How to block the upgrade of Windows Servers 2022 to 2025?
Posted by lrosa@reddit | sysadmin | 145 comments
Hi,
is there a way to block the upgrade to Windows Server 2025 on Windows 2022?
I am starting to see links to download 2025 in the Windows Update interface of the servers.
Thank you
Ntinsky@reddit
Use group policy editor and set "Select the target Feature Update version" to Windows Server 2022
Mitchell_90@reddit
That setting only applies to systems running Windows 10 or 11 not Server.
Ntinsky@reddit
Are you speaking from experience or did you just see it somewhere, because the WS2022 ADMX contains that specific option?
Mitchell_90@reddit
The setting itself is for targeting Windows client feature updates only (Windows 10 or 11) so it won’t have any impact on Server, those typically don’t have feature updates anyway.
The setting in the ADMX has been there for a long time in client/server but that doesn’t necessarily mean it will apply to both. There’s lots of settings in ADMX files that are client or server specific.
Ntinsky@reddit
Yes, but have you tried it or are you just assuming? Because I am trying to point OP in a direction here. I mean no offense; theory is good until you have hands-on experience and see for yourself. The setting is for future updates of the OS that match the version you specify.
chrono13@reddit
Yes but have you tried it or just assuming?
Ntinsky@reddit
No, I haven't tried it because I don't use WS2022. I saw newer comments though and they confirm it works, so... you're welcome.
chrono13@reddit
Not working here. We have that policy enforced at the base of the domain. Does not impact servers at all. 2019 and 2022 are being offered the 2025 upgrade.
Ntinsky@reddit
Is it classified as a Feature update or just an update?
Commercial_Growth343@reddit
Does this really work, similar to how we might do that for Windows 10/11?
Ntinsky@reddit
You can always give it a try and find out.
TheRogueMoose@reddit
I noticed no one is really answering the question here. I am also curious about how others are going about making sure to block this from automatically happening?
Crafty_Individual_47@reddit
There is a DisableOSUpgrade registry key, but as the update is incorrectly classified (rumor) it probably won't help. I have not noticed any of our 2022 servers being updated to 2025, and it seems to be a patch management software issue.
RestartRebootRetire@reddit
My 2022 server showed the optional 2025 upgrade yesterday, but today it's gone.
lrosa@reddit (OP)
Same on all my 2022.
whetu@reddit
Blocking a specific KB feels like a kludge to me, and it doesn't necessarily prevent a future KB from doing the same thing.
At a glance it looks like GPO or Registry is, for some, the way to do this.
Registry keys:
and
GPO path as per https://admx.help/?Category=Windows_11_2022&Policy=Microsoft.Policies.WindowsUpdate::TargetReleaseVersion
Odd_Letterhead9371@reddit
I'm just curious how will it block the update if it is misclassified as a Security update? We are using RMM to implement the windows update/patch policies.
whetu@reddit
By my understanding, the KB in question, KB5044284, appears to be tagged for 24H2. The logic is that by explicitly defining TargetReleaseVersionInfo, Windows Update is less likely to make heuristic best-guesses. If you tell it that you expect 21H2, it shouldn't select anything to do with 24H2 or anything else that isn't 21H2. As with many things and especially in IT, explicit > implicit.
Obviously this isn't a 100% foolproof solution, and it's more specific to less-configured or unconfigured Windows Update than it is for RMMs, which may or may not overrule these settings.
Odd_Letterhead9371@reddit
Thank you for the clarification. However, the KB in question has also affected 21H2, which is kind of odd.
Secret_Account07@reddit
On my home computer I modified the gpedit to only show updates for 10Hx or whatever
I don’t think I would recommend this in enterprise though.
whetu@reddit
You don't think you would recommend bringing an aspect of a server under the control of configuration management?
sccmjd@reddit
I just asked over here. That's what I use on desktop OSes. I'm not sure exactly what the server details would be.... "Server 2022" and "21H2" I guess?
https://www.reddit.com/r/sysadmin/comments/1gkgp03/does_targetreleaseversion_work_on_windows_server/
So this?
REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate" /v "ProductVersion" /t REG_SZ /d "Server 2022" /f
REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate" /v "TargetReleaseVersion" /t REG_DWORD /d "1" /f
REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate" /v "TargetReleaseVersionInfo" /t REG_SZ /d "21H2" /f
whetu@reddit
Yeah, 21H2 == Server 2022
To validate:
sccmjd@reddit
Same here. Fresh Server 2022 test machine install, updated, got the 2025 off. Those lines worked. Didn't even have to restart. Just click the check for updates button again and the 2025 offer is gone. I refreshed the registry and the lines are there just like a desktop, no surprise.
I've used that on desktop OSes to try to force them to pull down an OS upgrade too if a machine is being stubborn about upgrading. Point it at the new version. So deleting those registry entries or making them the equivalent Server 2025 and 24H2? might be a way in the future to force it to pull an OS upgrade that way. Or just use an iso I guess. Or not even upgrade a server OS and install straight off an iso.
sccmjd@reddit
Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate
I only see an AU folder below that. Nothing in the WindowsUpdate folder. Although, looking at a desktop OS, I don't think there was anything there either to begin with.
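An added example, not from any poster in this thread: a PowerShell equivalent of the three REG ADD lines above that creates the WindowsUpdate policy key when only the AU subkey exists, writes the pin values ("Server 2022" / "21H2" as given in the thread), and reads them back. The function names are my own; run it elevated.

```powershell
# Added example (not from the thread): pin Windows Update on a Server 2022 host to the
# 21H2 release via the TargetReleaseVersion policy values, then verify them.
$PolicyPath = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
$Desired = @{
    ProductVersion           = 'Server 2022'   # REG_SZ, value from the thread
    TargetReleaseVersion     = 1               # REG_DWORD, enables the pin
    TargetReleaseVersionInfo = '21H2'          # REG_SZ, 21H2 == Server 2022
}

function Set-TargetReleasePolicy {
    # On an unmanaged host the WindowsUpdate policy key may not exist yet (only AU does).
    if (-not (Test-Path $PolicyPath)) {
        New-Item -Path $PolicyPath -Force | Out-Null
    }
    New-ItemProperty -Path $PolicyPath -Name 'ProductVersion' -PropertyType String `
        -Value $Desired.ProductVersion -Force | Out-Null
    New-ItemProperty -Path $PolicyPath -Name 'TargetReleaseVersion' -PropertyType DWord `
        -Value $Desired.TargetReleaseVersion -Force | Out-Null
    New-ItemProperty -Path $PolicyPath -Name 'TargetReleaseVersionInfo' -PropertyType String `
        -Value $Desired.TargetReleaseVersionInfo -Force | Out-Null
}

function Test-TargetReleasePolicy {
    # Returns $true only when all three values exist and match the pinned release.
    if (-not (Test-Path $PolicyPath)) { return $false }
    $actual = Get-ItemProperty -Path $PolicyPath -ErrorAction SilentlyContinue
    foreach ($name in $Desired.Keys) {
        if ($null -eq $actual.$name -or "$($actual.$name)" -ne "$($Desired[$name])") {
            Write-Warning "Policy value '$name' is missing or is not '$($Desired[$name])'"
            return $false
        }
    }
    return $true
}

Set-TargetReleasePolicy
if (Test-TargetReleasePolicy) {
    Write-Output "Windows Update pinned to $($Desired.ProductVersion) $($Desired.TargetReleaseVersionInfo)."
    # Show what the running OS reports so the pin can be compared with the installed build.
    Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion' |
        Select-Object ProductName, DisplayVersion, CurrentBuild
}
```

As the thread notes, no reboot is needed; re-running "Check for updates" afterwards is enough to see whether the 2025 offer disappears.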
philrandal@reddit
See https://www.reddit.com/r/sysadmin/comments/1gk2qdu/windows_2022_servers_unexpectedly_upgrading_to/
Unapprove KB5044284
JMejia5429@reddit
That would require admins to have some kind of patch management like WSUS or other. If the server is set to download and update automatically, best of luck OP. Either start modifying the Windows Update settings or spin up a WSUS quickly and alter your GPO to point the servers to it.
YnysYBarri@reddit
But...WSUS is zero cost to install and very easy to use. It's been a while since I used it, but you get to pick everything - language, product, upgrade type etc. There's a product called...Feature Update I think. Ensuring this isn't selected means major upgrade patches won't get downloaded and therefore installed (I've done the same with W10 in the past - not downloading the W11 feature update stops W10 going to W11).
The 2 major gripes I have with WSUS are: it's very disk hungry because the GUI cleanup tool never works that well. 2nd is the awful way WSUS was implemented in Group Policy.
Fortunately there's a fix for both of these issues and it's called PowerShell ;-) In my previous post I had WSUS auto-approving all the categories and products, then PowerShell installed updates at 18:00 daily and I had a series of scheduled tasks that enabled me to cherry-pick 01:00 reboots Mon-Fri over a repeated 2-week window. PowerShell also ran a cleanup script for WSUS daily that did a thorough decline of superseded updates, and performed database maintenance. I barely had to touch it.
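An added example in the spirit of the PowerShell-driven WSUS housekeeping described above (not the poster's own script): it lists, and optionally declines, catalog entries that would perform an in-place OS upgrade even when their classification is not "Upgrades", so an auto-approval rule for security updates cannot pick them up. It assumes the UpdateServices module on the WSUS host; the KB number and title come from this thread, the function names are mine.

```powershell
# Added example (not from the thread): decline in-place-upgrade packages on WSUS
# before any auto-approval rule sees them. Requires the UpdateServices module.
Import-Module UpdateServices

$wsus = Get-WsusServer   # local WSUS; add -Name/-PortNumber/-UseSsl for a remote server

# The package the thread names, plus a title match as a safety net for re-issued KBs.
$BlockedKbNumbers = @('5044284')        # KnowledgebaseArticles holds numbers without "KB"
$TitlePattern     = 'Windows Server 2025'

function Test-SuspectUpgrade {
    param([Microsoft.UpdateServices.Administration.IUpdate]$Update)
    if ($Update.IsDeclined) { return $false }
    # Real feature upgrades carry the "Upgrades" classification.
    if ($Update.UpdateClassificationTitle -eq 'Upgrades') { return $true }
    # Misclassified ones do not, so also match on the target OS name in the title.
    if ($Update.Title -like "*$TitlePattern*") { return $true }
    # A blocked KB only counts when it targets Windows Server; the same KB number is
    # also used for a Windows 11 24H2 CU, which should stay untouched.
    $isServer = ($Update.ProductTitles | Where-Object { $_ -like '*Windows Server*' }).Count -gt 0
    foreach ($kb in $Update.KnowledgebaseArticles) {
        if ($isServer -and $BlockedKbNumbers -contains $kb) { return $true }
    }
    return $false
}

function Block-SuspectUpgradeUpdates {
    param([switch]$Commit)   # without -Commit this is a dry run that only lists matches
    $hits = @()
    foreach ($u in $wsus.GetUpdates()) {
        if (-not (Test-SuspectUpgrade -Update $u)) { continue }
        $kbs = ($u.KnowledgebaseArticles | ForEach-Object { "KB$_" }) -join ','
        Write-Output ('{0} | {1} | {2} | approved={3}' -f $kbs, $u.UpdateClassificationTitle, $u.Title, $u.IsApproved)
        if ($Commit) {
            $u.Decline()   # declined updates are never offered, whatever the approval rules say
        }
        $hits += $u
    }
    return $hits
}

# Review the dry-run list first, then re-run with -Commit once it looks right.
Block-SuspectUpgradeUpdates | Out-Null
```

Declining also covers clients that have already downloaded but not installed the package, which unapproving alone does not guarantee.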
Capable_Tea_001@reddit
Uh, yeah... Who's blindly patching servers with no approval process?
Did you learn nothing from CrowdStrike?
Tech88Tron@reddit
MS is dropping support for WSUS....
Key-Trainer9381@reddit
Yes they are. But as of now that date seems to be set to 2035.
Tech88Tron@reddit
Server 2025 is the last server version that will support it.
Key-Trainer9381@reddit
Server 2027 hasn’t been released yet, so no one knows yet.
Tech88Tron@reddit
Read this and use your inference skills: https://techcommunity.microsoft.com/blog/windows-itpro-blog/windows-server-update-services-wsus-deprecation/4250436
Key-Trainer9381@reddit
That only says that it's supported in Server 2025. Nothing more. It will probably be removed from the next server version, but as Microsoft hasn't confirmed this, no one knows. Talked to MS PMs last week and they confirmed this also.
Tech88Tron@reddit
They added extra verbiage to make it clear they are talking about current versions of Server...not Server in general.
"no current plans of removing WSUS from in-market versions of Windows Server" ... you only add that for one reason.
Key-Trainer9381@reddit
Again. I'm not saying it WILL be in Server 2028. I'm just saying Microsoft hasn't said anything about this yet. When 20+ customers keep asking me about this, it's important not to say anything more than Microsoft does.
Tech88Tron@reddit
You need to start planning now for it NOT to be in 2028, if you're smart and like to stay ahead of the game.
They have said something, and they worded it in a crafted way.
Key-Trainer9381@reddit
Oh, I totally agree. I have been doing WUfB and Autopilot since 2019. No need to convince me.
mmoe54@reddit
I think it will be released in 2027 and named Windows Server 2028.
Key-Trainer9381@reddit
I agree.
NerdyNThick@reddit
Cite your source, or retract your disinformation.
Tech88Tron@reddit
If you read this: https://techcommunity.microsoft.com/blog/windows-itpro-blog/windows-server-update-services-wsus-deprecation/4250436
and think otherwise...I don't know what to tell you.
NerdyNThick@reddit
Thanks for the link, however I'm not sure that it supports your claim in any way, no matter how you interpret it.
Can you quote the part where it says that 2025 is the last Server OS version that will support it? I can't seem to find it.
I can see where they say they have no current plans of removing it and will ensure that it continues to work with its current features, but I can't see where it says future Server OS versions won't work with it.
Emphasis mine.
Tech88Tron@reddit
The fact they specifically say "in-market versions of Windows Server" says everything. They would have said no plans to remove it from Windows Server at this time.
You only add in specific language like that for one reason. C'mon man, are you just wishfully thinking?
NerdyNThick@reddit
So you're just assuming things using your own personal definitions of terms...
Tech88Tron@reddit
You're assuming in the other direction....
At least my assumption has sound reasoning.
NerdyNThick@reddit
Where did I make a claim about my position? I am assuming nothing because we have no positive information either way. You're just reading into things and coming to a conclusion based on your interpretation of them. I am not doing that.
TahinWorks@reddit
The day M$ removes the paywall from Azure Update Manager is the day I'll get off WSUS for my servers. Holding an update management service for ransom only works if there's no free alternative. I'm completely confident they'll either make the service free for 2025 Arc-connected machines, or extend the WSUS lifecycle. Doing neither will push customers to competitors' patch management solutions, which Microsoft will not risk.
jmbpiano@reddit
Don't worry. People will still be running Server 2025 in 2050.
Enog@reddit
Not true, they are simply not actively developing it any more, it will still be supported for years to come
Tech88Tron@reddit
Current functionality only, nothing new.
The time to start planning for migration is yesterday
Enog@reddit
Absolute nonsense, you can carry on using WSUS for the foreseeable future with absolutely no issues
Tech88Tron@reddit
How long is your "foreseeable" future considered?
Because "absolutely no issues" is a very strong statement for something that won't be updated when new update methods are created moving forward.
Enog@reddit
Well it’s still going to be included in Server 2025, so probably 2035 at the latest
WSUS Deprecated
Tetrapack79@reddit
To be honest WSUS wasn't in a very active development to begin with. However MS will soon begin to remove features from it - first thing to go will be the drivers sync in April 2025, despite still being used in 34% of all WSUS installations.
Vel-Crow@reddit
Some of our devices were hit with this when we tested on 2019 and nothing happened. Approved for other systems, and 2022 turned to 2025. The catalog shows it as being a security update, and most patch solutions approve those automatically.
Capable_Tea_001@reddit
You're too trusting.
We also approve automatically, but only to a group of non-production servers.
We verify patches on those servers before approving for production.
Vel-Crow@reddit
It certainly was an oversight, and we need to expand our test environment to include more OSs, but it's also reasonable to assume that a security patch won't do an irreversible in-place upgrade :P
I would expect the chance of a patch causing a different break, but not this.
Capable_Tea_001@reddit
The CrowdStrike incident just a couple of months ago was caused by a dodgy security patch.
If I'm honest, you're right, I never expect a security patch to do such a thing.
But how our apps actually react to the updates is more important.
I just prefer the absolute granular control with our approach.
Short term pain (though mostly now automated) for long term gain.
Proper-Obligation-97@reddit
The update has wrong classification, it should be an upgrade not a security patch.
purplemonkeymad@reddit
Gotta love the boilerplate text they put on all updates so you have no idea what it is actually updating without looking on the internet.
That one says it's just a fix for Remote Desktop Gateway. Seems it's more than just a bad classification? Did they push out the wrong update in that package?
ronin_cse@reddit
This HAS to be the case
JMejia5429@reddit
Clearly not, since this is the 2nd thread I've seen posted on sysadmin about Win 2022 auto upgrading to 2025.
Ams197624@reddit
Strange, KB5044284 (in my wsus) is just the 2024-10 CU for Windows 11 24H2...
wes1007@reddit
I see a KB5044284 for windows 11 24H2 released 2024/10/08 but also a KB5044284 for server 24H2 released 2024/11/01 on wsus.
philrandal@reddit
Yeah, I think that was a red herring
Lando_uk@reddit
Why would denying KB5044284, which is a Win11/24H2 update, have any effect on Server 2022 patching?
lrosa@reddit (OP)
Problem is that the last WU installations were on Oct 10th during Patch Tuesday, no trace of KB5044284.
JMejia5429@reddit
You need WSUS or some sort of patch management and testing to confirm which KB is doing it for you. With WSUS all updates have to be manually approved (at least how I have it set up), which means no machine in my environment is going to auto upgrade (Win 10 > Win 11 > Win xxx, or even servers). As an FYI, I've had a few upgrades come in under different KBs. Reading what it does is critical vs. just blindly approving.
I have WSUS with rings/tiers. My test computers (1 server and about 150 user devices, or roughly 10% of the user devices) get everything. I monitor for issues on those devices for a few days and if things look good, then I approve for tier 2: lab / classroom computers. If it all goes well, then I approve for a larger pool of users. If it all goes well, everyone/everything gets the update. Yes, it does mean I am not patching all my devices on day one, but I'd rather take the slower approach than have a bad update causing havoc. Maybe there is a better way, cuz I hate patch management, but it has worked for me.
HolTes@reddit
I'm glad I don't work with you cause WTF
JMejia5429@reddit
I don't follow. WTF for having a policy and system in place to test updates so they don't brick my environment? Yeah, I don't want to do it the other way and burn my team out by pulling all-nighters to undo the damage.
slash8@reddit
I follow this approach when updating the ~1M servers in my data centres.
Good strategy.
Climbsforfun@reddit
Yeah, sounds like a sane, organized update policy... don't know what that guy is going on about.
hunterkll@reddit
Ring testing/deployment methodology here too. Test/dev starts Wednesday (day after release), production servers that Friday. Organizationally we have a 7-business-day policy deadline for critical, 10 business days for high.
Workstations are all deadlined the Friday after patch Tuesday week (so, right on the 7 day critical deadline), but users get nagged to hell and back to install early before the forced deadline. They receive the patch available to them in 3 staggered rings (1, 2, and 3 obviously). with all machines available the same day server patching is started, and ring-1 immediately upon release.
Highly regulated industry from compliance and security perspectives, so we have to patch often/patch rapidly.
Ring testing is the *standard* and best practice way this sort of thing should be done.
mmmmmmmmmmmmark@reddit
Is that why we're still running Server 2008 R2? Nothing will force it to update! ;)
Secret_Account07@reddit
Just seeing the text of 08 R2 raises my blood pressure. Honest to god, PTSD. Soooo many bad memories. So many bangings of the keyboard. So many broken servers. So many “WILL YOU UPGRADE THIS FUCKING THING” to customers.
I want all 08 (r2s) to die a fiery death. Same with 2012 to be honest.
catwiesel@reddit
I'll take a server running 2008 R2 over a 2019 that updates automatically to 2025 and loses its licences ANY day.
servers are supposed to WORK like I set them up and WE planned and budgeted for.
NOT HOW MICROSOFT FUCKING WANTS
Secret_Account07@reddit
We were just discussing this in our meetings
We lucked out and the software we use for patching showed that patch wasn’t relevant anywhere in our environment.
Had it been the other way around we’d be doing quite a few restores today
catwiesel@reddit
You should not need software to manage patching to have a functioning product.
It's fine if you add it to get more control, or easier, or better scalability or whatever. But it shouldn't be a requirement.
"Just disable it in software Y" is not acceptable as a solution for Microsoft overstepping. It may be a workaround, but it's still a bad one.
And don't get me started on WSUS going EOL.
Secret_Account07@reddit
You tell me how to manage patching for all Linux flavors, Microsoft, etc. and be able to run reports on all vulnerabilities.
I’ll wait.
catwiesel@reddit
I'm not playing whataboutism...
And I don't understand why we are defending Microsoft. You don't need to defend yourself. It's fine to use management software. It's not fine to require it to get a working product.
A single server, with a license, an adequate number of CALs, and no 3rd-party software is, by definition and according to documentation by Microsoft, as it was, good to use...
Secret_Account07@reddit
I'm not defending Microsoft. I asked a question.
GenericLurker1337@reddit
What the hell are you on about? 2008 R2 is one of the best versions of Windows Server ever made.
Secret_Account07@reddit
Using 2008 (R2) in the 2020’s is Hell.
To be honest it sucked in 2019. OS should have died long ago.
cajunjoel@reddit
And here I am dreading the day 4 years from now where central IT forces us to rebuild my servers from scratch because they won't do in-place upgrades. SMH.
Secret_Account07@reddit
Oh god I wish we didn’t allow customers to do in-place upgrades. We have over 5,000 Windows servers. 99% of all the servers that break are in-place upgrades. We scream at customers to not do it, but they don’t listen. Every single time I see a weird/super strange issue with OS that A) makes no sense, and B) I can’t easily fix - INPLACE UPGRADE
I’m exaggerating with the 99% comment, but it’s high. It’s very high.
I wish we forced customers to swing apps over. Always.
They come crying to us when some obscure DLLs break after an update and repairs to fully fix the issue. Or some other fuckery. MS in-place upgrades for servers should never be trusted.
I’ll die on this hill.
SnooDucks5078@reddit
First thing is to let anyone who has access to the server know not to click the download and install button. It's dangerously close to the check for updates button!
Secret_Account07@reddit
I’m kinda surprised how many enterprises don’t disable automatic updates, or checking of updates.
Even if a user tried to run updates in our environment, wouldn’t work.
Remarkable_Cook_5100@reddit
The really bad part is if this is autoinstalled you will be out of licensing compliance like the second screen indicates.
Itsquantium@reddit
Bro just buy another license
Picklefart80@reddit
For us it would have to be a Datacenter license, not exactly a petty cash purchase.
Itsquantium@reddit
I was joking bruh.
Picklefart80@reddit
It’s hard to tell on Reddit anymore.
Remarkable_Cook_5100@reddit
This should not even be an option!
Remarkable_Cook_5100@reddit
Academic-Detail-4348@reddit
I am looking at my servers in Azure Arc and yup - 2022 has an ominous update available called "Windows Server 2025". KB5044284
ImperialRekken@reddit
Yeah, I see it too. It comes up under Server 2019 and 2022 as unsupported, which would make me think it probably won't auto-install anywhere as long as MS doesn't decide to roll out support for said upgrade. Makes me a tad worried since you cannot add unsupported updates to maintenance config exclusions.
billybensontogo@reddit
But the update in Azure shows as being 'unsupported'
bcredeur97@reddit
Does this mean server 2022 licensing works OK on server 2025?
Because if they want to do this, then that’s what it should mean LOL
chrono13@reddit
Verified it does not.
Aqxea@reddit
https://imgur.com/AI75oUo
MrMcGreenGenes@reddit
Set the clock to 1984, Marty!
amazinghl@reddit
Block KB5044284
3percentinvisible@reddit
How are we seeing this now? 25 was released on the first, it's not Patch Tuesday till next week, so even if these are mislabelled as security updates, they shouldn't be visible till next week?
Lando_uk@reddit
Someone on here must have a MS prem support account, so can one helpful redditor ask the question to support?
ireddit-jr@reddit
Lol, I have a P1 ticket with MS from April for which I am waiting on a response after multiple follow-ups.
Lando_uk@reddit
I'd open a ticket myself, but we stopped paying them this year for exactly the example you gave.
Imobia@reddit
Is this a thing?
dustojnikhummer@reddit
Seems to be https://old.reddit.com/r/sysadmin/comments/1gk2qdu/windows_2022_servers_unexpectedly_upgrading_to/
rms141@reddit
A bad sysadmin blaming Microsoft for his poor patch management doesn't mean that Microsoft is pushing 2025 automatically.
NerdyNThick@reddit
So, you don't auto approve security updates?
dustojnikhummer@reddit
People had that pushed on them...
Regardless, why is it, AT ALL, appearing in Windows Update??!
rms141@reddit
They didn’t have an upgrade forced on them. They have bad patch management that incorrectly categorizes a month-old KB. Their own mismanagement is the problem.
Imobia@reddit
OMFG, does that mean it’s free too.
zeroibis@reddit
Well yes M$ is free to upgrade you at your expense at a time, place and cost of their choosing.
VeryRealHuman23@reddit
Hahahahahahahahahah best joke all week
dustojnikhummer@reddit
Of course not.
yankdevil@reddit
Install Ubuntu?
Tech88Tron@reddit
Do people really auto install "optional" updates in 2024?
AtarukA@reddit
Honestly I do. Should I? Nope, but it's policy to do that so *shrug*
Teejayturner@reddit
It seems the problem that’s going on is Microsoft marked it as a security update and lots of patch management apps auto approve security updates.
I see how people are saying it’s the admins fault, but really it’s Microsoft’s.
RCTID1975@reddit
I mean, it's both.
It shouldn't be listed as a security update.
But you really shouldn't be auto approving any updates on the server side.
Rivereye@reddit
Someone who speaks the truth. Many patch management systems bill themselves as being able to automate the patch management lifecycle, which to be automatic would include automatically approving and installing security updates.
Tech88Tron@reddit
It's the old "be ready for zero day, patch immediately" vs "delay updates to avoid bugs" debate.
zeroibis@reddit
Correct, although I do not think anyone has ever suspected that updates requiring the purchase of additional licensing being pushed out as security updates as a thing, optional or not.
Talk about check the fine print.
zeroibis@reddit
Not having this update would expose a critical flaw in M$'s bottom line. Therefore it is properly labeled a security update as it provides M$ with much needed financial security.
ronin_cse@reddit
According to my RMM it should be this update: https://www.catalog.update.microsoft.com/Search.aspx?q=KB5044284 (KB5044284)
Can anyone confirm if this is actually causing an upgrade? This is pretty crazy if so.
nillawafer@reddit
You can lock in the target release to 21H2.
NO_SPACE_B4_COMMA@reddit
Microsoft is seriously upgrading Windows server automatically? JFC I'm glad I only have to deal with Linux
RCTID1975@reddit
No they aren't.
They did release it as an in place upgrade. The "automatically happening" part is because people have their servers set to update on a schedule without any controls in place.
NO_SPACE_B4_COMMA@reddit
Oh lmao
rswwalker@reddit
Server OSs do not auto upgrade. This is a bad patch issued from MS that makes OS appear to be 2025 in version. Add the patch to the exclude list and uninstall it where it installed.
210Matt@reddit
you cannot uninstall the OS upgrade. You have to restore from backups.
rswwalker@reddit
So Microsoft really sent out a Server OS upgrade through regular update channels and not just a bad update that changes the version numbering?
Someone is getting fired over there!
210Matt@reddit
It gets better, it was mislabeled as a security update, so it was auto deployed right away for a lot of orgs.
rswwalker@reddit
JFC, what a horror show. We only have one 2022 machine right now thankfully and it’s not running anything critical, so dodged a bullet there as we were about to roll out more.
fl_video@reddit
Yes
fl_video@reddit
Yeah no... This does not uninstall as it is indeed an OS upgrade. What a Fing nightmare. verified you cannot roll it back, the server becomes unlicensed.
rswwalker@reddit
Holy shit!
That’s a major fuck up!
D1TAC@reddit
Wait, we can in place upgrade to 2025?
netsysllc@reddit
You always could from N-2 versions, but with 2025 all the way back to 2012 R2 is supported.
Ok_Shower801@reddit
I'm not an admin currently, but when I was I used WSUS to block updates, including the sneaky win10 upgrade updates.
xqwizard@reddit
Strange, my lab WSUS has this update and is approved to all machines but none of my 2022 servers are picking it up. My one 2025 server did though.
Jazzedd17@reddit
Here for the answer. WTF