Hi Emilia Weber,
The unexpected upgrades to Windows 11 happened for one of two reasons: either a registry configuration omission or a policy conflict in Intune.
First, for the upgrade block to work, the local registry keys at HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate must specify both the target version as 22H2 and the product version explicitly as Windows 10. If the product version field was left blank in your Intune policy, the local update agent naturally looked for the highest available matching release, which allowed Windows 11 version 22H2 to install.
Second, this behavior can be triggered by policy precedence. Explicit deployments created within the Feature Updates for Windows 10 and Later node override standard settings catalogs or device restriction profiles. If a Windows 11 feature update was accidentally deployed to a broad group like "All Devices," it would override your Windows 10 cap. To fix this, audit your Intune Feature Update deployments for overlapping group assignments and ensure your primary restriction policy explicitly defines Windows 10 alongside the 22H2 release info.
Hope this answer has brought you some useful information. If it did, please hit “accept answer”. Should you have any questions, feel free to leave a comment.
VPHAN
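A local check for the first cause described in the answer above, as an added example that is not part of the original answer. `Test-FeatureUpdateCap` is a hypothetical helper name; `TargetReleaseVersion`, `TargetReleaseVersionInfo` and `ProductVersion` are the standard Windows Update policy value names under that key, which the answer itself does not spell out.

```powershell
# Added example: audits the local Windows Update policy values behind the Windows 10 22H2 cap.
# Test-FeatureUpdateCap is a hypothetical name; run it in an elevated session on the device.
function Test-FeatureUpdateCap {
    param(
        [string]$Path            = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate',
        [string]$ExpectedProduct = 'Windows 10',
        [string]$ExpectedRelease = '22H2'
    )

    $findings = [System.Collections.Generic.List[string]]::new()
    $props    = $null

    if (-not (Test-Path -Path $Path)) {
        $findings.Add('Policy key is missing: no feature update cap has reached this device.')
    }
    else {
        # Values absent from the key read back as $null (default, non-strict mode).
        $props = Get-ItemProperty -Path $Path -ErrorAction SilentlyContinue

        if ($props.TargetReleaseVersion -ne 1) {
            $findings.Add('TargetReleaseVersion is not 1: the target version policy is not enabled.')
        }
        if ([string]::IsNullOrWhiteSpace($props.ProductVersion)) {
            # The omission described in the answer: release pinned, product left open.
            $findings.Add('ProductVersion is blank: Windows 11 22H2 also matches the target release.')
        }
        elseif ($props.ProductVersion -ne $ExpectedProduct) {
            $findings.Add("ProductVersion is '$($props.ProductVersion)', expected '$ExpectedProduct'.")
        }
        if ($props.TargetReleaseVersionInfo -ne $ExpectedRelease) {
            $findings.Add("TargetReleaseVersionInfo is '$($props.TargetReleaseVersionInfo)', expected '$ExpectedRelease'.")
        }
    }

    [pscustomobject]@{
        ComputerName             = $env:COMPUTERNAME
        TargetReleaseVersion     = $props.TargetReleaseVersion
        TargetReleaseVersionInfo = $props.TargetReleaseVersionInfo
        ProductVersion           = $props.ProductVersion
        Compliant                = ($findings.Count -eq 0)
        Findings                 = $findings -join ' | '
    }
}

Test-FeatureUpdateCap | Format-List
```

This only covers the registry side; overlapping Feature Update deployments in Intune still have to be reviewed in the Intune console as the answer describes.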