How to use Group Policy to deploy a Known Issue Rollback
This article describes how to configure Group Policy to use a Known Issue Rollback (KIR) policy definition that activates a KIR on managed devices.
Applies to: Windows Server 2019, version 1809 and later versions; Windows 10, version 1809 and later versions
Microsoft has developed a new Windows servicing technology that's named KIR for Windows Server 2019 and Windows 10, versions 1809 and later versions. For the supported versions of Windows, a KIR rolls back a specific change that was applied as part of a nonsecurity Windows Update release. All other changes that were made as a part of that release remain intact. By using this technology, if a Windows update causes a regression or other problem, you don't have to uninstall the entire update and return the system to the last known good configuration. You roll back only the change that caused the problem. This rollback is temporary. After Microsoft releases a new update that fixes the problem, the rollback is no longer necessary.
KIRs apply only to nonsecurity updates. This is because rolling back a fix for a nonsecurity update doesn't create a potential security vulnerability.
Microsoft manages the KIR deployment process for non-enterprise devices. For enterprise devices, Microsoft provides KIR policy definition MSI files. Enterprises can then use Group Policy to deploy KIRs in hybrid Azure Active Directory (Azure AD) or Active Directory Domain Services (AD DS) domains.
You have to restart the affected computers in order to apply this Group Policy change.
The KIR process
If Microsoft determines that a nonsecurity update has a critical regression or similar issue, Microsoft generates a KIR. Microsoft announces the KIR in the Windows Health Dashboard, and adds the information to the following locations:
- The Known Issues section of the applicable Windows Update KB article
- The Known Issues list on the Windows Health Release Dashboard at https://aka.ms/windowsreleasehealth for the affected versions of Windows (for example, Windows 10, version 20H2 and Windows Server, version 20H2)
For non-enterprise customers, the Windows Update process applies the KIR automatically. No user action is required.
For enterprise customers, Microsoft provides a policy definition MSI file. Enterprise customers can propagate the KIR to managed systems by using the enterprise Group Policy infrastructure.
To see an example of a KIR MSI file, download Windows 10 (2004 & 20H2) Known Issue Rollback 031321 01.msi.
A KIR policy definition has a limited lifespan (a few months, at most). After Microsoft publishes an amended update to address the original issue, the KIR is no longer necessary. The policy definition can then be removed from the Group Policy infrastructure.
Using Group Policy to apply a KIR to a single device
To use Group Policy to apply a KIR to a single device, follow these steps:
- Download the KIR policy definition MSI file to the device.
Make sure that the operating system that is listed in the .msi file name matches the operating system of the device that you want to update.
- Run the .msi file on the device. This action installs the KIR policy definition in the Administrative Template.
- Open the Local Group Policy Editor. To do this, select Start, and then enter gpedit.msc.
- Select Local Computer Policy > Computer Configuration > Administrative Templates > KB ####### Issue XXX Rollback > Windows 10, version YYMM.
In this step, ####### is the KB article number of the update that caused the problem. XXX is the issue number, and YYMM is the Windows 10 version number.
- Right-click the policy, and then select Edit > Disabled > OK.
- Restart the device.
For more information about how to use the Local Group Policy Editor, see Working with the Administrative Template policy settings using the Local Group Policy Editor.
Using Group Policy to apply a KIR to devices in a hybrid Azure AD or AD DS domain
To apply a KIR policy definition to devices that belong to a hybrid Azure AD or AD DS domain, follow these steps:
- Download and install the KIR MSI files.
- Create a Group Policy Object (GPO).
- Create and configure a WMI filter that applies the GPO.
- Link the GPO and the WMI filter.
- Configure the GPO.
- Monitor the GPO results.
1. Download and install the KIR MSI files
- Check the KIR release information or the known issues lists to identify which operating system versions you have to update.
- Download the KIR policy definition .msi files that you require to update to the computer that you use to manage Group Policy for your domain.
- Run the .msi files. This action installs the KIR policy definition in the Administrative Template.
2. Create a GPO
- Open Group Policy Management Console, and then select Forest: DomainName > Domains.
- Right-click your domain name, and then select Create a GPO in this domain, and link it here.
- Enter the name of the new GPO (for example, KIR Issue XXX), and then select OK.
For more information about how to create GPOs, see Create a Group Policy Object.
3. Create and configure a WMI filter that applies the GPO
- Right-click WMI Filters, and then select New.
- Enter a name for your new WMI filter.
- Enter a description of your WMI filter, such as Filter to all Windows 10, version 2004 devices.
- In Query, enter the following query string:
SELECT version, producttype from Win32_OperatingSystem WHERE Version = "<VersionNumber>"
In this string, <VersionNumber> represents the Windows version that you want the GPO to apply to. The version number must use the following format (exclude the brackets when you use the number in the string):
10.0.xxxxx
where xxxxx is a five-digit number. Currently, KIRs support the following versions:
| Version | Build number |
| --- | --- |
| Windows 10, version 20H2 | 10.0.19042 |
| Windows 10, version 2004 | 10.0.19041 |
| Windows 10, version 1909 | 10.0.18363 |
| Windows 10, version 1903 | 10.0.18362 |
| Windows 10, version 1809 | 10.0.17763 |
For an up-to-date list of Windows releases and build numbers, see Windows 10 - release information.
The build numbers that are listed on the Windows 10 release information page don't include the 10.0 prefix. To use a build number in the query, you must add the 10.0 prefix.
For more information about how to create WMI filters, see Create WMI Filters for the GPO.
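Before you link the filter, you can evaluate the same query on a representative device to confirm that it selects the intended Windows version. The following PowerShell is an added example, not part of the original article or Microsoft's tooling; the function name Test-KirWmiFilter and its parameter are hypothetical.

```powershell
# Added example: builds the KIR WMI filter query and evaluates it on the local device.
# Test-KirWmiFilter and -Build are hypothetical names chosen for this illustration.
function Test-KirWmiFilter {
    [CmdletBinding()]
    param(
        # Build number as listed on the release information page (19042)
        # or already prefixed (10.0.19042).
        [Parameter(Mandatory)]
        [string]$Build
    )

    # The release information page omits the 10.0 prefix; the filter requires it.
    if ($Build -match '^\d{5}$') { $Build = "10.0.$Build" }

    # Reject anything that is not 10.0.xxxxx so that no stray text reaches the query.
    if ($Build -notmatch '^10\.0\.\d{5}$') {
        throw "Expected 10.0.xxxxx or a five-digit build number, got '$Build'."
    }

    # Win32_OperatingSystem.Version is a string, so the value is quoted in WQL.
    $query = "SELECT Version, ProductType FROM Win32_OperatingSystem WHERE Version = '$Build'"

    # A WMI filter lets the GPO apply when the query returns at least one instance.
    # root/cimv2 is the default namespace for WMI filters.
    $hit = Get-CimInstance -Namespace 'root/cimv2' -Query $query -ErrorAction Stop

    [pscustomobject]@{
        Query        = $query
        Matches      = [bool]$hit
        LocalVersion = (Get-CimInstance -ClassName Win32_OperatingSystem).Version
    }
}

# Example call: would a filter for Windows 10, version 20H2 select this device?
Test-KirWmiFilter -Build 19042
```

If Matches is False on a device that you expect to receive the KIR, compare LocalVersion with the build number in the filter before you troubleshoot the GPO itself.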
4. Link the GPO and the WMI filter
- Select the GPO that you created previously, open the WMI Filtering menu, and then select the WMI filter that you just created.
- Select Yes to accept the filter.
5. Configure the GPO
Edit your GPO to use the KIR Activation Policy
- Right-click the GPO that you created previously, and then select Edit.
- In the Group Policy Editor, select GPOName > Computer Configuration > Administrative Templates > KB ####### Issue XXX Rollback > Windows 10, version YYMM.
- Right-click the policy, and then select Edit > Disabled > OK.
For more information about how to edit GPOs, see Edit a Group Policy object from GPMC.
6. Monitor the GPO results
In the default configuration of Group Policy, managed devices should apply the new policy within 90 to 120 minutes. To speed up this process, you can run gpupdate on affected devices to manually check for updated policies.
Make sure that each affected device restarts after it applies the policy.
The fix that introduced the issue is disabled after the device applies the policy and then restarts.
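To check a single device during monitoring, you can read the computer-scope Resultant Set of Policy report that gpresult produces. The following PowerShell is an added example, not part of the original article; the function name Get-KirGpoStatus is hypothetical, and the script assumes that each GPO entry in the report carries Name, FilterAllowed, and AccessDenied elements.

```powershell
# Added example: reports whether the KIR GPO reached this device and when it last restarted.
# Get-KirGpoStatus and -GpoName are hypothetical names chosen for this illustration.
function Get-KirGpoStatus {
    [CmdletBinding()]
    param(
        # Name of the GPO created in step 2 (for example, KIR Issue XXX).
        [Parameter(Mandatory)]
        [string]$GpoName
    )

    $report = Join-Path $env:TEMP 'kir-rsop.xml'

    # /f overwrites an earlier report. Computer scope requires an elevated session.
    gpresult.exe /scope computer /x $report /f | Out-Null
    if ($LASTEXITCODE -ne 0) {
        throw "gpresult failed with exit code $LASTEXITCODE."
    }

    # Load through XmlDocument so that the file's own encoding declaration is honored.
    $rsop = [xml]::new()
    $rsop.Load($report)

    # Assumption: GPO entries sit under Rsop/ComputerResults in the report.
    $gpo = $rsop.Rsop.ComputerResults.GPO |
        Where-Object { $_.Name -eq $GpoName } |
        Select-Object -First 1

    $os = Get-CimInstance -ClassName Win32_OperatingSystem

    [pscustomobject]@{
        Computer       = $env:COMPUTERNAME
        GpoInReport    = [bool]$gpo
        # FilterAllowed is false when the WMI filter excluded this device.
        FilterAllowed  = if ($gpo) { $gpo.FilterAllowed -eq 'true' } else { $null }
        AccessDenied   = if ($gpo) { $gpo.AccessDenied -eq 'true' } else { $null }
        # The rollback takes effect only after a restart that follows policy application.
        LastBootUpTime = $os.LastBootUpTime
    }
}

Get-KirGpoStatus -GpoName 'KIR Issue XXX'
```

A device on which GpoInReport and FilterAllowed are True but LastBootUpTime predates the policy application still needs a restart.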
- Local Group Policy Editor
- Working with the Administrative Template policy settings using the Local Group Policy Editor
- Group Policy Overview
- GPMC How To
- Create WMI Filters for the GPO (Windows 10) - Windows security
- Edit a Group Policy object from GPMC
- Create and manage group policy in Azure AD Domain Services