Managing Windows 11 Updates: Downgrading from 23H2 to 22H2 using remediation and Safeguard hold Policies

Introduction:

Microsoft has recently rolled out Windows 11, version 23H2, which is delivered as an enablement package on top of Windows 11, version 22H2. For more information see https://learn.microsoft.com/en-us/windows/whats-new/whats-new-windows-11-version-23h2

In this blog post, we'll discuss a scenario where a customer needed to downgrade from Windows 11 23H2 to 22H2 for internal security reasons. Additionally, we'll explore the steps taken to implement safeguard hold policies using Microsoft Intune for effective Windows device management.

The customer utilizing Microsoft Intune for managing Windows devices encountered challenges when their devices automatically upgraded to Windows 11 23H2, impacting internal security.

To address this (downgrading Windows 11 23H2 to 22H2), the following steps were taken:

1. Identification of Upgraded Devices

2. Creation of Remediation Script

3. Creation of Safeguard Hold Policy for Windows 11 22H2

1. Identification of Upgraded Devices:

  • A dynamic Azure AD (Entra ID) group was created based on the OS version for Windows 11 23H2 (10.0.22631).
  • Query: (device.deviceOSVersion -startsWith "10.0.22631") -and (device.DeviceOSType -eq "Windows") -and (device.deviceTrustType -ne "Workplace")

2. Creation of Remediation Script:

  • An Intune remediation (detection script plus remediation script) was developed to detect and remove the Windows 11 23H2 enablement package.
  • Detection Script:

<#
Name: Detection_Win11_23H2.ps1
Description: Detects whether the Windows 11 23H2 enablement package is installed.
Exit code 1 tells Intune to run the remediation script; exit code 0 means the device is compliant.
#>

$logFilePath = "C:\ProgramData\OrgName\InstallLogs\Detection_Win11_23H2.log"

function Log-Message {
    param([string]$Message, [string]$LogFile)
    # Create the log folder on first use; Add-Content fails if the folder does not exist
    $null = New-Item -ItemType Directory -Path (Split-Path $LogFile) -Force
    Add-Content -Path $LogFile -Value "$(Get-Date -Format 'yyyy-MM-dd HH:mm:ss') - $Message"
}

# Package identity of the 23H2 enablement package (taken from dism /online /get-packages)
$KBs = @(
    "Package_for_KB5027397~31bf3856ad364e35~amd64~~22621.2355.1.1"
)

foreach ($KB in $KBs) {
    # Only a package in 'Installed' state needs remediation; a package already in
    # 'UninstallPending' state stays listed until the device reboots
    $data = Get-WindowsPackage -Online |
        Where-Object { $_.PackageName -like "*$KB*" -and $_.PackageState -eq 'Installed' }
    if ($data) {
        Log-Message -Message "Patch $KB found on the device, continuing to remediate..." -LogFile $logFilePath
        Write-Host "Win11 23H2 detected, Remediation required"
        exit 1
    }
    Log-Message -Message "Patch $KB NOT found on the device, All good..." -LogFile $logFilePath
}

# None of the listed packages is installed
Write-Host "Win11 23H2 is NOT detected"
exit 0

In the above script I have used the package identity of the KB rather than the KB number. You can get it with the following DISM command line:

dism /online /get-packages

Find the package identity in the output and update the $KBs array in the script. Replace OrgName in the log path with your organisation's folder name before deploying.

  • Remediation Script:

<#
Name: Remediation_Win11_23H2.ps1
Description: Removes the Windows 11 23H2 enablement package identified by the detection script.
The removal completes on the next reboot; a non-zero exit code reports failure back to Intune.
#>

$logFilePath = "C:\ProgramData\OrgName\InstallLogs\Remediation_Win11_23H2.log"

function Log-Message {
    param([string]$Message, [string]$LogFile)
    # Create the log folder on first use; Add-Content fails if the folder does not exist
    $null = New-Item -ItemType Directory -Path (Split-Path $LogFile) -Force
    Add-Content -Path $LogFile -Value "$(Get-Date -Format 'yyyy-MM-dd HH:mm:ss') - $Message"
}

$KBs = @(
    "Package_for_KB5027397~31bf3856ad364e35~amd64~~22621.2355.1.1"
)

$failed = $false
foreach ($KB in $KBs) {
    $data = Get-WindowsPackage -Online |
        Where-Object { $_.PackageName -like "*$KB*" -and $_.PackageState -eq 'Installed' }
    if (-not $data) {
        Log-Message -Message "Patch $KB is not present on the device." -LogFile $logFilePath
        Write-Host "Win11 23H2 Not found"
        continue
    }
    Log-Message -Message "Patch $KB found on the device, continuing to remove..." -LogFile $logFilePath
    try {
        # -NoRestart: Intune controls the reboot; the removal finishes on the next restart
        Remove-WindowsPackage -Online -PackageName $KB -NoRestart -ErrorAction Stop | Out-Null
        Log-Message -Message "Patch $KB uninstalled successfully from the device with pending reboot." -LogFile $logFilePath
    }
    catch {
        $errorMessage = $_.Exception.Message
        Log-Message -Message "Error occurred while uninstalling $KB : $errorMessage" -LogFile $logFilePath
        Write-Host "Win11 23H2 failed to remove"
        $failed = $true
        continue
    }
    # After a successful removal the package is no longer in 'Installed' state
    # (it shows as 'UninstallPending' until the reboot)
    $still = Get-WindowsPackage -Online |
        Where-Object { $_.PackageName -like "*$KB*" -and $_.PackageState -eq 'Installed' }
    if (-not $still) { Write-Host "Win11 23H2 is removed" }
}

# Non-zero exit tells Intune the remediation did not succeed
if ($failed) { exit 1 }
exit 0

Both the detection and remediation scripts write a log file with their output under the ProgramData folder.

The same method can be used to uninstall other Windows updates that are installed as removable packages.
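Rather than copying the package identity out of the DISM output by hand, the identity and the device's current build can be queried from PowerShell and checked against the dynamic-group prefixes used above (10.0.22621 for 22H2, 10.0.22631 for 23H2) before the scripts are deployed. This is an added example, not part of the original post; Get-OsBuildInfo and Get-PackageIdentity are hypothetical helper names, and the session must be elevated for Get-WindowsPackage.

```powershell
# Added example (not from the original post): look up the enablement package
# identity and the OS build that the detection/remediation scripts rely on.

function Get-OsBuildInfo {
    # CurrentBuild + UBR gives the full build (e.g. 10.0.22631.2715);
    # DisplayVersion reports 22H2 / 23H2 as shown in Settings.
    $cv = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'
    [pscustomobject]@{
        DisplayVersion = $cv.DisplayVersion
        Build          = "10.0.$($cv.CurrentBuild).$($cv.UBR)"
        Is23H2         = ($cv.CurrentBuild -eq '22631')
    }
}

function Get-PackageIdentity {
    # $KbNumber is the KB article number, e.g. 'KB5027397' (hypothetical helper)
    param([Parameter(Mandatory)][string]$KbNumber)
    # Same data as "dism /online /get-packages", but as objects
    Get-WindowsPackage -Online |
        Where-Object { $_.PackageName -like "*$KbNumber*" } |
        Select-Object PackageName, PackageState, ReleaseType, InstallTime
}

$os = Get-OsBuildInfo
Write-Host "Device is on $($os.DisplayVersion), build $($os.Build) (23H2: $($os.Is23H2))"

$pkgs = Get-PackageIdentity -KbNumber 'KB5027397'
if (-not $pkgs) {
    Write-Host 'Enablement package KB5027397 is not present; nothing to add to $KBs.'
}
else {
    foreach ($p in $pkgs) {
        # Only an 'Installed' package is a candidate for Remove-WindowsPackage;
        # 'UninstallPending' means a removal already ran and a reboot is outstanding.
        Write-Host ("{0}  state={1}  installed={2}" -f $p.PackageName, $p.PackageState, $p.InstallTime)
    }
    # Paste the PackageName value(s) into the $KBs array of both scripts.
}
```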

3. Creation of Safeguard Hold Policy for Windows 11 22H2:

  • A dynamic Azure AD (Entra ID) group was created for Windows 11 22H2 devices (OS version 10.0.22621).
  • Query: (device.deviceOSVersion -startsWith "10.0.22621") -and (device.DeviceOSType -eq "Windows") -and (device.deviceTrustType -ne "Workplace") -and (device.displayName -notContains "_Windows_")
  • A feature update policy pinning the devices to Windows 11 22H2 was created and targeted to this group. See https://learn.microsoft.com/en-us/windows/deployment/update/safeguard-holds


If you later plan to upgrade devices to Windows 11 23H2, create a separate group, add it to the excluded groups of the Windows 11 22H2 policy, then create a 23H2 feature update policy and assign that group to it so those devices receive the latest OS.

Conclusion:

This blog post outlines the challenges faced by a customer upgrading to Windows 11 23H2 and the subsequent steps taken to downgrade to 22H2 for security reasons. Additionally, safeguard hold policies were implemented using Microsoft Intune to control the feature updates and ensure a more controlled and secure Windows device environment.
