With the introduction of Windows 11, Microsoft Endpoint Manager is ready for you to manage your device upgrades to Windows 11 and continues to enable you to deliver quality and feature updates with the same tools. In fact, Windows 10 and Windows 11 devices can co-exist in your Windows Update policies so that you don’t have to break them out and manage them separately. This article walks through the steps and things you need to know to upgrade to Windows 11 and manage Windows updates. Another great place to get more background into planning for Windows 11 is this article by Steve Dispensa: Planning for Windows 11: best practices for organizations.
Common Themes
There are some common themes for upgrading to Windows 11 in both Microsoft Intune and Configuration Manager. The experience is mostly the same as any other Windows 10 feature update: select the target update and assign it to devices. Update Rings for Windows don’t have a way of selecting a target update, but enabling devices to upgrade to Windows 11 with them is also very simple. More details on that later in this article.
Upgrading managed devices to Windows 11 requires explicit approval from an administrator; without that approval, devices will not upgrade when they scan Windows Update for updates. Enterprise and Education editions will not show Windows 11 as an optional update in Windows settings either, so end users won’t be offered the option to upgrade on their own. This article describes the tools Microsoft Endpoint Manager is providing to manage which devices can upgrade to Windows 11 and when.
Windows 11 includes a new license agreement, which can be viewed at launch at https://www.microsoft.com/en-us/useterms/. The license agreement is automatically accepted by an organization by submitting a policy to deploy Windows 11. Endpoint Manager includes a reminder and links to the license agreement when Windows 11 is targeted. End users will not see or need to accept the license agreement, making the upgrade process seamless. Once devices are upgraded to Windows 11, the same policies and tools can be used to keep them up to date with the latest quality updates because Windows 10 and Windows 11 share the same policies on the devices.
Windows 11 readiness reporting with Endpoint analytics
The first step in preparing for a Windows 11 upgrade is to ensure your devices meet the minimum system requirements for Windows 11. Using Endpoint analytics in Microsoft Endpoint Manager, you can easily determine which of your devices meet the hardware requirements – and if some of your devices do not meet all the requirements, you can see exactly which ones are not met.
If you’re already using Endpoint analytics, simply navigate to the Work from anywhere report, and then click on the Windows score category to view aggregate Windows 11 readiness information. For more granular details, go to the Windows tab at the top of the report where you’ll see device-by-device readiness information. Note that these insights require devices to be Intune-managed, co-managed, or have ConfigMgr client version 2107 or newer with your tenant attach enabled.
If you’re not yet using Endpoint analytics, it’s easy to get started. We recommend onboarding today as the first step in your Windows 11 deployment.
Feature Update Policies in Microsoft Intune
To upgrade devices to Windows 11 using Feature update policies in Intune, simply select the Windows 11 build from the Feature update to deploy drop-down. When a Windows 11 build is selected, a reminder is displayed that submitting this policy is considered an acceptance of the License Agreement terms.
Reporting for Feature update policies continues to work the same way. The Feature update report provides a summary of success, in-progress, and devices with errors. And the Feature update failures report under Devices -> Monitor provides specific error alerts with recommended remediations.
We are working on additional capabilities which will make it easier to manage your Windows 11 rollout. Soon you will have two new scheduling options beyond today’s “Start all devices now” approach. Feature update policies will be able to specify a start date for all devices, which gives organizations the ability to create update rings using specific start dates for each policy and its assigned devices. This will replace the deferral options in Update rings and make it much easier to schedule a rollout than calculating the required deferral days from the publish date of the update.
In addition, a gradual rollout option will be available which distributes when the update is made available to the assigned devices over the specified start and end dates. This will make it easier to distribute resource loads, such as network bandwidth or even helpdesk calls. We also plan to enable you to set the number of days between new groups of devices being made available. For example, if 100 devices are assigned to the policy, and a start date of Jan 1st is selected, and an end date of Jan 29th is selected, with 7 days between new groups of devices, then new groups will be offered each week with a total of 5 available dates. This means that every 7 days 20 more devices will receive the update on their next regular Windows Update scan.
One valuable point to remember is that these dates aren't necessarily the dates a device will receive the update. The update will download and install after the system approves the update in Windows Update and the next time the device scans for updates. This can vary by device based on usage, connectivity, and so on.
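The weekly schedule in the example above can be worked through in code. This is an added illustration, not part of the original article and not Microsoft's scheduling logic: the function names, the device names, the year 2022 and the handling of leftover devices are assumptions, while the random shuffle mirrors the default distribution the article describes.

```python
import random
from datetime import date, timedelta


def offer_dates(start, end, days_between):
    """Dates on which a new group is first offered the update."""
    if days_between < 1 or end < start:
        raise ValueError("need end >= start and days_between >= 1")
    dates, current = [], start
    while current <= end:
        dates.append(current)
        current += timedelta(days=days_between)
    return dates


def plan_rollout(devices, start, end, days_between, seed=None):
    """Map each offer date to the devices first offered the update then."""
    dates = offer_dates(start, end, days_between)
    shuffled = list(devices)
    random.Random(seed).shuffle(shuffled)  # default distribution is random
    base, extra = divmod(len(shuffled), len(dates))
    plan, index = {}, 0
    for i, day in enumerate(dates):
        # Assumption: leftover devices are spread over the earliest groups.
        size = base + (1 if i < extra else 0)
        plan[day] = shuffled[index:index + size]
        index += size
    return plan


def cumulative_offered(plan):
    """Running total of devices eligible by each offer date."""
    total, rows = 0, []
    for day in sorted(plan):
        total += len(plan[day])
        rows.append((day, total))
    return rows


if __name__ == "__main__":
    # Constructed inventory: 100 hypothetical device names; the year is assumed.
    fleet = [f"PC-{n:03d}" for n in range(1, 101)]
    plan = plan_rollout(fleet, date(2022, 1, 1), date(2022, 1, 29), 7, seed=1)
    for day, total in cumulative_offered(plan):
        print(day.isoformat(), len(plan[day]), "new,", total, "eligible in total")
```

The dates produced are when a device becomes eligible, so installation still depends on each device's next Windows Update scan.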
By default, the distribution of devices is random. An “intelligent” distribution can be enabled by enabling the AllowWUfBCloudProcessing policy. This policy gives Microsoft processor permission under GDPR to collect device telemetry and analyze it to create a distribution plan that optimizes the rollout in order to discover potential issues as early as possible. To do this, the service selects the smallest set of devices that maximizes the variations and places those devices early in the deployment. As the deployment continues past the first few available dates, confidence increases that the rest of the rollout will be smooth and successful. To set the AllowWUfBCloudProcessing policy, create a Configuration profile in Endpoint Manager. Then, using the Settings catalog Profile Type, search for AllowWUfBCloudProcessing and enable that policy. Assign the profile to the same devices that are assigned to the Feature update policy and submit. Note that it can take 1-2 days to collect and analyze the data to intelligently optimize the device available dates, so setting this up in advance is recommended.
Whether using the default or the intelligent gradual rollout, the Feature update reports will have a field available for the predicted date the update will be available to each device. This can change due to service recalculations.
Another feature that will make your updates to Windows 11 easier to track and manage is the addition of Safeguard holds to the Feature update failures report. Microsoft occasionally places a Safeguard hold on a device when a component (software or driver) that causes a poor experience post upgrade is detected on it; the hold remains until that issue is resolved. Safeguard holds are added as a new Alert in the Feature update failures report, and the Deployment Error Code is the Safeguard hold ID. More details about the issue and the resolution ETA for most Safeguard holds can be found at http://aka.ms/WindowsReleaseHealth. By understanding which devices are prevented from receiving the feature update, and why, organizations can better understand and manage their feature update rollouts. Read more about Safeguard holds here: Safeguard holds - Windows Deployment | Microsoft Docs.
Using gradual rollout along with pilot, early adopter, and broad deployment rings (http://aka.ms/WUfBDeploymentRings) is a powerful way to configure a full organizational rollout that you can set and then monitor, making adjustments only if issues arise that need more time to investigate before the next ring starts deployment.
For more information and details, please read the documentation here: https://docs.microsoft.com/en-us/mem/intune/protect/windows-10-feature-updates
Update Rings for Windows
Coming soon to Endpoint Manager is support for updating devices to Windows 11 with Update Rings. Using Update rings is as easy as enabling the setting to Upgrade Windows 10 devices to Latest Windows 11 release.
The Upgrade to Windows 11 toggle was added to make managing the upgrade very easy.
One consequence of making this easy and avoiding unexpected results is that, when using Update rings, devices can upgrade only to the latest Windows 11 release. For example, if the next feature update for Windows 11 were released and named 22H2, then devices on Windows 10 assigned to this policy would be updated to Windows 11 22H2, rather than Windows 11 21H2. To specifically control which Windows 11 build a device receives, Feature update policies are recommended.
Similar to Feature update profiles, when the Upgrade to Windows 11 toggle is enabled, a reminder about accepting License Terms is displayed, with a link to those terms. Saving the policy settings is an acceptance of the license terms.
Whether the Upgrade to Windows 11 setting is enabled or not, Windows 10 and Windows 11 devices can coexist in the same policy, controlling deadline, user experience, and quality update settings, as well as future Feature update deferrals. Organizations can continue to use their existing configurations and policies to manage Windows updates without having to build out an entire new set of device or user groups and policies.
Microsoft Endpoint Configuration Manager
The upgrade process is the same as a Windows 10 to Windows 10 feature update, except now the License Agreement acceptance dialog will be shown. Since Windows 11 is a new product classification, devices will not upgrade to Windows 11 until that product is synced and a Windows 11 build is targeted to devices.
Once Windows 11 is published to Windows Server Update Services (WSUS) then the next time the software update synchronization occurs, the Windows 11 product classification should be available. In the Software Update Point Component Properties, go to the Classifications tab and ensure that Upgrades is checked, and then go to the Products tab and ensure the Windows 11 product is checked. Once you do this, the next software update synchronization will now pick up the Windows 11 upgrades.
When you are ready to deploy the upgrade to devices, go to Software Library / Windows Servicing / All Windows Feature Updates.
Right click the “Upgrade to Windows 11” item you want to deploy and select “Deploy”. This will guide you through the standard deployment workflow including the license agreement, upgrade package download, and settings you’ve used to deploy Windows 10 Feature updates in the past.
After the upgrade, all the same tools and policies you used to manage monthly quality updates and also feature updates apply. For example, if you are using Automatic Deployment Rules or Servicing Plans, you do need to update the Classification and Products included in the rules to include Windows 11 quality and feature updates.
Windows 10 and Windows 11 devices can coexist with the same settings, making it easy to keep using the Windows Updates settings you’ve built over the years. As you can see, upgrading devices to Windows 11 using familiar tools helps make deployments easier to manage. Additional capabilities that are coming soon, such as new scheduling options in Feature update profiles, will further simplify Windows updates.
As always, we want to hear from you! Tweet your feedback using the hashtag #MEMpowered. If you have questions about this article, add a comment below or reach out to @IntuneSuppTeam on Twitter. Feel free to add an idea for a new feature to UserVoice and keep up with ongoing developments on Endpoint Manager by following the Microsoft Endpoint Manager Blog and @MSIntune on Twitter.