
Defending Against Disruption: Managing and Detecting Windows 11 25H2 Force Upgrades

Security Arsenal Team
April 3, 2026

Introduction

This week, Microsoft initiated a significant change to its update mechanism for Windows 11. For organizations relying on "unmanaged" devices—specifically those running Windows 11 24H2 Home and Pro editions not governed by corporate policy—Microsoft has begun force-upgrading these systems to Windows 11 version 25H2.

While keeping endpoints updated is a fundamental security hygiene practice, the forced, uncontrolled deployment of feature updates introduces operational risk. For defenders, this highlights the critical distinction between "patching" (security fixes) and "upgrading" (feature changes). Uncontrolled upgrades can lead to application incompatibility, unexpected downtime, and configuration drift—threats to availability that are just as damaging as malware.

Technical Analysis

The security issue here is not a vulnerability in the traditional sense (e.g., a CVSS-scored buffer overflow), but rather a configuration management risk. Microsoft is delivering Windows 11 25H2 as an "Enablement Package" (specifically KB504... updates). Technically, these packages are small and act as a switch to unlock features already dormant in the 24H2 codebase.

However, because Microsoft is classifying this delivery as a cumulative update rather than a traditional feature update, it bypasses the standard safeguards and deferral periods that IT teams might have set on unmanaged endpoints.

  • Affected Systems: Unmanaged Windows 11 devices (Home/Pro) currently on version 24H2.
  • Mechanism: Windows Update Agent (usoclient.exe) automatically fetches and applies the enablement package.
  • Risk: Sudden shifts to Build 26100+ (25H2) without validation testing for business-critical software.

Defensive Monitoring

To defend your environment against unauthorized OS changes and configuration drift, Security Arsenal recommends the following detection rules and queries. These tools will help your SOC team identify when the upgrade process initiates and when the OS version changes.

SIGMA Detection Rules

YAML
---
title: Windows Update Agent Performing Upgrade Operations
id: 6c7f8e90-1a2b-3c4d-5e6f-7a8b9c0d1e2f
status: experimental
description: Detects the Windows Update Agent (usoclient.exe) initiating update installations which may include forced enablement packages for OS upgrades.
references:
  - https://learn.microsoft.com/en-us/windows/deployment/update/windows-update-logs
author: Security Arsenal
date: 2025/03/29
tags:
  - attack.execution
  - attack.t1059.001
logsource:
  category: process_creation
  product: windows
detection:
  selection:
    Image|endswith: '\usoclient.exe'
    CommandLine|contains:
      - 'StartInstall'
      - 'ScanInstallWait'
      - 'ResumeUpdate'
  condition: selection
falsepositives:
  - Legitimate administrative software updates
level: medium
---
title: Windows OS Build Version Changed to 25H2
id: 1a2b3c4d-5e6f-7a8b-9c0d-1e2f3a4b5c6d
status: experimental
description: Detects registry modifications indicating the OS build has changed to Windows 11 25H2 (Build 26100+), suggesting a force upgrade occurred.
references:
  - https://support.microsoft.com/en-us/topic/windows-11-release-information-3f4bb753-bce1-4fe3-9e6f-5bb79c65980b
author: Security Arsenal
date: 2025/03/29
tags:
  - attack.persistence
  - attack.t1542.001
logsource:
  category: registry_set
  product: windows
detection:
  selection:
    TargetObject|contains: 'HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\CurrentBuild'
    Details|contains: '26100'
  condition: selection
falsepositives:
  - Authorized IT upgrades
level: high
---
title: Windows Setup Executable Started
id: 9f8e7d6c-5b4a-3c2d-1e0f-9a8b7c6d5e4f
status: experimental
description: Detects the execution of Windows Setup components, which are often involved in forced OS upgrades or enablement package installs.
references:
  - https://attack.mitre.org/techniques/T1547/001/
author: Security Arsenal
date: 2025/03/29
tags:
  - attack.privilege_escalation
  - attack.t1548.002
logsource:
  category: process_creation
  product: windows
detection:
  selection:
    Image|endswith: '\setupprep.exe'
  condition: selection
falsepositives:
  - Planned Windows upgrades by administrators
level: medium
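The three rules above can be sanity-checked offline before they go into a SIEM. The following is an added example, not code from the article or from the Sigma project: a minimal matcher that implements only what these rules need (the endswith and contains modifiers, case-insensitive as Sigma string matching is by default, AND across the keys of a selection map, OR across a list of values under one key) and runs each selection over hand-written events. Field names follow the Sysmon/Sigma process_creation and registry_set conventions; every sample event is constructed, not captured telemetry.

```python
"""Minimal Sigma-style matcher to sanity-check the three selections above.

Added example, not code from the article or from the Sigma project. It
implements only what those rules need: the 'endswith' and 'contains'
modifiers (case-insensitive, as Sigma string matching is by default), AND
across the keys of a selection map, OR across a list of values under one
key. Events are plain dicts keyed by Sigma field names (Image, CommandLine,
TargetObject, Details); all sample events below are constructed.
"""
from __future__ import annotations

# The three selections from the rules above, restated as data.
RULES = {
    "Windows Update Agent Performing Upgrade Operations": {
        "Image|endswith": "\\usoclient.exe",
        "CommandLine|contains": ["StartInstall", "ScanInstallWait", "ResumeUpdate"],
    },
    "Windows OS Build Version Changed to 25H2": {
        "TargetObject|contains": "HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\CurrentBuild",
        "Details|contains": "26100",
    },
    "Windows Setup Executable Started": {
        "Image|endswith": "\\setupprep.exe",
    },
}


def field_matches(value, modifier: str, pattern) -> bool:
    """Apply one modifier to one event field. A list of patterns is an OR."""
    if value is None:                     # field absent from this event type
        return False
    candidates = pattern if isinstance(pattern, list) else [pattern]
    v = str(value).lower()
    for p in candidates:
        p = str(p).lower()
        if modifier == "endswith" and v.endswith(p):
            return True
        if modifier == "contains" and p in v:
            return True
        if modifier == "" and v == p:     # no modifier: exact (case-insensitive) match
            return True
    return False


def selection_matches(selection: dict, event: dict) -> bool:
    """All keys in a selection map must match (Sigma map semantics are AND)."""
    for key, pattern in selection.items():
        field, _, modifier = key.partition("|")
        if not field_matches(event.get(field), modifier, pattern):
            return False
    return True


def evaluate(event: dict) -> list[str]:
    """Titles of every rule whose selection matches the event."""
    return [title for title, sel in RULES.items() if selection_matches(sel, event)]


# Constructed sample telemetry (not captured logs); each upgrade trigger
# sits next to a look-alike that should stay quiet.
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\UsoClient.exe", "CommandLine": "UsoClient.exe StartInstall"},
    {"Image": r"C:\Windows\System32\UsoClient.exe", "CommandLine": "UsoClient.exe StartScan"},
    {"TargetObject": r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\CurrentBuild", "Details": "26100"},
    {"TargetObject": r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\CurrentBuild", "Details": "22631"},
    {"Image": r"C:\$WINDOWS.~BT\Sources\SetupPrep.exe", "CommandLine": "SetupPrep.exe"},
]


def run_samples() -> dict[int, list[str]]:
    """Map each sample index to the rule titles it fires."""
    return {i: evaluate(e) for i, e in enumerate(SAMPLE_EVENTS)}


if __name__ == "__main__":
    for i, hits in run_samples().items():
        print(i, hits or "no match")
```

Only the StartInstall event, the 26100 registry write and the SetupPrep start fire; the routine StartScan and a pre-25H2 build value stay silent, which is the behaviour to confirm before wiring the rules to an alerting channel. Note that the mixed-case image path still matches because the comparison is lowercased on both sides.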

KQL Queries (Microsoft Sentinel/Defender)

Use these queries to detect the upgrade activity in your logs.

KQL — Microsoft Sentinel / Defender
// Detect Windows Update Agent initiating forced installations
DeviceProcessEvents
| where FolderPath endswith @"\usoclient.exe"
| where ProcessCommandLine contains "StartInstall" or ProcessCommandLine contains "ScanInstallWait" or ProcessCommandLine contains "ResumeUpdate"
| project Timestamp, DeviceName, AccountName, ProcessCommandLine, InitiatingProcessFileName
| order by Timestamp desc


// Hunt for devices reporting Build 26100 (25H2); OSBuild is the numeric build column,
// and arg_max keeps only the latest DeviceInfo snapshot per device
DeviceInfo
| where OSBuild >= 26100
| summarize arg_max(Timestamp, *) by DeviceName
| project Timestamp, DeviceName, OSBuild, OSVersion, OSPlatform
| order by Timestamp desc

Velociraptor VQL Hunt Queries

These VQL artifacts help you hunt for endpoints that have already been upgraded or are in the process of upgrading.

VQL — Velociraptor
// Hunt for Windows 11 25H2 (Build 26100) installations via the registry.
// The "registry" accessor exposes keys and values as paths; Data.value holds the value data.
SELECT OSPath, Mtime, Data.value AS BuildNumber
FROM glob(globs="HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\CurrentBuild",
          accessor="registry")
WHERE Data.value = "26100"


// Hunt for active Windows Update and Setup processes (=~ is a regex match)
SELECT Pid, Name, CommandLine, Exe, Username
FROM pslist()
WHERE Name =~ "usoclient" OR Name =~ "wuauclt" OR Name =~ "setupprep"

PowerShell Remediation/Verification

This script checks the current version and allows you to set policies to defer updates (on supported editions).

PowerShell
<#
.SYNOPSIS
    Check Windows Version and Defer Feature Updates if possible.
#>

# 1. Check Current Build (CurrentBuild is stored as a string; cast it before comparing,
#    otherwise -ge performs a lexical string comparison)
$buildInfo = Get-ItemProperty "HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion"
$currentBuild = [int]$buildInfo.CurrentBuild
Write-Host "Current Product Name: $($buildInfo.ProductName)"
Write-Host "Current Display Version: $($buildInfo.DisplayVersion)"
Write-Host "Current Build Number: $currentBuild"

if ($currentBuild -ge 26100) {
    Write-Warning "System is already on Windows 11 25H2 (Build 26100+)."
} else {
    Write-Host "System is on a pre-25H2 build."
}

# 2. Attempt to Defer Feature Updates (Requires Windows Pro/Enterprise and Admin Rights)
#    Home edition (EditionID 'Core') ignores the WindowsUpdate policy keys entirely.
if ($buildInfo.EditionID -eq 'Core') {
    Write-Warning "Home edition detected: update deferral policies are not honoured on this edition."
}

try {
    $policyPath = "HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate"
    if (-not (Test-Path $policyPath)) { New-Item -Path $policyPath -Force -ErrorAction Stop | Out-Null }

    # Set DeferFeatureUpdates to 1 (enable deferral) and the deferral period (0-365 days).
    # -ErrorAction Stop turns a non-terminating access-denied error into one the catch block sees.
    Set-ItemProperty -Path $policyPath -Name "DeferFeatureUpdates" -Value 1 -Type DWord -ErrorAction Stop
    Set-ItemProperty -Path $policyPath -Name "DeferFeatureUpdatesPeriodInDays" -Value 365 -Type DWord -ErrorAction Stop

    Write-Host "Successfully configured policy to defer feature updates for 365 days."
} catch {
    Write-Error "Failed to set update deferral policy. Ensure you are running as Administrator. ($_)"
}

Remediation

To protect your organization from the operational risks of forced upgrades, Security Arsenal recommends the following remediation steps:

  1. Inventory Classification: Immediately identify all "unmanaged" devices. Any device not checking in to Intune, WSUS, or SCCM is at risk.
  2. Enroll in Management: The most effective defense is to bring devices under management. Enroll Windows 10/11 Pro devices into Microsoft Intune or connect them to your Active Directory for Group Policy management.
  3. Configure Update Rings: In Intune, create "Update Rings" for Windows 11 feature updates. Set these to "Semi-Annual Channel" and configure a deferral period (e.g., 30-180 days) to allow your security team to validate the 25H2 build before deployment.
  4. Registry Hardening (For Standalone Pro): For devices that cannot be immediately managed, use the PowerShell script provided above or manually edit HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate to enable DeferFeatureUpdates.
  5. Testing: Before authorizing 25H2, validate it in a pilot group to ensure compatibility with your security stack (EDR agents, DLP, and VPN clients).
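Step 1 (inventory classification) and the "Affected Systems" bullet in the Technical Analysis both reduce to a triage over an inventory export. The following is an added example, not part of the original article: it applies the article's own criteria (unmanaged means checking in to none of Intune, WSUS or SCCM; the exposed population is Home/Pro on 24H2; the DeferFeatureUpdates policy only helps on Pro/Enterprise) and goes one step beyond the text by comparing each device's version with the one recorded in the previous inventory run, so that a device that has already been upgraded shows up as configuration drift. The inventory rows are constructed and the field names are this example's own, not any product's export format; `version` is assumed to carry the DisplayVersion string ("24H2", "25H2") from HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion.

```python
"""Triage a device inventory for forced-upgrade exposure and version drift.

Added example, not part of the original article. It applies the article's
own criteria: a device is exposed when it checks in to none of Intune, WSUS
or SCCM, runs Windows 11 Home or Pro, and is on 24H2; a DeferFeatureUpdates
policy is only honoured on Pro/Enterprise. Drift is a version that differs
from the one recorded in the previous inventory run. All rows are
constructed, and the field names are this example's own, not any product's
export format; `version` carries the DisplayVersion string ("24H2", "25H2")
from HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion.
"""
from __future__ import annotations
from dataclasses import dataclass
from typing import Optional

MANAGED_SOURCES = {"Intune", "WSUS", "SCCM"}   # check-in sources the article treats as "managed"
POLICY_CAPABLE = {"Pro", "Enterprise"}         # editions that honour the deferral policy
TARGET_VERSION = "24H2"                        # release the forced upgrade targets
URGENCY = ["drifted", "exposed-no-policy", "exposed-enrollable", "deferred", "managed", "not-in-scope"]


@dataclass(frozen=True)
class Device:
    name: str
    edition: str         # "Home", "Pro", "Enterprise"
    version: str         # current DisplayVersion
    management: str      # "" when the device checks in nowhere
    defer_policy: bool   # DeferFeatureUpdates=1 present under the WindowsUpdate policy key


def classify(d: Device, baseline_version: Optional[str]) -> str:
    """One triage class per device; the most urgent condition wins."""
    if baseline_version is not None and d.version != baseline_version:
        return "drifted"               # changed since last run: validate app compatibility now
    if d.management in MANAGED_SOURCES:
        return "managed"               # update rings / deferral settings apply
    if d.version != TARGET_VERSION or d.edition not in {"Home", "Pro"}:
        return "not-in-scope"          # outside the population the forced upgrade targets
    if d.edition in POLICY_CAPABLE:
        return "deferred" if d.defer_policy else "exposed-enrollable"
    return "exposed-no-policy"         # Home ignores the policy key: enrol it or accept the risk


def triage(devices: list[Device], baseline: dict[str, str]) -> dict[str, list[str]]:
    """Group device names by class, ordered most urgent first.
    `baseline` maps device name -> version seen in the previous inventory."""
    report: dict[str, list[str]] = {cls: [] for cls in URGENCY}
    for d in devices:
        report[classify(d, baseline.get(d.name))].append(d.name)
    return {cls: names for cls, names in report.items() if names}


# Constructed inventory and last run's baseline (not real hosts).
BASELINE = {"WS-001": "24H2", "WS-002": "24H2", "WS-003": "24H2", "WS-004": "24H2", "WS-005": "23H2"}
INVENTORY = [
    Device("WS-001", "Pro",  "24H2", "Intune", False),   # managed: rings apply
    Device("WS-002", "Pro",  "24H2", "",       False),   # exposed, can be enrolled or deferred
    Device("WS-003", "Pro",  "24H2", "",       True),    # standalone Pro with the registry deferral
    Device("WS-004", "Home", "25H2", "",       False),   # upgraded since the baseline: drift
    Device("WS-005", "Pro",  "23H2", "",       False),   # not on 24H2, outside the target population
    Device("WS-006", "Home", "24H2", "",       False),   # new, unmanaged Home device: no policy lever
]

if __name__ == "__main__":
    for cls, names in triage(INVENTORY, BASELINE).items():
        print(f"{cls:<20} {', '.join(names)}")
```

The ordering is deliberate: drifted devices go to the top because the compatibility validation in step 5 has already been bypassed for them, and unmanaged Home devices rank above unmanaged Pro because the registry hardening in step 4 gives the latter a stop-gap that the former does not have.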
