Alert essentials:

Third-party patching systems may misinterpret KB5044284 and upgrade server operating systems.

If a non-Microsoft patching tool is used, verify that upgrades are correctly classified and assigned before deploying to systems.


Detailed threat description:

Windows Server 2025 became generally available a short time ago.

Recently, a cumulative update listed under KB5044284 was cited in several online articles as causing an accidental upgrade of the operating systems of Windows Server 2019 and Windows Server 2022 to Windows Server 2025.

After additional investigation, it has been determined that the three cumulative updates listed below, which are classified as security updates under KB5044284, did not cause the unintentional upgrades.

  • 2024-10 Cumulative Update for Microsoft server operating system version 24H2 for x64-based Systems (KB5044284)
    UpdateID: a62b9737-1fe8-4df1-94b4-8ec61855a8d0
    Classification: Security Updates
  • 2024-10 Cumulative Update for Windows 11 Version 24H2 for arm64-based Systems (KB5044284)
    UpdateID: e25b84b6-b296-4bca-a2f1-91e179dc4acc
    Classification: Security Updates
  • 2024-10 Cumulative Update for Windows 11 Version 24H2 for x64-based Systems (KB5044284)
    UpdateID: d24b928d-6733-4faf-a7cd-0b396664efda
    Classification: Security Updates

Instead, a few third-party Remote Monitoring and Management (RMM) tools may have inadvertently deployed a separate update, classified as an upgrade, that is listed under the same KB number as the cumulative security updates above.

It is believed that the upgrade listed below, deployed by third-party RMM tools, is the most likely cause of some accidental upgrades to Server 2025.

  • KB: 5044284
  • Update ID: 88285020-3ed0-4f3f-90c7-d2fa3581bd7f
  • Title: Windows Server 2025
  • Description: Install Windows Server 2025
  • Classification: 3689bdc8-b205-4af4-8d4a-a63924c5e9d5 (Upgrade)

Additionally, Microsoft released its analysis of the Server 2025 upgrade issue over the weekend.

Microsoft's assessment concurred: some third-party Remote Monitoring and Management (RMM) tools interpreted the DeploymentAction=OptionalInstallation metadata as a required installation rather than an optional one, and then pushed the upgrade alongside the required security updates.
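To make the failure mode concrete, here is an added example (not code from any RMM product or from the original advisory) that models the approval decision over the four catalog entries listed above. Approving by KB number alone queues the upgrade together with the security updates; approving on the entry's own classification and DeploymentAction holds it. The DeploymentAction value "Installation" on the three cumulative updates is an assumption; the advisory only states the upgrade entry's value.

```python
from dataclasses import dataclass

# The catalog shows 3689bdc8-b205-4af4-8d4a-a63924c5e9d5 as the "Upgrades" classification.
UPGRADE_CLASSIFICATION = "Upgrades"

@dataclass(frozen=True)
class UpdateRecord:
    kb: str
    update_id: str
    title: str
    classification: str     # catalog classification name
    deployment_action: str  # Windows Update metadata, e.g. "Installation"

# Constructed sample mirroring the four catalog entries that share KB5044284.
# "Installation" for the three cumulative updates is an assumption; the advisory
# only states the DeploymentAction of the upgrade entry.
CATALOG = [
    UpdateRecord("5044284", "a62b9737-1fe8-4df1-94b4-8ec61855a8d0",
                 "2024-10 CU for Microsoft server OS version 24H2 (x64)",
                 "Security Updates", "Installation"),
    UpdateRecord("5044284", "e25b84b6-b296-4bca-a2f1-91e179dc4acc",
                 "2024-10 CU for Windows 11 Version 24H2 (arm64)",
                 "Security Updates", "Installation"),
    UpdateRecord("5044284", "d24b928d-6733-4faf-a7cd-0b396664efda",
                 "2024-10 CU for Windows 11 Version 24H2 (x64)",
                 "Security Updates", "Installation"),
    UpdateRecord("5044284", "88285020-3ed0-4f3f-90c7-d2fa3581bd7f",
                 "Windows Server 2025", UPGRADE_CLASSIFICATION, "OptionalInstallation"),
]

def kb_spans_classifications(catalog, kb):
    """True when one KB number covers more than one classification: the case where approving by KB alone can pull in an upgrade."""
    return len({u.classification for u in catalog if u.kb == kb}) > 1

def approve_by_kb(catalog, approved_kbs):
    """The failure mode: every entry carrying an approved KB is queued as required."""
    return [u.update_id for u in catalog if u.kb in approved_kbs]

def approve_by_metadata(catalog, approved_kbs):
    """Corrected: an approved KB is necessary but not sufficient; Upgrades and OptionalInstallation entries are held."""
    queued, held = [], []
    for u in catalog:
        if u.kb not in approved_kbs:
            continue
        if u.classification == UPGRADE_CLASSIFICATION or u.deployment_action == "OptionalInstallation":
            held.append(u.update_id)
        else:
            queued.append(u.update_id)
    return queued, held
```

Running `kb_spans_classifications(CATALOG, "5044284")` is the cheapest pre-deployment check: any KB that answers True needs per-entry review rather than blanket approval.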

The manufacturer recommends that users verify whether third-party update software is configured not to deploy feature updates. It also suggests that the policy "Select the target Feature Update version" may be set to "Hold" via Group Policy to prevent the banner that offers the optional upgrade when software updates are run manually.

As a temporary measure, Microsoft has removed the Server 2025 Feature Update from the Windows Update channel. The update will be re-released at a later date, giving Microsoft time to communicate more clearly and third-party RMM vendors time to adjust their tools.

Impacts on healthcare organizations:

Accidentally upgrading an operating system on a server will result in environmental and configuration changes to the device.

The new parameters can potentially affect how installed software programs operate.

Often, specialty software or older applications cannot automatically adjust to unexpected environmental changes and will become unavailable after an accidental upgrade.

Affected Products / Versions:

  • KB: KB5044284
  • Microsoft UpdateID: a62b9737-1fe8-4df1-94b4-8ec61855a8d0
  • Update size: 836.6 MB

*Tenable plugin #208302 associates this KB with Windows 11 v24H2, not a server.

Recommendations

Engineering recommendations:

  • Verify that KB5044284 has not been and will not be deployed in the server environment
  • Stay proactive with updates
  • Use management tools to monitor updates and establish protocols for update approvals
  • Engage in community forums to exchange information
  • Keep backups current and processes ready for a system rollback

Leadership / Program recommendations:

Develop patching processes that manage updates to prevent downtime and productivity loss.

Fortified recommends applying patches and updates where possible and only after adequate testing in a development environment to ensure stability and compliance with organizational change management policies.
