• KB5025221 been pushed to managed Windows clients.

    #2551770

    KB5025221 is being pushed to two of our managed Windows 10 Pro clients.

    Anyone see this?

    • #2551859

      YES. Windows 10 is totally broken. It overwrote the group policy on hundreds of managed computers and installed the update anyway. We currently stopped all updates on the rest of the computers. MS is totally useless. Their own tools break things.

      • #2551950

        Windows 10 does not overwrite group policy.

        What often happens is that someone has changed a group policy/rolled out intune or done something to change the policies and they don’t realize the consequences.

        So back to the original poster – so on two managed Windows 10 22H2 you received the April updates? And the humans on those machines didn’t check for updates and bypass your policies? Are these set via group policy? Intune? Behind WSUS?

        Susan Bradley Patch Lady/Prudent patcher

    • #2551868

      What version of Win10 are you using?
      20H2 is EOL in May (next month) and it is not uncommon for MS to force the next or latest version on near EOL devices.

      20H2, 21H2 and 22H2 all have CU KB5025221.

      • #2551915

        22H2, that’s why I’m posting in the 22H2 forum. Even though for some reason it ended up in the W11 section. Haven’t seen an update break through like this, well maybe towards the end of W7. I guess W11 is hunting us down ….

    • #2551934

      YES. Windows 10 is totally broken. It overwrote the group policy on hundreds of managed computers and installed the update anyway. We currently stopped all updates on the rest of the computers. MS is totally useless. Their own tools break things.

      Don’t know if “Managed” is different than my Home, BUT if MS overwrites GP to force it, how did you stop the CU anyway? I DO the CU’s but knowing may help later on something else.

      W10 Pro 22H2 / Hm-Stdnt Ofce '16 C2R / Macrium Pd vX / GP=2 + FtrU=Semi-Annual + Feature Defer = 1 + QU = 0

    • #2551956

      Deferred.

      Win10 Pro

    • #2551964

      It overwrote the group policy on hundreds of managed computers and installed the update anyway.

      Same situation here. Group policy was changed by MS update. Now have to work 20+ hours to start fixing things that MS broke... no sleep for next few days or weekends... there goes the vacation as well.

      • #2552091

        What was the domain controller OS?

        When something like this has happened in the past it wasn’t patching that caused the change in group policy.

        Tell me exactly what you are seeing in your event logs and network?

        Susan Bradley Patch Lady/Prudent patcher

    • #2552100

      BTW I’m asking around on the patchmanagement list to see if others have seen issues.

       

      Susan Bradley Patch Lady/Prudent patcher

      • #2553306

        We have ~125 Windows Servers running on VMware 6.8. Approx. 98% Windows 2019, a few Windows 2016 and 4 2012 R2 systems. We have a range of patching methods with less than half set to do auto patching, likely 40% have a script that runs on the first Sunday after Patch Tuesday and the rest, 20 or so, to be done manually to accommodate timing for application owners, needing to have VM snapshots or special routines needed for monitoring and application quirkiness. This past Patch Tuesday, 99% patched that day including most of those that have always been set to manual patching. There were 2 systems that are normally manual that installed but did not do the restart. None of the 2012 R2 servers were different from their normal routine.

        Using WAC I could see that all the systems that installed on Tuesday had nothing selected in the  “Update Settings” properties. The few that did not install still had the “Download updates, but let me choose whether to install them” selected.

        Any ideas why those that had other options previously selected would have changed or why they were now blank? How to prevent the changes from happening again as I have reset the ones we want done manually?

        Thank You

        • #2553422

          I would investigate if any other group policy/registry/network changes were implemented.  In my own network I have seen no changes to the group policy I set.  When group policy changes there’s typically some change that has occurred that was a consequence of other actions.

          Between last month and this month, what projects have folks been working on that might have touched group policy?

          Susan Bradley Patch Lady/Prudent patcher

          • #2553456

            Thank you for your reply. I am honored to get a response from the Queen of Windows Patching. That is not sarcastic.

            So far I have not found any changes to any of those possible options. I did have an opportunity on the 12th to ask the Administrator of the PDQ installation, it is used as an adjunct to WUS for the desktop side of the house, if there were any changes to PDQ that might have caused it and his rechecking showed the servers are only inventoried but not managed. I am currently unable to query him more as I think he is hiding in Hawaii.

            If you have further advice for how I might dig into looking for changes please do. I am totally open. Nothing bad came out of this month’s unplanned patching schedule but we can’t count on that always being the case. There are a number of sensitive applications and I would not want to press my luck.

            Thank You

    • #2553347

      99% patched that day

      What was patched? The same patch or different patches?
      Do they go direct to MS or via WSUS etc?

      cheers, Paul

      • #2553397

        We do not use WUS for the servers. Too many one-offs and the scripting done on the large group is so certain services can be shut down in specific orders. The patches that installed were the monthly OS updates, KB8990830 (Malicious Software Removal) on all the 2016 and 2019 Servers and KB5025229 the Cumulative Update on the 2019 Servers. KB5025228 was installed on the 2016 Servers. The 2012 R2 Servers were not different from the normal monthly routine.

        Updates come from WU.

        Thank You

         

    • #2553496

      hiding in Hawaii

      I am suspicious when people seem unresponsive, particularly given the wide range of updates installed on different systems.

      Check the system logs on a couple of servers to see if it says what triggered the updates.

      cheers, Paul

      • #2553653

        Hiding in Hawaii was in jest. He is on a scheduled vacation. It wasn’t what I would consider a wide range of updates. The standard Malicious Malware update on all of them and the correct corresponding roll up patch per the 2 server OS versions.

        To date I have not found any helpful/suspicious log entries. Are there particular Event IDs I might look for?

        Thank you for your input, questions and help. It is appreciated.

         

    • #2553695

      The fact that KB8990830 (Malicious Software Removal)  was installed is interesting as that normally only gets installed if you request WU manually.

      I would look in the event log for any sign that a manual WU session was triggered.

      The problem is that when any OS is looking at Windows Update rather than any other third party tool, the Windows Update log files roll off EXTREMELY fast and by now even if you use the PowerShell command to convert the Windows Update logs to readable text, the data may be long gone.

      I would review what other projects or network changes happening before this event occurred.

      Susan Bradley Patch Lady/Prudent patcher

    • #2553698

      It might be in the Group Policy log – Applications and Services Logs/Microsoft/Windows/GroupPolicy

      cheers, Paul
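
The checks suggested in the two posts above, as an added PowerShell example that is not from any participant in this thread. The policy registry path, the System-log event IDs (19/20/43/44 for the Windows Update client, 1502 for Group Policy) and the 64 MB log size are assumptions based on standard Windows defaults, not values reported in the thread; run it elevated on an affected machine.

```powershell
# Added example (hypothetical triage script): what update policy is applied now,
# how far back the logs still reach, and what the update client recorded.
param([datetime]$Since = (Get-Date).AddDays(-30))

# 1. Automatic Updates policy as delivered by GPO or a local policy edit.
#    AUOptions: 2 = notify before download, 3 = download and notify, 4 = scheduled install.
$auKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU'
if (Test-Path $auKey) {
    Get-ItemProperty $auKey | Select-Object NoAutoUpdate, AUOptions, UseWUServer | Format-List
} else {
    Write-Warning "No AU policy key present: no Automatic Updates policy is applied."
}

# 2. Oldest surviving record and size limit of each log worth checking.
$logs = 'System',
        'Microsoft-Windows-WindowsUpdateClient/Operational',
        'Microsoft-Windows-GroupPolicy/Operational'
$logs | ForEach-Object {
    $first = Get-WinEvent -LogName $_ -Oldest -MaxEvents 1 -ErrorAction SilentlyContinue
    [pscustomobject]@{
        Log         = $_
        OldestEvent = $first.TimeCreated
        MaxSizeMB   = [math]::Round((Get-WinEvent -ListLog $_).MaximumSizeInBytes / 1MB, 1)
    }
} | Format-Table -AutoSize

# 3. Update client activity in the System log, which usually outlives the ETL traces:
#    44 = download started, 43 = install started, 19 = install succeeded, 20 = install failed.
Get-WinEvent -FilterHashtable @{
    LogName = 'System'; ProviderName = 'Microsoft-Windows-WindowsUpdateClient'
    Id = 19, 20, 43, 44; StartTime = $Since
} -ErrorAction SilentlyContinue | Sort-Object TimeCreated |
    Format-Table TimeCreated, Id, Message -Wrap

# 4. Group Policy 1502: computer policy processed and NEW settings were detected.
#    A hit shortly before the installs points at a policy change, not at the patch.
Get-WinEvent -FilterHashtable @{
    LogName = 'System'; ProviderName = 'Microsoft-Windows-GroupPolicy'
    Id = 1502; StartTime = $Since
} -ErrorAction SilentlyContinue | Format-Table TimeCreated, Message -Wrap

# 5. Enlarge the two operational logs so next month's evidence does not roll off.
foreach ($name in $logs[1..2]) {
    $cfg = Get-WinEvent -ListLog $name
    $cfg.MaximumSizeInBytes = 64MB   # assumed size; adjust to local retention needs
    $cfg.SaveChanges()
}
```

Step 5 changes log configuration; the other steps are read-only.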

    • #2554235

      Thank you both for your suggestions. @Paul it looks like the group policy logs also roll off very fast. Nothing close to that date and earlier  are still around.

      At this point I’m rather resigned to we won’t know what happened and hopefully resetting those we want at other than auto install will stay as they are set. The one good thing that came out of it was I only needed to start my day at 4 AM once, instead of the 3-4 times I usually do, to get the patching done in the off hours.

      I’m going to keep digging and will post if I find something that I need explained or just seems like an oddity and might provide insight.

      Again, thank you to all that offered help and suggestions.

      • #2554251

        Yea, those log files roll off too fast.  Just watch and see if something happens next month.  If it does, holler back.

        Susan Bradley Patch Lady/Prudent patcher
