
Why Is the New Windows 11 24H2 Update Ruthlessly Ignoring Your GPO Restart Blocks?

Is Your Enterprise Safe from the Shocking Windows 11 25H2 Forced Restart Bug?

Critical Alert: Windows 11 24H2/25H2 GPO Failures Causing Forced Restarts
Date: November 22, 2025
Affected Systems: Windows 11 Enterprise (Versions 24H2, 25H2), Windows Server 2025
Primary Trigger: Cumulative Update KB5068861

An alarming trend has emerged in managed enterprise environments following the November 2025 patch cycle. Multiple system administrators have confirmed that Windows 11 versions 24H2 and 25H2 are ignoring established Group Policy Objects (GPOs) designed to prevent automatic restarts.

While these policies functioned flawlessly in Windows 10 and earlier iterations of Windows 11, the latest cumulative update (KB5068861) appears to override local administrative controls, forcing reboots even when users are logged in and active.

The Core Problem: Administrative Override

In a standard enterprise configuration, IT administrators utilize WSUS (Windows Server Update Services) and GPOs to strictly control update behavior. The primary goal is to ensure security compliance without disrupting business operations.

However, reports indicate that KB5068861 bypasses these constraints. Instead of waiting for user approval or a designated maintenance window, the Windows Update client initiates a forced restart sequence, resulting in data loss for users running long-running tasks (such as rendering, calculations, or code compilation).

Field Observations & Symptoms

Based on verified reports from three independent administrators between November 14 and November 19, 2025, the issue manifests in the following ways:

  • The “Silent” Killer: Devices are restarting automatically without prior announcements or recovery dialogs, even while users are actively logged into the system.
  • The “15-Minute” Loop: Users receive a prompt: “We have an update for you… We will perform a restart at [Time].” While a “Not Now” option exists, the prompt aggressively reappears. If a user steps away from their desk, the system restarts automatically after the timer expires.
  • Violation of Active Hours: Restarts are occurring during designated “Active Hours” (e.g., 9:00 AM), directly contradicting configured policies.

Technical Analysis: The Failing Policies

The specific GPOs that are effectively “breaking” under the 24H2/25H2 architecture include:

  • No auto-restart with logged-on users for scheduled automatic updates installations: Status: IGNORED.
  • Turn off auto-restart for updates during active hours (7:00 AM – 4:00 PM): Status: IGNORED.
  • WSUS Management: Despite settings restricting updates to WSUS approval, feature updates and cumulative patches appear to be leaking through via the standard Windows Update channel.

Root Cause Hypotheses

The IT community is currently investigating two primary causes for this regression:

The “Dual Scan” Trap

Even with WSUS configured, Windows 11 may be inadvertently triggering “Dual Scan,” allowing it to pull instructions directly from Microsoft Update rather than the local WSUS server. This often overrides local deferral policies.

Legacy Policy Deprecation

There is concern that Microsoft has altered how Windows 11 24H2 interprets “Legacy Policies” found under Windows Components > Windows Update. Policies that worked for Windows 10 22H2 may no longer be respected by the modern Windows 11 servicing stack.

Current Configuration Baseline

For reference, the following GPO configuration—which previously guaranteed stability—is now failing to stop restarts:

  • Legacy Policies: Enabled “No auto-restart with logged on users.”
  • End User Experience: Enabled “Configure Automatic Updates (Option 4: Auto download)” and Enabled “Turn off auto-restart during active hours.”
  • WSUS Settings: Enabled “Specify intranet Microsoft update service location” and “Specify source service for specific classes of Windows Updates.”

Call to Action for Administrators

If you are managing Windows 11 24H2 or 25H2 environments, immediate testing of KB5068861 in a sandbox environment is recommended before wide deployment. Verify whether your specific GPO combinations are respected, or whether your users are at risk of unexpected interruptions.
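
One way to run that verification on a single test client, as an added example that is not part of the original article: a read-only PowerShell check that compares the policy values present in the registry with the baseline listed above, then lists recent restart events. The registry value names are not given in the article; they are the names these Windows Update policies are expected to write and should be treated as assumptions to confirm against your own ADMX templates.

```powershell
# Added example (not from the article): read-only audit of Windows Update policy values.
# Registry value names are assumptions not stated in the article; expected data mirrors
# its baseline (AU option 4, active hours 7:00 AM - 4:00 PM, WSUS as scan source).
$wu = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
$au = "$wu\AU"

$expected = @(
    @{ Path = $au; Name = 'NoAutoRebootWithLoggedOnUsers'; Want = 1 }
    @{ Path = $au; Name = 'AUOptions';                     Want = 4 }
    @{ Path = $au; Name = 'UseWUServer';                   Want = 1 }
    @{ Path = $wu; Name = 'SetActiveHours';                Want = 1 }
    @{ Path = $wu; Name = 'ActiveHoursStart';              Want = 7 }
    @{ Path = $wu; Name = 'ActiveHoursEnd';                Want = 16 }
    # Scan source per update class: 1 = WSUS, 0 = Windows Update
    @{ Path = $wu; Name = 'SetPolicyDrivenUpdateSourceForFeatureUpdates'; Want = 1 }
    @{ Path = $wu; Name = 'SetPolicyDrivenUpdateSourceForQualityUpdates'; Want = 1 }
)

function Get-PolicyValue($Path, $Name) {
    # Returns $null when either the key or the value is absent
    $item = Get-ItemProperty -Path $Path -ErrorAction SilentlyContinue
    if ($item -and $item.PSObject.Properties[$Name]) { $item.$Name } else { $null }
}

$report = foreach ($e in $expected) {
    $actual = Get-PolicyValue $e.Path $e.Name
    [pscustomobject]@{
        Value    = $e.Name
        Expected = $e.Want
        Actual   = if ($null -eq $actual) { '<not set>' } else { $actual }
        Status   = if ($null -eq $actual) { 'MISSING' }
                   elseif ($actual -eq $e.Want) { 'OK' } else { 'MISMATCH' }
    }
}
$report | Format-Table -AutoSize
"WSUS server: $(Get-PolicyValue $wu 'WUServer')"

# System log event ID 1074 records which process requested each restart and when
Get-WinEvent -FilterHashtable @{ LogName = 'System'; Id = 1074 } -MaxEvents 5 `
    -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Message | Format-List
```

MISSING or MISMATCH rows point to a policy delivery problem on that client (GPO scope, filtering or precedence) rather than to the update itself. If every row reads OK and the restart events still fall inside active hours or during a logged-on session, the client matches the behaviour reported above.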