from the security-update-is-a-new-Windows-OS dept.
Arthur T Knackerbracket has processed the following story:
Administrators are reporting unexpected appearances of Windows Server 2025 after what was published as a security update turned out to be a complete operating system upgrade.
The problem was flagged by a customer of web app security biz Heimdal. Arriving at the office on the morning of November 5, they found, to their horror, that every Windows Server 2022 system had either upgraded itself to Windows Server 2025 or was about to.
Sysadmins are cautious by nature, so an unplanned operating system upgrade could easily result in morning coffee being sprayed over a keyboard.
Heimdal's services include patch management, and it relies on Microsoft to label patches accurately to ensure the correct update is applied to the correct software at the correct time. In this instance, what should have been a security update turned out to be Windows Server 2025.
It took Heimdal a while to trace the problem. According to a post on Reddit: "Due to the limited initial footprint, identifying the root cause took some time. By 18:05 UTC, we traced the issue to the Windows Update API, where Microsoft had mistakenly labeled the Windows Server 2025 upgrade as KB5044284."
It added: "Our team discovered this discrepancy in our patching repository, as the GUID for the Windows Server 2025 upgrade does not match the usual entries for KB5044284 associated with Windows 11. This appears to be an error on Microsoft's side, affecting both the speed of release and the classification of the update. After cross-checking with Microsoft's KB repository, we confirmed that the KB number indeed references Windows 11, not Windows Server 2025."
As of last night, Heimdal estimated that the unexpected upgrade had affected 7 percent of customers – it said it had blocked KB5044284 across all server group policies. However, this is of little comfort to administrators finding themselves receiving an unexpected upgrade.
Since rolling back to the previous configuration will present a challenge, affected users will be faced with finding out just how effective their backup strategy is or paying for the required license and dealing with all the changes that come with Windows Server 2025.
(Score: 4, Insightful) by drussell on Saturday November 09, @07:56PM (6 children)
What on earth are they smoking over there in Redmond?! 🙄
(Score: 3, Touché) by Frosty Piss on Saturday November 09, @08:01PM (5 children)
The problem at Redmond isn't too much herb, it's too much white marching powder.
(Score: 4, Insightful) by JoeMerchant on Saturday November 09, @10:15PM (3 children)
Resistance is futile. You will be assimilated.
It's more than a Trek meme, it's the business plan and attitude of Redmond.
🌻🌻🌻 [google.com]
(Score: 2) by DannyB on Monday November 11, @06:37PM (2 children)
Doesn't Microsoft understand that they should announce their intentions, obtain consent, and understand that "No means no!" ?
The Centauri traded Earth jump gate technology in exchange for our superior hair mousse formulas.
(Score: 0) by Anonymous Coward on Monday November 11, @06:57PM
What's wrong with you? Are you some sort of purple-haired lesbian with a degree from Oberlin [oberlin.edu]?
The business of America is business, you fucking commie!*
*Hey VLM/khallow/ChrisMaple/etc. I saved you the trouble. And you're welcome. Except I was satirizing you folks. Heh. Heh.
(Score: 2) by JoeMerchant on Monday November 11, @07:52PM
Billy Gates was busy dropping out of college at the very moment that "no means no" was being rolled out as a replacement for "when she says no she really means YES!!!"
🌻🌻🌻 [google.com]
(Score: 2) by mcgrew on Tuesday November 12, @07:47PM
The problem at Redmond isn't too much herb, it's too much white marching powder.
Which is why the world is so screwed up today: Ronnie's coke. His "war on drugs" was a war on cannabis only, he WANTED people coked up to pay for his illegal war in Central America. I'd go to every weed dealer in town and it was always the same: "Got any weed?"
"No, man, it's been really dry. Want some coke?"
He got his wish. Before the coke-soaked eighties, CEOs saw their companies beholden to the customers, stockholders, workers, and city. But cocaine's biggest effect is to cause horrible greed and destroy empathy. Today, only the stockholder matters to the cokehead CEOs.
Impeach Donald Saruman and his sidekick Elon Sauron
(Score: 5, Interesting) by looorg on Saturday November 09, @08:06PM (3 children)
Surprise! You'll be working overtime reinstalling things tonight!
https://www.theregister.com/2024/11/08/windows_2025_surprise_install/ [theregister.com]
There was a follow up, where they are still waiting for an explanation from Microsoft. They are apparently now trying the CrowdStrike defence ...
Basically it's your own fault. You should have known and prepared better.
(Score: 2) by Gaaark on Saturday November 09, @08:42PM (2 children)
Yup! I'd be SOOooooo pissed if this happened to computers under my control.
They don't know what. the. hell. they. are. doing.
--- Please remind me if I haven't been civil to you: I'm channeling MDC. I have always been here. ---Gaaark 2.0 --
(Score: 2) by mcgrew on Tuesday November 12, @07:54PM (1 child)
Yup! I'd be SOOooooo pissed if this happened to computers under my control.
And here I thought you were smart enough to NEVER use Microsoft garbage on a server! Sterling Ball [cnet.com] learned the hard way to stay away from that evil company.
Yes, evil. What they did to the Ernie Ball company, that makes the world's best (IMO) guitar strings taught him a very expensive lesson. The Ernie Ball company now uses absolutely no Microsoft, and is FOSS when possible.
Impeach Donald Saruman and his sidekick Elon Sauron
(Score: 2) by Gaaark on Tuesday November 12, @08:31PM
I haven't used MS products since 1999. :) :) :) :)
Just sayin' that I'd be pissed if I was stupid enough to use a product that comes from a company that would do that.
For people that DO use Microsoft products:
.....Would you eat at a restaurant that regularly pissed in your soup and crapped in your food?
No. You would say, "Feck this... I'll eat elsewhere!"... except you don't. You say, "Everyone else eats here, so i do too."
Meh. I've been 'eating' better since 1999 (since JUST before Ernie Ball started 'eating' better too!)
--- Please remind me if I haven't been civil to you: I'm channeling MDC. I have always been here. ---Gaaark 2.0 --
(Score: 2) by Deep Blue on Saturday November 09, @08:54PM (3 children)
Microsoft's mistake. It's the same thing as getting an unordered magazine/package (addressed to the person or household receiving it), they get to keep it and it can't be charged for. That's how it works here.
(Score: 4, Interesting) by KritonK on Sunday November 10, @06:55AM (2 children)
Presumably, installing/upgrading the new version is free for a short time, as with previous versions of Microsoft's OSs. However, if users decide to keep it after that time, they have to buy a license. So, yes, they won't be charged for the copy. (It is free, anyway.) If they keep using it, however, they'll have to pay. It's their choice.
<conspiracy_mode>Given this, I wonder whether this upgrade was really a mistake, or an attempt to create sales for a product that most users wouldn't have bought before their current version's EOL.</conspiracy_mode>
(Score: 2, Interesting) by Anonymous Coward on Sunday November 10, @04:09PM
Yup. Most of my clients are on Server 2019. They aren't budging until Microsoft releases a better and more stable server. They don't want or need any of the shitty new features, copilot, AI integration, more vendor lock-in, etc...
Of course they're also scrambling to go completely web-based with their LOB app so they can just start buying Chrome boxes or small Linux machines...
(Score: 2) by mcgrew on Tuesday November 12, @07:58PM
I wonder whether this upgrade was really a mistake, or an attempt to create sales for a product that most users wouldn't have bought before their current version's EOL.
I've forgotten who it was who said "never ascribe to malice that which can be explained by stupidity," but I say never ascribe to stupidity that which can be explained by greedy self-interest.
I don't wonder at all. Microsoft has always been evil.
Impeach Donald Saruman and his sidekick Elon Sauron
(Score: 5, Informative) by Anonymous Coward on Saturday November 09, @08:54PM
I work for the Mother Ship and have data.
If you have server 2022, you can go into Settings > Windows Update and *manually* upgrade from Server 2022 to Server 2025. These are called "seeker" updates and are not automatic. There are (supposed to be) two separate screens you have to click through to do it, and it means you don't have to fish out install media to upgrade.
Some third-party tools, I know of two, did not grok the way this showed up in the metadata from the Windows Update service.
(The following contains my assumptions and may not be correct.)
What I think happened is a dependency tree error. These tools saw that the 24H2 cumulative _security_ update KB5044284 could apply to a 22H2 machine IFF they first applied the optional non-security OS upgrade package, so they did that. They upgraded the OS, then applied the security update, and that was wrong.
(End assumption)
WSUS didn't do it. SCCM didn't do it. Updates straight from Windows Update didn't do it, only third-party tools.
There's never been a server OS upgrade package available via this route before, so the bug was never hit before. As far as I know, the mothership has turned the seeker updates off while the third parties fix their tools.
A couple of things make this more painful.
1. There isn't a trivial way to uninstall a successful upgrade after the next CU has been installed.
2. There isn't an automatic license upgrade from Server 22 to 25 like there was from Win10 to Win11, unless you have that as part of something like Software assurance. It would be easy to overlook an upgrade like this, but you definitely notice when you start getting activation nags.
(Score: 4, Insightful) by Rosco P. Coltrane on Saturday November 09, @11:02PM (8 children)
should expect castration.
(Score: 2, Interesting) by Anonymous Coward on Sunday November 10, @12:42AM (7 children)
I am worrking remotely with a place that uses MS Teams. About 6 months ago, it just decided to stop working on Linux. Neither Firefox nor Chrome. It shows the first frrame of video then freezes. Can't refresh screen, can do shit. It's only freaking streaming video, how hard can this be?! Diitto for OneDrive. It just can't handle a gmail account. Occasionally it will work then fail to download again and again and again.
The incompetence is shuddering.
(Score: 1) by khallow on Sunday November 10, @01:22AM (1 child)
And convenient. I bet if Linux and gmail were MS products, they would have the bugs fixed within the day.
(Score: 0) by Anonymous Coward on Sunday November 10, @02:58AM
(Score: 3, Insightful) by RS3 on Sunday November 10, @04:41PM (2 children)
"Never attribute to stupidity that which can be adequately explained by malice."
(Score: 3, Insightful) by mcgrew on Tuesday November 12, @08:07PM (1 child)
Your memes are all twisted up. The original saying was "never ascribe to malice that which can be explained by stupidity," but I say never ascribe to stupidity that which can be explained by greedy self-interest.
This particular clusterfuck is easily explained by greedy self-interest, no matter how incompetent Microsoft (and every other 21st century corporation) is.
Impeach Donald Saruman and his sidekick Elon Sauron
(Score: 2) by RS3 on Wednesday November 13, @01:18AM
It was intentional. It's a form of sarcastic humor I and some of my friends enjoy. Well, "enjoy" might not be the right word, but we get some kind of kick out of it, often including word play, puns, homonyms, words with many meanings, etc. You know.
(Score: 3, Informative) by Whoever on Sunday November 10, @09:58PM
Teams worked for me in Chrome on Linux (Mint 21.1) just a couple of weeks age. Is it possible you have an old version of Chrome, because that's all that is supported on your distribution?
(Score: 3, Insightful) by mcgrew on Tuesday November 12, @08:02PM
The incompetence is shuddering.
Incompetence? An evil corporation worth billions does something evil that will hike their bottom line is from incompetence?
If only I was so incompetent!
Impeach Donald Saruman and his sidekick Elon Sauron
(Score: 2) by mrpg on Sunday November 10, @03:16AM (8 children)
Microsoft still not said anything about unexpected Windows Server 2025 installs
...
On November 5, Microsoft seemingly mislabeled the Windows Server 2025 upgrade with a globally unique identifier (GUID) for updates. The result was that some administrators' were faced with a surprise install of Windows Server 2025 thanks to patching software downloading and installing what was tagged as an update but instead turned out to be a whole new operating system.
...
Days after we asked the company for comment, a Microsoft spokesperson told El Reg "we're looking into this" and promised an update if it had anything to add. Since then, silence.
https://www.theregister.com/2024/11/08/windows_2025_surprise_install/?td=keepreading [theregister.com]
(Score: 3, Informative) by kolie on Sunday November 10, @03:29AM (2 children)
It wasn't MS. It was third party patch automation that ran into a dependency tree they haven't seen before, that happened to include an optional S2025 node.
(Score: 0) by Anonymous Coward on Sunday November 10, @02:36PM (1 child)
Why do companies use third party software to manage their patches? Does MS not provide the right tools for this, or is this where companies like Clowdstrike come in and say they can handle all of that kind of stuff themselves?
(Score: 4, Interesting) by RS3 on Sunday November 10, @05:06PM
Why are there so many aftermarket gizmos, gadgets, and accessories available for cars, trucks, motorcycles, everything really?
It's just part of life- someone uses a thing, invents an augment, goes on "Shark Tank", gets investors, etc.
In Linuxland there are many admin tools available. Brief comparison of only a few: https://www.mezmo.com/blog/chef-puppet-ansible-configuration-management [mezmo.com]
Even simple PC tools like CCleaner, Glary, etc., can scan your computer, looking for available updates.
In my own direct experience, I rarely allow Windows automatic updates. That said, in some computers, say work ones, other people's, etc., where automatic updating is the norm, I'll run Windows Update manually. Even though automatic is enabled, it'll find updates that were never done by the automatic runtime.
Taking it further, I've found sometimes you have to go to the Microsoft update repository and manually download and apply the updates that never got caught by the Windows Update process.
And that's just updating- there are tons of admin functions that are streamlined by the many 3rd-party tools. If you ever do any Windows admin, I mean real deep stuff, you'll learn there are many great simple GUI tools. But then you'll run into something where you need to do CLI (command line) stuff and it's really complicated, like icacls, or net, or the many I can't think of because thank God I rarely do that stuff anymore. Many only run under PowerShell and get very tedious. Thankfully the last Windows Server I had my hands on was Server 2012. Some things are enhanced / improved, and some things are far more complex, creating the market for the 3rd-party tools.
(Score: 2) by NotSanguine on Sunday November 10, @02:32PM (4 children)
In a corporate environment, no updates should even be approved until they've been tested and confirmed to do what they say they do.
This is a failure of corporate IT to properly vet their updates prior to allowing them to be installed.
That MS snuck it in the back door is bad enough, but not making sure the updates you approve for installation aren't going to break your systems is really important.
Especially since Microsoft isn't all that competent when it comes to deploying updates. But that's nothing new, so IT staff that didn't test their updates is the larger problem.
No, no, you're not thinking; you're just being logical. --Niels Bohr
(Score: 2) by RS3 on Sunday November 10, @05:13PM (1 child)
I'd like to augment: corporate bean-counters generally view IT as a loss expense. Regardless, there's always pressure to reduce / minimize IT expense. I absolutely agree that in an ideal world you'd have, at the very least, complete backup systems- not just data backups, but full copies of hardware and software and run the tests on them. That's a lot of added cost, including software licensing costs.
IMHO companies like Microsoft should either 1) fully guarantee their software including being fully liable for any costs or losses due to software errors, or 2) allow customers at least one free extra license so they (we) can run full backup copies of the live production systems.
(Score: 4, Interesting) by NotSanguine on Sunday November 10, @08:12PM
As to 1, Ha! that's rich! [microsoft.com]:
And as for 2, all you need is a Visual Studio (nee MSDN, nee Technet) subscription [microsoft.com] which gives you dev/test licenses for all of Microsoft's software at a negligible (compared to the cost of the larger licensing agreement with MS) cost. Which would allow you to test (although if it's a larger organization, you should probably have at least a few extra licenses lying around for emergencies anyway) updates without issue -- especially in a virtualized environment. So, no. That's really not an issue.
I suppose it would be nice if Microsoft and others would offer some sort of Warranty/guarantee that their software is fit for a specific purpose. But you know as well (perhaps better) as I do that's never going to happen unless the government insists -- and good luck with that.
No, no, you're not thinking; you're just being logical. --Niels Bohr
(Score: 4, Insightful) by ElizabethGreene on Monday November 11, @05:22PM (1 child)
If you don't have time to test updates, at least check the monthly /r/sysadmin patch Tuesday Megathread. I regularly hear about issues on there faster than I hear about them through official channels.
(Score: 2) by NotSanguine on Monday November 11, @06:34PM
Absolutely! Given the (not infrequent) screw ups for MS updates, having online resources to check on them is a very good thing. Especially in the SMB space, where you likely won't have the IT resources you would at a corporation with dozens-hundreds of servers and hundreds-thousands of client devices.
That said, if you do have the resources (VMs for each application server and type of client/desktop), it makes sense to apply updates to test devices before deploying across the enterprise, as that would allow you to catch issues like the one discussed in TFA (unlicensed/unwanted upgrades) and/or crashing bugs (like the Crowdstrike debacle), among other glaringly obvious issues that might arise.
Granted, such cursory tests (apply updates/reboot/see if there's an issue) likely wouldn't catch more subtle bugs (race conditions and the like), which make online resources (as you suggest) even more valuable.
No, no, you're not thinking; you're just being logical. --Niels Bohr