Use Windows Update and other tools you use every day for easier upgrades to Windows 11.

With the introduction of Windows 11, Microsoft Endpoint Manager is ready for you to manage your device upgrades to Windows 11 and continues to enable you to deliver quality and feature updates with the same tools. In fact, Windows 10 and Windows 11 devices can co-exist in your Windows Update policies so that you don’t have to break them out and manage them separately. This article walks through the steps and things you need to know to upgrade to Windows 11 and manage Windows updates. Another great place to get more background into planning for Windows 11 is this article by Steve Dispensa: Planning for Windows 11: best practices for organizations.

Common Themes

There are some common themes for upgrading to Windows 11 in both Microsoft Intune and Configuration Manager.  The experience is mostly the same as any other Windows 10 feature update; select the target update and assign to devices. When using Update Rings for Windows, which doesn’t have a way of selecting a target update, it’s also very simple to enable devices to upgrade to Windows 11. More details on that later in this article.    

Upgrading managed devices to Windows 11 requires an explicit approval from an administrator and will not upgrade without this approval when scanning for updates from Windows Update. Enterprise and Education editions will not show Windows 11 as an optional update in Windows settings either, so end users won’t be offered the option to upgrade on their own. This article describes the tools Microsoft Endpoint Manager is providing to manage which devices can upgrade to Windows 11 and when.

Windows 11 includes a new license agreement, which can be viewed at launch at https://www.microsoft.com/en-us/useterms/.  The license agreement is automatically accepted by an organization by submitting a policy to deploy Windows 11. Endpoint Manager includes a reminder and links to the license agreement when Windows 11 is targeted. End users will not see or need to accept the license agreement, making the upgrade process seamless. Once devices are upgraded to Windows 11, the same policies and tools can be used to keep them up to date with the latest quality updates because Windows 10 and Windows 11 share the same policies on the devices.

Windows 11 readiness reporting with Endpoint analytics

The first step in preparing for a Windows 11 upgrade is to ensure your devices meet the minimum system requirements for Windows 11. Using Endpoint analytics in Microsoft Endpoint Manager, you can easily determine which of your devices meet the hardware requirements – and if some of your devices do not meet all the requirements, you can see exactly which ones are not met.

If you’re already using Endpoint analytics, simply navigate to the Work from anywhere report, and then click on the Windows score category to view aggregate Windows 11 readiness information. For more granular details, go to the Windows tab at the top of the report where you’ll see device-by-device readiness information. Note that these insights require devices to be Intune-managed, co-managed, or have ConfigMgr client version 2107 or newer with your tenant attach enabled.

If you’re not yet using Endpoint analytics, it’s easy to get started. We recommend onboarding today as the first step in your Windows 11 deployment.

Feature Update Policies in Microsoft Intune

To upgrade devices to Windows 11 using Feature update policies in Intune, simply select the Windows 11 build from the Feature update to deploy drop down as shown in the image below.  You can also see the reminder that when a Windows 11 build is selected, submitting this policy is considered an acceptance of the License Agreement terms.

Figure 1: Feature update profile in Endpoint Manager for Windows 11

Reporting for Feature update policies continues to work the same way. The Feature update report provides a summary of success, in-progress, and devices with errors. And the Feature update failures report under Devices -> Monitor provides specific error alerts with recommended remediations.

We are working on additional capabilities which will make it easier to manage your Windows 11 rollout. Soon you will have two new scheduling options beyond today’s “Start all devices now” approach. Feature update policies will be able to specify a start date for all devices which gives organizations the ability to create update rings using specific start dates for each policy and their assigned devices. This will replace the deferral options in Update rings and makes it much easier to schedule a rollout versus needing to calculate the required deferral days based on the publish date of the update.

Figure 2: Option to make update available on a specific date

In addition, a gradual rollout option will be available which distributes when the update is made available to the assigned devices over the specified start and end dates. This will make it easier to distribute resource loads, such as network bandwidth or even helpdesk calls. We also plan to enable you to set the number of days between new groups of devices being made available.  For example, if 100 devices are assigned to the policy, and a start date of Jan 1^st is selected, and an end date of Jan 29^th is selected, with 7 days between new groups of devices, then new groups will be offered each week with a total of 5 available dates. This means that every 7 days 20 more devices will receive the update on their next regular Windows Update scan.

One valuable point to remember is that these dates aren't necessarily the dates a device will receive the update. The update will download and install after the system approves the update in Windows Update and the next time the device scans for updates. This can vary by device based on usage, connectivity, and so on.

Figure 3: Gradual rollout settings

By default, the distribution of devices is random.  An “intelligent” distribution can be enabled by enabling the AllowWUfBCloudProcessing policy. This policy gives Microsoft processor permission under GDPR to collect device telemetry and analyze it to create a distribution plan that optimizes the rollout in order to discover potential issues as early as possible. To do this, devices are selected that maximize the variations with the fewest set of devices and places those devices early in the deployment. As the deployment continues past the first few available dates, confidence increases that the rest of the rollout will be smooth and successful.  To set the AllowWUfBCloudProcessing policy, create a Configuration profile in Endpoint Manager. Then, using the Settings catalog Profile Type, search for AllowWUfBCloudProcessing and enable that policy. Assign the same devices assigned to the Feature update policy and submit. Note that it can take 1-2 days to collect and analyze the data to intelligently optimize the device available dates, so setting this up in advance is recommended.  

Whether using the default or the intelligent gradual rollout, the Feature update reports will have a field available for the predicted date the update will be available to each device. This can change due to service recalculations.

Another feature that will make your updates to Windows 11 easier to track and manage is the addition of Safeguard holds to the Feature update failures report. Microsoft occasionally places Safeguard holds when a component (software or driver) that causes a poor experience post upgrade is detected on the device, until that issue is resolved. Safeguard holds are added as a new Alert in the Feature update failures report, and the Deployment Error Code is the Safeguard hold ID. By going to http://aka.ms/WindowsReleaseHealth, more details can be found about the issue and resolution ETA for most Safeguard Holds. By understanding which devices are prevented from receiving the feature update, and why, organizations can better understand and manage their feature update rollouts. Read more about Safeguard holds here: Safeguard holds - Windows Deployment | Microsoft Docs.

Using gradual rollout along with pilot, early adopter, and broad deployment rings, (http://aka.ms/WUfBDeploymentRings ) is a powerful way to configure a full organizational rollout that you can set and then monitor, and only make adjustments if issues arise that need more time to investigate before the next ring starts deployment.

For more information and details, please read the documentation here: https://docs.microsoft.com/en-us/mem/intune/protect/windows-10-feature-updates

Update Rings for Windows 

Coming soon to Endpoint Manager is support for updating devices to Windows 11 with Update Rings. Using Update rings is as easy as enabling the setting to Upgrade Windows 10 devices to Latest Windows 11 release, as shown below:

Figure 4: Update to Windows 11 setting in Update Rings

The Upgrade to Windows 11 toggle was added to make managing the upgrade very easy.

One consequence of making this easy and avoiding unexpected results, is that when using Update rings devices can upgrade to only the latest Windows 11 release.  For example, if the next feature update for Windows 11 were released and named 22H2, then devices on Windows 10 assigned to this policy will be updated to Windows 11 22H2, rather than Windows 11 21H2. To specifically control which Windows 11 build a device receives, Feature update policies are recommended.

Similar to Feature update profiles, when the Upgrade to Windows 11 toggle is enabled, a reminder about accepting License Terms is displayed, with a link to those terms. Saving the policy settings is an acceptance of the license terms.

Whether the Upgrade to Windows 11 setting is enabled or not, Windows 10 and Windows 11 devices can coexist in the same policy, controlling deadline, user experience, and quality update settings, as well as future Feature update deferrals. Organizations can continue to use their existing configurations and policies to manage Windows updates without having to build out an entire new set of device or user groups and policies.

Microsoft Endpoint Configuration Manager

The upgrade process is the same as a Windows 10 to Windows 10 feature update, except now the License Agreement acceptance dialog will be shown. Since Windows 11 is a new product classification, devices will not upgrade to Windows 11 until that product is synced and a Windows 11 build is targeted to devices.

Once Windows 11 is published to Windows Server Update Services (WSUS) then the next time the software update synchronization occurs, the Windows 11 product classification should be available.  In the Software Update Point Component Properties, go to the Classifications tab and ensure that Upgrades is checked, and then go to the Products tab and ensure the Windows 11 product is checked.  Once you do this, the next software update synchronization will now pick up the Windows 11 upgrades. 

Figure 5: Option to select Windows 11 in Endpoint Configuration Manager

When you are ready to deploy the upgrade to devices, go to Software Library / Windows Servicing / All Windows Feature Updates.

Figure 6: Configuration Manager options to Upgrade to Windows 11

Right click the “Upgrade to Windows 11” item you want to deploy and select “Deploy”. This will guide you through the standard deployment workflow including the license agreement, upgrade package download, and settings you’ve used to deploy Windows 10 Feature updates in the past.

After the upgrade, all the same tools and policies you used to manage monthly quality updates and also feature updates apply.  For example, if you are using Automatic Deployment Rules or Servicing Plans, you do need to update the Classification and Products included in the rules to include Windows 11 quality and feature updates.

Windows 10 and Windows 11 devices can coexist with the same settings, making it easy to keep using the Windows Updates settings you’ve built over the years. As you can see, upgrading devices to Windows 11 using familiar tools helps make deployments easier to manage. Additional capabilities that are coming soon such as new scheduling options in Feature update profiles, will further simplify Windows updates.

As always, we want to hear from you! Tweet your feedback using the hashtag #MEMpowered. If you have questions about this article, add a comment below or reach out to @IntuneSuppTeam on Twitter. Feel free to add an idea for a new feature to UserVoice and keep up with ongoing developments on Endpoint Manager by following the Microsoft Endpoint Manager Blog  and @MSIntune on Twitter. 

With the introduction of Windows 11, Microsoft Endpoint Manager is ready for you to manage your device upgrades to Windows 11 and continues to enable you to deliver quality and feature updates with the same tools. In fact, Windows 10 and Windows 11 devices can co-exist in your Windows Update policies so that you don’t have to break them out and manage them separately. This article walks through the steps and things you need to know to upgrade to Windows 11 and manage Windows updates. Another great place to get more background into planning for Windows 11 is this article by Steve Dispensa: Planning for Windows 11: best practices for organizations.

Common Themes

There are some common themes for upgrading to Windows 11 in both Microsoft Intune and Configuration Manager.  The experience is mostly the same as any other Windows 10 feature update; select the target update and assign to devices. When using Update Rings for Windows, which doesn’t have a way of selecting a target update, it’s also very simple to enable devices to upgrade to Windows 11. More details on that later in this article.    

Upgrading managed devices to Windows 11 requires an explicit approval from an administrator and will not upgrade without this approval when scanning for updates from Windows Update. Enterprise and Education editions will not show Windows 11 as an optional update in Windows settings either, so end users won’t be offered the option to upgrade on their own. This article describes the tools Microsoft Endpoint Manager is providing to manage which devices can upgrade to Windows 11 and when.

Windows 11 includes a new license agreement, which can be viewed at launch at https://www.microsoft.com/en-us/useterms/.  The license agreement is automatically accepted by an organization by submitting a policy to deploy Windows 11. Endpoint Manager includes a reminder and links to the license agreement when Windows 11 is targeted. End users will not see or need to accept the license agreement, making the upgrade process seamless. Once devices are upgraded to Windows 11, the same policies and tools can be used to keep them up to date with the latest quality updates because Windows 10 and Windows 11 share the same policies on the devices.

Windows 11 readiness reporting with Endpoint analytics

The first step in preparing for a Windows 11 upgrade is to ensure your devices meet the minimum system requirements for Windows 11. Using Endpoint analytics in Microsoft Endpoint Manager, you can easily determine which of your devices meet the hardware requirements – and if some of your devices do not meet all the requirements, you can see exactly which ones are not met.

If you’re already using Endpoint analytics, simply navigate to the Work from anywhere report, and then click on the Windows score category to view aggregate Windows 11 readiness information. For more granular details, go to the Windows tab at the top of the report where you’ll see device-by-device readiness information. Note that these insights require devices to be Intune-managed, co-managed, or have ConfigMgr client version 2107 or newer with your tenant attach enabled.

If you’re not yet using Endpoint analytics, it’s easy to get started. We recommend onboarding today as the first step in your Windows 11 deployment.

Feature Update Policies in Microsoft Intune

To upgrade devices to Windows 11 using Feature update policies in Intune, simply select the Windows 11 build from the Feature update to deploy drop down as shown in the image below.  You can also see the reminder that when a Windows 11 build is selected, submitting this policy is considered an acceptance of the License Agreement terms.

Figure 1: Feature update profile in Endpoint Manager for Windows 11

Reporting for Feature update policies continues to work the same way. The Feature update report provides a summary of success, in-progress, and devices with errors. And the Feature update failures report under Devices -> Monitor provides specific error alerts with recommended remediations.

We are working on additional capabilities which will make it easier to manage your Windows 11 rollout. Soon you will have two new scheduling options beyond today’s “Start all devices now” approach. Feature update policies will be able to specify a start date for all devices which gives organizations the ability to create update rings using specific start dates for each policy and their assigned devices. This will replace the deferral options in Update rings and makes it much easier to schedule a rollout versus needing to calculate the required deferral days based on the publish date of the update.

Figure 2: Option to make update available on a specific date

In addition, a gradual rollout option will be available which distributes when the update is made available to the assigned devices over the specified start and end dates. This will make it easier to distribute resource loads, such as network bandwidth or even helpdesk calls. We also plan to enable you to set the number of days between new groups of devices being made available.  For example, if 100 devices are assigned to the policy, and a start date of Jan 1^st is selected, and an end date of Jan 29^th is selected, with 7 days between new groups of devices, then new groups will be offered each week with a total of 5 available dates. This means that every 7 days 20 more devices will receive the update on their next regular Windows Update scan.

One valuable point to remember is that these dates aren't necessarily the dates a device will receive the update. The update will download and install after the system approves the update in Windows Update and the next time the device scans for updates. This can vary by device based on usage, connectivity, and so on.

Figure 3: Gradual rollout settings

By default, the distribution of devices is random.  An “intelligent” distribution can be enabled by enabling the AllowWUfBCloudProcessing policy. This policy gives Microsoft processor permission under GDPR to collect device telemetry and analyze it to create a distribution plan that optimizes the rollout in order to discover potential issues as early as possible. To do this, devices are selected that maximize the variations with the fewest set of devices and places those devices early in the deployment. As the deployment continues past the first few available dates, confidence increases that the rest of the rollout will be smooth and successful.  To set the AllowWUfBCloudProcessing policy, create a Configuration profile in Endpoint Manager. Then, using the Settings catalog Profile Type, search for AllowWUfBCloudProcessing and enable that policy. Assign the same devices assigned to the Feature update policy and submit. Note that it can take 1-2 days to collect and analyze the data to intelligently optimize the device available dates, so setting this up in advance is recommended.  

Whether using the default or the intelligent gradual rollout, the Feature update reports will have a field available for the predicted date the update will be available to each device. This can change due to service recalculations.

Another feature that will make your updates to Windows 11 easier to track and manage is the addition of Safeguard holds to the Feature update failures report. Microsoft occasionally places Safeguard holds when a component (software or driver) that causes a poor experience post upgrade is detected on the device, until that issue is resolved. Safeguard holds are added as a new Alert in the Feature update failures report, and the Deployment Error Code is the Safeguard hold ID. By going to http://aka.ms/WindowsReleaseHealth, more details can be found about the issue and resolution ETA for most Safeguard Holds. By understanding which devices are prevented from receiving the feature update, and why, organizations can better understand and manage their feature update rollouts. Read more about Safeguard holds here: Safeguard holds - Windows Deployment | Microsoft Docs.

Using gradual rollout along with pilot, early adopter, and broad deployment rings, (http://aka.ms/WUfBDeploymentRings ) is a powerful way to configure a full organizational rollout that you can set and then monitor, and only make adjustments if issues arise that need more time to investigate before the next ring starts deployment.

For more information and details, please read the documentation here: https://docs.microsoft.com/en-us/mem/intune/protect/windows-10-feature-updates

Update Rings for Windows 

Coming soon to Endpoint Manager is support for updating devices to Windows 11 with Update Rings. Using Update rings is as easy as enabling the setting to Upgrade Windows 10 devices to Latest Windows 11 release, as shown below:

Figure 4: Update to Windows 11 setting in Update Rings

The Upgrade to Windows 11 toggle was added to make managing the upgrade very easy.

One consequence of making this easy and avoiding unexpected results, is that when using Update rings devices can upgrade to only the latest Windows 11 release.  For example, if the next feature update for Windows 11 were released and named 22H2, then devices on Windows 10 assigned to this policy will be updated to Windows 11 22H2, rather than Windows 11 21H2. To specifically control which Windows 11 build a device receives, Feature update policies are recommended.

Similar to Feature update profiles, when the Upgrade to Windows 11 toggle is enabled, a reminder about accepting License Terms is displayed, with a link to those terms. Saving the policy settings is an acceptance of the license terms.

Whether the Upgrade to Windows 11 setting is enabled or not, Windows 10 and Windows 11 devices can coexist in the same policy, controlling deadline, user experience, and quality update settings, as well as future Feature update deferrals. Organizations can continue to use their existing configurations and policies to manage Windows updates without having to build out an entire new set of device or user groups and policies.

Microsoft Endpoint Configuration Manager

The upgrade process is the same as a Windows 10 to Windows 10 feature update, except now the License Agreement acceptance dialog will be shown. Since Windows 11 is a new product classification, devices will not upgrade to Windows 11 until that product is synced and a Windows 11 build is targeted to devices.

Once Windows 11 is published to Windows Server Update Services (WSUS) then the next time the software update synchronization occurs, the Windows 11 product classification should be available.  In the Software Update Point Component Properties, go to the Classifications tab and ensure that Upgrades is checked, and then go to the Products tab and ensure the Windows 11 product is checked.  Once you do this, the next software update synchronization will now pick up the Windows 11 upgrades. 

Figure 5: Option to select Windows 11 in Endpoint Configuration Manager

When you are ready to deploy the upgrade to devices, go to Software Library / Windows Servicing / All Windows Feature Updates.

Figure 6: Configuration Manager options to Upgrade to Windows 11

Right click the “Upgrade to Windows 11” item you want to deploy and select “Deploy”. This will guide you through the standard deployment workflow including the license agreement, upgrade package download, and settings you’ve used to deploy Windows 10 Feature updates in the past.

After the upgrade, all the same tools and policies you used to manage monthly quality updates and also feature updates apply.  For example, if you are using Automatic Deployment Rules or Servicing Plans, you do need to update the Classification and Products included in the rules to include Windows 11 quality and feature updates.

Windows 10 and Windows 11 devices can coexist with the same settings, making it easy to keep using the Windows Updates settings you’ve built over the years. As you can see, upgrading devices to Windows 11 using familiar tools helps make deployments easier to manage. Additional capabilities that are coming soon such as new scheduling options in Feature update profiles, will further simplify Windows updates.

As always, we want to hear from you! Tweet your feedback using the hashtag #MEMpowered. If you have questions about this article, add a comment below or reach out to @IntuneSuppTeam on Twitter. Feel free to add an idea for a new feature to UserVoice and keep up with ongoing developments on Endpoint Manager by following the Microsoft Endpoint Manager Blog  and @MSIntune on Twitter. 

 Use Windows Update and other tools you use every day for easier upgrades to Windows 11.

An issue with this is delay in the Reports, where it states Scan Time... what scan is that? Upgraded machines have run multiple Windows Update scans and OMA scans but the report is still more than 24 hour out of date. It's very difficult to make use of the Reports for Feature Update rings when the data is incorrect.

David_Guyer  beside the AllowWUfBCloudProcessing policy, does the telemetry needs to be set as well

David_Guyer

An update for the thread. Both machines in my test group got the update to Windows 11 yesterday and today. 1 week delay but here we are 😃

I did not delete and recreate the policy as some others suggested. Just waited.

Endpoint Manager / Reports / Windows Updates (preview) also shows 2 devices in progress (bit slow. One finished Win11 fine yesterday).

Thank you for your support David!

Rodawing ,

Thank you for the question.  Our expectation is to release Windows 11 support in Update Ring policies before the end of the year.  We are doing final validations now.  I do know it wasn't quite ready for the Intune 2110 release.

HTH,

-David

JimmyWork ,

For the device that is compatible, please check that it is included in a policy that enable the Windows Update scope for Windows Health Monitoring (WHM), as described in the article above.  Otherwise, once the server has made it available and it reaches OfferReady, the client telemetry that indicates downloading, installing, success and errors is not sent or processed.  That is a common reason for not seeing progress.

If WHM is enabled, please reach out to me in a direct message, and I can collect some info to allow us to investigate further.

For the device that is not compatible with Windows 11, the deployment service doesn't know which devices are compatible, so it will attempt to offer to the the device, and that is what you are seeing with the OfferReady state.

HTH,

-David

Do you know when the Upgrade Windows 10 devices to Latest Windows 11 toggle will be available for the Update Rings?

Not sure what to make of this.

Both devices same group, one device is getting it and that's the device with unsupported CPU, the device with everything supported is not getting it.

I'm logged into the the pilot devices with the same account not sure if that's causing an issue. 

Henrik Mai I tried this and one of my two test devices instantly got the update, but could not be installed due to old CPU (It was excepted not work for the device with the old CPU) But the test device that is new is not getting the Windows 11 update. 

Not sure if anyone here knows how I can move forward or if I should create a case with Microsoft, it's only one test device. Any registry files I can check?

This is really strange.

I had the same problem in our tenent.

Ended up in deleating the policy and recreate it. Now the Pilot Devices are Upgrading 

Hope this helps.

David_Guyer Same here, created the feature update on the 5th, my two test device have not received Windows 11 update.