Unvoluntary update to Windows 11 24H2

Topic

New Reply

Got a nasty surprise this morning, logging on to my office pc. It had updated from Windows 10 to Windows 11 24H2. In fact _all_ pc’s in the domain had updated from Windows 10 to 11. I thought domain-joined pc’s wouldn’t do this on their own. And I have a group policy ‘Select the target Feature Update version’ set at Windows 10, 22H2, so this should keep the machines at that version. In theory.

So I wonder what happened?

 

1 user thanked author for this post.

Alex5723

Reply | Quote

Replies

what editions of Windows do you have installed on those PCs, Simon?

should have also used GRC’s InControl app along with setting that “group policy” to ensure those PCs do not get unexpectedly updated to Win11 24H2

AND NOT let that KB4023057 update health tools thing and the KB5001716 update (like block/hide any version of KB4023057 and KB5001716) get installed at all

Reply | Quote

I had / have Windows 10 22H2 installed.

Regarding my initial post – I was wrong about _all_ machines. It’s about half/half, adding to the mystery. Batches of the exact same make and model – some got Windows 11 and some stayed on Windows 10. Had a talk to a supplier and he sees the same thing with his clients. Some machines get kicked to Windows 11 and some not.

Is this Microsoft at play?

Reply | Quote

When I’ve seen this occur before there was

a. a WSUS server that had an approval of the next feature release done inadvertently

b. or — group policy wasn’t controlling machines as they thought.

How to use RSoP to check and troubleshoot group policy settings – Active Directory Pro

When it comes to Microsoft updating I have honestly never seen them override a setting IF it was set right and everything was honky dory in the network.  I have seen updating happen when the settings just weren’t quite right and after time was spent digging to the settings it was found that something was overlooked.

Remember you have 10 days to roll back.

Susan Bradley Patch Lady/Prudent patcher

Reply | Quote

Or

C did people get a “grab the focus” pop up and they approved it? It shouldn’t have done it with 22H2 feature release setting… but….

Susan Bradley Patch Lady/Prudent patcher

Reply | Quote

again, check if Microsoft Update Health Tools is installed or not on those PCs

how to remove kb4023057 it will not install on my PC? – Microsoft forum

when the KB4023057 Update Health Tools & KB5001716 updates are installed, it’s “fair game” for Microsoft to update PCs with KB4023057 & KB5001716 updates installed without any user intervention to newer Windows version

need to hide/block both the KB4023057 and KB5001716 updates in order to keep the currently installed Windows version

Reply | Quote

You can’t use that tool in a domain setting.

Susan Bradley Patch Lady/Prudent patcher

Reply | Quote

again, check if Microsoft Update Health Tools is installed or not on those PCs

They are not installed on the Windows 10 machines. For the machines migrated to Windows 11, I don’t see them either, but maybe they have been removed as part of the migration?

Reply | Quote

a. a WSUS server that had an approval of the next feature release done inadvertently

b. or — group policy wasn’t controlling machines as they thought.

Well that’s the thing – all machines use the same policies?

Could very well be there’s a setting incorrect; I wonder which settings I have to check?

Reply | Quote

Can you run the tool?

Susan Bradley Patch Lady/Prudent patcher

Reply | Quote

Can you run the tool?

You mean RSoP? Displays the same policy settings for both Windows 10 and 11.

Reply | Quote

Which is?  What I’m looking for is if there is a setting that is overriding the feature release setting.

Susan Bradley Patch Lady/Prudent patcher

Reply | Quote

The Windows Update policy in the attachment. It hasn’t changed for years.

Reply | Quote

https://learn.microsoft.com/en-us/windows/deployment/update/waas-wufb-group-policy

I’ve seen folks connect a machine to Intune and Intune takes over the settings.

Susan Bradley Patch Lady/Prudent patcher

Reply | Quote

1. The group policy should appear like this in the registry of each desktop.

HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate

How does it look in the machines that did and didn’t upgrade?

2. Are you using a third-party patching tool? I had this happen on one machine when N-able RMM incorrectly overrode those registry settings and forced an upgrade.

Reply | Quote

Are these Dell computers? What models? See

https://www.dell.com/community/en/conversations/xps/windows-11-24h2-upgrade-killed-pin-login-entra-id-mess-anyone-else/67d14a7eb041596ebbfcd124

Reply | Quote

 I had this happen on one machine when N-able RMM incorrectly …

Funny you should mention. We’re about to undertake some drastic changes this year. Like migrating our on-premise Exchange 2016 server to Exchange Online; a new Windows server running Window Server 2022 / 2025 and incorporating a bunch of online services like Intune. And moving Windows 10 to 11.

The Microsoft online stuff is quite convoluted and not done in a rainy afternoon, so I decided to call in outside help. A couple of companies inventoried the whole network. And one of them used N-able stuff. And wouldn’t you know – the Windows 11-thing started the next day after they ran their N-able Agent. But they insured me the update wasn’t triggered by their software.

I doubt that. It seems too much of a coincident. And having ruled out things like a mis configured group policy, it more and more points to that N-able Agent. But I can’t prove it.

Machines involved are indeed Dell machines, but not the ones mentioned in the article. We use Precision 3630, 3640, 3650 and 3660 machines. Most of them run Windows 11 by now, but at least one of each type still runs Windows 10.

Now I must say – the migration was as smooth as a babies bottom. No problems with hardware / drivers / applications whatsoever. It’s personal things like the Explorer Shortcut menu and the ‘you can have your taskbar anywhere as long as it’s the bottom of the screen’ that annoy people. Most of those things are solvable, except the Taskbar.

So while I don’t like such uncontrolled upgrades, I’m pleasantly surprised it all went so well…

Reply | Quote

If they installed N-able N-sight Patch Management (an optional feature) and their patch policy approved the Win11 upgrade, I would say it could be related. I went through an extensive support case last fall trying to track down a Win11 upgrade that I did NOT approve in policy. In the end, N-able said the logs were inconclusive and I would need to duplicate the issue.

The almost-smoking gun IMO are entries in QueryManager.log like this showing that N-able N-sight manipulates the registry keys I mentioned in my previous post. In other words, they intentionally override the group policy settings so they can control the updates:

[11] 2024-09-11 03:26:30,573 DEBUG RestoreRegKey => restoring registry key: [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\ProductVersion] with data [Windows 10]
[11] 2024-09-11 03:26:30,573 DEBUG RestoreRegKey => restoring registry key: [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\TargetReleaseVersion] with data [1]
[11] 2024-09-11 03:26:30,573 DEBUG RestoreRegKey => restoring registry key: [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\TargetReleaseVersionInfo] with data [22H2]

1 user thanked author for this post.

Simon_Weel

Reply | Quote