Windows Server 2025 Updating Issues

🔒 Secure Bits 💡
𝗪𝗶𝗻𝗱𝗼𝘄𝘀 𝗦𝗲𝗿𝘃𝗲𝗿 𝟮𝟬𝟮𝟱 – 𝗬𝗼𝘂 𝗠𝗶𝗴𝗵𝘁 𝗪𝗮𝗻𝘁 𝘁𝗼 𝗥𝗲𝗮𝗱 𝗧𝗵𝗶𝘀 𝗕𝗲𝗳𝗼𝗿𝗲 𝗨𝗽𝗴𝗿𝗮𝗱𝗶𝗻𝗴

Are you planning to upgrade your infrastructure to 𝗪𝗶𝗻𝗱𝗼𝘄𝘀 𝗦𝗲𝗿𝘃𝗲𝗿 𝟮𝟬𝟮𝟱?
Well… maybe hold on just a bit longer.

Over the last 4–5 months, I’ve built four full environments running only Windows Server 2025. There have been some issues of course — like needing to 𝗿𝗲𝘀𝘁𝗮𝗿𝘁 𝘁𝗵𝗲 𝗻𝗲𝘁𝘄𝗼𝗿𝗸 𝗮𝗱𝗮𝗽𝘁𝗲𝗿 𝗮𝗳𝘁𝗲𝗿 𝗲𝗮𝗰𝗵 𝗯𝗼𝗼𝘁 on DCs, or problems with Kerberos encryption keys.

But one problem stands out: 𝗪𝗶𝗻𝗱𝗼𝘄𝘀 𝗨𝗽𝗱𝗮𝘁𝗲 𝗯𝗲𝗵𝗮𝘃𝗶𝗼𝗿 𝗶𝘀 𝗰𝗼𝗺𝗽𝗹𝗲𝘁𝗲𝗹𝘆 𝘂𝗻𝗿𝗲𝗹𝗶𝗮𝗯𝗹𝗲.

🎯 𝗪𝗵𝗲𝗻 𝘂𝘀𝗶𝗻𝗴 𝗪𝗦𝗨𝗦, you usually control updates with GPOs (example):
▪️ Install every day at 6 PM
▪️ Download and schedule the install
▪️ Force restart (disable active hours)

This usually works fine…
𝗡𝗼𝘁 𝗼𝗻 𝗪𝗶𝗻𝗱𝗼𝘄𝘀 𝗦𝗲𝗿𝘃𝗲𝗿 𝟮𝟬𝟮𝟱.

Here’s what I’ve seen 𝗮𝗴𝗮𝗶𝗻 𝗮𝗻𝗱 𝗮𝗴𝗮𝗶𝗻:
🔺 Some servers install updates, but don’t restart
🔺 Others restart at random times
🔺 Some don’t install anything at all
🔺 And occasionally — they do follow the GPOs

⚠️ 𝗧𝗵𝗲 𝗿𝗲𝘀𝘂𝗹𝘁?
𝗧𝗼𝘁𝗮𝗹 𝘂𝗻𝗽𝗿𝗲𝗱𝗶𝗰𝘁𝗮𝗯𝗶𝗹𝗶𝘁𝘆 — and that’s a huge problem in enterprise environments. When you rely on GPO-controlled updates to patch hundreds of servers, this behavior breaks the entire process.

I’ve had to deal with this in customer environments, and I can tell you:
𝗜𝘁’𝘀 𝗮 𝗻𝗶𝗴𝗵𝘁𝗺𝗮𝗿𝗲 to manage inconsistent patching across your entire infrastructure.

🧪 This behavior is reproducible — I’ve included screenshots from my own demo (one of the better results actually…), but you can test it yourself easily.

So if you’re considering a full upgrade to 𝗪𝗶𝗻𝗱𝗼𝘄𝘀 𝗦𝗲𝗿𝘃𝗲𝗿 𝟮𝟬𝟮𝟱, my recommendation:
💡 𝗪𝗮𝗶𝘁 𝗮 𝗳𝗲𝘄 𝗺𝗼𝗿𝗲 𝗺𝗼𝗻𝘁𝗵𝘀.
Let these issues settle down first.

UPDATE: We cooperated with Microsoft to fix this issues in 12/2025 – it is fixed now.

I also ran into a weird Kerberos encryption issue, but couldn’t reproduce it again — so that mystery remains for now…

𝗛𝗮𝘃𝗲 𝘆𝗼𝘂 𝗵𝗮𝗱 𝗮𝗻𝘆 𝗶𝘀𝘀𝘂𝗲𝘀 𝘄𝗶𝘁𝗵 𝗪𝗶𝗻𝗱𝗼𝘄𝘀 𝗦𝗲𝗿𝘃𝗲𝗿 𝟮𝟬𝟮𝟱?