Microsoft has already started rolling out Windows 11 via Windows Update and WSUS. It is not entirely clear when individual PCs will receive the upgrade, but most companies currently do not want it anyway. This upgrade can be blocked or specifically requested using a GPO setting.

Although Microsoft promises a smooth update from Windows 10 to 11, most organizations will still need some time until they migrate their PCs to Windows 11. On the one hand, existing applications must be checked for compatibility with the new OS; on the other hand, users need to be prepared for the revamped interface.

Existing hardware as an obstacle

The significantly increased hardware requirements will mean that most companies will first have to get an overview of which PCs meet these requirements. The (possible) installation of this operating system on unsupported hardware is usually not an option in a professional environment.

For users who cannot or do not want to switch to Windows 11 for the time being, Microsoft is offering a final upgrade for Windows 10 with 21H2. The OS is supposed to receive support until 2025, but the release information does not yet indicate the versions and editions to which this will apply.

Updates requested by users

In unmanaged environments, users can trigger an upgrade to Windows 11 on compatible hardware by checking for available updates in the Settings app under Update & Security.

User can request unwanted feature updates in the Settings app

If a company manages updates via WSUS, then an admin has, as usual, full control over which updates to release. In WSUS, Windows 11 is its own product, which you must first subscribe to before you get updates for it.

For upgrades to Windows 11 you first have to subscribe to the new OS as a product in WSUS.

However, if companies use Windows Update for Business (WUfB), as recommended by Microsoft, the situation is a little more confusing. In this case, admins could prevent end users from triggering updates manually by hiding the corresponding option.

The setting Remove access to use all Windows Update features achieves this goal. It can be found under Computer Configuration > Policies > Administrative Templates > Windows Components > Windows Update.

A GPO can be used to prevent users from retrieving the update to Windows 11

This prevents unauthorized upgrades to Windows 11, but leaves it up to Microsoft to decide when the new OS is installed. However, according to the latest change in update logic, a feature update will occur automatically only when the installed version of Windows 10 is nearing the end of support. This currently applies to the 2004 release, for example.

Define the target version for the feature update

In this case, you can also use Group Policy to control the version of the feature update you want to get next. The option Select the target Feature Update version, introduced with Windows 10 2004 (under Windows Update for Business), is intended for this purpose.

Until now, it was only possible to enter the release of Windows 10 there (for example, 21H1) to specifically request this version. This is no longer sufficient, because the first release of Windows 11 has the same version number as the last Windows 10, namely 21H2.

The update for the ADMX template provides a field for the operating system.

The cumulative update for September extended the ADMX template so that you can now enter the operating system. If you use a central store for the administrative templates, you must first update them there because the ADMX downloaded for 21H1 is no longer up-to-date.

In the new template, under product version, you enter Windows 10 and 21H2 for target version if you want to avoid the update to Windows 11 and receive the last iteration of Windows 10. Conversely, a corresponding entry ensures an upgrade to Windows 11.
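To verify on a client that the settings described above have actually arrived, you can read the registry values that back them. The following is an added example, not part of the original article: the value names (TargetReleaseVersion, TargetReleaseVersionInfo, ProductVersion, SetDisableUXWUAccess) are the ones these policies write under the Windows Update policy key and are not quoted on the page, and the function and state names are hypothetical.

```powershell
# Added example: classify a PC's feature-update targeting from policy values.
$WuPolicyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
$WuPolicyNames = 'TargetReleaseVersion', 'TargetReleaseVersionInfo',
                 'ProductVersion', 'SetDisableUXWUAccess'

function Read-WuPolicy {
    # Returns the policy values as a hashtable; empty if the key is absent.
    $values = @{}
    $item = Get-ItemProperty -Path $WuPolicyKey -ErrorAction SilentlyContinue
    if ($item) {
        foreach ($name in $WuPolicyNames) { $values[$name] = $item.$name }
    }
    return $values
}

function Get-FeatureUpdateTargetState {
    param([hashtable]$Policy = (Read-WuPolicy))

    $enabled = $Policy['TargetReleaseVersion'] -eq 1
    $version = [string]$Policy['TargetReleaseVersionInfo']
    $product = [string]$Policy['ProductVersion']

    if (-not $enabled -or -not $version) {
        $state = 'NotPinned'
    } elseif (-not $product) {
        # Release only: 21H2 names both a Windows 10 and a Windows 11 release.
        $state = 'VersionWithoutProduct'
    } elseif ($product -in 'Windows 10', 'Windows 11') {
        $state = "PinnedTo $product"
    } else {
        $state = 'UnrecognizedProduct'
    }

    [pscustomobject]@{
        State          = $state
        ProductVersion = $product
        TargetVersion  = $version
        UpdateUiHidden = ($Policy['SetDisableUXWUAccess'] -eq 1)
    }
}

# Constructed sample inputs (not captured from a real machine).
$samples = @(
    @{ TargetReleaseVersion = 1; TargetReleaseVersionInfo = '21H2' },
    @{ TargetReleaseVersion = 1; TargetReleaseVersionInfo = '21H2'
       ProductVersion = 'Windows 10'; SetDisableUXWUAccess = 1 }
)
$samples | ForEach-Object { Get-FeatureUpdateTargetState -Policy $_ }
```

Calling `Get-FeatureUpdateTargetState` without `-Policy` evaluates the live registry of the machine it runs on. A result of `VersionWithoutProduct` points to a GPO created with the older ADMX template that has no operating system field.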

Conclusion

If your organization wants to avoid premature upgrades of supported PCs to Windows 11, you can simply postpone the subscription of Windows 11 as a product in WSUS.

However, if you use Microsoft's preferred solution, WUfB, then you may disable access to update functions in the Settings app to avoid all kinds of update requests by the users. To get the exact OS version you want, define it as a target feature update in the respective Group Policy setting.

  1. Jason Sandys 1 month ago

    The above is not correct with respect to WUfB. Devices will never be offered the upgrade to Win 11 until or unless you (the admin) explicitly opt them into getting the upgrade using one of the targeting mechanisms. Thus, doing nothing will not opt-in any devices and will prevent them from being offered Win 11 -- users cannot work around this (unless they use media). This is explicitly called out in the official docs at

  2. Author

    Jason, thanks for your link to the Microsoft documentation! Their explanation seems strange, who would use deferrals to get an upgrade to Windows 11? Even if this means that you'll not get an automatic update to Windows 11, I would not rely on Microsoft's ever-changing policies and poor documentation. Rather define explicitly the target version you want in order to block or force the upgrade to Windows 11.

  3. Jason Sandys 1 month ago

    Sorry, not following. Deferrals are completely unrelated to upgrading to Win 11 and are only for controlling feature update delivery for the existing OS version on a device. Our policies on this are not changing or ever-changing and our guidance has been explicit and constant since before Win 11 released.

    If a device is WUfB managed and you (the IT admin) do nothing, the device will not be offered Win 11. Full Stop. No caveats. No action means no Win 11. You *must* take action to get Win 11.


© 4sysops 2006 - 2021

