherwise you might turn up to a room full of bricks.

Reply

[-]

TrueStoriesIpromise@reddit

In WSUS/SCCM, KB5044284 shows as 0 required/0 installed for 24H2. Seems like Heimdal is the problem, not Microsoft.

Reply

[-]

KlaasKaakschaats@reddit

Thanks for checking, I was wondering what would happen in MECM.

Reply

[-]

BrooklynEagle98@reddit

This seems like the issue. OP should update the post

Reply

[-]

damnedbrit@reddit

Testing on W2K22 and I see that there is the option under Windows Update in the GUI below pending normal updates and below the Install Now an area that says the next version is here and a "Download and install" link. Running: Install-WindowsUpdate -WindowsUpdate does *not* offer the upgrade to W2K25. It does look like from the descriptions elsewhere in this thread that it's a Heimdal setting that is enabled to 'upgrade to Windows 11' that is being misused to upgrade to W2k25 as well.

Reply

[-]

EncomCEO@reddit

We do not use Heimdal, we have automatic WU disabled, and we still get the option to install Server 2025 if we run a manual Windows Update on certain WS2022 boxes. Tried: Navigate to HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate. Create a new DWORD (32-bit) Value named DisableOSUpgrade and set its value to 1. Still getting asked if we want to install, even after a reboot.

Reply

[-]

whetu@reddit

You might like to check out the keys I've listed here: https://www.reddit.com/r/sysadmin/comments/1gk2yly/how_to_block_the_upgrade_of_windows_servers_2022/lvkz3gh/

Reply

[-]

EncomCEO@reddit

Thank you

Reply

[-]

damnedbrit@reddit

Yep, not saying that it's not offered, I am saying it's not automatically installed if you do a normal manual update of Windows, nor if you use a power shell script to install Windows update.

Reply

[-]

VinzentValentyn@reddit

2019 affected also, if anyone is running that

Reply

[-]

randonamexyz@reddit

Do you know the relevant KB for Server 2019? Thanks

Reply

[-]

Mitchell_90@reddit

Seeing the same on Server 2022 instances, both in an environment with WSUS and another with GPO controlled Windows Updates where Server 2025 is being offered via UI. This doesn’t look like anything to do with a KB being pushed as both environments have been updated with last month’s patches since mid-late October and are only just showing this now. Microsoft did introduce “Flighting” in Server 2025, essentially the same thing that’s been present in Windows 10 and 11 builds for years now as part of the Insider program so it might be something to do with it. I’m pretty sure that section in the UI is pulled down by via a number MS CDNs - potentially the same used for client. A network trace might show what’s being fetched.

Reply

[-]

Weird_Lawfulness_298@reddit

I looked at a 2022 server and one of the options it had in Windows update was to download and install Server 2025.

Reply

[-]

what-the-puck@reddit

Microsoft did the same for 8.0 -> 8.1 -> 10 -> 11 for example, as well as minor OS versions. Just click a button in Windows updates to bring the system to the newer OS. Servers could do it but it wasn't generally so easy from what I saw.

Reply

[-]

renegadecanuck@reddit

Difference being that owning a license for Windows 8/8.1/10 gave you upgrade rights to the next version.

Reply

[-]

what-the-puck@reddit

Certainly, that's true. A lot of Enterprises licence Windows Server in the same way.

Reply

[-]

bdam55@reddit

It's an optional update though right? There's nothing in place that's going to automatically install it? In the OP's case it was due to his 3rd party patching tool, not Windows Update itself YOLO'ing it.

Reply

[-]

TkachukMitts@reddit

Also seeing this on 2019 servers.

Reply

[-]

mustang__1@reddit

Wonder if that implies the server can handle the upgrade? (like w10 -> 11)?

Reply

[-]

Hi_Kate@reddit

Any currently supported server is supported for inplace upgrade to 2025. So 2012R2 boys in the comments, show you have balls.

Reply

[-]

mustang__1@reddit

I didn't see it listed on my r2 server (ht you call me out like that lol).... But apparently it also hasn't been patched in several months so we'll see if it shows up after a reboot lol

Reply

[-]

p90rushb@reddit

Not seeing it on my NT 4.0 servers

Reply

[-]

TkachukMitts@reddit

Well to be fair the CRTs must be so dim at this point that it would be hard to see.

Reply

[-]

spittlbm@reddit

It's how I maintain my tan

Reply

[-]

Weird_Lawfulness_298@reddit

Yeah, I just checked and it was on 2019 servers.

Reply

[-]

neko_whippet@reddit

Where was it im checking on some 2022 and some 2019 and I dont see an upgrade option to 2025

Reply

[-]

cubic_sq@reddit

CALs implications? #lazyweb not looked into this yet myself…. Just assumed it costs more…

Reply

[-]

Randalldeflagg@reddit

if you don't have 2025 CALs and OS licenses, you are fucked. Hope your backups are working correctly and its not a production machine

Reply

[-]

cubic_sq@reddit

Is what i had thought Also saw on another post tonight there are licensing guilt screens that are presented to be accepted and clicked through

Reply

[-]

Randalldeflagg@reddit

There is if you manually log into your servers to run updates. We use a RMM (Kaseya) to handle patching. So no prompts.

Reply

[-]

AnomalyNexus@reddit

The combination of a silent & non-optional with license no longer valid is absurd. Guessing MS fucked something up & will backtrack this

Reply

[-]

TheProle@reddit

Look at me. I’m joshtaco now

Reply

[-]

Lughnasadh32@reddit

After reading this post, I checked the servers at an NPO that I manage. Both are 2022 (21H2) and both have the upgrade to 2025 option. My main question here is....is there a cost? If so, I am not a fan of this 'marketing tactic'. Someone with less experience could click download and install and then they would be on the hook for whatever the licensing costs at that point. https://preview.redd.it/yzr6a7vkd3zd1.png?width=695&format=png&auto=webp&s=bed7c3f0a60d4d3d3243196f615f851c2c2954bd

Reply

[-]

sweetrobna@reddit

Normally for a non profit purchasing through techsoup or azure for non profits windows server licenses/CALs have software assurance. Your 2019/2022 cals work for server 2025 at no additional cost.

Reply

[-]

Lughnasadh32@reddit

That’s my experience in the past, but it’s not the cows. I’m worried about is more the main surfer license.

Reply

[-]

Catsrules@reddit

>but it’s not the cows You are still managing cows in 2024? We were able to migrate our cows to the local farmers about 80 years back.

Reply

[-]

Lughnasadh32@reddit

We actually sold our last ones a few years ago when my step father's health started to decline. I need to proofread voice to text more often, just been a busy day at the office.

Reply

[-]

Catsrules@reddit

Ahh it is Reddit, we get what we pay for :)

Reply

[-]

sweetrobna@reddit

Software assurance covers the base windows server license too

Reply

[-]

Fatboy40@reddit (OP)

> My main question here is....is there a cost? 100% there is, in Windows Server licensing for the CPU cores and also CAL's.

Reply

[-]

daniejam@reddit

It’s the same in 2022 though….

Reply

[-]

Jeeper08JK@reddit

https://preview.redd.it/dt7s610zf3zd1.png?width=320&format=png&auto=webp&s=a1c2d2e6b085a6560759bde3f79723085cac8bfd

Reply

[-]

Lughnasadh32@reddit

TY - I can see this biting people in the butt. Most people don't read these warnings. They will install the update then wonder why the server stopped working 180 days later.

Reply

[-]

dcdiagfix@reddit

at least it won't auto updated on DCs as it will need domainprep and forestprep :D

Reply

[-]

Jeeper08JK@reddit

https://preview.redd.it/uzg2b3zx93zd1.png?width=1011&format=png&auto=webp&s=66375db63bf5827bf68900e31d746272c0dd18cf

Reply

[-]

Remarkable_Cook_5100@reddit

https://preview.redd.it/ywaehohcf3zd1.png?width=667&format=png&auto=webp&s=13a4e42d8bd8ccfba71bf14956b7ad694b614531 If you click the Download and Install you get this, which indicates it is not a FREE upgrade!!

Reply

[-]

lordcochise@reddit

AH, ok so at least there IS a warning then

Reply

[-]

Randalldeflagg@reddit

fun fact, if you use an RMM tool, you dont get this popup warning, it just happens. And then you are screwed when you find out it upgraded your SQL servers and you can't get an outage to take those DB offline to restore the OS to 2022 and then restore those DBs back to production.

Reply

[-]

lordcochise@reddit

![gif](giphy|8YX0bYjXjzpQWB1ake|downsized)

Reply

[-]

1Original1@reddit

Wat,that's ridiculous

Reply

[-]

Jeeper08JK@reddit

Micro$oft strikes again

Reply

[-]

Fatboy40@reddit (OP)

Good spot!

Reply

[-]

BarsoomianAmbassador@reddit

It's amazing that Microsoft continues to do ridiculous things like this to the IT people who are their advocates. Making this an update to production servers, which requires the purchase of licensing for functionality and compliance, is not only abusive to clients, but it is indicative of the power of monopoly. Imagine that, through no fault of your own, and following best practices for security, this "update" was applied to your server farm and you had to restore them all from backup? I'd be brushing up my Linux skills and ripping out Microsoft Server wherever I could.

Reply

[-]

moonwolf3533@reddit

We have a separate section in the UI to upgrade our server. This should never be an option unless they are giving the upgrade away for free and even then it shouldn't be there.

Reply

[-]

Gmoseley@reddit

Awarded just because the constant stream of updates. Ty for sharing the knowledge

Reply

[-]

ConfectionCommon3518@reddit

Why do I sense this is the idea of the MS marketing dept to show massive uptake figures? Servers are quite often delicate creatures playing home to licensing services and other stuff that may take one look at the server and knowing things have changed just decide to not play taking down the entire production line and then the fun starts both at the practical level and the point where they start waking up the lawyers.

Reply

[-]

bdam55@reddit

I don't blame you for that conclusion, but I would argue this is more about moving updates 'to the cloud'. If you don't have ConfigMgr (which MS really wants you to abandon) then how are you going to manage sever updates? MS wants you to use AUM pointing at Windows Updates. So that means Server FUs need to come from WU. And that's fine, as long as there's the appropriate controls for that. So far, what I'm reading here, the OP's issue is specific to his third party patching solution.

Reply

[-]

Conditional_Access@reddit

I know it can feel that way sometimes, but knowing the people that actually work on this stuff, I'm confident this is absolutely not the case.

Reply

[-]

TaliesinWI@reddit

Malice, incompetence, etc.

Reply

[-]

mankycrack@reddit

NinjaOne put a yellow banner across the top of their portal today warning about this. I blocked the update on Monday because I was getting bad vibes over the weekend

Reply

[-]

extremetempz@reddit

Licencing aside, I'm not sure what the issue is, Linx distros like Debian and Ubuntu do this, Everytime I login to servers I see a prompt to upgrade Block the update and move on

Reply

[-]

ITGuyThrow07@reddit

The issue is it being identified as a "security update" that can't be rolled back and, oh yeah, you have to be licensed for it.

Reply

[-]

extremetempz@reddit

1. Have Backups 2. I've unapproved the update in WSUS and now I don't see it 3. Everyone should have their updates delayed for this very reason, yes this is a first for Microsoft inplacing servers, but they have been known for pushing our Dodgy patches.

Reply

[-]

severnd@reddit

this is fine but its classed as a security update ; for many of us working in a secure environment, such updates are deployed quickly to prevent attacks. block all you like but once the update has started rolling out to a device; its getting installed. for us, the patch rolled out at 2am UK time. wasnt even patch Tuesday ffs!!

Reply

[-]

Gh0styD0g@reddit

What a balls up 😲

Reply

[-]

Vicus_92@reddit

Fuck me, it's a server not a desktop. Who thought this was a good idea!? Guess I know what I'm reviewing tomorrow.

Reply

[-]

longlivemsdos@reddit

yep I think MS forgot that since around WS2016 (or 19 can't remember which) with xbox services and Edge auto opening on 'news' tab instead of protected.

Reply

[-]

MBILC@reddit

Don't forget the Coupon's option in Edge, cause servers need that too...

Reply

[-]

RBeck@reddit

And now you're out of compliance for 2025 CALs.

Reply

[-]

lordcochise@reddit

that's also a big one for some folks, particularly those not using DC editions; This sort of thing was one reason we moved to DC versioning to not have to worry about it as a SMB, other than specific stuff like RDS\\SQL cals

Reply

[-]

Icedman81@reddit

.... what? Last I checked, you still need Windows Server CALs, if you run Server Datacenter (ref: https://www.microsoft.com/en-us/windows-server/pricing). As far as I know, the only time you do not require CALs, is if you are using SPLA licensing - at which point, you yourself generally don't manage the licenses, but the MSP does (also, the MSP is not allowed to give you direct access to the keys). This also means, that if you have any volume licenses that you want to use in your MSPs datacenter, you need to have an active SA with those licenses. Only thing you get "unlimited" of, is the ability to run as much Windows VOSE that you can on the hardware (and obviously AVMA). SQL on the other hand does not require CALs in the case of core licensing, only when using Server + CAL model. Although, Core licensing in virtual environment requires you to have a valid SA for the SQL Server Core packs and a minimum of 4 licensed vCores per vOSE (even if you only use one), unless you go and license the physical cores (IIRC, with Enterprise Edition + SA), which would allow you to run unlimited SQL Server instances (in other words, as many has the hardware can handle). And then there's the Azure Hybrid benefit model that muddles the costs and especially SQL Server licensing... A final note, some recommended reading: * https://www.microsoft.com/licensing/terms/welcome/welcomepage * https://download.microsoft.com/download/e/8/e/e8edae36-cbc6-4123-bc5a-f651d174fd6c/pur_explained.pdf * https://www.microsoft.com/licensing/docs/view/Licensing-Briefs And especially these from the Licensing Briefs link: * [Introduction to Microsoft Core Licensing](https://www.microsoft.com/licensing/docs/documents/download/Licensing_brief_PLT_Introduction_to_Microsoft_Core_licensing_Oct2022.pdf) * [Microsoft server products for use in virtual environments](https://www.microsoft.com/licensing/docs/documents/download/Licensing_brief_PLT_Licensing_Microsoft_server_products_for_use_in_virtual_environments_Oct2022.pdf) And to be a nitpicky too, when you have a valid SA for Windows Server licenses, your CALs need to have it too...

Reply

[-]

Confy@reddit

This person licenses

Reply

[-]

BloodyIron@reddit

"Enterprise ready"... *laughing from Linux* Yes I know this doesn't help, but the more of your systems you can migrate away from Windows, the more sanity you will have.

Reply

[-]

OinkyConfidence@reddit

"Enterprise ready"... *laughing* ***in*** *Linux* would be the correct parlance I believe.

Reply

[-]

BloodyIron@reddit

Well I'm literally using Linux as my OS to type this, so I think we're both right. As for the use of parlance... ;P

Reply

[-]

MBILC@reddit

Just to test, brand new clean install of Server 2022 - Not yet activated, used an MSDN ISO image: en-us\_windows\_server\_2022\_updated\_sep\_2024\_x64\_dvd\_cab4e960 First check for Windows Updates: https://preview.redd.it/fhtg3bfex4zd1.png?width=945&format=png&auto=webp&s=2d0be5ba191e31e4087bc9cae0854f738c880252

Reply

[-]

cpupro@reddit

Unintended, unintentional, free upgrade to the latest OS. Absolutely NOTHING bad could happen... Right? LOL

Reply

[-]

YellowOnline@reddit

I have no issue with in-place upgrades at all, but you should of course consciously choose to do it, not only because of compatibility, but also because of CALs. I'm fine with my 2022 DCs becoming 2025, but I only have 2022 CALs. Or did MS change how CALs work?

Reply

[-]

Remarkable_Cook_5100@reddit

Honestly, if Microsoft was simply giving everyone a free upgrade from 2019/2022 to 2025 with CAL and RDP license upgrades, that would be fine with me. But they are not, so this option should not even exist.

Reply

[-]

lordcochise@reddit

Yeah at first it almost feels like a 'free' R2 style upgrade but NOPE

Reply

[-]

Jeeper08JK@reddit

https://preview.redd.it/qwyaci11g3zd1.png?width=320&format=png&auto=webp&s=49ee72d273ef8a0cf77e13b5c86c51f5f38e3c97

Reply

[-]

YellowOnline@reddit

Oh, I didn't even consider that. Just like W10 licenses worked for W11, I assumed that an upgrade like this would also extend the license.

Reply

[-]

Megafiend@reddit

Your server guys have caused this by not managing the update tool effectively is what you're saying.

Reply

[-]

networkn@reddit

This is a dumb reply. It's a server, it has NO business upgrading. There are so many things wrong with an auto update including a lack of applicable licenses, compatibility, support from vendors, deprecated features.

Reply

[-]

Gummyrabbit@reddit

My ESXi are only licensed up to Server 2022.

Reply

[-]

networkn@reddit

Exactly.

Reply

[-]

Jamdrizzley@reddit

Do you use wsus to release updates manually or is your estate on a 'upgrade free for all' policy? If you don't use wsus then unwanted updates should be expected

Reply

[-]

networkn@reddit

This isn't a workstation. There are licensing implications. If my 2022 upgrades to 2025 then MS can pound sand for the licensing costs. I am extremely confident our consumer laws would cover us nicely.

Reply

[-]

jeffrey_smith@reddit

Are you a consumer?

Reply

[-]

networkn@reddit

For the purposes of the laws that protect me against this type of behavior, yes.

Reply

[-]

xCharg@reddit

> This isn't a workstation. There are licensing implications. Workstations are also licensed so how is that different?

Reply

[-]

networkn@reddit

Sigh. Workstation licenses are included in the price of your computer and don't have CALs to worry about.

Reply

[-]

xCharg@reddit

That's nothing more than your random assumption. No, my licenses are not included in the price of my computer.

Reply

[-]

McAUTS@reddit

WTF... what are you doing here? You're obviously not even a SysAdmin, so what are you telling us here?

Reply

[-]

xCharg@reddit

Sure, I don't work in your environment therefore I'm not sysadmin. Cool logic.

Reply

[-]

networkn@reddit

For the vast majority of people it's true. For the vast majority of server owners an upgrade from 2022 to 2025 would cost them a server license plus CALs.

Reply

[-]

GherkinP@reddit

i'd just like to interject to mention WSUS should not be used. https://www.bleepingcomputer.com/news/microsoft/microsoft-officially-deprecates-windows-server-update-services-wsus/amp/ it's been deprecated as of aug 13

Reply

[-]

_CyrAz@reddit

The link you provided quite literally says that WSUS will continue to receive updates and to be supported, which doesn't exactly sounds like "stop using it".

Reply

[-]

what-the-puck@reddit

Yeah, it hasn't seen new features in years, only patches. Microsoft just admitted it, that's all. WSUS is not end of life.

Reply

[-]

GherkinP@reddit

> Windows Server Update Services (WSUS) | Windows Server Update Services (WSUS) *is no longer actively developed*, all the existing capabilities and content continue to be available for your deployments. https://github.com/MicrosoftDocs/windowsserverdocs/commit/b9de39a7a50e881d725ba5af90ca179d20ecd2ca

Reply

[-]

_CyrAz@reddit

Still not the same as "not maintened/not supported/don't use it", and it hasn't been "actively developed" for for years anyway.

Reply

[-]

Finality-@reddit

All their recommendations are for cloud products. While deprecated it's functionality isn't going away. What would be the solution for air gapped networks where you can't use cloud, something third party?

Reply

[-]

asdrunkasdrunkcanbe@reddit

Windows server updates are managed just like any others. If you don't want your servers to update themselves automatically then you should be configuring them to not automatically update. If this is happening it's because they've decided it's OK for machines to update themselves and all the compatibility issues that may bring.

Reply

[-]

mwerte@reddit

And yet all the other posts here are "automate everything, touch nothing" variety. It can't be both. Not directed at you specifically, just frustrated

Reply

[-]

asdrunkasdrunkcanbe@reddit

You're kind of right, it can't be both, you need to segregate the stuff which needs management from the stuff which doesn't. Most of us in the automate everything camp also acknowledge that you can't literally automate everything. Sometimes you need gates, because automation lets things through which shouldn't be allowed through. In this example, you might allow patches to be automatically rolled out to non-prod environments, and then you apply them to prod environments on a week or two-week delay. That delay can also be automated, but someone should at least be eyeballing it and aware it's going to happen. For the sake of a ten minute check you can save yourself a day's stress and work if a patch goes out unintentionally. If you have no environment segregation (say for corporate services like a mail server), then you just have to suck it up. These are always my candidates for moving to cloud providers, aka making it someone else's problem.

Reply

[-]

Megafiend@reddit

Why Is a prod server configured to auto update without anyone reviewing the updates. I agree it's 100% shitty categorisation on Microsoft part, but this is easily prevented with proper process.

Reply

[-]

ClackamasLivesMatter@reddit

If a server updates itself I'm calling an exorcist. That shit should not happen.

Reply

[-]

Megafiend@reddit

The update wasn't blocked, and was automatically applied by an update tool. No need for an exorcist, just a review of the update procedure.

Reply

[-]

Pazuuuzu@reddit

Well when an upgrade is classified by Microsoft as a "Security Updates " that is a whole other can of worms...

Reply

[-]

RestartRebootRetire@reddit

https://preview.redd.it/n00rk781k4zd1.png?width=844&format=png&auto=webp&s=f09f035594fcd68b5ad3812513d76fbb62e35a28 Here's what I see on my Server 2022 Standard server that I manually update.

Reply

[-]

uxixu@reddit

Hate hate hate the way MSFT has done updates since Win 10.

Reply

[-]

Chaseshaw@reddit

Just within the last week I was wondering to myself if my policy of only updating windows manually after KBs have had a while to burn in was an outdated and inappropriate way of thinking. I have memories of windows updates "breaking" things, but these memories are 10-15 years old, and I was pondering if I should rethink this. Nope, no I should not. Windows automatic updates still breaks crap all the time it seems.

Reply

[-]

wooties05@reddit

Thank your for posting this.

Reply

[-]

hvas01@reddit

RemindMe! 2 Days

Reply

[-]

Advanced_Day8657@reddit

Quick question... How can Microsoft treat a server like a desktop?

Reply

[-]

cubic_sq@reddit

Because it is almost 2025. And apps / etc on 2022 in theory most stuff should be fully compatible with 2025 if the vendor codes against guidelines properly. And ms should already know what interfaces are used on the 2022 host and have a good idea if stuff will most likely be ok ok 2025

Reply

[-]

ChrisDnz82@reddit

would anyone care to share their patch logs/windowsupdate logs? or provide the patch guid of the patch they think did it. I would like to check our patch db (I work for N-able) to see if we can help figure out more

Reply

[-]

Fatboy40@reddit (OP)

If you're able to indicate where on the Windows Server I can find the corresponding logs, or patch GUID, I'd be happy to send these.

Reply

[-]

ChrisDnz82@reddit

[https://learn.microsoft.com/en-us/powershell/module/windowsupdate/get-windowsupdatelog?view=windowsserver2022-ps](https://learn.microsoft.com/en-us/powershell/module/windowsupdate/get-windowsupdatelog?view=windowsserver2022-ps) Possibly logs in here if they exist, would normally use them for win 10/11 though: **C:\\Windows\\Panther\\** Guids will hopefully be in the logs.

Reply

[-]

Fatboy40@reddit (OP)

After running Get-WindowsUpdateLog on one of the servers that updated early this morning, at around 03:37 UK time, the earliest log entry is for 07:23 so around five hours later so I'm thinking probably not much use?

Reply

[-]

ChrisDnz82@reddit

is there anything in panther log location?

Reply

[-]

Fatboy40@reddit (OP)

Unfortunately not :(

Reply

[-]

ChrisDnz82@reddit

nightmare :-(

Reply

[-]

tuntaalam@reddit

If all else fails, call Microsoft and ask them to explain the behaviour of their shitty os.

Reply

[-]

Absolute_Bob@reddit

![gif](giphy|gaZ51cn7sUY4U|downsized)

Reply

[-]

KingStannisForever@reddit

Isn't that Ubisfot logo there? Anyway, Microsoft doesn't know what Microsoft is doing

Reply

[-]

trapped_outta_town2@reddit

They know, that's the point. They know you're not just gonna up and leave them for Linux. So they just do shit like this and you have no choice but to take it.

Reply

[-]

pdp10@reddit

> They know you're not just gonna up and leave them for Linux. Those who could leave for Linux easily, decamped years ago. Many of those enterprises left, can't leave easily. The same for IBM mainframes -- you don't keep paying for those if you have decent options.

Reply

[-]

BloodyIron@reddit

Actually there's plenty of AD environments (on-prem) that actually are eligible for migration to Samba AD (running on Linux), as the functionality said environments care about is fully served by Samba AD. Yes, not all scenarios are covered by Samba AD, but most are. (I know because this is something my company offers by the way) So while there are those who have migrated Windows->Linux already in part or whole, there's plenty of opportunity left for more of that!

Reply

[-]

Dependent_Price_1306@reddit

Why? It won't be in the script of the moron on the other end of the phone.

Reply

[-]

Die_Quelle@reddit

as if they could explain such things LOL.

Reply

[-]

DattiHD@reddit

Even if they bother to explain "he behaviour of their shitty os" it won't change the f\*\*\*\*ed up situation for affected admins.

Reply

[-]

fl_video@reddit

Can we confirm this is only impacting Server 2022?

Reply

[-]

nont0xicentity@reddit

No, showing on 2019 as well

Reply

[-]

UltraEngine60@reddit

As soon as they figure out patching at a decent cadence, and now hotpatching, they start treating major OS updates the same as hotfixes. One step forward two steps back. I can handle major OS upgrades myself Microsoft, back the fuck off.

Reply

[-]

mpekbre@reddit

RemindMe! 2 days

Reply

[-]

gbdavidx@reddit

An software matter expert??

Reply

[-]

bschmidt25@reddit

I'm sure all of the public sector entities who are in a change freeze because of the election really appreciate this. Shouldn't affect elections systems, but when I worked for a county that handled them we weren't allowed to touch a damn thing on election day. Only firefighting duty.

Reply

[-]

sharkbite0141@reddit

RemindMe! 2 days

Reply

[-]

5141121@reddit

RIP any Windows admins out there today. I'll pour one out for you as I push firmware to my AIX boxes.

Reply

[-]

Clasic-Zero@reddit

So…. If update is offering the upgrade Does that make it free?

Reply

[-]

brother_yam@reddit

No

Reply

[-]

MFKDGAF@reddit

RemindMe! 2 Days

Reply

[-]

Beardedcomputernerd@reddit

RemindMe! 5 days

Reply

[-]

ProfessionalITShark@reddit

Anyone got any guids?

Reply

[-]

ajf8729@reddit

KB5044284 is just the monthly CU for Server 2025. It was revised a few days ago because the product classification was changed from "Windows Insider Pre-Release" to "Microsoft Server Operating System 24H2". Not sure what KB this upgrade is coming from yet.

Reply

[-]

Gummyrabbit@reddit

I have a test server running 21H2 and I downloaded KB5044284 (which also downloads KB5043080). I can't even install it on 21H2. I get "Installer encountered an error: 0xca00a005". So I'm not sure how your patch tool is managing to get it installed.

Reply

[-]

Mysterious_Manner_97@reddit

Looks like this is a screw up perhaps due to kb5044281 having the exact same name? Outside of a comma.. wondering if ppl are using txt based approval rules?

Reply

[-]

lordcochise@reddit

Wasn't seeing this ANYWHERE in WSUS but checking online for updates on Server 2022 VMs does make this appear as an optional update not unlike Windows 10/11 client-side major build updates; On one hand I'm not surprised they eventually went this route for what used to be 'R2' versions (though Server 2019 -> 2022 -> 2025 could be more of an R3?); at the same time, everyone seems to be saying this isn't a 'free' update and requires a 2025 license or upgrade rights? HOO BOY there's gonna be plenty of admins pissed at M$ if that ends up being the case. Currently all our hypervisors / VMs are Server 2022 (21H2 LTSC essentially) and I have yet to see a WSUS update normally requiring approval that matches this; is it possible that what's really meant as an optional inline upgrade for the non-LTSC server builds got released wrong? Would make sense for those on active / enterprise licensing to have this path but PROBABLY NOT the rest of us if it breaks activation....

Reply

[-]

Monatomic@reddit

Saw this yesterday when spinning up a server. Microsoft is certainly being sneaky.

Reply

[-]

xerxes716@reddit

Dear Microsoft: [Rick and Morty | Get your shit together - YouTube](https://www.youtube.com/watch?v=xIAfCupuZ3w&list=WL&index=29)

Reply

[-]

Celikooo@reddit

According to WSUS, KB5044284 is only available for 2025 servers. It is declared as a Security Update. It is most likely not upgrading the OS from 2022->2025 Furthermore, the OP apparently configured Heimdal in a way to install all updates (including optional updates pulled from Microsoft), which most probably caused the servers to update to 2025.

Reply

[-]

Fatboy40@reddit (OP)

> According to WSUS, KB5044284 is only available for 2025 servers. It is declared as a Security Update. > It is most likely not upgrading the OS from 2022->2025 Nope, it 100% installed KB5044284 this morning, it's all in logs etc., and our RMM tool classifies it as an Operating System Update and installed it onto two 2019 servers + it errored on a third so thank God for that.

Reply

[-]

Celikooo@reddit

That's crazy... Best of luck taking care of your severs 👍👍

Reply

[-]

InfamousStrategy9539@reddit

Is the Heimdal dashboard showing the update in the assets for the servers? When did they update? Ours is set to update them on Fridays, but just checked our DC and it hasn’t been updated.

Reply

[-]

Fatboy40@reddit (OP)

The "GP" (why on Earth did they call it that, for me GP = Group Policy in Active Directory) was set so that OS Updates occurred on a Tuesday and Thursday, so overnight today it started to push it out.

Reply

[-]

InfamousStrategy9539@reddit

Ahaha, same, it could have been named better. Thanks, back off my lunch now. Off to the dashboard I go!

Reply

[-]

idle19@reddit

thanks Microshaft

Reply

[-]

severnd@reddit

we've got this garbage pending on 75 servers! mix of 2022 and 2019! block that KB if you can, but probably too late if you're updating to meet security compliance rules.

Reply

[-]

sliverednuts@reddit

Honestly you deserve this, why would you use such shitty products to update your servers!!! Better start reading properly !!!!

Reply

[-]

Calimore@reddit

More exclamation marks = more being right!!!!!!!!!!!!!

Reply

[-]

MushyBeees@reddit

It’s zero surprise your partner doesn’t want to sleep with you.

Reply

[-]

networkn@reddit

You know, it's optional to be a prick online right? Get a grip.

Reply

[-]

Fatboy40@reddit (OP)

I personally do not manage the servers / systems so cannot comment if Heimdal is appropriate, if that's what you're referring to? You assume that it was Heimdal that instigated this and not Windows Update etc? (As an aside to the above why such a shitty reply?)

Reply

[-]

Thebelisk@reddit

People online are arseholes, that’s why the shitty reply. I feel your pain brother. I haven’t had this particular issue, but it brings back memories of a Win10-to-Win11 update which caught me off guard. I had rules in place to stop the Win11 update, but MS changed how they were pushing out the updates at one point, which bypassed my rules. Really frustrating, and I can only imagine the world of hurt you have ahead of you with servers unexpectedly updating.

Reply

[-]

Crot_Chmaster@reddit

WTF Microsoft

Reply

[-]

KernicPanel@reddit

This would be a disaster if it happened to rds servers or brokers as the windows version needs to match.

Reply

[-]

mgF0z@reddit

Love it, you've got to love MSFT!

Reply

[-]

SnooDucks5078@reddit

wow, thanks for the heads up! I just noticed it appear as an optional install on my 2022 domain controllers! Better check SConfig set to manual.

Reply

[-]

mb194dc@reddit

I've seen this happen with Office, but not Server itself, though on 2019 not 2022.

Reply