How to use Group Policy to deploy a Known Issue Rollback

This article discusses how to configure Group Policy to use a Known Issue Rollback (KIR) policy definition that activates a KIR on managed devices.

Summary

Microsoft has developed a new Windows servicing technology that's named KIR for Windows Server 2019 and Windows 10, versions 1809 and later versions. For the supported versions of Windows, a KIR rolls back a specific change that was applied as part of a nonsecurity Windows Update release. All other changes that were made as a part of that release remain intact. By using this technology, if a Windows update causes a regression or other problem, you don't have to uninstall the entire update and return the system to the last known good configuration. You roll back only the change that caused the problem. This rollback is temporary. After Microsoft releases a new update that fixes the problem, the rollback is no longer necessary.

Important

KIRs apply only to nonsecurity updates. Rolling back a change that shipped in a nonsecurity update doesn't create a potential security vulnerability, whereas rolling back a security fix would reintroduce the vulnerability it closed, so no KIR is produced for security updates.

Microsoft manages the KIR deployment process for nonenterprise devices. For enterprise devices, Microsoft provides KIR policy definition .msi files. Enterprises can then use Group Policy to deploy KIRs in hybrid Microsoft Entra ID or Active Directory Domain Services (AD DS) domains.

Note

You have to restart the affected computers in order to apply this Group Policy change.

The KIR process

If Microsoft determines that a nonsecurity update has a critical regression or similar issue, Microsoft generates a KIR. Microsoft announces the KIR in the Windows Health Dashboard, and adds the information to the following locations:

For nonenterprise customers, the Windows Update process applies the KIR automatically. No user action is required.

For enterprise customers, Microsoft provides a policy definition .msi file. Enterprise customers can propagate the KIR to managed systems by using the enterprise Group Policy infrastructure.

To see an example of a KIR .msi file, download Windows 10 (2004 & 20H2) Known Issue Rollback 031321 01.msi.

A KIR policy definition has a limited lifespan (a few months, at most). After Microsoft publishes an amended update to address the original issue, the KIR is no longer necessary. The policy definition can then be removed from the Group Policy infrastructure.

Apply KIR to a single device by using Group Policy

To use Group Policy to apply a KIR to a single device, follow these steps:

  1. Download the KIR policy definition .msi file to the device.

    Important

    Make sure that the operating system that is listed in the .msi file name matches the operating system of the device that you want to update.

  2. Run the .msi file on the device. This action installs the KIR policy definition (an .admx file and its .adml language file) under Administrative Templates.
  3. Open the Local Group Policy Editor. To open the editor, select Start, and then enter gpedit.msc.
  4. Select Local Computer Policy > Computer Configuration > Administrative Templates > KB ####### Issue XXX Rollback > Windows 10, version YYMM.

    Note

    In this step, ####### is the KB article number of the update that caused the problem. XXX is the issue number, and YYMM is the Windows 10 version number.

  5. Right-click the policy, select Edit, select Disabled, and then select OK. Disabled is the setting that activates the rollback.
  6. Restart the device.

For more information about how to use the Local Group Policy Editor, see Working with the Administrative Template policy settings using the Local Group Policy Editor.
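The procedure above ends at a restart but gives no way to confirm the result. The following script is an added example, not part of Microsoft's article: run on the device after the restart, it reads the KIR ADMX files that the .msi installed under C:\Windows\PolicyDefinitions, takes the registry values listed in each policy's `<disabledList>` (the values the editor writes when the policy is set to Disabled; `class="Machine"` means HKLM), and compares them with what is actually in the registry. The `*KnownIssueRollback*` filter on the policy name is an assumption taken from the sample policy name shown later on this page, not a documented naming rule.

```powershell
# Added example (not Microsoft's code): verify on a device that a KIR policy is in effect.
# Assumption: KIR policies are recognised by the "KnownIssueRollback" suffix in their ADMX
# policy name, as in the sample policy shown on this page.
function Test-KirActivation {
    param([string] $PolicyDefinitions = "$env:windir\PolicyDefinitions")

    $results = foreach ($file in Get-ChildItem -Path $PolicyDefinitions -Filter *.admx) {
        [xml]$admx = Get-Content -Path $file.FullName -Raw
        foreach ($policy in @($admx.policyDefinitions.policies.policy | Where-Object { $_ })) {
            $policyName = $policy.GetAttribute('name')
            if ($policyName -notlike '*KnownIssueRollback*') { continue }

            # Each <item> names a registry value; an item without its own key inherits the policy key.
            foreach ($item in @($policy.disabledList.item | Where-Object { $_ })) {
                $key  = if ($item.GetAttribute('key')) { $item.GetAttribute('key') } else { $policy.GetAttribute('key') }
                $name = $item.GetAttribute('valueName')
                $data = ($item.ChildNodes | Where-Object LocalName -eq 'value').ChildNodes |
                        Where-Object NodeType -eq 'Element' | Select-Object -First 1
                $expected = if ($data.LocalName -eq 'decimal') { [int]$data.GetAttribute('value') } else { $data.InnerText }

                # Read the live value. Group Policy writes Machine-class settings under HKLM.
                $actual = (Get-ItemProperty -Path "HKLM:\$key" -Name $name -ErrorAction SilentlyContinue).$name

                [pscustomobject]@{
                    Policy    = $policyName
                    File      = $file.Name
                    Value     = "HKLM\$key\$name"
                    Expected  = $expected
                    Actual    = $actual
                    Activated = ($null -ne $actual -and "$actual" -eq "$expected")
                }
            }
        }
    }

    if (-not $results) { Write-Warning "No KIR policy definitions found under $PolicyDefinitions" }
    $results
}

# A value that is present but the device has not yet restarted is not an active rollback:
# the page is explicit that the change takes effect only after the restart.
Test-KirActivation | Format-Table Policy, Value, Expected, Actual, Activated -AutoSize
```

Run it in an elevated PowerShell session. `Activated` is false either when the value is missing (the policy was never set to Disabled, or `gpupdate` has not run yet) or when the data differs from what the ADMX expects; the same check works on a domain-joined device after the GPO described in the next section has applied.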

Apply a KIR to devices in a hybrid Microsoft Entra ID or AD DS domain by using Group Policy

To apply a KIR policy definition to devices that belong to a hybrid Microsoft Entra ID or AD DS domain, follow these steps:

  1. Download and install the KIR .msi files
  2. Create a Group Policy Object (GPO).
  3. Configure the GPO.
  4. Monitor the GPO results.

1. Download and install the KIR .msi files

  1. Check the KIR release information or the known issues lists to identify which operating system versions you have to update.
  2. Download the KIR policy definition .msi files that you require to update to the computer that you use to manage Group Policy for your domain.
  3. Run the .msi files. This action installs the KIR policy definition in the Administrative Template.

    Note

    Policy definitions are installed in the C:\Windows\PolicyDefinitions folder (the .admx file at the root, the .adml file in a language subfolder such as en-US). If you implemented the Group Policy Central Store, you must copy the .admx and .adml files to the Central Store, which is located at \\<domain>\SYSVOL\<domain>\Policies\PolicyDefinitions, keeping the same layout.

2. Create a GPO

  1. Open Group Policy Management Console, and then select Forest: DomainName > Domains.
  2. Right-click your domain name, and then select Create a GPO in this domain, and link it here.
  3. Enter the name of the new GPO (for example, KIR Issue XXX), and then select OK.

For more information about how to create GPOs, see Create a Group Policy Object.

3. Configure the GPO

Edit your GPO to use the KIR activation policy:

  1. Right-click the GPO that you created previously, and then select Edit.
  2. In the Group Policy Editor, select GPOName > Computer Configuration > Administrative Templates > KB ####### Issue XXX Rollback > Windows 10, version YYMM.
  3. Right-click the policy, select Edit, select Disabled, and then select OK. Disabled is the setting that activates the rollback.

For more information about how to edit GPOs, see Edit a Group Policy object from GPMC.

4. Monitor the GPO results

In the default configuration of Group Policy, managed devices should apply the new policy within 90 to 120 minutes. To speed up this process, you can run gpupdate on affected devices to manually check for updated policies.

Make sure that each affected device restarts after it applies the policy.

Important

The fix that introduced the issue is disabled after the device applies the policy and then restarts.
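Steps 1 to 4 above can be run as one script on the Group Policy management host. The script below is an added example, not Microsoft's code. It assumes the RSAT GroupPolicy module is installed, that the domain uses a Central Store in SYSVOL, and that the KIR .msi has already been downloaded; `$MsiPath`, `$GpoName` and `$Staging` are placeholders. It also assumes that the .msi, when extracted with TARGETDIR, lays out the .admx at the root and the .adml in a language folder, mirroring what it installs under C:\Windows\PolicyDefinitions. Instead of clicking Disabled in the editor, it reads the policy's `<disabledValue>` and `<disabledList>` from the ADMX and writes those registry values into the GPO, which is what the editor does for a policy set to Disabled.

```powershell
#Requires -RunAsAdministrator
# Added example (not Microsoft's code): KIR activation through a domain GPO, steps 1-4 of the page.
# Assumptions: RSAT GroupPolicy module, Central Store in SYSVOL, .msi layout under TARGETDIR mirrors
# C:\Windows\PolicyDefinitions (ADMX at root, ADML in a language folder). Paths/names are placeholders.
param(
    [Parameter(Mandatory)] [string] $MsiPath,
    [string] $GpoName = 'KIR Issue XXX',
    [string] $Staging = 'C:\Temp\admx',
    [string] $Domain  = $env:USERDNSDOMAIN
)
Import-Module GroupPolicy -ErrorAction Stop

# 1. Extract the policy definition (same msiexec form as in the Intune section) and publish it to
#    the Central Store: .admx at the root, each .adml in its language folder.
$proc = Start-Process msiexec.exe -ArgumentList @('/i', "`"$MsiPath`"", '/qb', "TARGETDIR=`"$Staging`"") -Wait -PassThru
if ($proc.ExitCode -ne 0) { throw "msiexec exited with code $($proc.ExitCode)" }
$admxFiles = @(Get-ChildItem -Path $Staging -Recurse -Filter *.admx)
if ($admxFiles.Count -eq 0) { throw "No .admx file found under $Staging" }
$store = "\\$Domain\SYSVOL\$Domain\Policies\PolicyDefinitions"
$admxFiles | Copy-Item -Destination $store -Force
foreach ($adml in Get-ChildItem -Path $Staging -Recurse -Filter *.adml) {
    $langDir = Join-Path $store $adml.Directory.Name
    New-Item -ItemType Directory -Path $langDir -Force | Out-Null
    Copy-Item -Path $adml.FullName -Destination $langDir -Force
}

# 2. Create the GPO and link it at the domain root (skipped if a GPO of that name already exists).
if (-not (Get-GPO -Name $GpoName -ErrorAction SilentlyContinue)) {
    New-GPO -Name $GpoName -Comment 'Known Issue Rollback activation: remove once the corrected update is deployed' | Out-Null
    $domainDn = [string]([ADSI]'LDAP://RootDSE').defaultNamingContext
    New-GPLink -Name $GpoName -Target $domainDn -LinkEnabled Yes | Out-Null
}

# 3. Set each KIR policy to Disabled. In ADMX terms, "Disabled" writes the policy's <disabledValue>
#    (if it has one) plus every <disabledList> item; class="Machine" means the key is under HKLM.
function Write-PolicyValue([string]$Key, [string]$ValueName, [System.Xml.XmlElement]$Data) {
    switch ($Data.LocalName) {
        'decimal' { Set-GPRegistryValue -Name $GpoName -Key "HKLM\$Key" -ValueName $ValueName -Type DWord  -Value ([int]$Data.GetAttribute('value')) | Out-Null }
        'string'  { Set-GPRegistryValue -Name $GpoName -Key "HKLM\$Key" -ValueName $ValueName -Type String -Value $Data.InnerText | Out-Null }
        default   { Write-Warning "HKLM\$Key\$ValueName uses <$($Data.LocalName)>; set this one in the Group Policy editor" }
    }
}
function Get-DataNode([System.Xml.XmlElement]$Container) {
    # <value><decimal value="0"/></value>, <value><string>..</string></value> or <disabledValue><decimal .../></disabledValue>
    $Container.ChildNodes | Where-Object NodeType -eq 'Element' | Select-Object -First 1
}
foreach ($f in $admxFiles) {
    [xml]$admx = Get-Content -Path $f.FullName -Raw
    foreach ($policy in @($admx.policyDefinitions.policies.policy | Where-Object { $_ })) {
        if ($policy.GetAttribute('class') -eq 'User') { Write-Warning "Skipping user-scope policy $($policy.GetAttribute('name'))"; continue }
        $policyKey = $policy.GetAttribute('key')
        if ($policy.disabledValue -and $policy.GetAttribute('valueName')) {
            Write-PolicyValue $policyKey $policy.GetAttribute('valueName') (Get-DataNode $policy.disabledValue)
        }
        foreach ($item in @($policy.disabledList.item | Where-Object { $_ })) {
            $key = if ($item.GetAttribute('key')) { $item.GetAttribute('key') } else { $policyKey }
            $valueNode = $item.ChildNodes | Where-Object LocalName -eq 'value' | Select-Object -First 1
            Write-PolicyValue $key $item.GetAttribute('valueName') (Get-DataNode $valueNode)
        }
        Write-Host "Set $($policy.GetAttribute('name')) to Disabled in GPO '$GpoName'"
    }
}

# 4. Save a report of what the GPO now contains. Clients pick it up within 90-120 minutes or on
#    'gpupdate /force'; the rollback itself takes effect only after the device restarts.
Get-GPOReport -Name $GpoName -ReportType Html -Path (Join-Path $Staging "$GpoName.html")
Write-Host "Report written to $(Join-Path $Staging "$GpoName.html")"
```

The script links the GPO at the domain root, as the page does; in practice you would usually link it to the OU that contains the affected devices and, when the corrected update has been deployed, remove the GPO and the .admx/.adml pair from the Central Store.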

Deploy a KIR activation using Microsoft Intune ADMX policy ingestion to the managed devices

Note

To use the solutions in this section, the computer must have the cumulative update released on July 26, 2022, or a later one, installed.

Group Policy settings and GPOs don't apply to devices that are managed through a mobile device management (MDM) solution such as Microsoft Intune. These instructions show how to use Intune custom settings to ingest the KIR ADMX file and configure the resulting ADMX-backed MDM policy so that you can perform a KIR activation without a GPO.

To perform a KIR activation on Intune managed devices, follow these steps:

  1. Download and install the KIR .msi file to get ADMX files.
  2. Create a custom configuration profile in Microsoft Intune.
  3. Monitor KIR activation.

1. Download and install the KIR .msi file to get ADMX files

  1. Check the KIR release information or the known issues lists to identify which operating system (OS) versions you must update.

  2. Download the required KIR policy definition .msi files on the device that you use to sign in to Microsoft Intune.

    Note

    You must have access to the contents of a KIR activation ADMX file.

  3. Run the .msi files. This action installs the KIR policy definition in the Administrative Template.

    Note

    Policy definitions are installed in the C:\Windows\PolicyDefinitions folder.

    If you want to extract the ADMX files to another location, use the msiexec command together with the TARGETDIR property. For example:

    msiexec /i c:\admx_file.msi /qb TARGETDIR=c:\temp\admx
    

2. Create a custom configuration profile in Microsoft Intune

To configure devices to perform a KIR activation, you have to create a custom configuration profile for each OS of your managed devices. To create a custom profile, follow these steps:

  1. Select properties and add basic information of the profile.
  2. Add custom configuration setting to ingest ADMX files for KIR activation.
  3. Add custom configuration setting to set new KIR activation policy.
  4. Assign devices to the KIR activation custom configuration profile.
  5. Use applicability rules to target devices to receive KIR custom configuration settings by OS.
  6. Review and create KIR activation custom configuration profile.

A. Select properties and add basic information about the profile

  1. Sign in to the Microsoft Intune admin center.

  2. Select Devices > Configuration profiles > Create profile.

  3. Select the following properties:

    • Platform: Windows 10 and later
    • Profile: Templates > Custom
  4. Select Create.

  5. In Basics, enter the following properties:

    • Name: Enter a descriptive name for the policy. Name your policies so you can easily identify them later. For example, a good policy name is "04/30 KIR Activation – Windows 10 21H2."
    • Description: Enter a description for the policy. This setting is optional but recommended.

    Note

    Platform and Profile type should already have values selected.

  6. Select Next.

Note

For more information about how to create custom configuration profiles and configuration settings, see Use custom device settings in Microsoft Intune.

Before you proceed to the next two steps, open the ADMX file in a text editor (for example, Notepad) within the folder in which the file was extracted. The ADMX file should be in the path, C:\Windows\PolicyDefinitions, if you installed it as an .msi file.

Here's an example of the ADMX file:

  <policies>  
    <policy name="KB5011563_220428_2000_1_KnownIssueRollback" … >  
      <parentCategory ref="KnownIssueRollback_Win_11" />  
      <supportedOn ref="SUPPORTED_Windows_11_0_Only" />  
      <enabledList…> … </enabledList>  
      <disabledList…>…</disabledList>  
    </policy>  
  </policies>

Record the values for policy name and parentCategory. This information is in the "policies" node at the end of the file.

B. Add custom configuration setting to ingest ADMX files for KIR activation

This configuration setting is used to install the KIR activation policy on target devices. Follow these steps to add the ADMX ingestion settings:

  1. In Configuration settings, select Add.

  2. Enter the following properties:

    • Name: Enter a descriptive name for the configuration setting. Name your settings so that you can easily identify them later. For example, a good setting name is "ADMX Ingestion: 04/30 KIR Activation – Windows 10 21H2."

    • Description: Enter a description for the setting. This setting is optional but recommended.

    • OMA-URI: Enter the string ./Device/Vendor/MSFT/Policy/ConfigOperations/ADMXInstall/KIR/Policy/<ADMX Policy Name>.

      Note

      Replace <ADMX Policy Name> with the value of the recorded policy name from the ADMX file. For example, "KB5011563_220428_2000_1_KnownIssueRollback."

    • Data type: Select String.

    • Value: Open the ADMX file with a text editor (for example, Notepad). Copy and paste the entire contents of the ADMX file that you intend to ingest into this field.

  3. Select Save.

C. Add custom configuration setting to set new KIR activation policy

This configuration setting is used to configure the KIR activation policy that's defined in the previous step.

To add the KIR activation configuration settings, follow these steps:

  1. In Configuration settings, select Add.

  2. Enter the following properties:

    • Name: Enter a descriptive name for the configuration setting. Name your settings so that you can easily identify them later. For example, a good setting name is "KIR Activation: 04/30 KIR Activation – Windows 10 21H2."

    • Description: Enter a description for the setting. This setting is optional but recommended.

    • OMA-URI: Enter the string ./Device/Vendor/MSFT/Policy/Config/KIR~Policy~KnownIssueRollback~<Parent Category>/<ADMX Policy Name>.

      Note

      Replace <Parent Category> with the parent category string recorded in the previous step. For example, "KnownIssueRollback_Win_11." Replace <ADMX Policy Name> with the same policy name that you used in the previous step.

    • Data type: Select String.

    • Value: Enter <disabled/>.

  3. Select Save.

  4. Select Next.

D. Assign devices to the KIR activation custom configuration profile

After you define what the custom configuration profile does, follow these steps to identify which devices you'll configure:

  1. In Assignments, select Add all devices.
  2. Select Next.

E. Use applicability rules to target devices to receive KIR custom configuration settings by OS

To target only the devices whose OS the KIR applies to, add an applicability rule that checks the device OS Version (Build) before the configuration is applied. You can look up the build numbers for the supported OS on the following pages:

The build numbers that are shown in the pages are formatted as MMMMM.mmmm, where MMMMM is the OS build number and mmmm is the update (revision) number. The applicability rule compares only the build number. The OS Version values that you enter into the Applicability Rules must be formatted as "10.0.MMMMM" (for example, "10.0.22000").

To set the correct Applicability Rules for your KIR activation, follow these steps:

  1. In Applicability Rules, create an applicability rule by entering the following properties on the blank rule that's already on the page:

    • Rule: Select Assign profile if from the dropdown list.
    • Property: Select OS Version from the dropdown list.
    • Value: Enter the Min and the Max OS version numbers formatted as "10.0.MMMMM."
  2. Select Next.

Note

You can find the OS version of a device by running winver from the Start menu. The dialog shows a two-part build number separated by a period (.), for example "22000.613". Append the left part to "10.0." to get the Min OS version, and add 1 to that build number to get the Max OS version. For this example, use the following values:
Min OS version: "10.0.22000"
Max OS version: "10.0.22001"

F. Review and create KIR activation custom configuration profile

Review your settings of the custom configuration profile, and select Create.
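Steps B, C and E above have you read the policy name and parent category out of the ADMX by hand and then type them into two OMA-URIs and an applicability rule. The function below is an added example, not part of Microsoft's article: it derives all of those values from the ADMX file itself so that they can be pasted into the portal without transcription errors. It goes one step beyond the page in that it builds the category segment of the activation OMA-URI by walking the `<categories>` chain defined in the ADMX rather than assuming the fixed `KnownIssueRollback~<Parent Category>` form; for a KIR file with the structure shown on this page the result is identical. The sample ADMX at the end is constructed for illustration: the policy, category and supportedOn names are taken from the page's sample, the registry key and namespace are made up.

```powershell
# Added example (not Microsoft's code): derive the Intune custom-profile values for a KIR ADMX.
function Get-KirIntuneSettings {
    param(
        [Parameter(Mandatory)] [string] $AdmxPath,
        [Parameter(Mandatory)] [int]    $Build,          # left part of the winver build number, e.g. 22000
        [string] $AppName = 'KIR'                        # {AppName} segment used by the page's OMA-URIs
    )
    $raw  = Get-Content -Path $AdmxPath -Raw             # the whole file is the ingestion Value
    [xml]$admx = $raw
    $policy = $admx.policyDefinitions.policies.policy | Select-Object -First 1
    if (-not $policy) { throw "No <policy> element found in $AdmxPath" }
    $policyName = $policy.GetAttribute('name')
    $parentRef  = $policy.parentCategory.ref

    # Walk from the policy's parentCategory up through the categories defined in this file.
    # The ADMX-backed policy URI joins that chain top-down with '~'.
    $categories = @{}
    foreach ($c in @($admx.policyDefinitions.categories.category | Where-Object { $_ })) {
        $categories[$c.GetAttribute('name')] = $c
    }
    $chain = New-Object System.Collections.Generic.List[string]
    $ref = $parentRef
    while ($ref -and $categories.ContainsKey($ref)) {
        $chain.Insert(0, $ref)
        $ref = $categories[$ref].parentCategory.ref
    }
    if ($chain.Count -eq 0) { throw "parentCategory '$parentRef' is not defined in $AdmxPath" }

    $settingType = 'Policy'
    [pscustomobject]@{
        PolicyName       = $policyName
        SupportedOn      = $policy.supportedOn.ref
        IngestionOmaUri  = "./Device/Vendor/MSFT/Policy/ConfigOperations/ADMXInstall/$AppName/$settingType/$policyName"
        IngestionValue   = $raw
        ActivationOmaUri = "./Device/Vendor/MSFT/Policy/Config/$AppName~$settingType~$($chain -join '~')/$policyName"
        ActivationValue  = '<disabled/>'                 # Disabled is what activates the rollback
        MinOsVersion     = "10.0.$Build"
        MaxOsVersion     = "10.0.$($Build + 1)"
    }
}

# Constructed sample ADMX (not a real KIR file): names follow the page's sample, key/namespace are invented.
$sample = @'
<?xml version="1.0" encoding="utf-8"?>
<policyDefinitions xmlns="http://schemas.microsoft.com/GroupPolicy/2006/07/PolicyDefinitions" revision="1.0" schemaVersion="1.0">
  <policyNamespaces>
    <target prefix="kir" namespace="Microsoft.Policies.KIR.Sample" />
  </policyNamespaces>
  <resources minRequiredRevision="1.0" />
  <supportedOn>
    <definitions>
      <definition name="SUPPORTED_Windows_11_0_Only" displayName="$(string.SUPPORTED_Windows_11_0_Only)" />
    </definitions>
  </supportedOn>
  <categories>
    <category name="KnownIssueRollback" displayName="$(string.KnownIssueRollback)" />
    <category name="KnownIssueRollback_Win_11" displayName="$(string.KnownIssueRollback_Win_11)">
      <parentCategory ref="KnownIssueRollback" />
    </category>
  </categories>
  <policies>
    <policy name="KB5011563_220428_2000_1_KnownIssueRollback" class="Machine"
            displayName="$(string.KB5011563_220428_2000_1_KnownIssueRollback)"
            explainText="$(string.KB5011563_220428_2000_1_KnownIssueRollback_Help)"
            key="SOFTWARE\Policies\Sample\KIR">
      <parentCategory ref="KnownIssueRollback_Win_11" />
      <supportedOn ref="SUPPORTED_Windows_11_0_Only" />
      <enabledList><item valueName="Sample"><value><decimal value="1" /></value></item></enabledList>
      <disabledList><item valueName="Sample"><value><decimal value="0" /></value></item></disabledList>
    </policy>
  </policies>
</policyDefinitions>
'@
$samplePath = Join-Path $env:TEMP 'kir-sample.admx'
Set-Content -Path $samplePath -Value $sample -Encoding UTF8

$settings = Get-KirIntuneSettings -AdmxPath $samplePath -Build 22000
$settings | Select-Object PolicyName, SupportedOn, IngestionOmaUri, ActivationOmaUri, ActivationValue, MinOsVersion, MaxOsVersion | Format-List
```

For the sample file the activation OMA-URI comes out with the category path `KIR~Policy~KnownIssueRollback~KnownIssueRollback_Win_11`, the same string the page shows in step C, and `IngestionValue` holds the text to paste into the ingestion setting in step B. Point `-AdmxPath` at the real file under C:\Windows\PolicyDefinitions (or the folder you extracted to with TARGETDIR) and pass the build number from winver.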

3. Monitor KIR activation

Your KIR activation should be in progress now. Follow these steps to monitor the configuration profile progress:

  1. Go to Devices > Configuration profiles, and select the KIR activation profile that you created.

  2. Select the Overview tab. In this view, the Profile assignment status includes the following statuses:

    • Succeeded: Policy is applied successfully.
    • Error: The policy didn't apply. The message typically displays an error code that links to an explanation.
    • Conflict: Two settings are applied to the same device, and Intune can't sort out the conflict. An administrator should review the conflict.
    • Pending: The device hasn't checked in with Intune to receive the policy yet.
    • Not applicable: The device can't receive the policy. For example, the device's OS build falls outside the Min and Max OS version range in the profile's applicability rule.

For more information, see Monitor device configuration profiles in Microsoft Intune.

More information