sbradley
Contributing Writer

Making sense of out-of-band Windows updates and KIRs

feature
Nov 21, 2022 · 5 mins
IT Management, Small and Medium Business, Windows

Microsoft’s monthly security patches often have unintended side effects on Windows 10 and 11 systems. Out-of-band Windows updates and Known Issue Rollbacks can help. Here’s what you need to know.


For many years, the term “out-of-band Microsoft update” meant that Microsoft was releasing a special patch for a security issue identified as being under active attack. The patch was urgent enough to be released outside the normal “Patch Tuesday” security updates that arrive on the second Tuesday of every month.

But recently Microsoft has been releasing out-of-band updates that fix issues that were introduced with the monthly security updates. Often people install the monthly security updates without realizing that there are additional ways that Microsoft fixes issues introduced by its patches.

Because Windows 10 and 11 updates are cumulative, when you install an update it’s an all or nothing deployment. There is no way to install some components of the update without installing all of it. Depending on where the underlying problem with a patch lies, Microsoft can use either an out-of-band update or a Known Issue Rollback to introduce a fix to the system. Let’s explore both of these methods.

Out-of-band Windows updates

Recently we’ve seen a bumper crop of out-of-band updates fixing issues introduced in previous patch releases. For example, the October 28 KB5020853 update for Windows 10 22H2 is an out-of-band release fixing issues introduced by earlier updates. It specifically “addresses an issue that causes Microsoft OneDrive to stop working. This occurs after you unlink your device, stop syncing, or sign out of your account.”

Unfortunately, these out-of-band updates are not pushed out via Windows Update or Windows Server Update Services (WSUS). You must manually download and install them on all your systems.

To find out about known issues with updates, I always start with the Windows release health dashboard. There Microsoft lists issues with Windows updates that it has documented or is investigating, along with instructions for mitigating the issues, if available.

For instance, the November 8th security patches introduced changes to Kerberos handling that caused authentication issues. Microsoft then had to release hotfixes for Windows servers to fix these issues. As noted in the Windows release health dashboard, these patches need to be applied to impacted domain controllers to fix the authentication side effects introduced by the November updates.

Adding to the confusion, Microsoft often introduces changes in out-of-band “Preview” updates that are then rolled into the security updates for the following month. Unfortunately, sometimes the Preview updates themselves cause problems. Case in point: a recent change that was slid into the September 20 update for Windows 10 21H2, named KB5017380 Preview. Buried in the documentation, Microsoft noted that the update “Turns off Transport Layer Security (TLS) 1.0 and 1.1 by default in Microsoft browsers and applications. For more information, see KB5017811.”

This change triggered side effects in older line-of-business applications and in email clients connecting to older mail servers. Without the update, the email client would connect just fine; with the update, the connection would fail.

This KB5017380 Preview update was then rolled into the October 11 security update, KB5018410. So if you suffered any side effects that manifested as TLS or SSL errors after installing the October security update, you might uninstall that update, check the footnotes for the update, and find yourself scratching your head because no TLS or SSL issues were listed. Rather, you had to know that the TLS/SSL issues were introduced in the earlier preview release.
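To triage a machine that shows TLS or SSL errors against the change described above, the following added PowerShell example (not from the article or from Microsoft) reports whether the two KBs named here are listed and decodes the current user's explicit protocol selection. The registry path and bit values are assumptions based on the WinINet `SecureProtocols` setting; confirm them against KB5017811 before relying on the result.

```powershell
# Added example. KB numbers are from the article; the registry path and bit
# values are assumptions (WinINet "SecureProtocols" setting).
$ProtocolBits = [ordered]@{
    'SSL 2.0' = 0x8;   'SSL 3.0' = 0x20
    'TLS 1.0' = 0x80;  'TLS 1.1' = 0x200
    'TLS 1.2' = 0x800; 'TLS 1.3' = 0x2000
}

function ConvertFrom-SecureProtocols {
    # Decode the bitmask into one row per protocol.
    param([Parameter(Mandatory)][int]$Value)
    foreach ($name in $ProtocolBits.Keys) {
        [pscustomobject]@{
            Protocol = $name
            Enabled  = [bool]($Value -band $ProtocolBits[$name])
        }
    }
}

# 1. Are the updates named in the article listed on this machine?
#    A later cumulative update can supersede them, so "not listed" is not
#    proof that the change is absent.
$kbs = 'KB5017380', 'KB5018410'
$found = @(Get-HotFix -Id $kbs -ErrorAction SilentlyContinue)
foreach ($kb in $kbs) {
    $hit = $found | Where-Object HotFixID -eq $kb
    '{0}: {1}' -f $kb, $(if ($hit) { "installed $($hit.InstalledOn)" } else { 'not listed' })
}

# 2. Has this user set an explicit protocol selection?
$key = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'
$prop = Get-ItemProperty -Path $key -Name SecureProtocols -ErrorAction SilentlyContinue
if ($null -eq $prop) {
    'SecureProtocols not set: the OS default applies.'
} else {
    ConvertFrom-SecureProtocols -Value $prop.SecureProtocols | Format-Table -AutoSize
}
```

As a constructed check of the decoder, `ConvertFrom-SecureProtocols -Value 0xA80` marks TLS 1.0, 1.1 and 1.2 as enabled and the rest as disabled.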

Known Issue Rollbacks

There are times, however, when side effects can be fixed with a process called Known Issue Rollback (KIR), a methodology Microsoft has developed to roll back offending parts of a patch without mandating that you uninstall the entire update. When the code that triggered the side effect can be removed from the system without reintroducing a security issue, Microsoft issues a KIR.

As noted on the Windows 10 release health dashboard, for example, a recent side effect introduced with the August KB5016688 update that triggered a disappearing or unresponsive desktop or taskbar was resolved with Microsoft pushing out a rollback. Similarly, the October 25th update introduced issues with DirectAccess, a Microsoft technology that allows for secure remote access to a network. Microsoft fixed this issue via Known Issue Rollback as well.

First stop: The Windows release health dashboard

Dealing with update side effects while still keeping security updates installed often means digging into the Windows release health dashboard to see whether a side effect you are experiencing has been noted and documented. When issues are widespread, they will be documented on this site. For those issues that are outliers, you often have to dig a bit more.

One thing to keep in mind with issues you encounter is that there are many other pieces of software that update on your computers, often around the same time that Windows security updates are installed. Thus, should you suddenly notice issues with your computers, don’t just assume the issue is caused by a Microsoft update; there may be additional updates from other software that trigger issues.

Bottom line: changes to your operating system occur not only with the OS updates but also with browser, extension, and antivirus updates. On a regular basis, your system has changes made to it. Make sure you review the various resources and look out for any out-of-band fixes that Microsoft may be releasing. The bugs introduced by the monthly security updates may be fixed with another update. Before you uninstall an update, review the Windows release health dashboard to see if it’s already been fixed with a rollback or an out-of-band update.


Susan Bradley has been patching since before the Code Red/Nimda days and remembers exactly where she was when SQL slammer hit (trying to buy something on eBay and wondering why the Internet was so slow). She writes the Patch Watch column for Askwoody.com, is a moderator on the PatchManagement.org listserve, and writes a column of Windows security tips for CSOonline.com. In real life, she’s the IT wrangler at her firm, Tamiyasu, Smith, Horn and Braun, where she manages a fleet of Windows servers, Microsoft 365 deployments, Azure instances, desktops, a few Macs, several iPads, a few Surface devices, several iPhones and tries to keep patches up to date on all of them. In addition, she provides forensic computer investigations for the litigation consulting arm of the firm. She blogs at https://www.askwoody.com/tag/patch-lady-posts/ and is on Twitter at @sbsdiva. She lurks on Twitter and Facebook, so if you are on Facebook with her, she really did read what you posted. She has a SANS/GSEC certification in security and prefers Heavy Duty Reynolds wrap for her tinfoil hat.