
I understand it might be a bit early but do you plan releasing details about enabling/blocking the Windows 11 upgrade?

Came here to ask the same question - A little gutted you have yet to have a reply with the update around a month away.


Hey there, sorry about the delay! This is usually something you would block/enable at the user level, so Automox would not handle the upgrade. My team did mention that you can enable/disable the update at the registry level:



HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate


This Workout essentially does the same thing: https://community.automox.com/t/set-preferred-windows-10-version/2136



Can anyone confirm if this will work for blocking the Windows 11 upgrade?


This will set it to where Automox will not see it as this is what sets the feature update that will show in the standard patching channel for Windows Updates.



This does not block Windows 11, however. If the user has the authority to install updates themselves, they can just utilize the feature channel and install it themselves.



Automox will not see this feature update natively unless the current OS the devices are on is at EOL. In that case, it can show up as an available patch within Automox.


I apologize if this question has been answered already, but has anyone identified HOW Windows 11 is being defined via Windows Updates when you click Check for Updates? Is it a Feature Update? If so, couldn’t we just add a specific text string to Exempt it from patching policies? Any additional feedback would be helpful 🙂. I do appreciate @Brittany's registry info.


This Workout essentially does the same thing: https://community.automox.com/t/set-preferred-windows-10-version/2136

 

Can anyone confirm if this will work for blocking the Windows 11 upgrade?

 

This link does not appear to work anymore.  Can someone point me to the right link?  Thank you.


Hello, Automox has all critical patches for Win 11, do we need to include it manually to policies?


Hey there, sorry about the delay! This is usually something you would block/enable at the user level, so Automox would not handle the upgrade. My team did mention that you can enable/disable the update at the registry level:

 

HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate

 

 

So would it be something like? :-

  • go to Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU set NoAutoUpdate to 0,
  • reboot,
  • run Windows update manually,
  • run the Windows 11 package it offers
  • after it finishes set it back to 1

This is what I’ve put in place to prevent the Windows 11 installation based on what I found here.

 

Evaluation:

<#
.SYNOPSIS
This Test script checks to see if the listed registry values are present
.DESCRIPTION
This script queries the registry for the required values to prevent
Windows 11 from installing.
.Notes
File Name :Prevent_w11_Eval.ps1
Original Author :TJ Coppola
Prerequisite :PowerShell V2 over win7 and upper
#>

#define variables
$path = "HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate"
$wu = Get-ItemProperty -Path $path

#check keys
if($wu.ProductVersion -match "Windows 10" -and $wu.TargetReleaseVersion -eq 1 -and $wu.TargetReleaseVersionInfo -match "21H2"){exit 0}
else{exit 1}

 

 

Remediation:

<#
.SYNOPSIS
This script creates registry values to prevent Windows 11 from
installing.
.DESCRIPTION
This script queries the registry for the required values to prevent
Windows 11 from installing then creates them if they are not
present.
.Notes
File Name :Prevent_w11.ps1
Original Author :TJ Coppola
Prerequisite :PowerShell V2 over win7 and upper
#>

#Handle Exit codes:
trap {$host.ui.WriteErrorLine($_.Exception); exit 90 }

#define variables
$path = "HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate"
$wu = Get-ItemProperty -Path $path

#create key
if(!($wu)){New-Item -Path $path -Force}
else{write-host $path "already exists."}

#create values
Try{
if(-not $wu.ProductVersion){New-ItemProperty -Path $path -Name "ProductVersion" -Value "Windows 10"}
else{write-host "Value of" $wu.Productversion "already exists."}
if(-not $wu.TargetReleaseVersion){New-ItemProperty -Path $path -Name "TargetReleaseVersion" -Value 1}
else{write-host "Value of" $wu.TargetReleaseVersion "already exists."}
if(-not $wu.TargetReleaseVersionInfo){New-ItemProperty -Path $path -Name "TargetReleaseVersionInfo" -Value "21H2"}
else{write-host "Value of" $wu.TargetReleaseVersionInfo "already exists."}
}
Catch{exit 1}

 

 



My code is wrong! It worked for me, but for the wrong reasons. I used Booleans incorrectly. The if statements that check for the key properties and key path should be the following

 

if(Test-Path $path)

#and

#parentheses are needed: -not binds more tightly than -match
if(-not ($wu.ProductVersion -match "Windows 10"))
#adjust other property checks for consistency
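
An added example, not part of the original post and not Automox's own code: one way to write the check the correction above describes, comparing each value against the desired one instead of testing only that it is non-empty. The function names Get-PinDrift and Set-Pin are hypothetical; the key path, the three values and exit code 90 are the ones used in the thread.

```powershell
# Added example, not the poster's script. Desired state = the three values from the thread.
$ErrorActionPreference = 'Stop'
$path = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
$desired = @(
    @{ Name = 'ProductVersion';           Value = 'Windows 10'; Type = 'String' }
    @{ Name = 'TargetReleaseVersion';     Value = 1;            Type = 'DWord'  }
    @{ Name = 'TargetReleaseVersionInfo'; Value = '21H2';       Type = 'String' }
)

# Hypothetical helper: returns the entries whose current value is missing or different.
function Get-PinDrift {
    param([string]$Path, [object[]]$Desired)
    $current = $null
    if (Test-Path -Path $Path) { $current = Get-ItemProperty -Path $Path }
    foreach ($d in $Desired) {
        $actual = if ($current) { $current.($d.Name) } else { $null }
        # Compare the value itself; a bare truthiness test accepts any non-empty value.
        if ($null -eq $actual -or "$actual" -ne "$($d.Value)") { $d }
    }
}

# Hypothetical helper: creates the key if needed and rewrites only the drifted values.
function Set-Pin {
    param([string]$Path, [object[]]$Desired)
    if (-not (Test-Path -Path $Path)) { New-Item -Path $Path -Force | Out-Null }
    foreach ($d in @(Get-PinDrift -Path $Path -Desired $Desired)) {
        New-ItemProperty -Path $Path -Name $d.Name -Value $d.Value `
            -PropertyType $d.Type -Force | Out-Null
    }
}

# Remediation flow: apply, re-check, exit 0 only when no drift remains.
# An evaluation script would run just the Get-PinDrift count check below.
try {
    Set-Pin -Path $path -Desired $desired
    if (@(Get-PinDrift -Path $path -Desired $desired).Count -eq 0) { exit 0 }
    exit 1
}
catch {
    $host.ui.WriteErrorLine($_.Exception)
    exit 90
}
```

The script writes under HKLM, so it must run elevated; the `@(...)` wrappers keep the drift count correct when a single entry or none is returned.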

 

