Microsoft remains silent on Windows Server 2025 appearing in the guise of a security update earlier this week, much to the chagrin of affected administrators.
On November 5, Microsoft mislabeled the Windows Server 2025 upgrade with a globally unique identifier (GUID) reserved for updates. The result was that some administrators were confronted with a surprise installation of Windows Server 2025, thanks to patching tools that downloaded and installed what was tagged as an update but turned out to be an entirely new operating system.
The mislabeling alone was not enough to trigger an installation. However, some third-party patch-management tools misclassified the package and applied it to servers. The problem was initially noted by a customer of security company Heimdal, who came into the office to find Windows Server 2025 unexpectedly installed on his hardware.
According to Heimdal, Microsoft mistakenly labeled the Windows Server 2025 upgrade as KB5044284, a security update.
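The failure described above is that a pipeline trusted a single field (the update classification) to decide what to install. The following is an added example, not code from The Register, Heimdal or Microsoft, of the kind of approval gate a patch-management pipeline can run before it auto-installs anything. It assumes the patch tool exposes each pending item as metadata (KB id, title, classification, payload size); the host product name, the size ceiling, the sample feed and every title in it are constructed, and only the KB number KB5044284 comes from the article.

```python
"""Approval gate for a patch-management pipeline.

Added example; not code from the article, Heimdal or Microsoft. It assumes the
patch tool exposes each pending item as metadata (KB id, title, classification,
payload size). All sample records below are constructed; only the KB number
KB5044284 comes from the article, its title and size here are made up.
"""
from dataclasses import dataclass
import re

# Update classifications the pipeline may install without human approval.
AUTO_APPROVE = frozenset({"Security Updates", "Critical Updates", "Definition Updates"})

# Title wording that marks a feature or OS upgrade rather than a patch.
UPGRADE_RE = re.compile(r"\b(upgrade|feature update)\b", re.IGNORECASE)

# Extracts the Windows Server year named in a title or product string.
PRODUCT_RE = re.compile(r"windows server (20\d\d)", re.IGNORECASE)

# Assumed ceiling for a cumulative security update payload; an OS image is far larger.
MAX_PATCH_BYTES = 1_500_000_000


@dataclass(frozen=True)
class PendingUpdate:
    kb: str
    title: str
    classification: str
    size_bytes: int


@dataclass(frozen=True)
class Decision:
    kb: str
    auto_approve: bool
    reasons: tuple  # empty when auto_approve is True


def evaluate(update, host_product="Windows Server 2022", hold_list=frozenset()):
    """Return a Decision; any single failed check sends the item to manual review.

    The classification check alone is not sufficient: a mislabeled upgrade
    carries a legitimate-looking classification, so the title, target-product
    and payload-size checks act as independent signals.
    """
    reasons = []
    if update.kb in hold_list:
        reasons.append("KB is on the operator hold list")
    if update.classification not in AUTO_APPROVE:
        reasons.append(f"classification {update.classification!r} is not auto-approvable")
    if UPGRADE_RE.search(update.title):
        reasons.append("title indicates an OS or feature upgrade")
    named = PRODUCT_RE.search(update.title)
    host = PRODUCT_RE.search(host_product)
    if named and host and named.group(1) != host.group(1):
        reasons.append(f"title names {named.group(0)} but host runs {host_product}")
    if update.size_bytes > MAX_PATCH_BYTES:
        reasons.append(f"payload of {update.size_bytes} bytes exceeds patch ceiling")
    return Decision(update.kb, not reasons, tuple(reasons))


def triage(updates, host_product="Windows Server 2022", hold_list=frozenset()):
    """Split pending items into those safe to auto-install and those to hold."""
    decisions = [evaluate(u, host_product, hold_list) for u in updates]
    approved = [d for d in decisions if d.auto_approve]
    held = [d for d in decisions if not d.auto_approve]
    return approved, held


# Constructed sample feed. Titles and sizes are made up for illustration.
SAMPLE_FEED = [
    PendingUpdate("KB9999001", "2024-11 Cumulative Update for Windows Server 2022",
                  "Security Updates", 700_000_000),
    PendingUpdate("KB5044284", "Windows Server 2025 (upgrade)",  # constructed title
                  "Security Updates", 5_000_000_000),
    PendingUpdate("KB9999002", "Security Intelligence Update for Microsoft Defender",
                  "Definition Updates", 120_000_000),
    PendingUpdate("KB9999003", "Feature Update to Windows 11, version 24H2",
                  "Upgrades", 4_000_000_000),
]


def sample_decisions(hold_list=frozenset()):
    """Run the gate over the constructed feed for a Windows Server 2022 host."""
    return triage(SAMPLE_FEED, "Windows Server 2022", hold_list)


if __name__ == "__main__":
    approved, held = sample_decisions(hold_list=frozenset({"KB5044284"}))
    for d in approved:
        print("auto-approve", d.kb)
    for d in held:
        print("HOLD        ", d.kb, "; ".join(d.reasons))
```

In the constructed feed the mislabeled item passes the classification check exactly as it would have in a real pipeline; it is the upgrade wording, the mismatch between the product named in the title and the product on the host, and the payload size that route it to manual review. The hold list is for the operational case in the article: once a bad KB is known, it can be blocked by number regardless of how the vendor labels it.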
Morten Kjaersgaard, chairman and founder of Heimdal, told The Register: “We noticed that the Microsoft Server 2025 migration is automatic, which is staggeringly dangerous given the operational risk to customers facing unexpected downtime.
“On top of that, which is extremely worrying, the license check for Server 2025 only happens after the upgrade, which is completely irrational and adds additional risk to end users, as you are then forced to pay for a new license, post your upgrade, as a rollback is virtually impossible to guarantee.
“Imagine if your electric car—say, a Tesla—received an automatic software update, but you couldn’t drive the new version until you entered your credit card information to pay the full MSRP again for the upgrade. Tesla would immediately be out of business, especially since you already paid for the car once.”
Days after we asked the company for comment, a Microsoft spokesperson told The Register “we’re looking into this” and promised an update if it had anything to add. Since then, silence.
For concerned administrators, silence is not acceptable. Kjaersgaard told us on November 7 that Microsoft had withdrawn the update, but he had seen no sign that a rollback would be made available. He noted that such a rollback would be “technically very challenging” and said Heimdal was committed to ensuring affected customers have a path forward through the company’s Microsoft contacts.
A problematic update causing problems on Windows hardware? It all sounds pretty familiar, but thankfully more limited in scope.
Jim Gaynor, managing editor at IT consulting firm Directions on Microsoft, drew parallels with the CrowdStrike incident. He said: “This highlights that customers must have close monitoring of their patch/update management systems to avoid unintended consequences, and should also have solid backup and recovery processes in place to recover from a failed patch/update of any kind. CrowdStrike, after all, happened only four months ago – it’s the same lesson.
“It also shows the risk of Microsoft marketing paid and/or potentially disruptive upgrades in ‘trusted’ channels that have traditionally been reserved for items that customers can more or less blindly accept. Items that customers have been encouraged to quickly accept in the name of maintaining security.”
“By placing something like an OS upgrade that requires paid license keys to activate in that channel, it means that a small error in labeling or classification or even a misclick by a hasty user can have pretty serious consequences.
“Overall, whether it’s CrowdStrike, Microsoft or anyone else, vendors need to be careful in how they present and deliver updates and patches – and putting a paid upgrade in the channel used for updates and patches is a risky and, in my opinion, ill-conceived action that does not serve their customers.” ®