So, at long last someone did something smart with Windows 10 update. Not exactly breaking news, as it happened a year or so ago, but hey, now I needed it…
Anyhow, it is now possible to freeze a Windows 10 build – you COULD (to some degree) do this before also, but it was anything but trivial.
Anyhow, what you need to do is upgrade your ADMX (Group Policy templates) to 21H1. You do this by downloading them from here;
After unpacking (installing) them, copy them to your DC (most likely here);
And now we are ready to rock 'n' roll.
Open: “Group Policy Management Editor”.
Navigate to: Computer Configuration – Policies – Administrative Templates – Windows Components – Windows Update – Windows Update for Business
Here you select: “Select the target Feature Update version”
Now you can set the “Target Version”:
I would expect this to freeze Windows 10 at the 21H1 version and hopefully block automatic upgrades to Windows 11 – but after the Windows 10 bonanza, who knows.
The above settings will trigger these registry settings on the target machine:
I am not quite sure how these new settings work with existing Windows Update (and/or WSUS) settings; as you may see, we have some WSUS settings below.
One question you may ask yourself: with Windows 11 coming, why bother? Well, there is a reason I am looking at this now, and that is precisely Windows 11. As you may have heard, Windows 11 is about to hit the fan around October 2021, and we DON'T want company machines going berserk upgrading left and right. So I am looking for ways to combat automatic upgrades (you may remember the horrific Windows 10 upgrade circus, where Microsoft did everything but put a gun to your face to trick you into clicking upgrade-now). The above policy ought to help block this (if Microsoft is true to the spirit of the policies).
So what do these new settings mean?
Well, the “TargetReleaseVersion” is more or less a toggle switch that tells Windows you wish to control the Windows version/build, whereas the “TargetReleaseVersionInfo” tells Windows WHICH version you are aiming at.
If you enter a “TargetReleaseVersionInfo” that is higher than the currently installed build, Windows will attempt to upgrade to this build. If you set a version number that is NOT the latest, Windows will attempt to upgrade to this and will stay there at least until “end of service”. It is unclear if Windows will auto-upgrade to a later build after “end of service” is reached, but I suspect not.
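An added example in PowerShell (not from the original post) that reads back the two registry values the policy writes and compares them with the build the machine is actually running. The registry paths and the DisplayVersion/ReleaseId value names are my assumptions about where Windows keeps these, not something the post states:

```powershell
# Added example, not the post author's code: audit the target-version policy on a machine.
# Assumption: the GPO writes its values under the WindowsUpdate policy key below, and the
# installed feature-update name lives in DisplayVersion (20H2+) or ReleaseId (older builds).
function Get-TargetReleasePolicyStatus {
    param(
        # The feature update you intend machines to stay on, e.g. "21H1"
        [Parameter(Mandatory)] [string] $ExpectedVersion
    )

    $policyKey  = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
    $versionKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'

    # Both values are written by "Select the target Feature Update version"
    $policy = Get-ItemProperty -Path $policyKey -ErrorAction SilentlyContinue
    $toggle = $policy.TargetReleaseVersion        # DWORD: 1 = "I want to control the build"
    $target = $policy.TargetReleaseVersionInfo    # REG_SZ: which build, e.g. "21H1"

    $cv = Get-ItemProperty -Path $versionKey
    # DisplayVersion exists from 20H2 onwards; older builds only carry ReleaseId (e.g. "2004")
    $installed = if ($cv.DisplayVersion) { $cv.DisplayVersion } else { $cv.ReleaseId }

    # Only policy misconfiguration is a "problem"; a machine below the target is simply
    # one the policy has not upgraded yet, so that is reported separately.
    $problems = @()
    if ($toggle -ne 1) { $problems += 'TargetReleaseVersion is not 1 (policy inactive)' }
    if (-not $target)  { $problems += 'TargetReleaseVersionInfo is missing (no build pinned)' }
    elseif ($target -ne $ExpectedVersion) { $problems += "Pinned to '$target', expected '$ExpectedVersion'" }

    [pscustomobject]@{
        ComputerName             = $env:COMPUTERNAME
        InstalledVersion         = $installed
        OnTargetBuild            = ($installed -eq $ExpectedVersion)
        TargetReleaseVersion     = $toggle
        TargetReleaseVersionInfo = $target
        PolicyOk                 = ($problems.Count -eq 0)
        Problems                 = ($problems -join '; ')
    }
}

# Run locally; for a fleet, wrap the call in Invoke-Command against your server list.
Get-TargetReleasePolicyStatus -ExpectedVersion '21H1' | Format-List
```

Running this after a gpupdate on a test machine shows whether the GPO actually landed (PolicyOk) before you trust it to hold back a feature update.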
Where can I read about Windows builds available and their status (end of service dates)?
or this link: https://docs.microsoft.com/en-us/windows/release-health/release-information
Anyhow, don't take my word for it alone; here are links to a few other sites on the subject.
Bad news for the Windows server admins: it would appear that a zero-day exploit has surfaced that is extraordinarily bad if you have Domain Controllers with the Print Spooler service running (e.g. printer role). The exploit allows an attacker to execute code as SYSTEM via a normal domain user account. As of this post there is no patch available.
Stop and disable the “Print Spooler” service on servers where it is not required (especially DCs).
Read more here: https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2021-1675
and here: https://www.theverge.com/2021/7/2/22560435/microsoft-printnightmare-windows-print-spooler-service-vulnerability-exploit-0-day
According to people testing the leaked Windows 11 developer build, it seems that the “Blue Screen of Death” is about to become the “Black Screen of Death” when we eventually upgrade to Windows 11. The acronym BSOD will remain the same though 😉 – Source: https://www.bbc.com/news/technology-57695586