Pin the Windows 11 feature upgrade target across endpoints by writing Windows Update for Business registry keys
This Automox Worklet™ pins the Windows 11 feature upgrade target on each endpoint by writing four values under the Windows Update for Business policy hive. The Worklet enforces a single, declared Windows 11 release across your fleet instead of leaving each endpoint to pick whatever Windows Update offers it on its own cadence.
The four values land in HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate. ProductVersion is set to Windows 11 as a String. TargetReleaseVersion is set to 1 as a DWORD to switch on target-release pinning. TargetReleaseVersionInfo is set to the build you pass in winBuild (the script default is 25H2) as a String. DisableWUfBSafeguards is set to 1 as a DWORD so Microsoft safeguard holds do not block the upgrade once your fleet meets the published compatibility floor.
On Windows 10 endpoints at build 19041 or higher, the Worklet runs a PC Health Check before writing anything. It reads TPM presence, IsEnabled and IsActivated state, the TPM SpecVersion major number, Secure Boot UEFI availability, primary disk size, and total RAM. Endpoints that fail the check exit cleanly without registry edits. Windows 10 endpoints below build 19041 are skipped entirely because they have no upgrade path to Windows 11.
Remediation is wrapped in a rollback path. Before writing the four target keys, the script captures the current value and PropertyType of each existing key into an in-memory list. If any New-ItemProperty call fails, the script removes the keys it added and re-adds the captured originals with their original kinds. This Worklet does not download or apply the Windows 11 feature upgrade itself; it sets the registry contract that Windows Update for Business reads when it offers a build to the endpoint.
Mixed Windows 10 and Windows 11 fleets drift toward whatever build Microsoft happens to offer on each endpoint. One workstation lands on 23H2, another sits on 22H2, a third stays on Windows 10 because no policy ever pointed it at a Windows 11 release. ProductVersion, TargetReleaseVersion, and TargetReleaseVersionInfo form the registry contract Windows Update for Business reads when picking a build. DisableWUfBSafeguards is the lever that stops Microsoft safeguard holds from indefinitely deferring the upgrade once you have validated compatibility. Pinning these four values turns the version your endpoints are on from a per-endpoint accident into a declared baseline.
The four upgrade-control values under HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate are unusually easy to lose. A new image lands without the keys at all, a sysprep run wipes the Policies hive on the first generalize, an admin writes them once during a pilot and never validates the value matches the next quarter's target build. The Worklet reads ProductVersion, TargetReleaseVersion, TargetReleaseVersionInfo, and DisableWUfBSafeguards on every cycle, compares them to the policy variables, and rewrites with Set-ItemProperty whenever a value is missing or stale, so the next Patch Tuesday cycle does not ship an endpoint to the wrong Windows 11 build.
Evaluation phase: The script reads HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\DisplayVersion and exits 0 if the endpoint already matches winBuild. It then reads [environment]::OSVersion.Version.Build to filter out endpoints below 19041 and to detect Windows 10 (below 22000) for the PC Health Check. On Windows 10 endpoints the Health Check verifies 64-bit OS, TPM presence with IsEnabled and IsActivated, and TPM SpecVersion 2.0 or higher. It also confirms Secure Boot UEFI availability via Confirm-SecureBootUEFI, primary disk ≥ 64 GB, and total RAM ≥ 4 GB. The script then reads each of the four target keys with Get-ItemProperty and Get-ItemPropertyValue; any missing key or value mismatch returns exit code 2 to queue remediation.
Remediation phase: The script creates HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate with New-Item if the path does not exist. It captures any existing key values and their PropertyType into the currentKeys list for rollback. It then calls New-ItemProperty four times to write TargetReleaseVersion (DWORD 1), TargetReleaseVersionInfo (String, winBuild), ProductVersion (String, Windows 11), and DisableWUfBSafeguards (DWORD 1). Each successful write is appended to addedKeys. If any write fails, the script invokes RegistryBackout to Remove-ItemProperty the keys it added and re-write the original values it captured before exiting 2.
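The evaluate-then-remediate flow of the two phases above, written out as an added example that is not the Worklet's own evaluation.ps1 or remediation.ps1. Get-DriftedKeys and Set-TargetRelease are helper names chosen here; the registry path, the four values, winBuild and the exit codes (0 compliant, 2 remediate) follow the page.

```powershell
# Added example, not the Worklet's code: pin the Windows 11 target release with
# capture-and-rollback. Run as SYSTEM or from an elevated prompt.
$winBuild = '25H2'
$path     = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
$desired  = @(
    @{ Name = 'ProductVersion';           Value = 'Windows 11'; Type = 'String' }
    @{ Name = 'TargetReleaseVersion';     Value = 1;            Type = 'DWord'  }
    @{ Name = 'TargetReleaseVersionInfo'; Value = $winBuild;    Type = 'String' }
    @{ Name = 'DisableWUfBSafeguards';    Value = 1;            Type = 'DWord'  }
)

# Evaluation: names of values that are missing or stale (empty array = compliant).
function Get-DriftedKeys {
    $drift = @()
    foreach ($k in $desired) {
        $actual = Get-ItemProperty -Path $path -Name $k.Name -ErrorAction SilentlyContinue
        if ($null -eq $actual -or "$($actual.($k.Name))" -ne "$($k.Value)") { $drift += $k.Name }
    }
    return $drift
}

# Remediation: capture existing values with their kinds, write all four, and on any
# failure remove what this run added and restore the originals as captured.
function Set-TargetRelease {
    if (-not (Test-Path $path)) { New-Item -Path $path -Force | Out-Null }
    $item = Get-Item -Path $path
    $currentKeys = @()   # originals for rollback
    $addedKeys   = @()   # names written by this run
    foreach ($k in $desired) {
        if ($item.GetValueNames() -contains $k.Name) {
            $currentKeys += @{ Name = $k.Name; Value = $item.GetValue($k.Name); Type = $item.GetValueKind($k.Name) }
        }
    }
    try {
        foreach ($k in $desired) {
            New-ItemProperty -Path $path -Name $k.Name -Value $k.Value -PropertyType $k.Type -Force -ErrorAction Stop | Out-Null
            $addedKeys += $k.Name
        }
        return 0
    } catch {
        Write-Warning "Registry write failed ($_); rolling back $($addedKeys.Count) value(s)"
        foreach ($n in $addedKeys)   { Remove-ItemProperty -Path $path -Name $n -ErrorAction SilentlyContinue }
        foreach ($c in $currentKeys) { New-ItemProperty -Path $path -Name $c.Name -Value $c.Value -PropertyType $c.Type -Force | Out-Null }
        return 2
    }
}

if ((Get-DriftedKeys).Count -eq 0) { exit 0 }   # evaluation: already pinned
exit (Set-TargetRelease)                         # remediation: 0 on success, 2 after rollback
```

Values that exist before the run are restored with the kind reported by GetValueKind, so a String that was previously a DWord comes back as a DWord after rollback.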
Windows 10 build 19041 (version 2004) or higher, or any Windows 11 release below the build named in winBuild
For Windows 10 endpoints upgrading to Windows 11: 64-bit OS, TPM 2.0 enabled and activated, Secure Boot UEFI available, primary disk ≥ 64 GB, total RAM ≥ 4 GB
SYSTEM-level execution on the endpoint (the default Automox agent context)
No competing Windows Update for Business configuration from Intune, Group Policy, or MDM under HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate; Automox recommends disabling those policy sources before scheduling this Worklet
Set winBuild at the top of evaluation.ps1 and remediation.ps1 to the Windows 11 release you want pinned. The script default is 25H2; valid values follow the build names on Microsoft's Windows 11 release information page (23H2, 24H2, 25H2)
Deploy the companion Automox "Windows – Feature Upgrades" policy template if you also want the upgrade installed; this Worklet only sets the registry target
After successful remediation, HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate contains ProductVersion = Windows 11 (String), TargetReleaseVersion = 1 (DWORD), TargetReleaseVersionInfo = <winBuild> (String), and DisableWUfBSafeguards = 1 (DWORD). The endpoint returns exit code 0, and the next Automox evaluation reports the endpoint as compliant without re-running remediation. Windows Update for Business will typically begin offering the pinned Windows 11 release within a few hours, though Microsoft does not guarantee a synchronous publish window.
Validate from an elevated PowerShell prompt with Get-ItemProperty -Path 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate' | Select-Object ProductVersion, TargetReleaseVersion, TargetReleaseVersionInfo, DisableWUfBSafeguards. For the in-flight upgrade itself, inspect %windir%\Logs\WindowsUpdate and HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\DisplayVersion after the next Windows Update scan.
Endpoints that fail the evaluation phase exit cleanly without registry edits. Windows 10 endpoints below build 19041 log that they are below the Windows 11 compatibility floor and exit 0. Windows 10 endpoints that fail the PC Health Check log which check failed (TpmEnabled, TPMActivated, TPMVer2.0+, DriveSize > 64GB, RAM > 4GB, Secure Boot) and exit 0 from evaluation or 2 from remediation. Use that log output as the working list of endpoints that need hardware remediation before they can accept the Windows 11 target release.