Simplify your Windows 11 upgrade experience with Intune
Published Nov 08 2023 12:28 PM
Microsoft

We’re excited to announce a new capability in Intune and the Windows Update for Business deployment service to simplify your Windows 11 upgrade experience. If determining eligibility for Windows 11 has been a challenge for your organization, and you want to help protect your devices with the latest Windows feature updates, this is a great solution for you. No longer will you need to worry about creating and maintaining eligibility groups. Let’s dive into the details.

Deploy Windows 11 and Windows 10, version 22H2 feature updates together

Previously, you had to consider eligibility when creating a Windows 11 feature update deployment in Intune or Windows Update for Business deployment service via Microsoft Graph API. For any devices in the deployment that were unable to run Windows 11, you created a separate Windows 10 feature update deployment and excluded the Windows 10 devices from the Windows 11 policy.

Today, you can bundle a Windows 11 upgrade and Windows 10, version 22H2 feature update together in a single deployment. Simply create your Windows 11 deployment as usual and opt to install the latest Windows 10 update when a device isn’t eligible for Windows 11. Those devices will automatically get offered the latest Windows 10, version 22H2 update without the need for additional steps.

Note: Windows 10, version 22H2 is the only version of Windows 10 that can be used as a fallback version.

Deploy and monitor Windows updates using Microsoft Intune

If you use Microsoft Intune, simply create your feature update deployment as usual. Find this option in the Microsoft Intune admin center > Devices > Feature Update for Windows 10 and later > Create Profile. Then check the box for “When a device isn’t eligible to run Windows 11, install the latest Windows 10 feature update.” For example, choose Windows 11, version 23H2 and select the checkbox to get your devices to the latest Windows version for which they are eligible.

Screenshot of feature update deployment settings with a checked box under the selected Windows version in the Microsoft Intune admin center.

You can monitor the status of your deployments using Intune reports or Windows Update for Business reports. Note that in your Intune report, there’s a new Target Version column. It will help you understand which devices were offered Windows 11 and which devices were offered Windows 10, version 22H2. When you first create the deployment, you’ll see that all devices will be targeted for Windows 11. As devices scan, the target version will change to Windows 10, version 22H2 for devices that cannot run Windows 11.

Screenshot of Intune reports for Windows 10 and later feature updates in the Microsoft admin center, highlighting the Target Version column.

Deploy Windows using the Microsoft Graph API

If you use the Microsoft Graph API to create and manage your deployments, follow these three steps.

  1. Get the catalog entry ID of the Windows 11 version you wish to deploy:

| Element | Entry |
| --- | --- |
| Request type | GET |
| URI | https://graph.microsoft.com/beta/admin/windows/updates/catalog/entries |

Screenshot of a request for getting the available versions of Windows to deploy in a feature update deployment in the Microsoft Graph API.

  2. Create a new feature update deployment:

| Element | Entry |
| --- | --- |
| Request type | POST |
| URI | https://graph.microsoft.com/beta/admin/windows/updates/deployments |
| Monitoring rule of signal | Ineligible. Note: See monitoringRule resource type to learn more. |
| Action | OfferFallback |

Screenshot of a request for creating a Windows 11 feature update deployment in the Microsoft Graph API.

  3. Add devices to the deployment:

| Element | Entry |
| --- | --- |
| Request type | POST |
| URI | https://graph.microsoft.com/beta/admin/windows/updates/deployments/{deploymentId}/audience/updateAudience |

Screenshot of a request for adding devices and exclusions for the above deployment in the Microsoft Graph API.
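The three Graph API steps above, sketched as an added Python example (not code from the original post). The catalog response is a constructed sample with placeholder IDs, and the JSON field names and `@odata.type` values are assumptions based on the beta `windowsUpdates` schema, since the post shows the request bodies only as screenshots. Requests are built but not sent, so an authenticated HTTP client is left to the reader.

```python
import json

GRAPH = "https://graph.microsoft.com/beta/admin/windows/updates"
FEATURE = "#microsoft.graph.windowsUpdates.featureUpdateCatalogEntry"

# Constructed sample of a step 1 response (GET {GRAPH}/catalog/entries);
# IDs are placeholders, field names are assumed from the beta schema.
SAMPLE_CATALOG = {"value": [
    {"@odata.type": "#microsoft.graph.windowsUpdates.qualityUpdateCatalogEntry",
     "id": "EXAMPLE-QUALITY-ID"},
    {"@odata.type": FEATURE, "id": "EXAMPLE-WIN10-ID",
     "version": "Windows 10, version 22H2"},
    {"@odata.type": FEATURE, "id": "EXAMPLE-WIN11-ID",
     "version": "Windows 11, version 23H2"},
]}

def find_feature_entry(catalog, version):
    """Step 1: return the catalog entry ID of the requested feature update."""
    for e in catalog["value"]:
        if e.get("@odata.type") == FEATURE and e.get("version") == version:
            return e["id"]
    raise LookupError(f"no feature update entry for {version!r}")

def deployment_request(entry_id):
    """Step 2: deployment with signal 'ineligible' and action 'offerFallback'."""
    body = {
        "content": {
            "@odata.type": "#microsoft.graph.windowsUpdates.catalogContent",
            "catalogEntry": {"@odata.type": FEATURE, "id": entry_id},
        },
        "settings": {"monitoring": {"monitoringRules": [
            {"signal": "ineligible", "action": "offerFallback"}]}},
    }
    return "POST", f"{GRAPH}/deployments", body

def audience_request(deployment_id, device_ids):
    """Step 3: add device IDs to the deployment audience."""
    members = [{"@odata.type": "#microsoft.graph.windowsUpdates.azureADDevice",
                "id": d} for d in device_ids]
    url = f"{GRAPH}/deployments/{deployment_id}/audience/updateAudience"
    return "POST", url, {"addMembers": members}

def has_fallback(body):
    """Pre-send check: does this deployment body request the Windows 10 fallback?"""
    rules = body.get("settings", {}).get("monitoring", {}).get("monitoringRules", [])
    return any(r.get("signal") == "ineligible" and r.get("action") == "offerFallback"
               for r in rules)

if __name__ == "__main__":
    entry = find_feature_entry(SAMPLE_CATALOG, "Windows 11, version 23H2")
    print(json.dumps(deployment_request(entry), indent=2))
```

Running `has_fallback` over a deployment body before sending it catches the case where the monitoring rule was left out and ineligible devices would receive no feature update offer at all.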

Monitor your deployment in Windows Update for Business reports

You can monitor the status of your deployment in Windows Update for Business reports by querying the deployment ID. It’s the number returned upon deployment creation in the Microsoft Graph API (Step 2 above). As with Intune reporting, the target version for all devices in the deployment will initially be the Windows 11 version you selected. It will be updated throughout the deployment to reflect the true version that the device was offered.

Screenshot of a query in Windows Update for Business reports of a deployment with one device targeted for Windows 11 and another for Windows 10.

Start deploying today

This option is available in Microsoft Intune and the Microsoft Graph API today! You may want to confirm that your tenant and devices meet the prerequisites for Windows Update for Business deployment service. Now you’re set to create a Windows 11 deployment with Windows 10, version 22H2 fallback.


Continue the conversation. Find best practices. Bookmark the Windows Tech Community, then follow us @MSWindowsITPro on X/Twitter. Looking for support? Visit Windows on Microsoft Q&A.

9 Comments
Copper Contributor

Does this feature support GCC High tenants? 

Microsoft

@-Ws6- Today the Windows Update for Business deployment service is not supported in GCC High environments. It is something we are working on; there are a number of key dependencies that need to be lined up for this to work as expected.

-HTH,

David

Copper Contributor

For devices that 'aren't eligible to run Windows 11' does this include devices that are marked as medium or high risk in the Windows feature update device readiness report? Or is it just for devices marked as 'replace' in that report?

Steel Contributor

GREAT UPDATE! Makes managing Windows Feature Update Profiles much easier for MSPs using Intune!

Microsoft

@ConorB1645, technically it will be devices that Windows Update finds are not eligible for Windows 11. That should be those identified as "replace device" in the Device Readiness report. Those marked red are applicable, but have a temporary block, like an incompatible driver or app. So they won't fall back to Windows 10 feature update in that case.

HTH

Steel Contributor

@David_Guyer, Every Tenant I have gone to has this option greyed out. I am set up for Windows Update for Business and have been using Feature Update Profiles since they became available. What am I missing to get this working?

Microsoft

@David_Swenson, the option is only available for new policies, and isn't an editable setting for an existing setting. The reason is that setting necessitates creating a new deployment, which also resets reporting in Intune, so can be disrupting to an existing deployment.

 

Hope that helps,

-DG

Copper Contributor

Would this work with Autopatch?

Copper Contributor

Hi,

 

This upgrade creates the windows.old folder at the root of C:

 

How can we automate the "clean" deletion of the old Windows 10 installation?

 

On the Microsoft website, it says "automatic deletion after 10 days", but this is not true.

 

Thank you

Version history
Last update: Nov 08 2023 05:28 PM