How to Block Windows 11 24H2 update using GPO (AD).
If you want to block the Windows 11 24H2 update on your domain environment through a GPO, then this guide is for you.
Since October 1, 2024 when the 24h2 update of Windows 11 became available, many users are experiencing serious problems either during or after its installation. In particular, many users report that their computer has become unusable after installing the Windows 11 24H2 version because it keeps crashing with blue screens of death (BSOD), or can't connect to the network, or freezes and becomes unresponsive, etc..
So because of these reports, in a previous article I described how to block the installation of Windows 11 24H2 on personal computers and in this article I will show you how to do the same in a domain environment (AD) using a GPO.
In this guide, you will find detailed instructions to prevent the installation of the 24H2 update of Windows 11 and stay on version 23H2 in Active Directory by using a GPO (Group Policy).
How to Disable Windows 11 v24H2 upgrade through GPO (Group Policy).
1. On your domain server, open the Group Policy Management.
2. Under the 'Domains' object, right-click on your domain and select Create a GPO in this domain and Link it here.
3. Type a name for the new GPO (e.g. "Block_Windows11_24H2_Update") and click OK.
4. Then Edit the new GPO.
5. In Group Policy Management Editor window, go to:
- Computer Configuration > Preferences > Windows Settings > Registry
6. Then right-click at the Registry item and select New > Registry Item.
7. At the 'New Registry Properties' windows, do the following:
a. Set Action to: Create
b. At Key path click the three dots button 
and…
c. …navigate to the following path and select the "WindowsUpdate" folder.
-
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate
d. Now, at Value name type "TargetReleaseVersion", then change the Value type to REG_DWORD, and type "1" at Value Data. When done click Apply > OK.
8. Repeat again the same steps to create a new registry item at the same key path, but this time create a new REG_SZ value with name TargetReleaseVersionInfo and value data: 23H2
9. Finally, repeat once more the same procedure to create a new registry item at the same key path, and create a new REG_SZ value with name "ProductVersion" and value data: "Windows 11"
10. After you are finished, you should see the following screen.
11. Close the Group Policy Management Editor and restart any domain computer to apply the GPO and to block the Windows 11 24H2 update.*
Notes:
1. To see if the GPO (registry change) has been applied:
1. Open the Registry Editor (on any client computer) and navigate to the following path:
- HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate
2. See in the right pane if the added values exist and you're done!
2. To unblock the Windows 11 24H2 update:
- Edit the GPO you created above (e.g. the "Block_Windows11_24H2_Update" in this example).
- Navigate to: Computer Configuration > Preferences > Windows Settings > Registry
- Open one by one the three (3) registry items you created above, set the Action to Delete and click OK.
- Restart the domain computers to apply GPO and remove the registry items that have been added to their registry.
That's it! Let me know if this guide has helped you by leaving your comment about your experience. Please like and share this guide to help others.
Frequently Asked Questions
What problems are reported with the Windows 11 24H2 update?
Many users are experiencing serious issues such as blue screens of death (BSOD), network connectivity problems, and systems freezing and becoming unresponsive after installing the Windows 11 24H2 update.
How can I block the Windows 11 24H2 update in a domain environment?
You can block the Windows 11 24H2 update by creating a Group Policy Object (GPO) on your domain server and editing the registry items under the path HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate.
What registry changes should I make to block the update?
Create a new REG_DWORD value named 'TargetReleaseVersion' with data '1', a REG_SZ value named 'TargetReleaseVersionInfo' with data '23H2', and a REG_SZ value named 'ProductVersion' with data 'Windows 11' under the WindowsUpdate registry path.
How do I confirm that the GPO changes have been applied?
You can confirm the GPO changes by opening the Registry Editor on a client computer, navigating to HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate, and checking if the values you added exist in the right pane.
February 6, 2025 @ 8:10 am
Instructions are worded really well thanks. Do you know if these registry settings will apply to workstations in a domain with updates deployed from a WSUS server?
January 31, 2025 @ 9:30 pm
Very precise directions. I just applied them to a clients Windows server, keeping my fingers crossed. Thank you.