Although Microsoft promises a smooth update from Windows 10 to 11, most organizations will still need some time until they migrate their PCs to Windows 11. On the one hand, existing applications must be checked for compatibility with the new OS; on the other hand, users need to be prepared for the revamped interface.
Existing hardware as an obstacle
The significantly increased hardware requirements will mean that most companies will first have to get an overview of which PCs meet these requirements. The (possible) installation of this operating system on unsupported hardware is usually not an option in a professional environment.
For users who cannot or do not want to switch to Windows 11 for the time being, Microsoft is offering a final upgrade for Windows 10 with 21H2. The OS is supposed to receive support until 2025, but the release information does not yet indicate the versions and editions to which this will apply.
Updates requested by users
In unmanaged environments, users can trigger an upgrade to Windows 11 on compatible hardware by checking for available updates in the Settings app under Update & Security.
If a company manages updates via WSUS, then an admin has, as usual, full control over which updates to release. In WSUS, Windows 11 is its own product, and you have to subscribe to it before you receive any updates for it.
However, if companies use Windows Update for Business (WUfB), as recommended by Microsoft, the situation is a little more confusing. In this case, admins could prevent end users from triggering updates manually by hiding the corresponding option.
The setting Remove access to use all Windows Update features achieves this goal. It can be found under Computer Configuration > Policies > Administrative Templates > Windows Components > Windows Update.
This prevents unauthorized upgrades to Windows 11, but leaves it up to Microsoft to decide when the new OS is installed. However, according to the latest change in update logic, a feature update will occur automatically only when the installed version of Windows 10 is nearing the end of support. This currently applies to the 2004 release, for example.
Define the target version for the feature update
In this case, you can also use Group Policy to control the version of the feature update you want to get next. The option Select the target Feature Update version, introduced with Windows 10 2004 (under Windows Update for Business), is intended for this purpose.
Until now, it was only possible to enter the release of Windows 10 there (for example, 21H1) to specifically request this version. This is no longer sufficient, because the first release of Windows 11 has the same version number as the last Windows 10, namely 21H2.
The cumulative update for September extended the ADMX template so that you can now enter the operating system as well. If you use a central store for the administrative templates, you must first update them there because the ADMX downloaded for 21H1 is no longer up to date.
In the new template, under product version, you enter Windows 10 and 21H2 for target version if you want to avoid the update to Windows 11 and receive the last iteration of Windows 10. Conversely, a corresponding entry ensures an upgrade to Windows 11.
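To check on a client whether the two settings described above have actually arrived, the following PowerShell function reads the registry values that these policies write. It is an added example, not part of the original article; the function name Get-FeatureUpdatePin and its status labels are made up for illustration, and the value names are the registry values behind the two Group Policy settings.

```powershell
# Added example: audit the Windows Update policy values discussed in the article.
# Get-FeatureUpdatePin and the status labels are hypothetical names.
function Get-FeatureUpdatePin {
    [CmdletBinding()]
    param(
        # Policy key written by Group Policy; override to test against a constructed key.
        [string]$Path = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate',
        [string]$WantedProduct = 'Windows 10',
        [string]$WantedVersion = '21H2'
    )

    # The key does not exist at all if no Windows Update policy applies.
    $p = Get-ItemProperty -Path $Path -ErrorAction SilentlyContinue

    # "Select the target Feature Update version"
    $enabled = [bool]($p -and $p.TargetReleaseVersion -eq 1)
    $product = if ($p) { $p.ProductVersion } else { $null }
    $version = if ($p) { $p.TargetReleaseVersionInfo } else { $null }

    # "Remove access to use all Windows Update features"
    $uiHidden = [bool]($p -and $p.SetDisableUXWUAccess -eq 1)

    $status = if (-not $enabled) {
        'NotConfigured'   # policy not enabled or not applied
    } elseif ([string]::IsNullOrWhiteSpace($product)) {
        'VersionOnly'     # old template: 21H2 alone no longer identifies the OS
    } elseif ($product -eq $WantedProduct -and $version -eq $WantedVersion) {
        'Pinned'
    } else {
        'Mismatch'        # e.g. product set to Windows 11 or another release
    }

    [pscustomobject]@{
        ComputerName   = $env:COMPUTERNAME
        Status         = $status
        ProductVersion = $product
        TargetVersion  = $version
        UpdateUiHidden = $uiHidden
    }
}

Get-FeatureUpdatePin | Format-List
```

A status of VersionOnly typically points to a GPO that was edited with the older ADMX template, which has no field for the product.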
If your organization wants to avoid premature upgrades of supported PCs to Windows 11, you can simply postpone the subscription of Windows 11 as a product in WSUS.
However, if you use Microsoft's preferred solution, WUfB, then you may disable access to update functions in the Settings app to avoid all kinds of update requests by the users. To get the exact OS version you want, define it as a target feature update in the respective Group Policy setting.