Howto: Block Windows 11 Upgrade via GPO

Microsoft seems to roll out Windows 11 upgrades to all users, even if they have no admin rights on their account. If we want to prevent users from upgrading by mistake, we should make use of a Group Policy Object (GPO).

The Group Policy Object can be set at the following path: Computer configuration -> Administrative Templates -> Windows Components -> Windows Update -> Windows Update for Business. The template is called “Select the target Feature Update version”.

Unfortunately, the Group Policy template is outdated on Server 2019 and 2022 and is missing the option “Which Windows product version would you like to receive feature updates for”. Since Windows 10 and Windows 11 use the same names for their Feature Updates, we need this option to make sure we are staying on Windows 10. On Server 2016 the GPO is even missing completely.

GPO without updated Admx-Template

To get the full options available we need to update our Admx-Templates. You can download the newest version (as of 2022-05-27) from here.

The Admx-Templates need to be extracted to a local file location. After the files have been extracted, open Explorer and navigate to the path: C:\Program Files (x86)\Microsoft Group Policy\Windows 10 November 2021 Update (21H2). Copy the folder “PolicyDefinitions” and paste it to the following UNC-path: \\domain.local\sysvol\domain.local\Policies.

After the files have been copied, open the group policy editor and once again navigate to the path Computer configuration -> Administrative Templates -> Windows Components -> Windows Update -> Windows Update for Business and open the template “Select the target Feature Update version”.

We need to enter “Windows 10” into the first box and “21H2” into the second box.

GPO with updated Admx-Template

Please note: As soon as you want your PCs to upgrade to a newer Feature Update than 21H2 you need to change the value in this GPO. Otherwise the PCs will stay on 21H2.

After the clients have rebooted they should not show any signs of Windows 11 anymore.


Block Windows 11 Upgrade on a single computer without domain

With the help of the GPO we can even tell a single computer not to upgrade to Windows 11 (and stop showing us the Windows 11 Upgrade stuff in Windows Updates and in our Taskbar). Just open “gpedit.msc” from Windows Search and navigate to the path Computer configuration -> Administrative Templates -> Windows Components -> Windows Update -> Windows Update for Business and open the template “Select the target Feature Update version”.

Similar to the GPO for domains, we need to enter “Windows 10” into the first box and “21H2” into the second box. One reboot later the Windows 11 Upgrade information should be gone.
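
To confirm that the setting actually reached a machine, whether it came from the domain GPO or from the local policy described above, you can read the registry values that the “Select the target Feature Update version” policy writes. The following PowerShell check is an added example, not part of the original howto; the function name `Test-FeatureUpdateTarget` is hypothetical, and the expected values default to the “Windows 10” / “21H2” entries used on this page.

```powershell
# Added example: audit the registry values written by the
# "Select the target Feature Update version" policy on the local computer.
function Test-FeatureUpdateTarget {
    [CmdletBinding()]
    param(
        [string]$ExpectedProduct = 'Windows 10',   # first box in the policy
        [string]$ExpectedVersion = '21H2'          # second box in the policy
    )

    $key = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
    $expected = [ordered]@{
        TargetReleaseVersion     = 1                # DWORD 1 = policy is enabled
        ProductVersion           = $ExpectedProduct
        TargetReleaseVersionInfo = $ExpectedVersion
    }

    # A missing key means the policy never reached this machine.
    $actual = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue

    foreach ($name in $expected.Keys) {
        $value = if ($actual) { $actual.$name } else { $null }
        [pscustomobject]@{
            Computer = $env:COMPUTERNAME
            Setting  = $name
            Expected = $expected[$name]
            Actual   = if ($null -eq $value) { '<not set>' } else { $value }
            # Compare as strings so the DWORD and the text values share one test.
            Ok       = ($null -ne $value) -and ("$value" -eq "$($expected[$name])")
        }
    }
}

$report = Test-FeatureUpdateTarget
$report | Format-Table -AutoSize

if ($report.Ok -contains $false) {
    Write-Warning 'Feature update target is not pinned as expected. Run "gpupdate /force" and review "gpresult /r".'
}
```

When you later raise the target beyond 21H2, pass the new value via `-ExpectedVersion` so the check matches the changed GPO.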