
KB5068787 for Windows Server 2022 (OS Build 20348.4405): Complete Deployment and Verification Guide
KB5068787 (OS Build 20348.4405) is a Windows Server 2022 cumulative security update. This guide walks you through a safe rollout strategy for WSUS servers and domain controllers, multiple installation methods, post-patch verification, and a rollback plan if something breaks.
The Problem
KB5068787 is a cumulative update for Windows Server 2022. On production servers, the technical challenge is rarely clicking Install - it is rolling the patch out safely across critical roles (WSUS, domain controllers, IIS, application servers) while preserving service continuity, replication health, and endpoint protection telemetry.
This guide follows a controlled escalation path:
- Confirm the OS/build and applicability
- Prepare backups and a maintenance window
- Patch the highest-risk roles first (WSUS, then domain controllers)
- Verify installation and core role health (AD replication, WSUS sync, HTTP.sys/IIS behavior, Defender/MDE status)
- Keep a rollback plan ready (DISM removal, snapshot restore)
Before you start
- Use a staging ring if you have more than a handful of servers.
- If you manage servers via WSUS/SCCM, validate classifications and approvals.
- If you must do offline image servicing, ensure the servicing stack prerequisites are met (per Microsoft guidance).
What success looks like
- KB5068787 shows as installed on target servers
- No unexpected boot loops or service failures
- WSUS sync and client reporting still function
- Domain controllers replicate and authenticate normally
- Defender for Endpoint telemetry (where applicable) remains healthy
- IIS and reverse proxies do not experience new parsing or request handling issues
Step-by-Step Guide
Confirm applicability: Windows Server 2022 and current build
Avoid patching the wrong OS or chasing the wrong KB.
On the target server, confirm you are running Windows Server 2022 and identify the current OS build.
- Open Windows Terminal or PowerShell as Administrator.
- Run the build check command.
If you are not on Windows Server 2022 (20348.x), stop here and identify the correct cumulative update for your OS release.
Get-ItemProperty "HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion" |
Select-Object ProductName, DisplayVersion, CurrentBuildNumber, UBR
Decide your rollout order (WSUS first, domain controllers next)
Reduce blast radius while patching the highest-impact roles early.
Use this deployment order when you operate WSUS and domain controllers:
- WSUS servers (if internet-exposed, treat as highest priority)
- Domain controllers (staggered)
- Internet-facing IIS/reverse proxies
- Critical app servers
- General member servers
In large environments, patch in batches using rings (pilot, broad, then full).
Pre-patch checklist: snapshot, backup, and change control
Make rollback possible under pressure.
Before installing KB5068787:
- Take a VM snapshot (preferred) or a full backup.
- Record current OS build, installed updates, and key service status.
- Confirm you have console access (iLO/iDRAC/Hypervisor) in case of boot issues.
- Notify stakeholders for downtime (especially for WSUS and DC maintenance).
If you run offline image servicing, follow Microsoft's guidance on servicing stack prerequisites.
Choose the installation channel (Windows Update, WSUS/SCCM, or Update Catalog)
Use a method that fits your environment and minimizes surprises.
Pick the most appropriate channel:
- Windows Update / Windows Update for Business: typical for standalone or cloud-managed servers
- WSUS/SCCM: standard for enterprise rings and reporting
- Microsoft Update Catalog: best for manual installs and break-glass scenarios
If using WSUS, confirm that the product and classification selections match your Server 2022 fleet and that the update is approved for the target group.
Patch WSUS servers (safe service stop and restart)
Reduce risk during install and stabilize WSUS after reboot.
On WSUS servers, use a controlled maintenance approach:
- Stop WSUS-related services.
- Install KB5068787 via your chosen method.
- Reboot.
- Start services and validate sync/health.
If you rely on WSUS error details in the console, be aware that Microsoft documents changes to error detail reporting in later updates tied to mitigation work; plan alternate monitoring.
Stop-Service WsusService -Force
Stop-Service W3SVC -Force
# Install KB via WSUS/SCCM or run the standalone installer from Catalog
Start-Service W3SVC
Start-Service WsusService
Patch domain controllers in a staggered sequence
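A post-reboot WSUS health check for the step above, written as an added example (it is not part of the original guide). It assumes the UpdateServices module that ships with the WSUS role, a local default-port WSUS instance, and a tolerated sync age of 36 hours.

```powershell
# Added example: validate WSUS after patching and rebooting.
# Assumptions: UpdateServices module present, WSUS on localhost:8530.
Import-Module UpdateServices -ErrorAction Stop

function Test-WsusHealth {
    param([int]$MaxSyncAgeHours = 36)   # assumption: one missed daily sync is tolerable

    $result = [ordered]@{ ComputerName = $env:COMPUTERNAME; Healthy = $true; Issues = @() }

    # 1. The services stopped for the patch window must be running again
    foreach ($svc in 'WsusService', 'W3SVC') {
        $s = Get-Service -Name $svc -ErrorAction SilentlyContinue
        if (-not $s -or $s.Status -ne 'Running') {
            $result.Healthy = $false
            $result.Issues += "Service $svc is not running"
        }
    }

    # 2. API reachable and the last synchronization succeeded recently (times are UTC)
    try {
        $wsus = Get-WsusServer
        $last = $wsus.GetSubscription().GetLastSynchronizationInfo()
        $result.LastSyncResult = [string]$last.Result
        $result.LastSyncEnd    = $last.EndTime
        if ($last.Result -ne 'Succeeded') {
            $result.Healthy = $false
            $result.Issues += "Last sync result: $($last.Result)"
        } elseif (([DateTime]::UtcNow - $last.EndTime).TotalHours -gt $MaxSyncAgeHours) {
            $result.Healthy = $false
            $result.Issues += "Last successful sync is older than $MaxSyncAgeHours h"
        }
        # 3. Clients still report: any computer checked in during the last 24 h?
        $since  = [DateTime]::UtcNow.AddHours(-24)
        $recent = @($wsus.GetComputerTargets() | Where-Object { $_.LastReportedStatusTime -gt $since })
        $result.ClientsReporting24h = $recent.Count
        if ($recent.Count -eq 0) {
            $result.Healthy = $false
            $result.Issues += 'No clients have reported in the last 24 h'
        }
    } catch {
        $result.Healthy = $false
        $result.Issues += "WSUS API unavailable: $($_.Exception.Message)"
    }
    [pscustomobject]$result
}

Test-WsusHealth | Format-List
```

On very large WSUS databases, GetComputerTargets() can take a while; run the check once after the window rather than in a tight loop.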
Maintain authentication and replication capacity while updating DCs.
Patch domain controllers one at a time (small environment) or in small batches (large forest):
- Validate replication health before patching.
- Install KB5068787.
- Reboot.
- Validate replication and SYSVOL/GPO processing.
If you use Microsoft Defender for Endpoint on DCs, include verification that telemetry/health indicators remain normal after the update.
repadmin /replsummary
repadmin /showrepl
Patch IIS and proxy-facing servers: watch HTTP.sys behavior
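A replication gate for the staggered DC sequence above, added here as an example rather than taken from the original guide. It parses the CSV form of the repadmin command the guide already uses, cross-checks with the ActiveDirectory module, and refuses to move to the next DC until the previous one passes again; the DC names are constructed placeholders.

```powershell
# Added example: gate each DC patch on replication health before and after.
# Assumptions: ActiveDirectory module installed, repadmin available, run as a domain admin.
Import-Module ActiveDirectory -ErrorAction Stop

function Test-DcReplicationGate {
    param(
        [Parameter(Mandatory)][string]$DomainController,
        [int]$MaxFailures = 0                     # assumption: any inbound failure blocks the window
    )
    # repadmin CSV output: one row per inbound replication link of the named DC
    $rows   = @(repadmin /showrepl $DomainController /csv | ConvertFrom-Csv)
    $failed = @($rows | Where-Object { [int]$_.'Number of Failures' -gt $MaxFailures })

    # Independent view: failures the DC itself has recorded
    $adFailures = @(Get-ADReplicationFailure -Target $DomainController -ErrorAction SilentlyContinue)

    # SYSVOL must be shared again after reboot or GPO processing will fail
    $sysvol = Test-Path "\\$DomainController\SYSVOL"

    [pscustomobject]@{
        DomainController = $DomainController
        InboundLinks     = $rows.Count
        FailedLinks      = $failed.Count
        ADFailures       = $adFailures.Count
        SysvolShared     = $sysvol
        Pass             = ($failed.Count -eq 0 -and $adFailures.Count -eq 0 -and $sysvol)
        Detail           = $failed | Select-Object 'Source DSA', 'Naming Context', 'Number of Failures', 'Last Failure Status'
    }
}

# Staggered loop: the next DC is touched only after the previous one passes the gate again.
$dcsInOrder = @('DC01', 'DC02', 'DC03')   # constructed names; replace with your own order
foreach ($dc in $dcsInOrder) {
    $pre = Test-DcReplicationGate -DomainController $dc
    if (-not $pre.Pass) { Write-Warning "Gate failed before patching $dc; stopping."; $pre.Detail; break }

    # Install KB5068787 on $dc via your chosen channel, then reboot, e.g.:
    # Restart-Computer -ComputerName $dc -Wait -For PowerShell -Timeout 1800

    $post = Test-DcReplicationGate -DomainController $dc
    if (-not $post.Pass) { Write-Warning "Gate failed after patching $dc; investigate first."; $post.Detail; break }
}
```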
Catch request parsing or compatibility issues quickly after patching.
If the server is IIS-facing or sits behind reverse proxies:
- Patch one canary server first.
- After reboot, test critical application routes.
- Monitor for spikes in 400-series errors or abnormal request handling.
If strict parsing is required for security posture, implement it only after validating compatibility in staging.
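To make the 400-series monitoring concrete, the following added example (not from the original guide) compares 4xx rates between a pre-patch baseline window and a post-patch canary window parsed from IIS W3C logs. The log lines are constructed samples; in practice read them from the site's log folder, and the doubling threshold is an assumption.

```powershell
# Added example: parse IIS W3C log lines and compare client-error rates across two windows.
function Get-IisStatusSummary {
    param([Parameter(Mandatory)][string[]]$Lines)
    $fields = $null; $total = 0; $c4xx = 0; $byStatus = @{}
    foreach ($line in $Lines) {
        if ($line -like '#Fields:*') {            # the W3C header names the columns
            $fields = ($line -replace '^#Fields:\s*', '') -split '\s+'
            continue
        }
        if ($line.StartsWith('#') -or -not $fields) { continue }
        $values = $line -split '\s+'
        $row = @{}
        for ($i = 0; $i -lt $fields.Count -and $i -lt $values.Count; $i++) { $row[$fields[$i]] = $values[$i] }
        $status = [int]$row['sc-status']
        $total++
        $byStatus[$status] = 1 + [int]$byStatus[$status]
        if ($status -ge 400 -and $status -le 499) { $c4xx++ }
    }
    $rate = if ($total) { [math]::Round($c4xx / $total, 3) } else { 0 }
    [pscustomobject]@{ Requests = $total; Client4xx = $c4xx; Rate4xx = $rate; ByStatus = $byStatus }
}

# Constructed sample data: a baseline window before the patch and a canary window after it.
# Real logs live under C:\inetpub\logs\LogFiles\W3SVC<siteid>\ (assumed default path).
$header = @('#Software: Microsoft Internet Information Services 10.0',
            '#Fields: date time s-ip cs-method cs-uri-stem sc-status sc-substatus sc-win32-status')
$baseline = $header + @(
    '2025-11-12 01:00:01 10.0.0.5 GET /app/health 200 0 0',
    '2025-11-12 01:00:02 10.0.0.5 GET /app/orders 200 0 0',
    '2025-11-12 01:00:03 10.0.0.5 POST /app/orders 201 0 0',
    '2025-11-12 01:00:04 10.0.0.5 GET /app/missing 404 0 2')
$canary = $header + @(
    '2025-11-12 03:00:01 10.0.0.5 GET /app/health 200 0 0',
    '2025-11-12 03:00:02 10.0.0.5 GET /app/orders 400 0 0',
    '2025-11-12 03:00:03 10.0.0.5 POST /app/orders 400 0 0',
    '2025-11-12 03:00:04 10.0.0.5 GET /app/orders 200 0 0')

$b = Get-IisStatusSummary -Lines $baseline   # 1 of 4 requests is 4xx (rate 0.25)
$c = Get-IisStatusSummary -Lines $canary     # 2 of 4 requests are 4xx (rate 0.5)

# Alert rule (assumption): flag when the canary 4xx rate exceeds twice the baseline or 5%
if ($c.Rate4xx -gt [math]::Max(2 * $b.Rate4xx, 0.05)) {
    Write-Warning "4xx rate rose from $($b.Rate4xx) to $($c.Rate4xx) after patching; review request handling."
}
```

Splitting by cs-uri-stem (the $row hashtable already carries it) shows which application routes regressed rather than only that something did.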
Verify the update is installed (and document the new baseline)
Confirm deployment success with an auditable check.
After reboot, verify KB5068787 is installed:
- Use Get-HotFix for a quick confirmation.
- Record the post-patch OS build.
- Capture a short change log entry (server, time, result, any issues).
Get-HotFix -Id KB5068787
Get-ItemProperty "HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion" |
Select-Object CurrentBuildNumber, UBR
Post-patch role validation: WSUS, DC, and security telemetry
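The applicability check at the start of this guide and the verification step above read the same registry values, so one added example (not from the original guide) covers both: a pre-flight test that says whether KB5068787 applies, and a post-patch test that requires the hotfix inventory and the registry build to agree, with a DISM fallback. The change-log path and the RollupFix package naming pattern are assumptions.

```powershell
# Added example: pre-flight applicability and post-patch verification for KB5068787.
# Target values come from the guide: Windows Server 2022 build 20348, UBR 4405.
$TargetBuild = 20348
$TargetUbr   = 4405
$KbId        = 'KB5068787'

function Get-OsBuildInfo {
    # Same CurrentVersion keys the guide queries, returned as typed numbers
    $cv = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'
    [pscustomobject]@{ ProductName = $cv.ProductName; Build = [int]$cv.CurrentBuildNumber; UBR = [int]$cv.UBR }
}

function Test-KbApplicability {
    # Pre-flight: only Server 2022 (20348.x) with a UBR below 4405 still needs this LCU
    $os = Get-OsBuildInfo
    $isServer2022 = ($os.Build -eq $TargetBuild)
    [pscustomobject]@{
        ComputerName = $env:COMPUTERNAME
        ProductName  = $os.ProductName
        Build        = "$($os.Build).$($os.UBR)"
        IsServer2022 = $isServer2022
        Applicable   = $isServer2022 -and ($os.UBR -lt $TargetUbr)
    }
}

function Test-KbInstalled {
    # Post-patch: Get-HotFix and the registry build must agree; DISM inventory is the WMI fallback
    $os     = Get-OsBuildInfo
    $hotfix = Get-HotFix -Id $KbId -ErrorAction SilentlyContinue
    $pkg    = $null
    if (-not $hotfix) {
        # Assumption: the LCU package identity ends in ~~<build>.<ubr>.x.y (e.g. Package_for_RollupFix~...~20348.4405.1.x)
        $pkg = Get-WindowsPackage -Online | Where-Object {
            $_.PackageState -eq 'Installed' -and $_.PackageName -match "RollupFix.*~$TargetBuild\.$TargetUbr"
        }
    }
    $buildOk = ($os.Build -eq $TargetBuild -and $os.UBR -ge $TargetUbr)
    [pscustomobject]@{
        ComputerName = $env:COMPUTERNAME
        Timestamp    = (Get-Date).ToString('o')
        Build        = "$($os.Build).$($os.UBR)"
        HotfixFound  = [bool]$hotfix
        PackageFound = [bool]$pkg
        Verified     = $buildOk -and ([bool]$hotfix -or [bool]$pkg)
    }
}

# Usage: run Test-KbApplicability before the window; after reboot, append the verification
# result as one JSON line to a change log (path is an assumption).
Test-KbInstalled | ConvertTo-Json -Compress | Add-Content -Path 'C:\PatchLogs\KB5068787.jsonl'
```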
Prove the business-critical functions still work.
Use a role-based validation checklist:
WSUS
- Confirm WSUS console loads
- Confirm synchronization completes
- Confirm clients can scan and download updates
Domain Controllers
- Confirm logons succeed
- Confirm replication health
- Confirm SYSVOL and GPO processing
Security
- Confirm Defender status is healthy
- Confirm endpoint/security telemetry (where applicable) is not degraded
Get-MpComputerStatus | Select-Object AMServiceEnabled, AntispywareEnabled, RealTimeProtectionEnabled, NISEnabled
Troubleshoot installation failures (CBS logs, prerequisites, offline servicing)
Resolve common failure modes without random rollback loops.
If the update fails to install:
- Check Windows Update error codes and Event Viewer.
- Review CBS.log for missing assemblies or servicing stack related issues.
- If servicing an offline image, ensure prerequisites are met per Microsoft documentation.
If your environment blocks Windows Update, prefer the Update Catalog package and verify that the servicing baseline is consistent across your fleet.
Rollback plan: remove the LCU using DISM (not wusa)
Recover safely if the patch causes an outage or regression.
If you must remove the update:
- Microsoft notes that wusa /uninstall may not work for combined SSU + LCU packages.
- Use DISM remove-package with the LCU package name.
Preferred rollback approach in production is usually:
- VM snapshot restore (fastest)
- DISM removal (when snapshot is not available)
- Full backup restore (last resort)
DISM /Online /Get-Packages | findstr /i 5068787
# Copy the exact package identity from the output, then:
DISM /Online /Remove-Package /PackageName:<PACKAGE_ID>
Restart-Computer
Do not stop at KB5068787: move to the latest Server 2022 cumulative update when possible
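Finding the exact package identity is the error-prone part of the DISM rollback above, so this added example (not from the original guide) locates the installed LCU with the DISM PowerShell module and only removes it when -Execute is passed. The RollupFix naming pattern is an assumption about how LCU packages are named; confirm it against your own DISM /Get-Packages output.

```powershell
# Added example: identify the KB5068787 LCU package and remove it deliberately, not by guesswork.
function Get-LcuPackage {
    param([string]$Build = '20348.4405')   # build introduced by KB5068787
    # Assumption: LCU identity looks like Package_for_RollupFix~<pubkey>~amd64~~20348.4405.1.x
    Get-WindowsPackage -Online | Where-Object {
        $_.PackageState -eq 'Installed' -and
        $_.PackageName -match "RollupFix.*~$([regex]::Escape($Build))"
    }
}

function Invoke-LcuRollback {
    param([switch]$Execute)
    $pkgs = @(Get-LcuPackage)
    if ($pkgs.Count -ne 1) {
        # Zero matches: pattern or build is wrong. Several: superseded LCUs still present; pick by hand.
        Write-Warning "Expected one matching LCU package, found $($pkgs.Count). Inspect Get-WindowsPackage -Online."
        return $pkgs
    }
    $name = $pkgs[0].PackageName
    Write-Host "LCU package identity: $name"
    if ($Execute) {
        # PowerShell equivalent of DISM /Online /Remove-Package /PackageName:<id>
        Remove-WindowsPackage -Online -PackageName $name -NoRestart
        Write-Host 'Removal staged; Restart-Computer to complete the rollback.'
    } else {
        Write-Host 'Dry run only. Re-run with -Execute to remove the package.'
    }
}

Invoke-LcuRollback            # dry run: prints the identity it would remove
```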
Stay current on security fixes beyond the November 2025 baseline.
KB5068787 is a specific baseline. In most environments, the best practice is to install the newest available cumulative update for Windows Server 2022 after validation.
- Check Windows Update and your WSUS/SCCM approvals.
- Update your pilot ring first.
- Promote to broader rings after stable validation.
Document the final baseline you standardize on for the month.
Frequently Asked Questions
What is KB5068787?
KB5068787 is the Windows Server 2022 cumulative update released for the November 2025 Patch Tuesday cycle, bringing the OS to Build 20348.4405 and including security fixes plus quality improvements.
Should WSUS servers be patched first?
Yes. WSUS is a high-leverage role: if it is compromised or unstable, it can impact update delivery and monitoring across the entire organization. Patch WSUS early, then validate health before continuing.
How do I verify that KB5068787 is installed?
Use Get-HotFix -Id KB5068787 and confirm the OS build baseline via the CurrentVersion registry values. In environments with WMI issues, validate using the DISM package listing as a fallback.
Why might WSUS error details change after later updates?
Microsoft documents that WSUS error detail reporting may be temporarily removed in later updates to address mitigation needs for a WSUS remote code execution vulnerability. Plan alternate monitoring and verification workflows.
Can I uninstall KB5068787 with wusa?
Not reliably. Microsoft notes that combined servicing packages may not uninstall via wusa. Use DISM /Remove-Package with the correct package identity, or revert via snapshot/backup when available.