Microsoft remains silent over Windows Server 2025 turning up in the guise of a security update earlier this week, much to the chagrin of affected administrators.
On November 5, Microsoft seemingly mislabeled the Windows Server 2025 upgrade with a globally unique identifier (GUID) for updates. The result was that some administrators were faced with a surprise install of Windows Server 2025, thanks to patching software downloading and installing what was tagged as an update but instead turned out to be a whole new operating system.
The erroneous labeling itself was not enough to trigger an installation. However, some deployments of third-party patching software misclassified it and applied it to servers. The problem was initially noted by a customer of security business Heimdal who arrived in the office to find Windows Server 2025 unexpectedly on their hardware.
According to Heimdal, Microsoft mistakenly labeled the Windows Server 2025 upgrade as KB5044284, a security update.
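The failure mode described above is a classification that does not match what the package actually is, waved through by automated approval. As an added example (not Heimdal's or Microsoft's code), the following pre-approval guard holds back any catalog entry whose title names a different Windows Server version than the host, or reads like an upgrade while sitting in the Security Updates classification. The catalog entries and titles are constructed for the demonstration; only the KB number comes from the article.

```python
import re
from dataclasses import dataclass


@dataclass
class CatalogEntry:
    kb: str
    title: str
    classification: str  # classification string as shown by the patch-management tool


# Constructed sample feed for the demonstration; titles are not real catalog strings.
SAMPLE_FEED = [
    CatalogEntry("KB5044284", "Windows Server 2025 (upgrade)", "Security Updates"),
    CatalogEntry("KB9990001", "2024-11 Cumulative Update for Windows Server 2022", "Security Updates"),
    CatalogEntry("KB9990002", "Feature Update to Windows Server 2025", "Upgrades"),
]

_VERSION_RE = re.compile(r"Windows Server (\d{4})")
_UPGRADE_WORDS = re.compile(r"\b(upgrade|feature update)\b", re.IGNORECASE)


def find_anomalies(entries, host_version):
    """Return {kb: [reasons]} for entries that must not be auto-approved on a host
    running Windows Server `host_version` (e.g. "2022")."""
    findings = {}
    for e in entries:
        reasons = []
        m = _VERSION_RE.search(e.title)
        if m and m.group(1) != host_version:
            # The package names an OS version other than the one the host runs.
            reasons.append(f"targets Windows Server {m.group(1)}, host runs {host_version}")
        if _UPGRADE_WORDS.search(e.title) and e.classification == "Security Updates":
            # An in-place OS upgrade should never arrive in the security channel.
            reasons.append("upgrade-style title in the Security Updates classification")
        if reasons:
            findings[e.kb] = reasons
    return findings


def approve(entries, host_version):
    """Split a feed into auto-approvable KBs and KBs held for a human decision.
    Only clean Security Updates are auto-approved; everything else is held."""
    anomalies = find_anomalies(entries, host_version)
    auto = [e.kb for e in entries if e.kb not in anomalies and e.classification == "Security Updates"]
    held = [e.kb for e in entries if e.kb in anomalies or e.classification != "Security Updates"]
    return auto, held
```

Wiring such a check in front of the approval step turns a mislabeled GUID into a review ticket rather than an overnight OS upgrade.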
Morten Kjaersgaard, chairman and founder of Heimdal, told The Register: "We noticed that the Microsoft Server 2025 migration is automatic, which is mindbogglingly dangerous given the operational risk for customers facing unexpected downtime.
"On top of that, which is extremely concerning, the licensing check for Server 2025 happens only after the upgrade, which is completely irrational and adds further risk for end users, because you are then forced to pay for a new license, post your upgrade, as a rollback is virtually impossible to guarantee.
"Imagine if your electric car - say, a Tesla - received an automatic software update, but you couldn't drive on the new version, until you entered your credit card details to pay the full MSRP once again for the upgrade. Tesla would promptly be out of business, especially since you already paid for the car once."
Days after we asked the company for comment, a Microsoft spokesperson told El Reg "we're looking into this" and promised an update if it had anything to add. Since then, silence.
For affected administrators, silence will not be acceptable. Kjaersgaard told us on November 7 that Microsoft had pulled back the update, but he hadn't seen any sign of a rollback being made available. He noted that such a rollback would be "technically very challenging" and said Heimdal was committed to ensuring that affected customers have a way forward via the company's Microsoft contacts.
A problematic update causing problems on Windows hardware? It all sounds rather familiar, though thankfully more limited in scope.
Jim Gaynor, editorial vice president at IT consultancy Directions on Microsoft, drew parallels with the CrowdStrike incident. He said: "This underscores that customers need to have careful monitoring of their patch/update management systems to avoid unintended consequences, and they should also have solid backup and restore processes in place to be able to recover from a failed patch/update of any sort. The CrowdStrike incident was just four months ago, after all - it's the same lesson.
"It also shows the risk of Microsoft promoting paid and/or potentially disruptive upgrades in 'trusted' channels that have traditionally been reserved for items customers could more or less blindly accept. Items that customers have been encouraged to quickly accept in the name of maintaining security.
"By putting something like an OS upgrade that requires paid license keys to activate in that channel, it means that a small error in labeling or classification or even a misclick from a hurried user could have some pretty serious consequences.
"Overall, whether it's CrowdStrike, Microsoft, or anyone else, vendors need to exercise care in how they present and deliver updates and patches - and putting a paid upgrade in the channel used for updates and patches is a risky and, in my opinion, ill-considered move that doesn't serve their customers." ®
Affected business calls situation 'mindbogglingly dangerous' as sysadmins reminded to check backup and restore strategies