How to Block Windows 11 24H2 update using GPO (AD).
If you want to block the Windows 11 24H2 update on your domain environment through a GPO, then this guide is for you.
Since October 1, 2024 when the 24h2 update of Windows 11 became available, many users are experiencing serious problems either during or after its installation. In particular, many users report that their computer has become unusable after installing the Windows 11 24H2 version because it keeps crashing with blue screens of death (BSOD), or can't connect to the network, or freezes and becomes unresponsive, etc..
So because of these reports, in a previous article I described how to block the installation of Windows 11 24H2 on personal computers and in this article I will show you how to do the same in a domain environment (AD) using a GPO.
In this guide, you will find detailed instructions to prevent the installation of the 24H2 update of Windows 11 and stay on version 23H2 in Active Directory by using a GPO (Group Policy).
How to Disable Windows 11 v24H2 upgrade through GPO (Group Policy).
1. On your domain server, open the Group Policy Management.
2. Under the 'Domains' object, right-click on your domain and select Create a GPO in this domain and Link it here.
3. Type a name for the new GPO (e.g. "Block_Windows11_24H2_Update") and click OK.
4. Then Edit the new GPO.
5. In Group Policy Management Editor window, go to:
- Computer Configuration > Preferences > Windows Settings > Registry
6. Then right-click at the Registry item and select New > Registry Item.
7. At the 'New Registry Properties' windows, do the following:
a. Set Action to: Create
b. At Key path click the three dots button 
and…
c. …navigate to the following path and select the "WindowsUpdate" folder.
-
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate
d. Now, at Value name type "TargetReleaseVersion", then change the Value type to REG_DWORD, and type "1" at Value Data. When done click Apply > OK.
8. Repeat again the same steps to create a new registry item at the same key path, but this time create a new REG_SZ value with name TargetReleaseVersionInfo and value data: 23H2
9. Finally, repeat once more the same procedure to create a new registry item at the same key path, and create a new REG_SZ value with name "ProductVersion" and value data: "Windows 11"
10. After you are finished, you should see the following screen.
11. Close the Group Policy Management Editor and restart any domain computer to apply the GPO and to block the Windows 11 24H2 update.*
Notes:
1. To see if the GPO (registry change) has been applied:
1. Open the Registry Editor (on any client computer) and navigate to the following path:
- HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate
2. See in the right pane if the added values exist and you're done!
2. To unblock the Windows 11 24H2 update:
- Edit the GPO you created above (e.g. the "Block_Windows11_24H2_Update" in this example).
- Navigate to: Computer Configuration > Preferences > Windows Settings > Registry
- Open one by one the three (3) registry items you created above, set the Action to Delete and click OK.
- Restart the domain computers to apply GPO and remove the registry items that have been added to their registry.
That's it! Let me know if this guide has helped you by leaving your comment about your experience. Please like and share this guide to help others.
February 6, 2025 @ 8:10 am
Instructions are worded really well thanks. Do you know if these registry settings will apply to workstations in a domain with updates deployed from a WSUS server?
January 31, 2025 @ 9:30 pm
Very precise directions. I just applied them to a clients Windows server, keeping my fingers crossed. Thank you.