Windows - Configuration - Windows 11 Feature Update

Pin Windows 11 target feature update version on endpoints by enforcing Windows Update policy registry values

Worklet Details

What the Windows 11 version pinning Worklet does

This Automox Worklet™ pins the Windows 11 target feature update version on Windows endpoints by writing the ProductVersion and TargetReleaseVersion policy values to the Windows Update registry hive. The Worklet enforces the Microsoft-supported policy path under HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate, the same path Group Policy and MDM Intune profiles use to control feature update targeting.

The policy values define two things. ProductVersion tells Windows Update which product line the endpoint should follow – set to "Windows 11" in this Worklet. TargetReleaseVersion names the specific feature update release the endpoint should land on, such as 23H2 or 24H2. Until that release is superseded by Microsoft, Windows Update will not offer a newer feature update on the endpoint, even when a fresh release becomes generally available.

Evaluation reads the current values and reports any endpoint that is missing the keys or is set to a different release than the policy specifies. Remediation writes the correct values and exits. The Worklet is idempotent – once an endpoint matches the policy, subsequent runs no-op, so the policy is safe to schedule on a recurring window.

Why pin the Windows 11 feature update target

Without TargetReleaseVersion in place, Windows Update will pull every endpoint forward to whatever feature update Microsoft is currently shipping. That is fine for a home PC. It is a real operational problem on a managed fleet, where a new Windows 11 release can break vendor agents, VPN clients, or in-house line-of-business apps that have not been certified against the new build. The CIS Microsoft Windows 11 Benchmark and most enterprise change-management policies require IT to control which feature update a fleet runs at any given time, and the registry values under HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate are the supported control plane for that decision.

Microsoft documents the TargetReleaseVersion and TargetReleaseVersionInfo policy in the WindowsUpdate Group Policy templates, but Group Policy only applies those settings on endpoints that consistently reach a domain controller for a policy refresh. This Worklet writes the same pinned release values under HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate on every cycle, applying the cap consistently across domain-joined desktops, Azure AD-joined laptops, and the remote endpoints that never see a Group Policy refresh.

How feature update version pinning works

  1. Evaluation phase: The Worklet checks for the WindowsUpdate policy key at HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate and reads the ProductVersion and TargetReleaseVersion values. The endpoint is compliant only when ProductVersion equals "Windows 11" and TargetReleaseVersion matches the release configured in the Worklet (for example, "23H2" or "24H2"). A missing key, missing value, or mismatched value flags the endpoint for remediation. Evaluation also confirms the endpoint is running Windows 11 so the policy is not pushed to legacy Windows 10 hosts that should follow a separate upgrade path.

  2. Remediation phase: The Worklet creates the policy key if it is absent, then writes ProductVersion as a REG_SZ value of "Windows 11" and TargetReleaseVersion as a REG_SZ value of the configured release. PowerShell commands such as New-Item -Path 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate' -Force and New-ItemProperty -Path '...' -Name 'TargetReleaseVersion' -Value '24H2' -PropertyType String -Force handle both fresh writes and value updates in one pass. The Worklet then re-reads the values to confirm the write succeeded and exits 0 on match or non-zero on mismatch, so failures land in the Automox Activity Log instead of going silent.
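The two phases above as one PowerShell script. This is an added example, not the Automox Worklet's own code: it assumes a $TargetRelease parameter (defaulting to 24H2), uses the registry value names and types described on this page, and follows the Worklet convention of exit 0 for compliant and exit 1 for non-compliant.

```powershell
# Added example (not the Worklet's own code): evaluation and remediation for
# pinning the Windows 11 feature update target via the WindowsUpdate policy key.
param(
    [string]$TargetRelease = '24H2'   # assumed default; set to the release you have certified
)

$PolicyPath = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'

# Desired REG_SZ values, as described above. If Group Policy or Intune also
# manages this setting, note that the ADMX template for the policy writes
# TargetReleaseVersionInfo with the release string as well; add it here if you
# need the two control planes to agree and avoid the drift mentioned below.
$Desired = @{
    ProductVersion       = 'Windows 11'
    TargetReleaseVersion = $TargetRelease
}

function Test-IsWindows11 {
    # Windows 11 builds are 22000 and later; Windows 10 hosts are skipped
    # so they can follow their own upgrade path.
    [int](Get-CimInstance Win32_OperatingSystem).BuildNumber -ge 22000
}

function Get-PinDrift {
    # Emits the names of desired values that are missing or differ.
    $current = Get-ItemProperty -Path $PolicyPath -ErrorAction SilentlyContinue
    foreach ($name in $Desired.Keys) {
        $actual = if ($current) { $current.$name } else { $null }
        if ($null -eq $actual -or [string]$actual -ne $Desired[$name]) { $name }
    }
}

function Invoke-Evaluation {
    # Evaluation tab: report only, never write.
    if (-not (Test-IsWindows11)) {
        Write-Output 'Not Windows 11; policy does not apply.'
        return 0
    }
    $drift = @(Get-PinDrift)
    if ($drift.Count -eq 0) { Write-Output 'Compliant'; return 0 }
    Write-Output "Non-compliant, drift in: $($drift -join ', ')"
    return 1
}

function Invoke-Remediation {
    # Remediation tab: create the key if absent, then write every value with
    # -Force so fresh writes and updates take the same path.
    if (-not (Test-Path $PolicyPath)) { New-Item -Path $PolicyPath -Force | Out-Null }
    foreach ($name in $Desired.Keys) {
        New-ItemProperty -Path $PolicyPath -Name $name -Value $Desired[$name] `
            -PropertyType String -Force | Out-Null
    }
    # Re-read to confirm the write; a non-zero exit surfaces in the Activity Log.
    $drift = @(Get-PinDrift)
    if ($drift.Count -ne 0) {
        Write-Output "Write verification failed for: $($drift -join ', ')"
        return 1
    }
    Write-Output "Pinned to $($Desired.ProductVersion) $($Desired.TargetReleaseVersion)"
    return 0
}

# Paste each function into the matching Worklet tab, or run both locally:
$code = Invoke-Evaluation
if ($code -ne 0) { $code = Invoke-Remediation }
exit $code
```

Get-PinDrift is shared by both phases so the post-write check in remediation applies exactly the same test evaluation used to flag the endpoint, which keeps the Worklet idempotent: a second run finds no drift and exits 0 without touching the registry.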

Windows 11 version pinning requirements

  • Windows 11 endpoint already on a Microsoft-supported feature update release (the policy controls future updates; it does not roll back an endpoint that is already past the target)

  • Local administrator context for the Automox agent so the Worklet can write under HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate (the default agent context already meets this)

  • PowerShell 5.0 or higher (shipped with every supported Windows 11 build)

  • Decide on the TargetReleaseVersion value before the policy ships – use the short identifier Microsoft publishes, such as 23H2 or 24H2, exactly as written in the Microsoft documentation

  • Coordinate with any existing Group Policy or Intune Windows Update for Business profile that targets the same registry path – conflicting policies can race on the same value and produce drift between agent runs

  • Schedule a recurring policy window so the pin is restored quickly if a Group Policy refresh, image redeploy, or admin script clears the values

Expected state after version pinning

After remediation, HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate exists on the endpoint and contains the two REG_SZ values: ProductVersion set to Windows 11 and TargetReleaseVersion set to the configured release. Windows Update will continue to deliver quality updates, security updates, and driver updates as normal, but it will not offer a feature update beyond the pinned target until you change the policy or Microsoft stops supporting the pinned release. The endpoint's WaaSMedicService and UsoSvc do not need to be restarted – the next Windows Update scan picks up the new policy automatically.

Validate on a pilot endpoint with: Get-ItemProperty -Path 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate' | Select-Object ProductVersion, TargetReleaseVersion. The output should reflect the values written by the Worklet. For audit evidence, capture the registry export with reg.exe export 'HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate' policy-pin.reg and attach it to the policy run record. To confirm Windows Update is honoring the pin, run UsoClient StartScan and check the resulting offers in the Windows Update settings panel – the endpoint should see cumulative updates for the pinned release only, with no feature update offer above the target.


What's a Worklet?

A Worklet is an automation script, written in Bash or PowerShell, designed for seamless execution on endpoints – at scale – within the Automox platform. Worklets deploy named-CVE mitigations within hours of disclosure, perform configuration, remediation, and install or remove applications and settings across Windows, macOS, and Linux.