I am having issues with users not being able to upgrade to the next version of Windows 11. It seems the version they are on (21H2) is end of service. I did have a GPO set with Windows 10 at 22H2 to try and prevent certain Windows 10 computers from upgrading to Windows 11. I couldn’t figure out how to add Windows 11 to the same GPO so I created another with Windows 11 being the product version and 23H2 being the target version. We are not using WSUS.
The only way I have been able to update these is to log in as the admin, install the Windows 11 update assistant and run it. It fails at first and I have to install the Windows PC Health Check setup, run it, only for it to tell me “Your organization manages updates on this PC”. Then I can refresh the update assistant and it will run. Does anyone know what I could be doing wrong here? Do I need to push out the WindowsPCHealthCheckSetup.msi via GP to all the computers? When the user clicks to check for updates the only thing they receive is “You’re up to date” but there is a red exclamation point and below it says “Your device is missing important security updates. Make sure to keep your device on and plugged in so updates can complete.” However, it never completes.

6 Spice ups

It could be a number of things. If you’re not using WSUS, that makes it a little easier, but have you tried putting a machine in an OU where your W11 policy doesn’t apply and seeing how a device behaves?

Have you looked in event logs or the windowsupdatelog?

Get-WindowsUpdateLog

Do the devices meet the requirements or have they been modified to work?

Are updates paused?

3 Spice ups

I have not tried moving a device to another OU where the policy isn’t applied but I will try that next.
I have attached the Windows update log. There seem to be a lot of failures.
Yes, the devices came preloaded with Windows 11 Pro.
No, updates are not paused.
WindowsUpdate.txt (3.5 MB)

1 Spice up

Ignoring: Cert is not within its validity period when verifying against the current system clock

For this one, I would ensure the date and time are correct against an online time source; if the time or date is in the future, updates won’t work.

If you are proxying traffic or have a UTM/Firewall with SSL inspections, make sure the cert is valid or this is disabled for MS websites.

2 Spice ups

The 3 commonly set blocking keys to check:

TargetReleaseVersion
ProductVersion
TargetReleaseVersionInfo

Any of these will break updates…

(and yeah, it gets wonky, I am starting to have to deal with this now on machines that people blocked from updates with weird utilities…)

4 Spice ups

I have had a big issue with this 22h2/23h2/24h2 rubbish …

As I decided my machine did not work with said updates, I decided to stay on 22H2 and sod the rest till it’s fixed …

Then MS decided to tell me that MSWUS would not move forward and bring me up to date when I thought all was good, and the only fix for this was to D/L the latest vers of my O/S, which was 24H2, otherwise they would not support my version of Windows, so …

Go D/L the latest and install it … might not be what you want, but you won’t go any further with support unless you do …

This is what happens when you tell MS to go fart until you are happy, and by then they tell you to fart elsewhere unless you comply?

Have fun bro … it works for me - choice is yours ;0)

Hi jeremycrites,

I see two options:

(1) You can try forcing the update by going to Microsoft and downloading the Windows 11 Installation Assistant here:

https://www.microsoft.com/en-us/software-download/windows11

(2) There are times when Microsoft knows of hardware compatibilities and will block your access to the update, but going by your error message you’ve got an update system that is blocking the update. This could be WSUS, or a third party remote management system such as N-able RMM / N‑sight.

You can turn this off by going to these registry keys and deleting them, but then you’d lose the ability to stop bad patches with your patch management system.

Go to this location:

HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\

And delete the whole folder called ‘WindowsUpdate’ which controls the auto-update feature.

Deploy this registry change, HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate
TargetReleaseVersion (set to 1 to target a specific version)
TargetReleaseVersionInfo (ensure it matches 23H2 or 24H2 for Windows 11)

Check Update channel,
Computer Configuration > Administrative Templates > Windows Components > Windows Update for Business > Select when Preview Builds and Feature Updates are received

1 Spice up
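
A read-only way to see what the policy values named in this thread actually are on an affected PC, as an added example that is not from any poster here. The registry path and value names are the ones quoted above; the function names and the build-number test for Windows 11 (build 22000 or higher) are assumptions of this sketch.

```powershell
# Added example: read-only audit of the feature-update pin values discussed above.
$policyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
$osKey     = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'

function Get-FeatureUpdatePin {   # hypothetical helper name
    $os = Get-ItemProperty -LiteralPath $osKey
    $report = [ordered]@{
        # ProductName in this key is unreliable on Windows 11, so use the build number
        InstalledProduct = if ([int]$os.CurrentBuild -ge 22000) { 'Windows 11' } else { 'Windows 10' }
        InstalledRelease = $os.DisplayVersion
        PolicyKeyPresent = Test-Path -LiteralPath $policyKey
    }
    $policy = if ($report.PolicyKeyPresent) { Get-ItemProperty -LiteralPath $policyKey }
    foreach ($name in 'TargetReleaseVersion', 'ProductVersion', 'TargetReleaseVersionInfo') {
        # A value that is not set is reported as $null instead of raising an error
        $prop = if ($policy) { $policy.PSObject.Properties[$name] }
        $report[$name] = if ($prop) { $prop.Value } else { $null }
    }
    [pscustomobject]$report
}

function Test-FeatureUpdatePin {  # hypothetical helper name
    param($Pin)
    if (-not $Pin.PolicyKeyPresent) {
        return 'No WindowsUpdate policy key: no target release is set by policy.'
    }
    $findings = @()
    if ($Pin.TargetReleaseVersion -ne 1) {
        $findings += 'TargetReleaseVersion is not 1: the target-version policy is not enabled.'
    }
    if ($Pin.ProductVersion -and $Pin.ProductVersion -ne $Pin.InstalledProduct) {
        $findings += "ProductVersion '$($Pin.ProductVersion)' does not match the installed $($Pin.InstalledProduct)."
    }
    if ($Pin.TargetReleaseVersionInfo -and $Pin.TargetReleaseVersionInfo -eq $Pin.InstalledRelease) {
        $findings += "Target release equals the installed release ($($Pin.InstalledRelease)): no newer feature update is targeted."
    }
    if (-not $findings) { $findings = 'Target values are set and point at a different release than the one installed.' }
    $findings
}

$pin = Get-FeatureUpdatePin
$pin | Format-List
Test-FeatureUpdatePin -Pin $pin
```

If the values shown are not the ones the Windows 11 GPO is meant to set, `gpresult /r /scope computer` lists which GPOs were actually applied to the machine.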

How many computers do you need to update? I have recently seen this too - 24H2 does not show up when trying to run Windows Updates. My fix: downloaded the 24H2 ISO and started updating manually. At this point I need to update about 25 laptops. So, it won’t take too long.