At some point, you may need to lock a computer to a specific version of Windows 11. This could be because of a compatibility issue with a critical app or device, the need to maintain more stability in your environment, or to give yourself more time to test feature changes in new versions of Windows 11.
For organizations using endpoint management services, controlling Windows versions across devices ensures consistency and minimizes compatibility risks.
This blog post will go over three ways to lock-in a version of Windows 11 on a device. These three methods all utilize the same registry settings on a computer and present three different ways to apply them – manually, via Group Policy, and Intune.
You should always test these settings on a pilot group of devices prior to rolling it out. Modifying the registry also comes with inherent risks, so be careful if you go the manual route. You should also keep security/quality updates enabled. This will update the existing operating system but prevent the feature update to the next version of Windows from running.
Registry Settings
The registry key that configures the Windows 11 version is: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate.
The three registry values that set the Windows version are:
- TargetReleaseVersion – DWORD value set to 1 to enable version lock (0 disables version lock)
- TargetReleaseVersionInfo – string value containing the version of Windows 11, such as 23H2, 24H2, etc.
- ProductVersion – string value that contains the product family. This would be either Windows 10 or Windows 11.
Manual
To set the keys manually, you can create/configure the values listed above in the registry key. Here is also a simple PowerShell script that will create/update them:
# Define target values
$TargetReleaseVersionInfo = “23H2”
# Registry path
$RegPath = “HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate”
# Ensure the registry path exists
if (-not (Test-Path $RegPath)) { New-Item -Path $RegPath -Force | Out-Null }
# Set the values
Set-ItemProperty -Path $RegPath -Name “ProductVersion” -Value “Windows 11” -Type String
Set-ItemProperty -Path $RegPath -Name “TargetReleaseVersion” -Value 1 -Type DWord
Set-ItemProperty -Path $RegPath -Name “TargetReleaseVersionInfo” -Value $TargetReleaseVersionInfo -Type String
For this script to work, just change the $TargetReleaseVersionInfo variable to the version of Windows 11 you want, such as 23H2, or 24H2, and run the script on your computers.
Group Policy
To configure this with Group Policy, configure the options for the setting Select the target Feature Update Version located at: Computer Configuration > Administrative Templates > Windows Components > Windows Update > Manage updates offered from Windows Update. In the first box, enter either Windows 10 or Windows 11, and in the second box, enter the version number (23H2, 24H2, etc.).
Note that in previous versions of the ADMX template, the folder Manage updates offered from Windows Update was called Windows Update for Business.
Intune
For Intune, we will create a configuration profile.
- When creating the profile, select Windows 10 and later as the Platform and Templates as the Profile type.
- Under Template Name, select Custom.
- Under Configuration Settings, add three OMA-URI Settings.
- TargetReleaseVersion:
- Name: TargetReleaseVersion
- OMA-URI: ./Device/Vendor/MSFT/Policy/Config/Update/TargetReleaseVersion
- TargetReleaseVersion:
- Data type: Integer
- Value: 1
- TargetReleaseVersionInfo:
- Name: TargetReleaseVersionInfo
- OMA-URI: ./Device/Vendor/MSFT/Policy/Config/Update/TargetReleaseVersionInfo
- Data type: String
- Value: <Windows version, such as 23H2, 24H2, etc.>
- ProductVersion:
- Name: ProductVersion
- OMA-URI: ./Device/Vendor/MSFT/Policy/Config/Update/ProductVersion
- Data type: String
- Value: Windows 10 or Windows 11
- Finish configuring the policy by assigning it to devices.
Final Thoughts
Configuring the target feature update version for Windows devices can be a crucial step in managing update deployments across your organization. Whether you use manual registry edits, Group Policy, or Intune, each method offers flexibility to ensure your endpoints receive the intended Windows release at the right time.
By leveraging these options, especially when paired with comprehensive endpoint management services.
you can maintain control over the update process, minimize disruptions, and help users stay productive with the latest features and security improvements.
