Full Report
Microsoft says the October 2025 updates trigger incorrect end-of-support warnings on Windows 10 systems with active security coverage or still under active support. [...]
Analysis Summary
# Incident Report: Incorrect Windows 10 End-of-Support Notifications
## Executive Summary
A configuration defect introduced via the October 2025 Windows updates caused erroneous "End of Support" warnings to appear on various Windows 10 systems still under active security support, including LTSC and ESU-enrolled devices. The incident was purely cosmetic, as security updates continued to be delivered correctly. Microsoft has deployed a cloud configuration update to resolve the issue automatically, while IT administrators can apply a manual workaround via Known Issue Rollback (KIR).
## Incident Details
- Discovery Date: November 2025 (following October 2025 Patch Tuesday)
- Incident Date: Occurred after the deployment of October 2025 Windows Updates
- Affected Organization: Global Windows 10 users, specifically those on supported versions.
- Sector: Information Technology/Software Vendor
- Geography: Global
## Timeline of Events
### Initial Access
- Date/Time: Late October 2025 (Post-October 2025 Updates)
- Vector: Routine Software Update/Configuration Deployment
- Details: The deployment of the October 2025 updates appears to have contained a logic flaw causing incorrect state assessment regarding support timelines.
### Lateral Movement
- Not Applicable. This was an internally generated software/configuration issue, not an external breach requiring lateral movement.
### Data Exfiltration/Impact
- Not Applicable. Windows updates continued to function correctly; the impact was purely related to display/user perception.
### Detection & Response
- Date/Time: Early November 2025 (Post widespread user reports, including Reddit)
- Details: Microsoft confirmed the issue based on user reports and acknowledged it as a cosmetic bug.
- Response actions taken: Deployment of a cloud configuration update (OneSettings) and the release of a fix via Known Issue Rollback (KIR).
## Attack Methodology
- Initial Access: Software Update Delivery Mechanism (OS Patching/Configuration Push)
- Persistence: Not Applicable
- Privilege Escalation: Not Applicable
- Defense Evasion: Not Applicable
- Credential Access: Not Applicable
- Discovery: Not Applicable
- Lateral Movement: Not Applicable
- Collection: Not Applicable
- Exfiltration: Not Applicable
- Impact: Displaying erroneous (though alarming) notifications to end-users and administrators.
## Impact Assessment
- Financial: Minor administrative overhead dealing with false alarms and applying KIR policies, but no direct service disruption costs identified.
- Data Breach: None.
- Operational: Minor operational overhead for IT administrators addressing false positive security alerts.
- Reputational: Minor negative impact due to generating user alarm regarding critical system support status.
## Indicators of Compromise
- Behavioral indicators: Display of the message "Your version of Windows has reached the end of support" in Windows Update Settings on supported OS versions (W10 22H2 ESU, LTSC 2021, LTSC IoT 2021).
## Response Actions
- Containment measures: Microsoft deployed a cloud configuration update (OneSettings) targeted at resolving the notification error automatically.
- Eradication steps: For devices not receiving the cloud update, administrators could manually apply the Known Issue Rollback (KIR) mechanism by configuring Group Policy associated with KB5066791 251020\_20401 to "Disabled."
- Recovery actions: A permanent fix is scheduled to be included in a future standard Windows update.
## Lessons Learned
- Regression Testing: Increased scrutiny is required for update configurations that check and display End-of-Life (EOL) status, especially across varied licensing and support models (e.g., ESU, LTSC).
- Configuration Management Reliability: Over-reliance on dynamic updates (like OneSettings) means endpoints that are offline or have restrictive GPOs applied require documented secondary remediation paths (KIR proved essential here).
## Recommendations
- Prioritize the rollout of the permanent fix via scheduled servicing updates to remove reliance on manual KIR configuration.
- Ensure all update rollout quality checks explicitly validate EOL/support status messaging across all active servicing channels (ESU, LTSC).