Sysadmin Shock As Windows Server 2025 Installs Itself After Update Labeling Error

A security update mislabeling by Microsoft led to Windows Server 2022 systems unexpectedly upgrading to Windows Server 2025, impacting 7 percent of Heimdal customers and leaving administrators scrambling to manage unexpected licensing and configuration challenges. The Register reports: It took Heimdal a while to trace the problem. According to a post on Reddit: "Due to the limited initial footprint, identifying the root cause took some time. By 18:05 UTC, we traced the issue to the Windows Update API, where Microsoft had mistakenly labeled the Windows Server 2025 upgrade as KB5044284." It added: "Our team discovered this discrepancy in our patching repository, as the GUID for the Windows Server 2025 upgrade does not match the usual entries for KB5044284 associated with Windows 11. This appears to be an error on Microsoft's side, affecting both the speed of release and the classification of the update. After cross-checking with Microsoft's KB repository, we confirmed that the KB number indeed references Windows 11, not Windows Server 2025."

As of last night, Heimdal estimated that the unexpected upgrade had affected 7 percent of customers -- it said it had blocked KB5044284 across all server group policies. However, this is of little comfort to administrators finding themselves receiving an unexpected upgrade. Since rolling back to the previous configuration will present a challenge, affected users will be faced with finding out just how effective their backup strategy is or paying for the required license and dealing with all the changes that come with Windows Server 2025.

And this is why people are reluctant to update

[locofungus]

There are far too many cases where fixes do far more than just fix things.

This case appears to be an mistake on Microsoft's part, but it's not at all uncommon for fixes to deliberately change behaviour.

Debian tries very hard not to update versions in a release and backport security fixes to the old version. But almost no other vendor seems to behave like that.

Re:And this is why people are reluctant to update

[RevRagnarok]

Calm down with the Debian cheerleading - you're describing the entire concept of "Enterprise Linux." All of them do that.

Re:

[drinkypoo]

Redhat also does the backporting thing. IME they have even older versions than Debian in some cases, although it's been a while since I was dumb enough to mess with a rpm-based distribution, and certainly don't want to do business with enemies of the GPL.

Re:

[Ed Tice]

This was a *mislabeled* backport security fix. Microsoft can't quite do like Debian because the parts of Windows are a bit more tightly coupled but, in general, Microsoft's security patches are relatively small.

Re:

[codebase7]

"Mistake" ???? Microsoft has had their hands caught in the cookie jar multiple times already with consumer systems. Even when we consider that these are production servers, you can't tell me that Microsoft isn't hopeful for a day when they can just unilaterally delete the previous version of Windows from every system in existence.

Re:Typical windows sysadmins!

[Nrrqshrr]

This is even more of a sin after the SolarWinds debacle.
They saw everything that happened, probably were impacted by it, and still learned nothing.

Re:

[jhoegl]

Monopolies be like...

Re:Typical windows sysadmins!

[ledow]

Often you don't get a choice. Certain security requirements/ certifications REQUIRE updates to be pushed to all machines within 2 weeks of release to all machines. There's little time for any testing on that, especially server-side. These can be really basic requirements for things that all companies have and that insurers, cybersecurity accreditations, etc. insist upon.

Then you have the difficulty of managing and blocking updates - WSUS is no longer being developed (and goes away in Server 2025). Intune, Autopatch etc. are extra monthly licences and can be a pain to manage en-masse. Intune doesn't even let you block individual updates last time I looked.

There are third-party patch management solutions out there precisely because the Windows ones can be so dire, but even they can't necessarily see this kind of thing and stop it in time.

And rolling back an entire OS upgrade that's mistakenly marked as an update is far bigger a problem than just rolling back a single Windows KB number, and likely requires restoration from snapshot / backup which means downtime and THEN scrambling to stop it updating that update, same as the above, before it decides to do it itself. For every server. In companies that have dozens or hundreds of virtual machines.

Hell, if you've ever managed a network, you'll have seen single individual KBs that blue-screen and put the device into modes where no remote recovery is possible and you have to restore from backup or safe-mode them to remove them. If you haven't seen that, I question what you've been managing and how long.

Windows updating is really awful for modern times. Don't even get me started on CAU and/or deploying non-CAU updates on clustered servers.

Re:Typical windows sysadmins!

[wildstoo]

Exactly. Windows has always been a nightmare to keep updated but it's even worse now, and the compliance requirements for some security certifications are absolutely incompatible with a cautious approach. The business says "we need this security certification and it says patch within 14 days, no exceptions" and we cannot say "that's insane". Management simply won't hear it. Result: we'll be fully patched, whether that patch is a disaster or not.

Re:

[AlexanderPatrakov]

It's even worse. Certain security requirements/ certifications require updates to be pushed to all machines within 2 weeks of release to all machines. EVEN IF if the update is 100% broken and results in regular bluescreens.

Re:Typical windows sysadmins!

[McLoud]

It's even worse. Certain security requirements/ certifications require updates to be pushed to all machines within 2 weeks of release to all machines. EVEN IF if the update is 100% broken and results in regular bluescreens.

Looks like who wrote those requirements or mandated that kind of certification needs to review that or be fired

Re:

[Darinbob]

No one got fired for promoting Microsoft as the blameless company that can do no wrong. More likely those people get promoted so that they can continue screwing things up.

Re:

[Anonymous Coward]

Lucky you! I work with a set of security controls that sets a 48-hour patching deadline for a lot of computers.

I lock the security weasels in a cage with the aviation safety twinkies, who insist that every change must be rigorously assessed for safety and correctness before being made and that the system can only have unplanned outages once every 23 days (roughly) and planned outages have to be announced at least 72 hours in advance. I listen to whichever one is alive after eight hours if compliance argum

Re:Typical windows sysadmins!

[thegarbz]

and goes away in Server 2025

It does not. It is depreciated, not removed. WSUS will keep working for longer than many on Slashdot will remain in the industry which includes the entire Windows 2025 support period.

Here's the relevant quote directly from Microsoft's own website:
Deprecated features continue to work and are fully supported until they are officially removed, and we have no current plans of removing WSUS from in-market versions of Windows Server (including Windows Server 2025).

Re:Typical windows sysadmins!

[unrtst]

Those are typical windows "sysadmins"! No machine dedicated to test the updates before applying those updates to prod servers? No snapshots on the SAN so they can quickly roll-back? Typical!

Often you don't get a choice. Certain security requirements/ certifications REQUIRE updates to be pushed to all machines within 2 weeks of release to all machines. There's little time for any testing on that, especially server-side. ...

How did you get modded 5, Informative???

You note that you have 2 weeks to push out the updates. Are you trying to tell us that you couldn't update one test system before the two weeks was up? That's all this would take.

And rolling back an entire OS upgrade that's mistakenly marked as an update is far bigger a problem than just rolling back a single Windows KB number, and likely requires restoration from snapshot / backup which means downtime and THEN scrambling to stop it updating that update, same as the above, before it decides to do it itself. For every server. In companies that have dozens or hundreds of virtual machines.

You already have downtime planned because you're applying a set of OS updates. FYI, rolling back a snapshot is quick. While you're doing it, setup that test system you neglected to test on so you can identify what's causing the problem (NOTE: they ended up having to do this anyway), block the update causing the problem, retest then, if ok, deploy to your first subset of servers.

Hell, if you've ever managed a network, you'll have seen single individual KBs that blue-screen and put the device into modes where no remote recovery is possible and you have to restore from backup or safe-mode them to remove them. If you haven't seen that, I question what you've been managing and how long.

So you've lived through that, but you still choose not to test updates before applying them in production?

Am I even on slashdot? Where are the actual sysadmins?

Re:

[ledow]

Why would one test system show you anything at all?

This would have to be one test 2022 system, and I guarantee you people still have 2019 out there en-masse and maybe 2016 (still supported until 2027!).

Then that presumes this update hits immediately and you'll notice the problem instantly (which may be true in this very unusual case) and isn't dependent on what software, services, options, etc. you have installed, whether it was previously in-place upgraded or fresh install, what apps you're using, etc. etc

Re:Typical windows sysadmins!

[unrtst]

Why would one test system show you anything at all?

Read TFS. Installing this one KB update on a test system would have clearly shown the issue - it would get upgraded to server 2025.

Sorry, but I don't think you get that not everyone has 10,000 machines, a staff of 50, and all the time in the world ...

It's 2024. You don't need to own a single server to test this. Use a VM in the cloud:
* snapshot the VM
* turn it on
* apply updates
* do whatever reboots and such are needed
* confirm it's ok.
* ... it would fail that, so freeze the release, roll back the VM snapshot, and alert someone that this needs more manually reviewed first.

You don't need 50 people to do this. Not even 1 FTE. Do this once a week, allowing for the rest of the week for the updates to roll out.

Lastly? This was managed by Heimdal - "One platform. Total Cyber Security". They DO have lots of employees and servers, and managing updates is a core to their role. This isn't a small shop with no full time sysadmins. Is there a reason you're defending these bad practices?

Re:

[codebase7]

You note that you have 2 weeks to push out the updates. Are you trying to tell us that you couldn't update one test system before the two weeks was up? That's all this would take.

A proper security audit would take far longer than that. Especially for anything where code integrity and behavior actually matters beyond a signature check and validation is required. You can't keep out exploits if you're just randomly installing whatever signed agile garbage the developer's github CI squeezed out five minutes ago.

So you've lived through that, but you still choose not to test updates before applying them in production? Am I even on slashdot? Where are the actual sysadmins?

Not everyone has the money in the budget to maintain a fleet of test systems, or have out-of-band management properly set up and secured so it can be used in these cases. Never

Re:

[unrtst]

You note that you have 2 weeks to push out the updates. Are you trying to tell us that you couldn't update one test system before the two weeks was up? That's all this would take.

A proper security audit would take far longer than that. Especially for anything where code integrity and behavior actually matters beyond a signature check and validation is required. You can't keep out exploits if you're just randomly installing whatever signed agile garbage the developer's github CI squeezed out five minutes ago.

What are you saying? That a proper security audit would take too long, so let's not do anything? Just try them on a test system first! You can even use a throw away VM in the cloud - nearly zero cost. And it would have caught this issue, as well as some of the other immediate glaring problem that have happened in the past.

So you've lived through that, but you still choose not to test updates before applying them in production?

Am I even on slashdot? Where are the actual sysadmins?

Not everyone has the money in the budget to maintain a fleet of test systems, or have out-of-band management properly set up and secured so it can be used in these cases.

What year is this? Use a VM. You can even use a throw away one in the cloud.
But let's come back to the actual case here - isn't Heimdal being used so that they can take care of the securit

Re:

[2TecTom]

should be patching the test bed first, why wasn't this caught predeploy?

Re:Typical windows sysadmins!

[Bongo]

A lot of what is called security is simply monster creations of bureaucracy by people who can't do anything productive. It's not Jason Bourne defeating the sophisticated powerful players, it's the "everyone take off your shoes" queue at the airport.

Re:

[Darinbob]

Gotta prove you're important and that you make a difference, and making these sorts of mandates can make that happen!

Re:

[grep -v '.*' *]

, it's the "everyone take off your shoes" queue at the airport.

But we all know that actually works, because the ones with the stinkiest feet will be the terrorists. They're the ones trying to sneak biological weapons on board.

Re:

[codebase7]

Often you don't get a choice. Certain security requirements/ certifications REQUIRE updates to be pushed to all machines within 2 weeks of release to all machines. There's little time for any testing on that, especially server-side. These can be really basic requirements for things that all companies have and that insurers, cybersecurity accreditations, etc. insist upon.

Because rushed security practices never produce bad outcomes. Hang on I need to install this latest upda.....3#$#W.s...We've been trying to contact you about your car's extended warranty....

Re:

[TaliesinWI]

WSUS still very much works in Server 2025. It's now marked as "deprecated" which means they're no longer changing/updating it (not that they've really done that since 2012R2 anyway) and also "don't be surprised if it's not in the _next_ server release.

Even if they don't keep publishing catalog updates until the 2034 EOL of Server 2025, I would be shocked if they cut them off before the 2031 EOL of Server 2022 (given that under Server 2022 it's still very much supported).

Re:

[ledow]

If it's marked as deprecated, it won't pass a cybersecurity audit.

Re:

[ElizabethGreene]

Don't even get me started on CAU and/or deploying non-CAU updates on clustered servers.

My lived experience is that clustering *reduces* availability as often as not. Though perhaps I've just had a bad run.

Re:

[ledow]

It's not so bad if you have the storage.

If you try to cheap out and use Storage Spaces Direct? Or if you try to run it on just a small handful of nodes? Yeah, just throw it in the bin and run VMs individually.

I've seen IT consultants recommend 2-node clusters running S2D to a several $m business. That's just a recipe for disaster.

Re:

[wildstoo]

You talk as if every workplace has the budget and leadership to allow such things. It would be great if everyone had the luxury of choosing their jobs based on how sensible the IT departments are - sadly that's not how the real world works.

Re:

[ls671]

Well, it's almost 2025. I didn't have that flexibility and versatility in 2000 either but now it's almost a standard nowadays even for really small setups where most things are virtualized anyway. Are we going back in time or something?

Re:

[Entrope]

I would answer your question, but it's taking a while to check. Apparently, virtualizing my web browser by logging into a virtual machine running off a virtual disk array in a virtual cluster is a literal cluster---- in terms of speed. If I'm ever able to log in and roll back to 2000, I'll let you know whether time travel is possible.

Re:

[unrtst]

No one with such budget constraints can afford the budget to deal with all the issues when they don't test things. Do a little work upfront, or a lot of work when things blow up.

If it's your job to manage server updates, then it's your job to do it properly, and to ensure leadership is aware of the situation on the ground.
If you're just a grunt hired to push some buttons, and it's someone else's job to manage the update process, and you've informed them about your concerns and they told you to just click th

Re:

[Darinbob]

If you get the upgrade for free, why would you need to pay for the license? If it's Microsoft's fault, and Microsoft wants the licensing fees, then they can send staff out on their own dime to do a proper restoration.

Error?

[Bert64]

paying for the required license

If it's microsoft's error they should provide this for free, otherwise it's basically extortion (we screwed you, now pay up or your data is toast).

Re:

[geekmux]

paying for the required license

If it's microsoft's error they should provide this for free, otherwise it's basically extortion (we screwed you, now pay up or your data is toast).

Exactly. This was an upgrade forced by the vendor. Either they can give the license away, or they can pay for all damages incurred.

Re:

[Luckyo]

Or at the very least microsoft should call and negotiate terms with relevant compensation.

Re:

[nightflameauto]

paying for the required license

If it's microsoft's error they should provide this for free, otherwise it's basically extortion (we screwed you, now pay up or your data is toast).

It's just the way business is done now. Fuck up? Charge the customer. I hope they get their asses sued off for it, but it seems like nothing, no matter how nefarious and evil on the surface, every sticks to them these days.

'Helping IT'

[Njovich]

So after all the issues at Fortinet, Crowdstrike, SolarWinds, Palo Alto, is it really worthwhile to use this kind of 'helpful' software? Seems to be causing more trouble than it's worth.

Re:

[thegarbz]

What is more trouble than it's worth? Security? You should see what trouble you get into when you don't have any at all. Big news this year: A couple of incompetent companies lost a lot of money, for everyone else IT admins had a very bad week. That's it. That's completely small irrelevant crap compared to suffering a major data breach or being infected by ransomware, or having internal development documents / IP being sold online.

Security is a lot less cost and effort than not having security. It's like an

Re:

[Ed Tice]

Are you really suggesting that the solution to security patches gone awry is to stop providing security patches? A good solution to security patches gone awry would be to improve software development techniques so that less security patches are needed and also improve the patching mechanism so they are less likely to go awry.

Re:

[srg33]

No. The suggestion is to just apply MS updates (or verify in-house) and NOT waste money on some 3rd party middleman company that fails.

This is news?

[quonset]

Every week there's another story about Microsoft screwing over its customers and/or user base. At what point do we stop posting these stories since these are a regular part of life, their incompetence something we'll just have to live with?

Re:

[YetAnotherDrew]

It's "news for nerds." Go upstairs and ask your mom if she's aware of Microsoft doing this. Assuming she hasn't heard you shouting about it through her floor.

Maybe..

[eniac42]

Put a block on MS ip address range for the network so updates are blicked, lift it every 2 weeks to allow updates, keep a test machine running that looks for these problems before allowing the updates?

Re:

[bill_mcgonigle]

> MS ip address range

How do you keep up with this with all the Azure v4 acquisitions?

Re:

[dskoll]

You can update periodically from here [microsoft.com].

Re:

[dcooper_db9]

You'll need an external firewall. Windows systematically removes any rules from the built-in firewall that interfere with its products.

Microsoft has been

[diffract]

a big advertiser for Linux lately, I guess they didn't want to leave out the server space too

Re:

[serafean]

Same has been said about Windows Vista.
Didn't happen then, probably won't happen now...

Re:

[ElizabethGreene]

To put this in Linux terms, imagine your favorite distro just dropped a new server release and some third-party script you use for making sure upgrades get installed misread the instructions and helpfully performed a dist-upgrade for you.

Would that be your distro's fault?

Microsoft is always slip-shod and tasteless

[sinkskinkshrieks]

Just a couple of years ago, their MDE plan 2 untested updates pushed ot the world randomly deleted millions of users' icons, causing panic.

Blame the user

[NotEmmanuelGoldstein]

... affected users will be faced with ...

I think, it's the third time this year, someone else is responsible for Microsoft's neglect and dirty deeds. When the don't-install-Chrome debacle was reported, the journalist failed to hold Microsoft responsible for their actions. When Recall Snapshots was announced, it was reported as "creepy", without investigating its built-in security and privacy. (Originally, there was none.)

We now have tech reporters playing favourites.

Ads?

[bill_mcgonigle]

Do they at least get Start menu ads as part of the Downtime Enshittification Insecurity
initiative?

Bug in Heimdal Asset Management Module

[laughingskeptic]

People buy tools like Heimdal Asset Management Module because Microsoft's defaults and Microsoft's plus-ups for system management like InTune still do not do what they want. But it was still Heimdal's code and not Microsoft code that determined that this upgrade was required. And it did it because the metadata in KB5044284 was wrong. It is still Heimdal's error that their product decided to automatically upgrade these systems because a patch downloaded for one operating system was tagged as being for an

Re:

[iAmWaySmarterThanYou]

Both are to blame. Microsoft for not testing before release and Heimdal for not testing before release.

I sense a pattern forming.....

Re:

[laughingskeptic]

What Microsoft test would have detected the incorrect metadata GUID? That metadata is there for information purposes, NOT to tell some automated tool to treat this as a dependency, grab another OS and install it before applying the update.

Re:

[iAmWaySmarterThanYou]

If the information has no value then why is it there at all?

Good code is written on the assumption that users are a bunch of monkeys pounding randomly on the keyboard yet still does something rational in response, not fucking up their servers.

And Jfc why is no one at MS checking this metadata anyway? Jfc, seriously, some intern enters this shit by hand while on the vpn from the bar? The entire process of release should be automated.

How did they not notice?

[ThumpBzztZoom]

I think I would have been a bit suspicious of a 5GB+ download (the smallest Windows Server 2022 upgrade I could find) for a "security update". This is roughly 7x larger than the largest Windows Server 2022 update, and 12x larger than any update for about 2 years.

I know disk space is cheap, but even if this was my home computer I would be wary of an update that is large enough to replace the entire OS.

Re:

[ArchieBunker]

Do you constantly keep an eye on bandwidth usage? On my 300Mbps connection 5gb would take a few minutes.

Re:

[laughingskeptic]

KB5044284 was not an OS upgrade, I contains updates to 328 files and is a pretty standard Windows update. The problem is that one metadata field in this updated indicated (in GUID form) that it was for Windows Server 2025. The BIG mistake was on the part of Heimdal Asset Management Module, which rather than OPTION-1) ignoring this metadata, or OPTION-2) deciding there was an OS mismatch and skipping, this 3rd party asset management tool decided on OPTION-3) It needed to upgrade the OS before applying the

Security update indeed.

[Mspangler]

The security update is a whole new operating system?

Somehow that seems appropriate when discussing Microsoft.

Re:

[organgtool]

Agreed, although replacing one MS operating system with another is certainly not an upgrade.

Re:

[dcooper_db9]

It would be more appropriate if the new OS was Linux.

Re:

[gweihir]

Indeed. The real question is "Is it an update or a downgrade?" though and whether it actually fixes any security problems or at least more than it introduces.

License? Nah it's free

[Growlley]

Unsolicated goods,

Needed another "L" added to the name.

[AgTiger]

"impacting 7 percent of Heimdal customers."

Heimdall (two L's) would have seen this coming.

why I'm well paid

[awwshit]

And people wonder why tech people are well paid. We are there with the right skills at the right time when vendors, and hardware, and people, shit the bed. Always standing by to wipe technical ass.

Re:

[gweihir]

Sad but true. To be fair, MS incompetence is a major job creator for IT and IT Security experts. We should be grateful to them. Well, maybe.

KB5044284 was not a stealth upgrade

[laughingskeptic]

KB5044284 contains updates to 328 files and is a pretty standard Windows update. (https://support.microsoft.com/en-us/topic/october-8-2024-kb5044284-os-build-26100-2033-6baf4a06-9763-4d9b-ba8a-f25ba6ed477b) The Microsoft mistake is that one metadata field in this updated indicated (in GUID form) that it was for Windows Server 2025. The BIG mistake was on the part of Heimdal's Asset Management Module, which rather than OPTION-1) ignoring this metadata, or OPTION-2) deciding there was an OS mismatch and skipping, this 3rd party asset management tool decided on OPTION-3) It needed to upgrade the OS before applying the patch.

Choosing OPTION-3 was a very bad choice and has little to do with Microsoft's metadata error.

Re:

[strikethree]

For decades, people have been telling Microsoft that security updates and feature updates should be separated.

This is the cost of not having them separated. But, I am sure the end result is still acceptable to Microsoft as long as their goals are achieved. Your goals are utterly irrelevant to Microsoft. They are too big to fail.

MS crapware

[gweihir]

Always good for surprises. Just never any good surprises. You would think they are a bit more careful with their corporate customers, but apparently not.

Did I get this right?

[vbdasc]

MS updates system A to system B without user interaction, and then asks money for system B's license? How unscrupulous can they get? At least when they were updating Windows 7/8 to Windows 10, the old licenses remained valid. I guess they need more money now.

Disk space

[Dareth]

I wonder how many of these OS updates failed due to the lack of disk space to complete the update.

Testing?

[YetAnotherDrew]

What testing? They're Microsoft.

We really need to start hiring and using engineers

[Ilove_Noname]

Long gone are the days of the 5 nines, and for anyone wondering, 5 nines represents 99.999% uptime. Who in their rigth mind has anything on the production side set to auto update? This is the exact reason we have labs and test beds. Apply to the lab/test bed wait a day or two (maybe even longer depending on how mission critical your servers are) then roll out to production. I feel like this is a direct result of firing the oldies who cost more and hiring a bunch if new sys admins who cost less.