Sysadmin Shock As Windows Server 2025 Installs Itself After Update Labeling Error

A security update mislabeling by Microsoft led to Windows Server 2022 systems unexpectedly upgrading to Windows Server 2025, impacting 7 percent of Heimdal customers and leaving administrators scrambling to manage unexpected licensing and configuration challenges. The Register reports: It took Heimdal a while to trace the problem. According to a post on Reddit: "Due to the limited initial footprint, identifying the root cause took some time. By 18:05 UTC, we traced the issue to the Windows Update API, where Microsoft had mistakenly labeled the Windows Server 2025 upgrade as KB5044284." It added: "Our team discovered this discrepancy in our patching repository, as the GUID for the Windows Server 2025 upgrade does not match the usual entries for KB5044284 associated with Windows 11. This appears to be an error on Microsoft's side, affecting both the speed of release and the classification of the update. After cross-checking with Microsoft's KB repository, we confirmed that the KB number indeed references Windows 11, not Windows Server 2025."

As of last night, Heimdal estimated that the unexpected upgrade had affected 7 percent of customers -- it said it had blocked KB5044284 across all server group policies. However, this is of little comfort to administrators finding themselves receiving an unexpected upgrade. Since rolling back to the previous configuration will present a challenge, affected users will be faced with finding out just how effective their backup strategy is or paying for the required license and dealing with all the changes that come with Windows Server 2025.

And this is why people are reluctant to update

[locofungus]

There are far too many cases where fixes do far more than just fix things.

This case appears to be an mistake on Microsoft's part, but it's not at all uncommon for fixes to deliberately change behaviour.

Debian tries very hard not to update versions in a release and backport security fixes to the old version. But almost no other vendor seems to behave like that.

Re:

[RevRagnarok]

Calm down with the Debian cheerleading - you're describing the entire concept of "Enterprise Linux." All of them do that.

Re:

[drinkypoo]

Redhat also does the backporting thing. IME they have even older versions than Debian in some cases, although it's been a while since I was dumb enough to mess with a rpm-based distribution, and certainly don't want to do business with enemies of the GPL.

Typical windows sysadmins!

[ls671]

Those are typical windows "sysadmins"! No machine dedicated to test the updates before applying those updates to prod servers? No snapshots on the SAN so they can quickly roll-back? Typical!

Since rolling back to the previous configuration will present a challenge,

I have a really small setup and rolling back anything isn't a challenge at all!

Re:

[Nrrqshrr]

This is even more of a sin after the SolarWinds debacle.
They saw everything that happened, probably were impacted by it, and still learned nothing.

Re:

[jhoegl]

Monopolies be like...

Re:Typical windows sysadmins!

[ledow]

Often you don't get a choice. Certain security requirements/ certifications REQUIRE updates to be pushed to all machines within 2 weeks of release to all machines. There's little time for any testing on that, especially server-side. These can be really basic requirements for things that all companies have and that insurers, cybersecurity accreditations, etc. insist upon.

Then you have the difficulty of managing and blocking updates - WSUS is no longer being developed (and goes away in Server 2025). Intune, Autopatch etc. are extra monthly licences and can be a pain to manage en-masse. Intune doesn't even let you block individual updates last time I looked.

There are third-party patch management solutions out there precisely because the Windows ones can be so dire, but even they can't necessarily see this kind of thing and stop it in time.

And rolling back an entire OS upgrade that's mistakenly marked as an update is far bigger a problem than just rolling back a single Windows KB number, and likely requires restoration from snapshot / backup which means downtime and THEN scrambling to stop it updating that update, same as the above, before it decides to do it itself. For every server. In companies that have dozens or hundreds of virtual machines.

Hell, if you've ever managed a network, you'll have seen single individual KBs that blue-screen and put the device into modes where no remote recovery is possible and you have to restore from backup or safe-mode them to remove them. If you haven't seen that, I question what you've been managing and how long.

Windows updating is really awful for modern times. Don't even get me started on CAU and/or deploying non-CAU updates on clustered servers.

Re:

[wildstoo]

Exactly. Windows has always been a nightmare to keep updated but it's even worse now, and the compliance requirements for some security certifications are absolutely incompatible with a cautious approach. The business says "we need this security certification and it says patch within 14 days, no exceptions" and we cannot say "that's insane". Management simply won't hear it. Result: we'll be fully patched, whether that patch is a disaster or not.

Re:

[AlexanderPatrakov]

It's even worse. Certain security requirements/ certifications require updates to be pushed to all machines within 2 weeks of release to all machines. EVEN IF if the update is 100% broken and results in regular bluescreens.

Re:

[wildstoo]

You talk as if every workplace has the budget and leadership to allow such things. It would be great if everyone had the luxury of choosing their jobs based on how sensible the IT departments are - sadly that's not how the real world works.

Re:

[ls671]

Well, it's almost 2025. I didn't have that flexibility and versatility in 2000 either but now it's almost a standard nowadays even for really small setups where most things are virtualized anyway. Are we going back in time or something?

Error?

[Bert64]

paying for the required license

If it's microsoft's error they should provide this for free, otherwise it's basically extortion (we screwed you, now pay up or your data is toast).

Re:

[geekmux]

paying for the required license

If it's microsoft's error they should provide this for free, otherwise it's basically extortion (we screwed you, now pay up or your data is toast).

Exactly. This was an upgrade forced by the vendor. Either they can give the license away, or they can pay for all damages incurred.

'Helping IT'

[Njovich]

So after all the issues at Fortinet, Crowdstrike, SolarWinds, Palo Alto, is it really worthwhile to use this kind of 'helpful' software? Seems to be causing more trouble than it's worth.

This is news?

[quonset]

Every week there's another story about Microsoft screwing over its customers and/or user base. At what point do we stop posting these stories since these are a regular part of life, their incompetence something we'll just have to live with?

Maybe..

[eniac42]

Put a block on MS ip address range for the network so updates are blicked, lift it every 2 weeks to allow updates, keep a test machine running that looks for these problems before allowing the updates?

Microsoft has been

[diffract]

a big advertiser for Linux lately, I guess they didn't want to leave out the server space too

Microsoft is always slip-shod and tasteless

[sinkskinkshrieks]

Just a couple of years ago, their MDE plan 2 untested updates pushed ot the world randomly deleted millions of users' icons, causing panic.