TL;DR
- WSUS remains a supported Windows Server role, allowing organizations to centrally download, approve, and distribute Windows 11 updates while reducing internet bandwidth and maintaining administrative control over patch deployment.
- The Windows 11 update process with WSUS includes synchronizing updates from Microsoft, organizing devices into computer groups, approving updates, deploying them through Group Policy, monitoring installation status, and generating compliance reports.
- Successful Windows 11 update management requires proper WSUS configuration, client-side Group Policy settings, update classifications, maintenance routines, and regular database cleanup to maintain performance and reliability.
- Organizations should understand WSUS limitations, including Microsoft’s deprecation announcement, Windows-only support, reliance on on-premises infrastructure, limited automation, and lack of native cloud management for remote devices.
- Modern endpoint management platforms can address these limitations by providing cloud-native patch management, automated third-party application updates, vulnerability remediation, real-time reporting, remote endpoint management, and support for hybrid work environments.
- The guide also covers WSUS architecture, installation requirements, synchronization settings, client configuration, troubleshooting common Windows 11 update issues, reporting capabilities, security considerations, and migration planning for organizations evaluating modern alternatives.
Windows Server Update Services (WSUS) is a Microsoft update management solution that enables organizations to download, approve, and distribute Windows updates from a centralized server instead of allowing every Windows endpoint to connect directly to Microsoft update servers over the internet. While Microsoft has formally announced the deprecation of WSUS, it remains fully supported on Windows Server 2022 and Windows Server 2025 as a server role; however, no further feature development for WSUS will be available. WSUS is a free solution available as a server role on Windows Server products; it synchronizes update metadata and content files from Microsoft’s servers to a local Windows Internal Database (WID) or a dedicated SQL database (SUSDB). Then Administrators approve updates for their target Windows endpoint fleet, and updates are distributed through either Group Policy or registry-based configurations. WSUS enables administrators to control which updates are approved, when they are deployed, and to which computer groups, providing granular control over patch management. For example, administrators can approve a cumulative update for a pilot group of Windows 11 test machines before rolling it out to production endpoints.
Despite newer cloud-native alternatives from Microsoft being available, WSUS is widely used because it’s free, already available as a server role on Windows servers, and doesn’t require additional licensing or infrastructure costs. This guide explains the complete process of managing Windows 11 updates with WSUS, from the requirements phase to approve/deploy, automation with PowerShell, deployment strategies, and troubleshooting techniques.
Requirements for Windows Client Servicing with WSUS
Before deploying Windows 11 updates through WSUS, administrators must verify that both the WSUS infrastructure and client devices meet Microsoft’s requirements for this update’s deployment model, i.e., the WSUS host server OS must run an active, fully supported version of Windows Server, such as Windows Server 2019, 2022, or 2025. Managing Windows 11 clients from a legacy or extended-support server, such as Windows 2016 or 2012, can result in severe performance problems and service failures due to outdated IIS web handling components. Apart from compatibility, the WSUS server must also be patched with the latest monthly cumulative security updates to ensure it has the structural updates necessary to decrypt and process modern operating system updates.
WSUS downloads metadata only for products that administrators explicitly select for synchronization. To service Windows 11 devices, the Windows 11 product category must be enabled; otherwise, Windows 11 updates will never appear in the WSUS console regardless of successful synchronization.
To deliver Windows 11 feature updates and version-to-version upgrades through WSUS, administrators must enable the upgrades and update classifications. Upgrade classifications cover Windows 10 to 11, Windows 11 to 11, and package-based upgrades. Similarly, Update classifications such as “Security Updates” and “Critical Updates” must be enabled. “Definition updates” and “Update Rollups” must also be explicitly enabled. The “Upgrades” classifications are responsible for downloading the feature packages that transition an existing OS build to a new build, such as upgrading an endpoint from Windows 11 23H2 to 24H2 or 25H2. Leaving the Upgrades option unchecked is one of the most common reasons admins do not see Windows 11 feature updates in the WSUS console, even after full synchronization completes successfully.
Alongside classifications, the correct product category must be selected for the applicable “Windows 11 client” product for the target OS versions and any associated upgrade or driver product needed to support the in-place upgrades. As WSUS product entries are versioned per OS release, e.g., 23H2, 24H2, 25H2, administrators must add newer product categories as Microsoft ships them; otherwise, upgrade-eligible OS builds will silently stop appearing. This process differs from Windows 10, where the product list was stable for years with no newer version-specific entries getting added. For example, administrators only syncing “Windows 11, version 24H2” will never see a 25H2 upgrade package until the specific product category is enabled and synchronized.
Beyond Server-side configuration, client computers must also meet Microsoft hardware baseline requirements, including a 64-bit processor, at least 4 GB of RAM, 64 GB of disk space, and a Trusted Platform Module (TPM) 2.0 chip with UEFI Secure Boot enabled at the firmware level. As WSUS cannot bypass these requirements, a device that is not eligible for Windows 11 will not receive the upgrade, regardless of its update approval status. Apart from basic Windows 11 requirements, endpoints should be joined to the organization’s management environment, such as Active Directory, to get Group Policy updates for up-to-date Server configuration, proper network connectivity, DNS resolution, and correct Windows Update policy settings. Misconfigured clients may not connect to the correct WSUS server to scan for or install approved updates. Verifying client readiness before updates deployment reduces installation failures and reporting inconsistencies.
| Requirement | Windows 10 | Windows 11 |
| Supported WSUS server |
Supported WSUS on supported Windows Server versions with current updates i.e. 2016, 2019, 2022 Windows servers |
Supported WSUS on supported Windows Server versions with current updates; keeping the server fully patched is especially important for modern feature updates i.e. 2019, 2022, 2025 Servers |
| Product selection | Enable the Windows 10 product category | Enable the Windows 11 product category; enable both categories if managing mixed environments. New version-specific product entries added per release (23H2, 24H2,25H2) — must be enabled as released |
| Hardware eligibility check | Standard Windows 10 hardware compatibility | Strict enforcement of TPM 2.0, Secure Boot, supported CPU list |
| Required Classifications | Security Updates, Critical Updates, and Upgrades. | Security Updates, Critical Updates, and Upgrades. |
| Delivery Framework | Utilizes standard cabinet (.cab) and file compression delivery. | Core dependencies rely on Unified Update Platform (UUP) and .esd files. |
Approve and Deploy Windows 11 Feature Updates
Approving Windows 11 feature updates is one of the most important administrative tasks in WSUS because feature updates are significantly larger and more time-consuming than monthly cumulative updates. Choosing an approval method for Windows 11 updates should be based on the Windows device fleet and risk tolerance rather than convenience alone, since update failure rates differ across approval methods, such as automatic approval rules, manual approval, and forced deployment deadlines. Auto-approval rules require less manual effort from administrators, but they provide minimal control over staged deployments or rolling back updates. The manual approval process provides maximum control and is suitable for mid-level to large fleets. It does not guarantee successful installation unless paired with deployment deadlines, as users can indefinitely defer or ignore the “Restart required” prompt after an update is installed.
Automatically Approve and Deploy Feature Updates
Automatic approval allows WSUS to approve eligible updates immediately after synchronization from Microsoft update servers, based on predefined rules. Administrators can configure auto-approval rules within the WSUS Administration Console by selecting the desired classification, products, and target computer groups.
Configure Automatic Approvals with the following steps:
- Open the WSUS administration console, expand Options, and select Automatic Approvals.
- Create a new approval rule, select the Upgrades classification and Windows 11 product category.
- Choose the computer groups that should automatically receive approvals.
- Save the rule and run it after a successful synchronization interval.
Applying automatic approval rules to major operating system upgrades across the organization may represent a significant risk, because feature updates replace the underlying core system files and trigger automatic system reboots on hundreds or thousands of endpoints. In large organizations, automatically approving an operating system upgrade without proper testing can affect thousands of computers simultaneously. If any compatibility issue occurs, it may result in significant helpdesk tickets and production downtime. In enterprise environments, automatic approvals are most commonly applied to quality updates, while feature update deployments are manually controlled.
Manually Approve and Deploy Feature Updates
The manual approval process gives administrators complete control over when and where Windows 11 feature updates are deployed. Instead of immediately auto-approving an update after synchronization, an administrator reviews the available feature update, selects the appropriate computer group, and approves deployment in stages. This process significantly reduces organizational risk because compatibility testing can be completed before production devices receive the update.
Steps to manually approve a feature update:
- Open the WSUS administration console, navigate to Updates and then All updates.
- Filter updates by upgrades and locate the required Windows 11 feature update.
- Right-click on the update and select Approve.
- Then choose a pilot computer group (to run the updates on test devices first).
- Monitor installation success and user feedback.
- Approve the same update again for additional production groups after successful validation of the update on the pilot group.
A staged deployment process allows administrators to test and detect driver conflicts, application compatibility issues, or deployment failures before the update is rolled out across the organization. After validating successful installation and stable system performance in the pilot group, administrators can gradually deploy it to other computer groups until the update is deployed across all managed endpoints. For example, administrators first deploy Windows 11 version 25H2 to 30 pilot computers before approving the update for 2000 production devices.
| Feature | Auto-Approve | Manual Approve | WSUS Deadline |
| How it works | Automatically approves updates based on predefined rules immediately after synchronization. | Administrator reviews, tests, and manually approves each update before deployment. | The administrator approves updates and sets a deadline by which clients must automatically install them. |
| Administrator involvement | Very Low | High | Moderate |
| Deployment speed | Fastest | Slowest | Fast but controlled |
| Control over updates | Limited | Maximum | High |
| Compliance enforcement | Limited | Depends on administrator action | Strong because updates become mandatory after the deadline |
| Best suited for | Small businesses and standard workstation updates | Critical servers, regulated industries, and change-controlled environments | Medium to large enterprises with compliance or security requirements |
| Risk of deploying a problematic update | High | Low | Medium |
| Risk Rating – Mid-size (101–3,000 endpoints) | Medium Risk | Low Risk | Low Risk |
| Risk Rating – Large (3,000+ endpoints) | High Risk | Medium Risk | Low Risk |
Setting WSUS Deadlines to Force Installation
Approving an update alone does not force installation because Windows clients may wait for a maintenance window or user interaction. WSUS deadlines allow administrators to specify the exact date and time by which an approved feature update must be installed. Once the deadline is reached, Windows attempts to install the approved upgrade automatically according to the policy, even if the user has not selected the Install Now option. This approach is particularly important when organizations need every managed device to complete an operating system upgrade within a defined period of time for compliance purposes.
Configure a WSUS Installation deadline through the following steps:
- Open the WSUS Administration Console, locate the required Windows 11 feature update.
- Right-click the update and select Approve.
- Select the appropriate computer group.
- Choose Install as the approval action.
- Configure a deadline by specifying the required installation date and time.
- Apply the approval and allow clients to detect the updated deployment policy.
While deadlines guarantee high patch compliance, they can introduce user experience issues by forcibly interrupting user productivity. When the deadline expires, Windows 11 triggers the installation script and does not allow users to defer or ignore it. It is recommended to schedule deadlines outside of business hours to minimize downtime and productivity interruption. For example, IT sets a Friday evening deadline for updates so that all approved Windows 11 feature updates install automatically over the weekend before employees return on Monday.
PowerShell Commands and Silent Deployment Issues
Administrators also use PowerShell modules such as PSWindowsUpdate to automate Windows patch installation, but Windows 11 feature updates behave differently from standard security or quality updates. Feature updates are published by WSUS under “Upgrades” classification and are processed through the Windows Update servicing engine rather than as ordinary software updates. As a result, commands such as Get-WindowsUpdate and Install-WindowsUpdate may successfully install monthly patches but fail to trigger an operating system upgrade delivered through WSUS. To programmatically force a silent Windows 11 feature update installation from WSUS, administrators must leverage the native Windows Update client binaries built into the operating system via command line.
Common Windows Update commands
# Start a scan for updates
UsoClient StartScan
# Download approved updates
UsoClient StartDownload
# Begin installation
UsoClient StartInstall
# Refresh Windows Update detection (legacy)
wuauclt /detectnow
# Report status back to WSUS (legacy)
wuauclt /reportnow
These Windows native commands force the local agent to bypass standard idle timers and connect directly to the defined intranet WSUS path, scan the approved upgrade metadata, and immediately begin downloading the modern UUP payload files. For example, after approving a Windows 11 feature update in WSUS, an administrator runs the “UsoClient StartScan” command, followed by “UsoClient StartInstall,” at an elevated command prompt to initiate detection and installation, allowing the Windows operating system to complete the upgrade according to its servicing rules.
WSUS Scalability and Architecture
As the organization grows, a single WSUS server may no longer provide the performance, bandwidth efficiency, or administrative flexibility required to manage hundreds or thousands of Windows devices. WSUS supports scalable deployment architectures that allow administrators to distribute update content across multiple WSUS servers while maintaining centralized control over approvals and synchronization from Microsoft servers. One or more WSUS servers act as upstream servers that connect with Microsoft Update servers and synchronize updates, whereas multiple downstream servers connect to upstream servers to download update metadata, approvals, or update files on the intranet and distribute updates to clients in their network segments. Organizations with multiple regional offices commonly deploy downstream servers to improve update performance and reduce WAN bandwidth consumption. Downstream servers can be configured as either “replica” or “autonomous” mode, which fundamentally changes how administrators control each site and update configurations.
Replica mode is a special downstream WSUS configuration in which the downstream server copies not only update metadata but also computer groups, approvals, and administrative settings from the upstream server. Administrators cannot independently approve or decline updates on a replica server because all management decisions are inherited from the parent WSUS server. This approach ensures consistent update policies across every site while reducing administrative overhead. Replica mode is ideal when branch offices require local distribution of updates, while centralized control must remain on the headquarters server. Unlike replica WSUS downstream servers, autonomous downstream servers synchronize updates from an upstream server but maintain their own approval settings and computer groups. Site administrators can decide which updates to approve and what to approve, allowing each location to follow its own maintenance schedule or testing process.
Selecting the appropriate WSUS architecture depends on the organization’s size, geographic distribution, available bandwidth, and administrative model. Small organizations with a single office typically require only one WSUS server, while enterprises with multiple locations can benefit from upstream and downstream deployments. Replica mode downstream servers work best when centralized IT manages updates across all locations, whereas autonomous mode provides flexibility for independent regional IT teams.
Windows 11 feature updates require substantially more storage than monthly cumulative updates because they contain operating system installation files. Organizations managing both Windows 10 and Windows 11 must allocate sufficient disk space for update metadata, downloaded content, and future releases, especially when multiple feature update versions are in play. Storage planning is critical in large enterprises where multiple operating system versions are simultaneously running on different devices. Microsoft also recommends placing the WSUS content directory on a dedicated storage volume to improve performance and simplify maintenance. Regular cleanup of superseded and expired updates also helps in preventing unnecessary storage growth over time and improves performance.
Similarly, feature updates generate significantly more network traffic than routine monthly quality updates because they deliver an entire operating system upgrade package. A Windows 11 feature update typically requires several gigabytes of download data, making bandwidth planning particularly important for branch offices connected through slower WAN links. Organizations can reduce bandwidth consumption by scheduling synchronization during off-peak hours, using a downstream WSUS server to distribute updates locally, and configuring Windows 11 Delivery Optimization (DO) to establish local peer-to-peer (P2P) caching networks within each physical subnet.
Configure Automatic Updates and Update Service Location
To receive updates from WSUS instead of Microsoft update servers, Windows clients must be configured with appropriate Group Policy settings or equivalent registry values. In Active Directory environments, Group Policy objects (GPOs) are the recommended configuration method because they provide centralized management, automatic policy enforcement, and consistent settings across all domain-joined devices. Registry-based configuration is used only for standalone computers, troubleshooting issues, scripted deployments, or environments without Active Directory. The primary Group Policy is located at “Computer Configuration → Administrative Templates → Windows Components → Windows Update → Manage end user experience → Configure Automatic Updates” in the Group Policy Management Editor. This Group Policy determines how Windows clients check for updates, download approved content, and schedule installation. Administrators should also configure another Group Policy to define the WSUS URL that clients will use to connect with WSUS. In gpmc, configure the WSUS URL at policy “Specify intranet Microsoft update service location, found under Windows Update → Manage updates offered from Windows Server Update Service”, for example, “http://WSUS-01:8530” or https://WSUS-01:8731 enable the policies and then refresh polices on one client machine by force update and perform a Windows update scan to verify communication with WSUS. Behind the scenes, these GPO settings write directly to registry keys under “HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate”
| Registry Setting | GPO Path | Effect |
| WUServer | Computer Configuration → Administrative Templates → Windows Components → Windows Update → Specify intranet Microsoft update service location | Specifies the WSUS server URL that clients use to download approved updates. |
| WUStatusServer | Same policy as above | Specifies the WSUS server that receives update detection and installation status reports from clients. |
| UseWUServer | Enabled automatically when the intranet update service policy is configured | Instructs Windows Update to use WSUS instead of Microsoft Update (1 = WSUS, 0 = Microsoft Update). |
| AUOptions | → Windows Update → Manage end user experience → Configure Automatic Updates | Determines how updates are downloaded and installed, such as automatic installation or administrator notification. |
| ScheduledInstallDay | Same policy as above | Specifies the day on which automatic update installations should occur when scheduled installation is enabled. |
| ScheduledInstallTime | Same policy as above | Defines the installation time for scheduled automatic updates on managed clients. |
Create Computer Groups in the WSUS Administration Console
Computer groups in WSUS allow administrators to organize managed devices into logical collections, so updates can be approved for a specific set of computers rather than all endpoints in an environment. Administrators can create individual target groups such as IT, Finance, Marketing, and Remote workers. This approach supports staged deployments, e.g., department-wise or branch-wise, allowing updates to be validated first on a smaller test group and then rolled out on a per-group basis.
Create computer groups in WSUS console:
- Open the WSUS administration console, expand computers in the left navigation pane.
- Right-click All computers and select Add computer group.
- Enter a descriptive group name, click Add to create the group.
Once the computer groups are created, the next step is to add computers to these groups to create logical grouping. This can be done in two ways: server-side targeting and client-side targeting. Server-side targeting requires an administrator to create computer groups and manually move individual devices into their respective containers. This method allows administrators to better control computer group membership without requiring any adjustments to Active Directory structure. However, because it lacks automation, any newly provisioned device remains in a generic “Unassigned computers” pool until it is manually added to a group. Client-side targeting allows Windows computers in different Active Directory organizational units to automatically join a specific WSUS computer group based on Group Policy Settings. Administrators configure the “Enable Client-Side targeting” Group Policy and specify the target computer group name; all computers in that organizational unit will be assigned to that group. When the Windows 11 client initiates its routine handshake with the WSUS web server, it sends the specific computer group name set in its registry by GPO to inform it which computer group it belongs to. For example, all computers in the Finance organizational Unit register in the Finance Computers WSUS group through the Group Policy and get updates according to that computer group configuration.
Use the WSUS Console to Populate Deployment Rings
A Deployment Ring approach is a phased update strategy that divides managed devices into groups, allowing updates to be released gradually rather than to every endpoint at once. Instead of deploying a Windows feature update organization-wide on the first day, administrators first deploy it in a pilot group where the update is tested for any potential compatibility issues and then deployed to a group where technical users further evaluate the experience; after that, the update is deployed to general production endpoints and, in the end, on critical servers. Recommended group sizing generally depends on the total fleet size, but common baselines are 1 to 5 percent for the pilot group, 80 percent for production endpoints, and 10 to 15 percent for critical servers.
For example, an organization with 2000 devices may deploy Windows 11 version 25H2 first to 40 to 60 IT-managed devices as the pilot group and then 1500 to 1800 general production devices, i.e., laptops, desktops, virtual machines, non-critical servers, and in the final stage deploy the update to 100 to 140 critical servers that host applications, infrastructure, etc. The effectiveness of the deployment ring strategy not only depends on group membership but also on allowing sufficient time between approvals. Each evaluation period allows administrators to review WSUS reports, investigate failures, monitor application compatibility, and collect user feedback before expanding deployment to the next stage. A common time frame is roughly 3 to 5 business days for the pilot group to monitor immediate stability issues or any installation failures; after that, 7 to 10 days are usually reserved for the general production devices group before moving to critical infrastructure, with a 14-day hold period to ensure the safe deployment of updates.
Manually Assign Unassigned Computers to Groups
When new Windows clients first report to WSUS, they appear in the Unassigned computers group until an administrator places them into the appropriate deployment ring or computer group. Manual assignment is commonly used in environments that rely on server-side targeting, and assigning computers to the correct group ensures they receive only the updates approved for the specific deployment ring.
Steps to manually assign computers
- Open the WSUS Administration Console, expand Computers, and select Unassigned Computers.
- Locate the required computer(s)
- Right-click the selected device and choose Change Membership
- Select the destination computer group, i.e., Pilot, General Deployment, or Production
- Click OK to complete the assignment.
Search for Multiple Computers to Add to Groups
Managing computers individually becomes inefficient when the number of devices increases; WSUS provides search and filtering capabilities to locate multiple computers by name, OS version, or last contact date, rather than scrolling through unassigned computers one by one.
Search and assign multiple computers:
- Open the WSUS Administration Console, navigate to Computers.
- User the Search option to locate computers by name or naming pattern.
- Select multiple computers, right-click the selected devices, and choose Change membership
- Select the required computer group to change assignment.
Use Group Policy to Populate Deployment Rings
Group Policy is the recommended method for automatically placing Windows devices into WSUS deployment rings because it centralizes configuration and eliminates the need to manually assign computers in the WSUS administration console. Administrators configure Group Policy objects (GPOs) for different Organizational Units, allowing computers to register in the correct WSUS computer group during their next Group Policy update. For example, Administrators must enable “Enable client-side targeting” from gpmc.msc. In modern Windows 10/11 administrative templates, this is found under: “Computer Configuration > Policies > Administrative Templates > Windows Components > Windows Update > Manage end user experience”. In the Target group name, provide the exact computer group name, i.e., “Finance computers,” as configured in WSUS. In the same GPO editor window, enable “Specify intranet Microsoft Update Server location” and enter the WSUS server URL, e.g., https://WSUS-02:8531. This setting requires two registry settings, WUServer and WUStatusServer, and these settings must point to the same WSUS server. The WUServer value specifies the server from where clients download update metadata and approved updates, while WUStatusServer specifies where they send update detection and installation status reports. Technically, these settings can point to two different servers, but maintaining identical values for both settings ensures clients download updates and report status to the same server. Mismatch of these two settings is a common WSUS configuration problem that can cause clients to behave unexpectedly; for example, a client may download updates from one WSUS server while attempting to report installation status to a different server that does not recognize the device, which may lead to missing compliance status and incorrect status reports.
To fully leverage client-side targeting through Group Policy, administrators must build and link multiple distinct Group Policy objects for different Organizational Units (OUs), each containing computer objects. For example, GPO1 is linked to the Finance OU, which contains all the computers of the Finance department, and to the Finance computer group in the WSUS console. Similarly, GPO2 is linked to the Sales OU, which contains sales computers, and so on. This structure allows administrators to segregate Update deployment timelines with the Deployment ring strategy, and clients get automatically enrolled in the correct computer group to receive updates according to their deployment ring.
Windows 11 Clients Appearing as Windows 10 in WSUS
One of the most common problems is Windows 11 clients appearing in the WSUS console labeled as “Windows 10” operating systems. One of the primary reasons for this behavior is the Product Name registry value located under the Windows operating system information key at location “HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion”. Microsoft preserves historical markers inside the operating system to maintain backward compatibility for older enterprise applications, and some Windows 11 installations retain the value Windows 10 Pro or Windows 10 Enterprise. Applications that rely on this registry entry therefore display the operating system as Windows 10, and because WSUS references this information, administrators see misleading OS names despite successful Windows 11 update servicing. Administrators should also understand that ProductName is primarily descriptive and should not be considered as the sole indicator of the installed operating system version. Other information, such as the build number and feature update level, provides more accurate information about the device’s actual operating system. For example, the registry contains ProductName = Windows 10 Pro, while the system build number may confirm the device is running Windows 11 version 24H2.
Before changing any configuration, administrators should first confirm whether the device is running Windows 11 or 10. The OS version can be verified in Settings, in System Information (msinfo32), or via a PowerShell command. For example, run this PowerShell command “Get-ComputerInfo | Select WindowsProductName, WindowsVersion, OsBuildNumber” and verify from Settings → System → About.
It’s technically possible to manually change the ProductName value in the registry and have WSUS immediately reflect the correct OS label, but this fix does not persist because Windows resets the value to an older version (e.g., Windows 10) on the next reboot, since the OS actively maintains this string itself. Also, manually editing this key is not recommended by Microsoft, as the side effects of altering a core OS identification value outside the official update path are unsupported.
Since the underlying registry value cannot be permanently corrected, the practical approach is to identify Windows 11 machines by another attribute. Administrators can change the “All computers” view with a filter to show both the OS version and Description fields alongside the default device name. This configuration adjustment ensures that actual operating system build numbers are visible at a glance, making it easy for administrators to identify Windows 11 systems. To correctly place Windows 11 devices into their respective deployment rings, Administrators can create targeted, dynamic WSUS computer groups or Active Directory GPOs that segregate machines strictly by their hardware and OS build attributes. By leveraging WMI filters that query the active operating system build threshold, such as “(SELECT BuildNumber FROM Win32_OperatingSystem WHERE BuildNumber >= “22000” AND BuildNumber LIKE “%%” AND ProductType=”1″‘)”, this way the client-side targeting engine will automatically place the endpoints with Windows 11 OS into the Windows 11 Deployment ring. This approach will ensure that even if a machine displays the incorrect OS description in WSUS, it will continue to receive the Windows 11 updates approved for Windows 11.





