The technology that underpins Known Issue Rollback first appeared in Windows 10 version 2004. Known Issue Rollback, or KIR for short, lets Microsoft and IT administrators quickly roll back non-security fixes that are causing functionality issues in Windows.
Known Issue Rollback is designed to help Microsoft and organizations keep Windows devices secure while making sure users remain productive. Because security and non-security fixes are bundled together in single monthly cumulative updates (CUs), KIR provides a way for Microsoft to disable problematic code in CUs without impacting security fixes or other non-security fixes in an update.
KIR is a Windows servicing feature that lets Microsoft revert non-security fixes applied to Windows that might be impacting devices. Microsoft built KIR in response to customer feedback about Windows Update. In each monthly cumulative update (CU) that Microsoft releases for Windows, many of the included fixes support KIR. So, if a serious regression is discovered, instead of uninstalling a CU from Windows, KIR can be applied to effectively turn off the problematic code without affecting other improvements, fixes, and security updates in a CU.
KIR works at the code level. Windows developers keep the old code in place and add the required fix. If a fix needs to be reverted, KIR evaluates a policy to decide whether Windows should execute the old code path instead of the updated code that contains a fix or improved behavior. Fixes in monthly CUs are enabled by default. But Microsoft can change a policy setting on a device, using Azure hosted services and Windows, to disable the fix, setting Windows to run the old code execution path.
If Microsoft needs to revert a fix in an update because of reported problems, it makes a change in the cloud that is picked up by devices configured to use Windows Update or Windows Update for Business. The devices then apply the change at the next reboot and start executing the old code path. While the old code may also be problematic in some way, it is less likely to impact the device than the updated code pushed out in the latest CU for Windows.
The need to reboot before a fix is rolled back may seem problematic, but Microsoft says that in most cases the regression is detected and the rollback is applied before the CU is installed. So, most users won’t need to reboot their systems or ever know that there was a problem with the CU. Additionally, the information collected from devices opted into providing diagnostic data allows Microsoft to see how well rollback is working across the ecosystem.
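The policy gate and reboot behaviour described above can be modelled in a few lines of C. This is an added conceptual example, not Microsoft's code or a Windows API: every name and identifier in it is hypothetical. It assumes that a fix shipped without a retained old code path (here, the security fix) cannot be rolled back.

```c
#include <stdbool.h>
#include <stddef.h>
#include <string.h>

/* Conceptual model only; every name here is hypothetical, not a Windows API. */
enum path { PATH_NEW_FIX, PATH_OLD_CODE };

struct fix {
    const char *issue_id;   /* one rollback policy per known issue */
    bool kir_capable;       /* shipped with the old code path retained */
    bool staged_rollback;   /* policy received from the cloud or Group Policy */
    bool active_rollback;   /* policy state picked up at the last boot */
};

/* Constructed sample CU: one KIR-capable non-security fix, one security fix. */
static struct fix cu[] = {
    { "ISSUE-PLACEHOLDER-1",  true,  false, false },
    { "SECURITY-PLACEHOLDER", false, false, false },
};
#define CU_LEN (sizeof cu / sizeof cu[0])

static struct fix *find_fix(const char *id) {
    for (size_t i = 0; i < CU_LEN; i++)
        if (strcmp(cu[i].issue_id, id) == 0) return &cu[i];
    return NULL;
}

/* Stage or clear a rollback policy; false means the fix cannot be reverted. */
bool set_rollback_policy(const char *id, bool rollback) {
    struct fix *f = find_fix(id);
    if (f == NULL || !f->kir_capable) return false;
    f->staged_rollback = rollback;
    return true;
}

/* A staged policy only takes effect at the next reboot. */
void reboot(void) {
    for (size_t i = 0; i < CU_LEN; i++)
        cu[i].active_rollback = cu[i].staged_rollback;
}

/* The gate evaluated at a fix site: fixes are enabled by default. */
enum path select_path(const char *id) {
    struct fix *f = find_fix(id);
    if (f != NULL && f->kir_capable && f->active_rollback) return PATH_OLD_CODE;
    return PATH_NEW_FIX;
}
```

The point for administrators is the gap between staging and activation: a device that has received the rollback policy but has not rebooted is still running the fixed code path.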
Enterprises can manage KIR themselves. If Microsoft detects a regression in a CU that can be reverted using KIR, it publishes a Group Policy setting that is used to apply the rollback policy to devices managed by Windows Server Active Directory. If a Group Policy setting is available to roll back a fix, it is included in the Windows Update KB article and release notes as a mitigation for a known issue. Each Group Policy setting listed in a Windows Update KB article is unique to a specific issue.
KIR policy settings aren’t intended to be deployed long-term. Once Microsoft has addressed the problem in a CU and the fix is reissued, the KIR policy setting, if enabled, can be removed from devices.
Windows 10 version 2004, later versions of Windows 10, and Windows 11 support KIR. KIR was first designed to revert issues with user-mode processes. But newer versions of Windows support KIR rollback for the Windows kernel and boot loader, letting Microsoft revert fixes for kernel-mode processes.
Windows 10 versions 1809 and 1909 have limited support for KIR. Microsoft enables KIR rollback policy for Windows 10 versions 1809 and 1909 whenever possible.
KIR goes some way to address concerns that IT departments have voiced since Microsoft started pushing out all fixes as a single monthly update. In the past, organizations were able to pick and choose which security fixes and non-security fixes they wanted to apply. But while a single monthly CU has some benefits, until the advent of KIR, if a fix caused a problem, in most cases all other security and non-security fixes needed to be removed from a system to fix a regression, potentially leaving devices exposed to security threats.
Microsoft is planning to integrate KIR with Mobile Device Management (MDM) services, like Intune. And KIR will also soon support Hyper-V, Windows Defender Application Guard (WDAG), and System Guard processes.