Hello Handsome Zhou,
Thank you for posting on the Microsoft Community Forums.
To set the Group Policy on DC to stop clients from upgrading to 24H2 but still allow monthly security patches, you can follow these steps:
- Open the Group Policy Management Console on your DC.
- Create a new Group Policy Object (GPO) or edit an existing one that applies to the clients you want to target.
- Navigate to Computer Configuration > Administrative Templates > Windows Components > Windows Update.
- Locate the policy "Configure Automatic Updates" and enable it.
- Set the "Configure automatic updating" option to "3 - Auto download and notify for install".
- Set the "Allow automatic updates immediate installation" option to "Disabled".
- Set the "Specify deadline before auto-restart for update installation" option to "Enabled" and set the deadline to a time that is convenient for your clients.
- Navigate to Computer Configuration > Administrative Templates > Windows Components > Windows Update > Windows Update for Business.
- Locate the policy "Select the target Feature Update version" and enable it.
- Set the "Target Feature Update version" option to "20H2".
- Click "OK" to save the changes.
These settings will prevent clients from upgrading to 24H2 automatically but still allow monthly security patches to be installed. Clients will be notified when updates are available, but they will not be automatically installed until the user initiates the installation.
Hope it helps.
Best regards,
Lei
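The same settings as an added PowerShell example, not code from the original answer: it writes the registry values that back the Group Policy settings listed above into a GPO with the GroupPolicy (RSAT) module instead of clicking through GPMC, links the GPO, and includes a small check to run on a client afterwards. The GPO name, the OU distinguished name, the product name and the pinned release ("Windows 11" / "23H2") are placeholders I chose for illustration; the pinned release must be the version your clients currently run (or the last one you want them on), and it must belong to the same product as `ProductVersion`.

```powershell
# Added example, not part of the original answer. Run on a DC or a machine with RSAT.
# Assumed values: GPO name, OU path, product name and pinned release are placeholders.
#Requires -Modules GroupPolicy
param(
    [string]$GpoName          = 'WU - Block 24H2, keep security updates',  # assumed
    [string]$TargetOU         = 'OU=Workstations,DC=corp,DC=example',     # assumed
    [string]$ProductName      = 'Windows 11',   # must match what the clients run
    [string]$PinnedVersion    = '23H2',         # release the clients stay on (assumed)
    [int]   $RestartDeadlineDays = 7            # deadline for the auto-restart policy
)

$WU = 'HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
$AU = "$WU\AU"

# Create the GPO if it does not exist yet.
$gpo = Get-GPO -Name $GpoName -ErrorAction SilentlyContinue
if (-not $gpo) { $gpo = New-GPO -Name $GpoName }

# "Configure Automatic Updates" = Enabled, option 3 (auto download, notify for install).
Set-GPRegistryValue -Name $GpoName -Key $AU -ValueName 'NoAutoUpdate' -Type DWord -Value 0 | Out-Null
Set-GPRegistryValue -Name $GpoName -Key $AU -ValueName 'AUOptions'    -Type DWord -Value 3 | Out-Null

# "Allow Automatic Updates immediate installation" = Disabled.
Set-GPRegistryValue -Name $GpoName -Key $AU -ValueName 'AutoInstallMinorUpdates' -Type DWord -Value 0 | Out-Null

# "Specify deadline before auto-restart for update installation" = Enabled, N days.
Set-GPRegistryValue -Name $GpoName -Key $WU -ValueName 'AutoRestartDeadlinePeriodInDays' `
    -Type DWord -Value $RestartDeadlineDays | Out-Null

# "Select the target Feature Update version" = Enabled, pinned to $ProductName $PinnedVersion.
# TargetReleaseVersion=1 turns the policy on; the two strings name the product and release.
Set-GPRegistryValue -Name $GpoName -Key $WU -ValueName 'TargetReleaseVersion'     -Type DWord  -Value 1 | Out-Null
Set-GPRegistryValue -Name $GpoName -Key $WU -ValueName 'ProductVersion'           -Type String -Value $ProductName | Out-Null
Set-GPRegistryValue -Name $GpoName -Key $WU -ValueName 'TargetReleaseVersionInfo' -Type String -Value $PinnedVersion | Out-Null

# Link the GPO to the OU once.
$linked = (Get-GPInheritance -Target $TargetOU).GpoLinks | Where-Object { $_.DisplayName -eq $GpoName }
if (-not $linked) { New-GPLink -Name $GpoName -Target $TargetOU -LinkEnabled Yes | Out-Null }

# Client-side check: run on a workstation after "gpupdate /force" to confirm what applied
# and that the pinned release matches the branch the machine is actually on.
function Test-WUPinPolicy {
    $wu = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate' -ErrorAction Stop
    $au = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU' -ErrorAction Stop
    $running = (Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion').DisplayVersion
    [pscustomobject]@{
        AUOptions          = $au.AUOptions                       # expect 3
        ImmediateInstall   = $au.AutoInstallMinorUpdates         # expect 0
        RestartDeadlineDays= $wu.AutoRestartDeadlinePeriodInDays
        PinnedTo           = "$($wu.ProductVersion) $($wu.TargetReleaseVersionInfo)"
        RunningVersion     = $running
        PinMatchesRunning  = ($wu.TargetReleaseVersionInfo -eq $running)
    }
}
```

Two caveats worth checking before relying on this: `TargetReleaseVersionInfo` must name a release that exists for the product in `ProductVersion` (pinning a Windows 11 client to a Windows 10 release, or to a release older than the one it already runs, does not roll it back and simply leaves it where it is), and a pinned release only holds while it is in support; Microsoft documents that devices are moved forward once the pinned version reaches end of service, so the value needs to be revisited before that date.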