Explore Yubico

Holding back the upgrade to Windows 11 with Intune

Yet another quick one.

With Windows 11 pushing its way towards your environment’s devices, you may find the need to hold back this upgrade to some or maybe all your devices, for any reason.

The update itself us rolling out broad, and you may not get the “control” you want/need, as to when the devices in your environment gets the upgrade, or what users click yes to upgrade.

There may be several reasons for this, like.

  • You want more time to prepare for the new Windows version.
    • Time to create some guides etc. for your users in advance
    • Time to find bugs and caveats to be aware of
    • Get yourself / IT Staff familiar with the changes in functions, menus, options, settings etc.
  • You wait for a later release of Windows 11
    • Wich may include som improvements to performance and bugs
    • Microsoft team has stated that performance improvementes are on the roadmap for 2022
    • SSD performance on Windows 11 have been shown to decrease
  • You have devices you want to lock down to Windows 10, maybe also a specific update release
  • You have devices that does not work optimally with Windows 11 – but are supported.
    • Personally, I have one supported HP X360 laptop, that turned sluggish after getting Windows 11 – it will probably get reinstalled with Win10 because of this.
  • And so on.

If you are using Microsoft Endpoint Manager /Intune, you can achieve this by adding some registry changes to the targeted devices.

You then avoid the upgrade to Windows 11 and can set your targeted release of Windows 10 for the devices.

To do this you can use the following PowerShell script for deployment via Intune

<# Script to disable upgrade to windows 11
edited: 09.12.21 - Geir Dybbugt - Dybbugt.no
#>
# Restart Process using PowerShell 64-bit 
If ($ENV:PROCESSOR_ARCHITEW6432 -eq "AMD64") {
    Try {
        &"$ENV:WINDIR\SysNative\WindowsPowershell\v1.0\PowerShell.exe" -File $PSCOMMANDPATH
    }
    Catch {
        Throw "Failed to start $PSCOMMANDPATH"
    }
    Exit
}
# Variables
    $RegPath = "HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate"
    $TargetReleaseVersion = 1
    $ProductVersion = "Windows 10"
    $TargetReleaseVersionInfo = "21H2"
# Disable the windows 11 upgrade with registry settings
    if((Test-Path -LiteralPath $RegPath) -ne $true) {
      New-Item $RegPath -force
        if ($?) {
            New-ItemProperty -LiteralPath "$RegPath" -Name 'TargetReleaseVersion' -Value $TargetReleaseVersion -PropertyType DWORD -Force -ea SilentlyContinue;
            New-ItemProperty -LiteralPath "$RegPath" -Name 'ProductVersion' -Value $ProductVersion -PropertyType String -Force -ea SilentlyContinue;
            New-ItemProperty -LiteralPath "$RegPath" -Name 'TargetReleaseVersionInfo' -Value $TargetReleaseVersionInfo -PropertyType String -Force -ea SilentlyContinue; 
        } else {
            write-host "failed" -ForegroundColor Red
            exit
            }
    } else { 
        New-ItemProperty -LiteralPath "$RegPath" -Name 'TargetReleaseVersion' -Value $TargetReleaseVersion -PropertyType DWORD -Force -ea SilentlyContinue;
        New-ItemProperty -LiteralPath "$RegPath" -Name 'ProductVersion' -Value $ProductVersion -PropertyType String -Force -ea SilentlyContinue;
        New-ItemProperty -LiteralPath "$RegPath" -Name 'TargetReleaseVersionInfo' -Value $TargetReleaseVersionInfo -PropertyType String -Force -ea SilentlyContinue; 
    }

— The script can also be found on my GitHub, here



Hope it helps anyone 🙂

Leave a Reply

%d bloggers like this: