Changes in Windows Server In-Place Upgrades

Windows Server 2025 is now generally available as of November 1, 2024. While this new build of Windows Server brings tons of new and improved features, it also brings an unexpected surprise.

Microsoft is allowing in-place upgrades of Windows Server 2022 to Windows Server 2025, similar to the existing in-place upgrade paths from Windows 10 to Windows 11. A change in terminology is adding to the challenge: as Microsoft seeks to harmonize across Server, Windows 10, and Windows 11, the company now treats the term “Feature Update” the same as “OS Upgrade” and “Major OS Upgrade”.

This has created challenges for system administrators, with reports that managed Windows Server 2022 boxes are upgrading unexpectedly. Windows Server in-place upgrades are a new behavior and have caught many system administrators off guard. This has left them scrambling to understand what is happening and to implement new processes and procedures around patching Microsoft servers, in order to prevent unexpected upgrades to production systems that may cause undesirable impacts across the rest of their environment.

Where Can N‑able Help?

We have been able to ensure that N‑able partners are not affected by this surprise move from Microsoft. Based on our own concerns and the concerns of our partners, we are temporarily not allowing Windows Server 2025 upgrades in the Patch Management Engine for both N‑sight and N‑central. This should give our partners time to review and update their processes, configurations, and procedures to accommodate the changes in Microsoft Server updates. At some point in the future, upgrades to 2025 will be unblocked and become available to push through Patch Management in N‑sight and N‑central.

This pause represents only a short window of opportunity, as Microsoft may introduce new Feature Updates that perform in-place OS upgrades in a future Patch Tuesday release under a new KB. The only long-term solution is for MSPs to re-evaluate their patching processes for servers so that proper control and review processes are in place and only desired updates are applied.

“Upgrades” is a specific classification from Microsoft, available in both N‑central and N‑sight Patch Management approval workflows. We recommend not auto-approving this class on servers, keeping those patches for manual approval when you are ready.

Setting Manual Approvals in N‑sight

For N‑sight partners, we recommend choosing the Manual approval option for Upgrades under Microsoft Approvals in the Patch Management Feature Policies, which you can find under Settings > Patch Management from within the All Devices dashboard view.

We also recommend that N‑sight partners use the Patch Management Workflow view to review the status of missing and pending updates prior to the Installation Schedule configured in Patch Management Feature Policies. From the Patch Management Workflow view you can specify actions for individual patches globally, by client, or by site. Here you can specify “Ignore” for KB5044284, and N‑sight’s Patch Management Engine will not apply this update during scheduled patching windows.

Recommended Patch Settings for N‑central

For N‑central partners, we recommend not including “Upgrades” in the patch installation maintenance window for servers. This allows more nuanced control over when approved server upgrades are installed, rather than having them install during the defined patch window for the server.

We also recommend checking the By Device setting for Patch Approval and ensuring KB5044284 is set to “Declined” until you are ready to perform the in-place upgrade of Server 2022 to 2025.

Other Recommendations

When performing in-place upgrades of any system, especially mission-critical systems like servers, you must account for the process not going smoothly and needing to revert to a prior state. It is still best practice to perform a full system backup of a server prior to performing an in-place upgrade or other significant modifications to the system. We recommend our favorite data protection, backup, and standby-image solution, Cove, for this task.

Also be sure to talk with any co-managed IT, internal IT, or clients to ensure they are aware of the in-place upgrade for Windows Server 2022. Anyone with permissions and access to the server needs to be aware of the implications of triggering an upgrade from Windows Update locally on the device.
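
To see what the local Windows Update agent is currently offering a server before a patch window, the following PowerShell is an added example (not N‑able or Microsoft code) that lists pending updates carrying the Upgrades classification or matching KB5044284. The function name and the two hold lists are assumptions made for illustration.

```powershell
# Added example: audit pending Windows Updates for in-place upgrade candidates.
# Assumption: hold lists and function name are illustrative, not part of any product.
$HoldKBs        = @('5044284')   # KB named in this article
$HoldCategories = @('Upgrades')  # Microsoft classification named in this article

function Get-PendingUpgradeCandidate {
    [CmdletBinding()]
    param(
        [string[]]$KBArticleID = $HoldKBs,
        [string[]]$Category    = $HoldCategories
    )

    # Windows Update Agent COM API; queries whatever update source the host uses.
    $session  = New-Object -ComObject Microsoft.Update.Session
    $searcher = $session.CreateUpdateSearcher()
    $result   = $searcher.Search('IsInstalled=0 and IsHidden=0')

    foreach ($update in $result.Updates) {
        $kbs  = @($update.KBArticleIDs)
        $cats = @($update.Categories | ForEach-Object { $_.Name })

        $kbHit  = @($kbs  | Where-Object { $KBArticleID -contains $_ })
        $catHit = @($cats | Where-Object { $Category -contains $_ })

        if ($kbHit.Count -or $catHit.Count) {
            [pscustomobject]@{
                Computer   = $env:COMPUTERNAME
                Title      = $update.Title
                KB         = ($kbs -join ',')
                Categories = ($cats -join ',')
                Reason     = if ($kbHit.Count) { 'KB on hold list' } else { 'Upgrades classification' }
            }
        }
    }
}

# ProductType 1 = workstation, 2 = domain controller, 3 = member server.
$os = Get-CimInstance -ClassName Win32_OperatingSystem
if ($os.ProductType -ne 1) {
    $hits = @(Get-PendingUpgradeCandidate)
    if ($hits.Count) {
        $hits | Format-Table -AutoSize -Wrap
        Write-Warning "$($hits.Count) pending update(s) on $($os.Caption) need manual approval."
        exit 1
    }
    Write-Output "No pending upgrade-class updates on $($os.Caption)."
}
```

The non-zero exit code lets a scheduled task or RMM script check flag the server for review before the maintenance window runs.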

 


Lewis Pope is the Head Security Nerd at N‑able. You can follow him on Twitter: @cybersec_nerd, LinkedIn: thesecuritypope, Twitch: cybersec_nerd.

Co-authored by Chris Dunsmore, Senior Product Manager at N‑able.

© N‑able Solutions ULC and N‑able Technologies Ltd. All rights reserved.
