Although Microsoft promises a smooth update from Windows 10 to 11, most organizations will still need some time until they migrate their PCs to Windows 11. On the one hand, existing applications must be checked for compatibility with the new OS; on the other hand, users need to be prepared for the revamped interface.
Existing hardware as an obstacle
The significantly increased hardware requirements will mean that most companies will first have to get an overview of which PCs meet these requirements. The (possible) installation of this operating system on unsupported hardware is usually not an option in a professional environment.
For users who cannot or do not want to switch to Windows 11 for the time being, Microsoft is offering a final upgrade for Windows 10 with 21H2. The OS is supposed to receive support until 2025, but the release information does not yet indicate the versions and editions to which this will apply.
Updates requested by users
In unmanaged environments, users can trigger an upgrade to Windows 11 on compatible hardware by checking for available updates in the Settings app under Update & Security.
If a company manages updates via WSUS, then an admin has, as usual, full control over which updates to release. In WSUS, Windows 11 is its own product; you must first subscribe to it before any updates for it are synchronized.
However, if companies use Windows Update for Business (WUfB), as recommended by Microsoft, the situation is a little more confusing. In this case, admins could prevent end users from triggering updates manually by hiding the corresponding option.
The setting Remove access to use all Windows Update features achieves this goal. It can be found under Computer Configuration > Policies > Administrative Templates > Windows Components > Windows Update.
This prevents unauthorized upgrades to Windows 11, but leaves it up to Microsoft to decide when the new OS is installed. However, according to the latest change in update logic, a feature update will occur automatically only when the installed version of Windows 10 is nearing the end of support. This currently applies to the 2004 release, for example.
Define the target version for the feature update
In this case, you can also use Group Policy to control the version of the feature update you want to get next. The option Select the target Feature Update version, introduced with Windows 10 2004 (under Windows Update for Business), is intended for this purpose.
Until now, it was only possible to enter the release of Windows 10 there (for example, 21H1) to specifically request this version. This is no longer sufficient, because the first release of Windows 11 has the same version number as the last Windows 10, namely 21H2.
The cumulative update for September extended the ADMX template so that you can now also enter the operating system (product) in addition to the version. If you use a central store for the administrative templates, you must first update them there because the ADMX downloaded for 21H1 is no longer up-to-date.
In the new template, under product version, you enter Windows 10 and 21H2 for target version if you want to avoid the update to Windows 11 and receive the last iteration of Windows 10. Conversely, a corresponding entry ensures an upgrade to Windows 11.
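To verify what a client actually received from the two settings described above, the following PowerShell audit reads the policy values they write to the registry and reports whether the feature update is pinned. It is an added example, not part of the original article; the registry value names (TargetReleaseVersion, ProductVersion, TargetReleaseVersionInfo, SetDisableUXWUAccess) do not appear in the article, and the function name Get-FeatureUpdatePin and the status labels are hypothetical.

```powershell
# Added example: audit the registry values behind the two policies discussed above.
$WUPolicyKey  = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
$WUValueNames = 'TargetReleaseVersion', 'ProductVersion',
                'TargetReleaseVersionInfo', 'SetDisableUXWUAccess'

function Get-FeatureUpdatePin {   # hypothetical helper name
    param([hashtable]$Policy)     # optional: evaluate supplied values instead of the registry

    if (-not $PSBoundParameters.ContainsKey('Policy')) {
        $Policy = @{}
        $item = Get-ItemProperty -Path $WUPolicyKey -ErrorAction SilentlyContinue
        foreach ($name in $WUValueNames) {
            if ($item -and $item.PSObject.Properties[$name]) { $Policy[$name] = $item.$name }
        }
    }

    $product = $Policy['ProductVersion']
    $version = $Policy['TargetReleaseVersionInfo']
    $status = if ($Policy['TargetReleaseVersion'] -ne 1 -or -not $version) {
        'NotPinned'        # "Select the target Feature Update version" is not in effect
    } elseif (-not $product) {
        'ProductMissing'   # version only: 21H2 exists for both Windows 10 and Windows 11
    } else {
        'Pinned'
    }

    [pscustomobject]@{
        Status           = $status
        Product          = $product
        Version          = $version
        SettingsUiHidden = ($Policy['SetDisableUXWUAccess'] -eq 1)  # "Remove access to use all Windows Update features"
    }
}

# Constructed sample values (not read from a real machine), followed by the local machine.
$samples = @(
    @{ TargetReleaseVersion = 1; ProductVersion = 'Windows 10'; TargetReleaseVersionInfo = '21H2' },
    @{ TargetReleaseVersion = 1; TargetReleaseVersionInfo = '21H2' },   # set with the older template
    @{ SetDisableUXWUAccess = 1 }                                        # UI hidden, nothing pinned
)
$samples | ForEach-Object { Get-FeatureUpdatePin -Policy $_ }
Get-FeatureUpdatePin
```

A result of Pinned with Product "Windows 10" and Version "21H2" corresponds to the configuration described above for staying on Windows 10.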
Conclusion
If your organization wants to avoid premature upgrades of supported PCs to Windows 11, you can simply postpone subscribing to Windows 11 as a product in WSUS.
However, if you use Microsoft's preferred solution, WUfB, then you may disable access to update functions in the Settings app to avoid all kinds of update requests by the users. To get the exact OS version you want, define it as a target feature update in the respective Group Policy setting.
The above is not correct with respect to WUfB. Devices will never be offered the upgrade to Win 11 until or unless you (the admin) explicitly opt them into getting the upgrade using one of the targeting mechanisms. Thus, doing nothing will not opt-in any devices and will prevent them from being offered Win 11 — users cannot work around this (unless they use media). This is explicitly called out in the official docs at https://docs.microsoft.com/en-us/windows/whats-new/windows-11-prepare#cloud-based-solutions.
I just got a request to upgrade to Windows 11 automatically. I’m trying to prevent this from happening. I haven’t done anything to suggest I want it.
DO NOT WANT! But Microsoft keeps downloading the update and trying to install it every day, wasting my processor’s energy, slowing my machine, wasting my bandwidth, slowing my network, EVERY DAY. I have given no indication that I want it but it won’t stop. Regardless of whether or not I did want the upgrade, it is incompatible with my computer but Microsoft can’t tell? F***!
I think I saw something about this in Microsoft’s EULA. When you install Windows on a computer, the ownership of the machine, your bandwidth, etc. is transferred to Microsoft. So no worries. Everything is as it is supposed to be. 😉
The reverse is the Apple world; they have a solid process before distributing a patch or new OS release. Testing is not done using end users’ computers and waiting for negative feedback from the real world…
Jason, thanks for your link to the Microsoft documentation! Their explanation seems strange; who would use deferrals to get an upgrade to Windows 11? Even if this means that you’ll not get an automatic update to Windows 11, I would not rely on Microsoft’s ever changing policies and poor documentation. Rather define explicitly the target version you want in order to block or force the upgrade to Windows 11.
Sorry, not following. Deferrals are completely unrelated to upgrading to Win 11 and are only for controlling feature update delivery for the existing OS version on a device. Our policies on this are not changing or ever-changing and our guidance has been explicit and constant since before Win 11 released.
If a device is WUfB managed and you (the IT admin) do nothing, the device will not be offered Win 11. Full Stop. No caveats. No action means no Win 11. You *must* take action to get Win 11.
Jason, what “action” must you take to get Win11 then?
Our organization deploys feature updates via SCCM but our users are being “offered” Windows 11 if they click on the “Check for Updates” button under “Windows Update”.
BREAKING NEWS: Microsoft’s guidance is explicit and constant, and not confusing at all, ever.
This astonishing news has shocked the world!
It’s not confusing at all until you try and actually download the latest group policy templates. If there is a sensible way to figure out which are the latest released and where to download them, I can’t find it on Microsoft’s websites.
Found the latest policy templates from Nov, 21H2 from https://www.microsoft.com/en-us/download/details.aspx?id=103667. Installed policy templates to Central Store, which now shows in GPMC as templates from policy store. Still have only the “Windows Updates for Business” folder beneath Windows Update, none of the folders shown in this article.
I have the same issue as Horace Greeley, I also applied the NOV 21H2 ADMX/ADML files to my central store. I STILL only see the “Windows Updates for Business” folder, showing nothing like the screen shot in this article. Some assistance would be appreciated. Just for reference I included the link to MS Central Store https://docs.microsoft.com/en-US/troubleshoot/windows-client/group-policy/create-and-manage-central-store
You have to use the ADMX for Windows 11 in order to get the new folder structure for Windows Update. Check out this article to see if the Windows 11 templates meet your requirements.
So let me see if I understand. You need to install the admin templates for Windows 11 to prevent Windows 10 from upgrading to Windows 11. But with those templates installed, you can’t manage the Windows 10 computers that you installed the templates to prevent being upgraded to Windows 11.
Brilliant. No wonder I only run Linux on my personal devices.
🤣🤣