How To Setup, Upgrade From Wsus Windows 10 To Windows 11
Windows Servicing Upgrades from WSUS – Windows 10 & Windows 11
If you are going to handle Windows Servicing Upgrades, known as Windows as a Service
(WaaS), with WSUS, there are some things you need to know. Windows Servicing
(Windows 10 version upgrades:
RTM>1507>1511>1609>1703>1709>1803>1809>1903>1909>2004>20H2>21H1>21H2>22H2,
and Windows 11 version upgrades: 21H2>22H2) is only available with Server 2012
and higher. As of now, Server 2008 and Server 2008R2 are end of life, are not receiving
any security patches, and cannot even synchronize with Microsoft’s systems, as WSUS 3.0
has been deprecated due to its lack of support for TLS 1.2. While it is deprecated and on
an unsupported operating system, it technically can still be used as a downstream
server to a Server 2012+ upstream system, although you should be upgrading your system
to a server version that is in support – preferably the latest, Server 2022.
To do this: Open IIS Manager > Select the server name > From the “IIS” section in the
centre of IIS Manager, open “MIME Types” > Click “Add…” and enter:
File Name Extension: .esd
MIME type: application/octet-stream
If KB3159706 still applies to you and is installed, perform ALL OF THE STEPS BELOW,
including the ones for SSL (which is Microsoft’s best practice anyway; more on that in
Part 7).
The easiest way to deploy these registry keys is by using a Group Policy Preferences
(GPP) Registry Preference Policy with the Action set to Update and with Item-Level
Targeting (ILT) to Operating System – Windows 7, Windows 8 or Windows 8.1 with the
following keys:
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\OSUpgrade]
"AllowOSUpgrade"=dword:00000001
"OSUpgradeInteractive"=dword:00000001
"OSUpgradeRunOnceCount"=dword:00000001
Apply this GPP to your clients that you wish to have updated to Windows 10. Once your
systems have updated to Windows 10, be sure to remove these registry keys. The easiest
way to remove them is to create a new GPP with the Action set to Delete with ILT to
Operating System – Windows 10. You can now apply this and it will delete them from the
updated systems.
Upgrading to Windows 11 from Windows 7 or Windows 8 would also need these keys, but
your systems will likely not meet the new Windows 11 System Requirements (most likely the
Processor requirement), so this upgrade would probably be done through hardware attrition.
Apply this using GPP to your clients if you need to do this to multiple clients at one time.
[HKEY_LOCAL_MACHINE\SYSTEM\Setup\MoSetup]
"AllowUpgradesWithUnsupportedTPMOrCPU"=dword:00000001
After this registry entry is added, your system will now be able to upgrade to Windows 11
even though it doesn’t meet the system requirements. Your system still MUST have a TPM
1.2 chip though.
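A read-only audit for the two registry locations discussed above (the OSUpgrade values that should be deleted after the Windows 10 upgrade, and the MoSetup requirements bypass), added here as an example and not part of the original article. The function name and the wording of the findings are assumptions made for illustration.

```powershell
# Added example (not from the original article). Read-only audit of the
# upgrade-related registry values above; run elevated so Win32_Tpm is readable.
function Get-UpgradeKeyAudit {
    $osUpgradeKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\OSUpgrade'
    $moSetupKey   = 'HKLM:\SYSTEM\Setup\MoSetup'
    $bypassName   = 'AllowUpgradesWithUnsupportedTPMOrCPU'

    # GPP values that should have been deleted once the machine reached Windows 10.
    $leftover = @(foreach ($name in 'AllowOSUpgrade', 'OSUpgradeInteractive', 'OSUpgradeRunOnceCount') {
        $item = Get-ItemProperty -Path $osUpgradeKey -Name $name -ErrorAction SilentlyContinue
        if ($null -ne $item) { $name }
    })

    # Is the Windows 11 requirements bypass set on this machine?
    $moSetup = Get-ItemProperty -Path $moSetupKey -Name $bypassName -ErrorAction SilentlyContinue
    $bypass  = ($null -ne $moSetup) -and ($moSetup.$bypassName -eq 1)

    # Win32_Tpm.SpecVersion is a string such as "2.0, 0, 1.38"; the first field is the version.
    $tpm = Get-CimInstance -Namespace 'root\cimv2\Security\MicrosoftTpm' -ClassName Win32_Tpm -ErrorAction SilentlyContinue
    $tpmVersion = if ($tpm) { ($tpm.SpecVersion -split ',')[0].Trim() } else { 'none' }

    $os = Get-CimInstance -ClassName Win32_OperatingSystem
    $isWin10OrLater = ([version]$os.Version).Major -ge 10

    $findings = @()
    if ($isWin10OrLater -and $leftover.Count -gt 0) {
        $findings += "OSUpgrade values still present after upgrade: $($leftover -join ', ')"
    }
    if ($bypass -and $tpmVersion -eq 'none') {
        $findings += 'Bypass is set but no TPM was found; the upgrade still needs TPM 1.2'
    }
    if ($bypass -and $tpmVersion -ne 'none') {
        $findings += "Bypass is set; this machine can upgrade without meeting the Windows 11 requirements (TPM $tpmVersion)"
    }

    [pscustomobject]@{
        ComputerName = $env:COMPUTERNAME
        OS           = "$($os.Caption) ($($os.Version))"
        TpmVersion   = $tpmVersion
        BypassSet    = $bypass
        Findings     = $findings
    }
}

Get-UpgradeKeyAudit | Format-List
```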
3. Install the ‘HTTP Activation’ feature under .NET Framework 4.5 Features using an
Administrative PowerShell prompt:
Get-WindowsFeature -Name NET-WCF-HTTP-Activation45 | Add-WindowsFeature -Restart:$False -Verbose -Source 'Windows Update'
bindingConfiguration="ClientWebServiceBinding"
contract="Microsoft.UpdateServices.Internal.IClientWebService" />
<endpoint address="secured"
binding="basicHttpBinding"
bindingConfiguration="ClientWebServiceBinding"
contract="Microsoft.UpdateServices.Internal.IClientWebService" />
</service>
</services>
<serviceHostingEnvironment aspNetCompatibilityEnabled="true"
multipleSiteBindingsEnabled="true" />
5. Restart WSUS Services
Get-Service -Name WsusService | Restart-Service -Verbose
https://docs.microsoft.com/en-US/troubleshoot/windows-client/group-policy/create-and-manage-central-store
Get the latest one, even if it’s not for the OS you are installing. These are backwards
compatible and cumulative, meaning that the latest one will have all the updates from each
of the preceding ADMX files. Install these Administrative Templates in your Central
PolicyDefinitions folder on your Domain Controller.
1. When you download the Administrative Templates installer, install the definition files
locally on your workstation. It will install the files to a folder in
C:\Program Files (x86)\Microsoft Group Policy\[Downloaded Version]\PolicyDefinitions\.
Open this folder, copy all admx files (in the root folder) and the appropriate language
folder (e.g. en-US), and paste them into a temporary folder on your Domain Controller
(like C:\Temp\NewPolicyDefinitions).
2. Take a backup of your existing policies in case you need to revert them later for
whatever reason. Copy the entire PolicyDefinitions folder from your domain controller’s
C:\Windows\SYSVOL_DFSR\domain\Policies\PolicyDefinitions
(\\domain.com\SYSVOL\domain.com\policies\PolicyDefinitions) to another folder like
C:\Temp and rename the folder to the current date.
3. Take the admx files and the language folder you copied to
C:\Temp\NewPolicyDefinitions and COPY (not move) them, and paste them into
C:\Windows\SYSVOL_DFSR\domain\Policies\PolicyDefinitions, overwriting files as
required. Do not worry, these Administrative Templates are inclusive of all the prior
versions of Windows but now with updated descriptions and “applies to” fields that are
actually very good and very accurate. Delete the files and folders in
C:\Temp\NewPolicyDefinitions to finish the cleanup.
4. Uninstall the Administrative Templates from your local workstation as you no longer
require this to be installed.
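Steps 2 and 3 above as a script, added here as an example and not part of the original article. It uses the paths named in the steps and adds one check the steps do not mention: it compares SHA-256 hashes of the staged and copied files before deleting the staging folder. The function and parameter names are assumptions.

```powershell
# Added example (not from the original article): steps 2 and 3 as a script,
# run elevated on the domain controller. Paths are the ones used in the steps.
function Update-CentralStore {
    param(
        [string] $Central    = 'C:\Windows\SYSVOL_DFSR\domain\Policies\PolicyDefinitions',
        [string] $Staging    = 'C:\Temp\NewPolicyDefinitions',
        [string] $Language   = 'en-US',
        [string] $BackupRoot = 'C:\Temp'
    )
    $ErrorActionPreference = 'Stop'

    # Step 2: back up the current central store to a folder named for today's date.
    $backup = Join-Path $BackupRoot (Get-Date -Format 'yyyy-MM-dd')
    if (Test-Path $backup) { throw "Backup folder $backup already exists; not overwriting it." }
    Copy-Item -Path $Central -Destination $backup -Recurse

    # Step 3: copy (not move) the root .admx files and the language folder's .adml files.
    $langSource = Join-Path $Staging $Language
    $langTarget = Join-Path $Central $Language
    New-Item -ItemType Directory -Path $langTarget -Force | Out-Null
    Copy-Item -Path (Join-Path $Staging '*.admx')    -Destination $Central    -Force
    Copy-Item -Path (Join-Path $langSource '*.adml') -Destination $langTarget -Force

    # Verify each staged file arrived intact before the staging copy is deleted.
    $staged = @(Get-ChildItem -Path $Staging -Filter '*.admx' -File) +
              @(Get-ChildItem -Path $langSource -Filter '*.adml' -File)
    $bad = @(foreach ($file in $staged) {
        $relative = $file.FullName.Substring($Staging.Length).TrimStart('\')
        $target   = Join-Path $Central $relative
        $same = (Test-Path $target) -and
                ((Get-FileHash $file.FullName -Algorithm SHA256).Hash -eq
                 (Get-FileHash $target -Algorithm SHA256).Hash)
        if (-not $same) { $relative }
    })
    if ($bad.Count -gt 0) { throw "Central store differs from staging: $($bad -join ', ')" }

    # Finish the cleanup from step 3 and report what was done.
    Remove-Item -Path (Join-Path $Staging '*') -Recurse -Force
    [pscustomobject]@{ Backup = $backup; FilesCopied = $staged.Count }
}

Update-CentralStore
```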
1. Re-create the GPO policy from scratch. Sometimes the easiest way is to simply re-
create the policy copying the settings from the old policy manually into the new one,
applying it, and deleting the old policy.
2. Put back the original ADMX templates that you set these policies on and adjust the
policy to Not Configured. This is why you should keep backups of your
PolicyDefinitions folder: you may end up needing a working copy of what you had
before, especially if you are adding custom ADMX files to the central store.
3. Use PowerShell from a workstation with GPMC to remove the values from the GPO,
making sure it is running as a user that has modify permissions on the GPO.
Using the GPMC settings report, you will see the registry key and value to remove under
the “setting” column in the report.
If the setting is under the User Configuration portion of the GPO, it will relate to the hive
HKEY_CURRENT_USER (HKCU).
If the setting is under the Computer Configuration portion of the GPO, it will relate to the
hive HKEY_LOCAL_MACHINE (HKLM).
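One way to do option 3 with the GroupPolicy module that ships with GPMC, added here as an example and not part of the original article. The function name is an assumption, and the GPO name, key path and value name in the call are placeholders to be replaced with what your GPMC settings report shows.

```powershell
# Added example (not from the original article). The GPO name, key path and
# value name in the call at the bottom are placeholders, not real settings.
Import-Module GroupPolicy

function Remove-StaleGpoValue {
    param(
        [Parameter(Mandatory)] [string] $GpoName,
        [Parameter(Mandatory)] [ValidateSet('Computer', 'User')] [string] $Configuration,
        [Parameter(Mandatory)] [string] $KeyPath,    # key below the hive, from the settings report
        [Parameter(Mandatory)] [string] $ValueName,
        [Parameter(Mandatory)] [string] $BackupPath  # existing folder for the GPO backup
    )
    # Computer Configuration maps to HKLM, User Configuration to HKCU.
    $hive = if ($Configuration -eq 'Computer') { 'HKLM' } else { 'HKCU' }
    $key  = "$hive\$KeyPath"

    # Confirm the value is really set in this GPO before changing anything.
    try {
        $current = Get-GPRegistryValue -Name $GpoName -Key $key -ValueName $ValueName -ErrorAction Stop
    } catch {
        Write-Warning "Nothing removed from '$GpoName': $($_.Exception.Message)"
        return $false
    }
    Write-Verbose "Found $($current.FullKeyPath)\$($current.ValueName) = $($current.Value)"

    # Keep a restorable copy, then remove only that one value.
    Backup-GPO -Name $GpoName -Path $BackupPath -Comment "Before removing $key\$ValueName" | Out-Null
    Remove-GPRegistryValue -Name $GpoName -Key $key -ValueName $ValueName | Out-Null
    return $true
}

Remove-StaleGpoValue -GpoName 'PLACEHOLDER GPO NAME' -Configuration Computer `
    -KeyPath 'Software\Policies\PLACEHOLDER\Key' -ValueName 'PlaceholderValue' `
    -BackupPath 'C:\Temp'
```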
Essentially, it is creating the appropriate folder on the domain controller, placing the
admx/adml files into it, and that is it. GPMC.msc and Windows DFSR handle the rest
(DFS replication of SYSVOL to other domain controllers). If you have not set up DFS
Replication and are still on an older 2008R2 or lower FRS methodology, first migrate to
DFSR for SYSVOL.