Thursday, September 14, 2023

Known Issue Rollback for Bad Windows Updates

Windows Update has historically been a problematic and time-consuming process for admins that can lead to long hours of troubleshooting, including rolling back or reimaging PCs due to bad Windows updates. With Windows being a prominent operating system in the enterprise, organizations must patch clients and servers due to the severity of today’s security vulnerabilities. You may not know that Microsoft provides a Known Issue Rollback (KIR) solution to help address bad Windows Updates. Let’s look closer at KIR and how you implement this process.

What are Windows Updates?

First, before we look at the Known Issue Rollback process, what are Windows Updates? Windows updates are patches to the operating system to bolster security, performance, and feature enhancements.

With the constant threat of potential security vulnerabilities, Microsoft regularly publishes security updates, feature updates, and non-security fixes. But what if a Windows update introduces an error code or a blue screen? That’s where Known Issue Rollback (KIR) becomes extremely important.

Types of Windows Updates:

  • Security Updates: Fixes designed to patch potential security vulnerabilities.
  • Feature Updates: Enhancements and new features are released semi-annually.
  • Non-security bug Fixes: Bug fix solutions that don’t necessarily relate to security.

When Windows Updates create problems

Even the best of Microsoft releases can sometimes experience issues. A problematic fix or a critical regression can manifest as menu problems, boot loader issues, or even complete system failures.

IT administrators often use tools like the Windows Update Troubleshooter or the command prompt to address these issues. In addition, Microsoft’s Windows Health Release Dashboard provides insights into known issues, which helps Windows administrators and general Windows users in troubleshooting issues after a bad Windows Update is released.

[Figure: Windows release health dashboard]

However, let’s look at the Known Issue Rollback (KIR) process and how it can provide even more help for Windows administrators.

What is Known Issue Rollback (KIR)?

The Known Issue Rollback (KIR) feature is geared toward non-security bug fixes and provides a means for quickly reverting specific modifications to their prior state if any unforeseen critical regressions surface for enterprise organizations managing their Windows Updates. Computers pulling directly from Windows Update will automatically benefit from Known Issue Rollback.

It essentially allows businesses to control rollbacks using Group Policies in their environment if an update is problematic. Combined with WMI filtering, admins can effectively target specific clients and roll back bad updates.

What operating system level benefits from KIR? The KIR framework was in place as of Windows 10, version 2004, and parts of the framework were functional with earlier versions. Microsoft’s monthly updates, quality updates, and other non-security updates leverage the functionalities of this rollback mechanism.

Initially, KIR was conceptualized for user-mode processes. However, this has been extended to the OS kernel and boot loader to accommodate KIR support in kernel mode. It’s worth noting that some earlier versions of Windows 10, notably versions 1909 and 1809, already have a foundational layer of KIR support.

So, how does KIR work?

New code vs old code path

When Windows developers code non-security-related fixes, they leave the old code in place and add logic that allows Windows to use the new code instead of the old code. Essentially, the old code is “switched off” and the new code is “switched on.” This provides the basis for rolling back to the old code using the KIR.

Microsoft provides the following pseudo code to illustrate the logic:

    if (BugFix::IsEnabled()) {
        // New Code (default path - enabled by default)
    } else {
        // Previous Code (alternate path - disabled by default)
    }

Using policy, the OS can be told to evaluate whether a particular fix should be active or dormant. If allowed, the new code takes precedence. However, in the case of a KIR, the OS defaults to the original code path, reverting back to the non-problematic code.

Microsoft’s monthly updates now adopt an “enabled by default” stance. This means the legacy code is set to inactive, ushering in the updated code. However, in scenarios where a fix manifests issues, Azure’s cloud infrastructure collaborates with Windows to modify this policy setting on the affected device, thereby neutralizing the problematic element. On the enterprise front, there’s evident autonomy, allowing for direct control over this policy.

Does not apply to security fixes

For clarity, it’s important to underline that KIR’s realm of operation is confined to non-security fixes. By adhering to this coding framework, the integrity of the original code is maintained. Considering that outdated code can be a potential vulnerability in the context of security fixes, it’s logical that KIR is excluded from security-oriented patches.

The Power of Known Issue Rollback (KIR)

When a particular Windows Update KB article identifies a problematic patch, KIR comes to the rescue. Instead of uninstalling updates entirely, this feature allows for issue rollback containment.

KIR features and capabilities

Note the following features and capabilities of the Known Issue Rollback.

  1. Selective Rollback: Instead of reverting all changes, KIR targets the specific code path causing the issue, leaving other essential fixes shipped intact.
  2. KIR Policy Definition: IT administrators can leverage Group Policy Editor and the administrative templates provided by Microsoft to set up KIR configurations. Within Group Policy, using the WMI filtering menu helps pinpoint affected versions of Windows devices.
  3. KIR Activation: IT personnel can use tools like Mobile Device Management to activate the issue rollback configurations on most end-user devices by downloading the necessary KIR MSI files.
  4. Monitoring and Further Actions: Post-deployment, IT teams can monitor the changes through diagnostic data and, if needed, make a configuration change to ensure stability.

Requirements for Known Issue Rollback

What are the requirements for configuring and using the Known Issue Rollback process?

  • You need to be running Windows Server 2019, version 1809 and later versions; Windows 10, version 1809 and later versions
  • You need to download the provided ADMX template for the KIR
  • You need to apply a Group Policy Object to target client computers for rollback

Diving Deeper: Setting Up KIR

Microsoft has provided an example KIR MSI file to help administrators become familiar with the process of using the Known Issue Rollback. You can download the MSI file here.

Run the MSI file, which extracts the administrative template to the C:\Windows\PolicyDefinitions folder.

Once the ADMX and ADML files are in place, you should see the new policy node in the Administrative templates section of your Group Policy.

[Figure: After installing the KIR rollback ADMX template]

Underneath, you will see the OS and version the KIR applies to. Double-click the KB issue rollback setting.

[Figure: Modifying the KIR settings]

Once you open the Policy Setting, configure the setting for Disabled. The dialog box does a good job of explaining the difference between Enabled and Disabled. Disabling the setting means you want to roll back a known issue.

[Figure: Implementing the KIR rollback]

Using WMI filtering for computer targeting

Open the Group Policy Editor and navigate to the WMI filtering menu. Set up a new filter for applicable Windows versions using the following query string.

Below, we are creating the new WMI filter to query for devices running Windows 10 2004:

[Figure: Creating a new WMI filter]

Selecting the GPO you create for the KIR, you can target specific computers using the new WMI query.

[Figure: Selecting WMI filtering in the properties of a GPO]
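
A WMI filter that never matches leaves the KIR GPO applied to no machines, so it is worth running the query on a representative client before linking it. The PowerShell below is an added example, not code from the original post or from Microsoft; the query text, the 10.0.19041 version string assumed for Windows 10, version 2004, and the function name Test-KirWmiFilter are assumptions of this example.

```powershell
# Added example. Assumed target: Windows 10, version 2004 clients,
# i.e. OS version 10.0.19041 and ProductType 1 (workstation).
$KirFilter = 'SELECT Version, ProductType FROM Win32_OperatingSystem ' +
             'WHERE Version LIKE "10.0.19041%" AND ProductType = 1'

function Test-KirWmiFilter {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $Query,
        [string] $ComputerName            # omit to test the local machine
    )
    # Group Policy WMI filters are evaluated in a WMI namespace; root\CIMv2 holds Win32_OperatingSystem.
    $cimArgs = @{ Query = $Query; Namespace = 'root\CIMv2'; ErrorAction = 'Stop' }
    if ($ComputerName) { $cimArgs.ComputerName = $ComputerName }   # remote test needs WinRM

    $target = if ($ComputerName) { $ComputerName } else { $env:COMPUTERNAME }
    try {
        $hit = @(Get-CimInstance @cimArgs)
    }
    catch {
        # A query that errors out here will not select machines as intended; fix it before linking.
        return [pscustomobject]@{
            Computer = $target; Matches = $false; Version = $null
            Error    = $_.Exception.Message
        }
    }
    [pscustomobject]@{
        Computer = $target
        Matches  = ($hit.Count -gt 0)     # the filter passes only when the query returns a row
        Version  = if ($hit.Count -gt 0) { $hit[0].Version } else { $null }
        Error    = $null
    }
}

# Run on a client that should receive the rollback and on one that should not.
Test-KirWmiFilter -Query $KirFilter

# After linking the GPO, refresh policy and review the computer-scope results
# from an elevated prompt to see whether the KIR GPO was applied or filtered out.
gpupdate /target:computer /force
gpresult /r /scope computer
```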

You can learn more about the overall process for KIR remediation using Group Policy here: Use Group Policy to deploy a Known Issue Rollback.


After implementing a KIR, admins must monitor the environment and ensure the rollback is working as expected. Additionally, check the Windows Health Dashboard to ensure the rollback functions as expected. Microsoft determines the success of these rollbacks based on user feedback and internal data.

FAQs about Known Issue Rollback

1. How does the Windows Health Dashboard tie into Known Issue Rollback?

The Windows Health Dashboard is a platform where Microsoft publishes details about known issues. If an update results in unforeseen problems, IT administrators can refer to this dashboard to check if Microsoft has recognized the problem. If a Known Issue Rollback (KIR) is initiated, the details and affected versions are often updated here.

2. I’ve experienced a blue screen after an update. Could this be resolved using KIR?

Yes, a blue screen, often resulting from problematic fixes, can potentially be addressed by KIR. If the root cause is a non-security bug fix that went awry, Microsoft could trigger a Known Issue Rollback to revert to the old code path and fix the issue. Always check the Windows Update KB article associated with the update for further details.

3. How do mobile device management tools play a role with Known Issue Rollback?

Mobile device management (MDM) tools can be configured to manage group policy settings, influencing the KIR policy definition. MDMs ensure that devices within an organization follow the desired KIR activation policy, especially in cases where enterprises want more granular control over updates.

4. Are there any menu problems that Known Issue Rollback can’t address?

Known Issue Rollback is designed mainly for non-security bug fixes. If a menu problem or any other issue arises from a security update or feature updates, KIR may not be the solution. In such instances, IT administrators might consider using Windows Update Troubleshooter or even uninstall updates as a temporary measure.

5. With all these updates and rollbacks, how does Microsoft ensure a functionally complete system?

Microsoft tests all updates rigorously before they’re pushed to end-user devices. However, issues can occasionally arise due to the vast range of hardware and software configurations. KIR is one of the tools Microsoft uses to ensure stability. Furthermore, Microsoft generates and analyzes diagnostic data from devices to continuously improve the robustness of the operating system.

Wrapping up

Managing Windows Updates is getting easier with tools like the Known Issue Rollback provided by Microsoft. Organizations can control KIRs using Group Policy Editor and apply the KIRs to specific clients in the environment targeted using WMI filtering if desired. Using the Known Issue Rollback tool, admins can recover from installing bad Windows Updates and quickly eliminate major issues due to patching.



from StarWind Blog
