This week is again all about upgrading devices to Windows 11, by using Microsoft Intune. When discussing the upgrade to Windows 11, the first and foremost thing to mention is that managed devices won’t automatically upgrade to Windows 11. There is always an action required by the IT administrator to make sure that managed devices are allowed to upgrade to Windows 11. The options to configure those managed devices, however, were limited when using Microsoft Intune. That has changed with the latest service release (2111) of Microsoft Intune. That service release introduced a few more options for managing and controlling the upgrade to Windows 11. This post will go through those different methods for upgrading devices to Windows 11, followed by the configuration options for those different methods.
Tip: When looking for a method to provide users with an option to opt-in for upgrading to Windows 11, have a look at a previous blog post about using access packages.
Introduction to the upgrade options for Windows 11
Let’s start with a quick introduction to the different methods that are available for upgrading devices to Windows 11 when relying on Microsoft Intune. When looking at those different methods, the level of control is the main differentiator. Based on the level of control, the following options are available via Microsoft Intune.
- Loosely managed option: The loosely managed option is referring to the Update rings for Windows 10 and later profile. That profile relies on Windows Update for Business and is a collection of (client) settings that control when Windows updates get installed and what the user experience will be. It enables the IT administrator to create update rings that specify how and when Windows 10 devices should be updated with feature and quality updates. Those update rings now include the option to upgrade Windows 10 devices to the latest Windows 11 release. That option makes it possible to upgrade Windows 10 devices to Windows 11, but doesn’t provide a lot of control to manage the specific Windows 11 version or schedule the upgrade in a specific window.
- Controlled option: (Preview) The controlled option is referring to the Feature updates for Windows 10 and later profile. That profile relies on the Windows Update for Business deployment service and is a collection of settings to control the Windows version on devices. It enables the IT administrator to freeze the feature set on those devices until specifically configuring those devices to upgrade to a later Windows version. While the feature version remains static, those devices continue to install quality and security updates that are available for that feature version. This profile includes the option to control the rollout in a period of time.
Note: With the Windows Update for Business deployment service, there is also the option to create a custom solution by using the different APIs. For the sake of simplicity, I’m not discussing that option now. That could be seen, however, as the “total control option”, as those APIs provide the capability to control approving and scheduling updates.
Loosely managed option to upgrade to Windows 11
The first option is using the Update rings for Windows 10 and later profile type. That profile type can be used for all managed devices with Windows 10 version 1607 or later, with the required telemetry level and a Pro or Enterprise edition. Starting with service release 2111 of Microsoft Intune, update rings can now also be used to upgrade eligible Windows 10 devices to Windows 11. That can be achieved by creating an update ring and using the setting named Upgrade Windows 10 devices to Latest Windows 11 release configured to Yes (as shown below in Figure 1). When using that setting, eligible Windows 10 devices automatically upgrade to the current version of Windows 11. Update rings just don’t provide the IT administrator with a lot of control for scheduling the upgrade. Only the standard configuration options for feature updates are available. Update rings rely on local Windows update client configurations that define the update experience and the update timing.
Note: Adjusting the configuration of the update ring doesn’t affect devices that are already upgraded to Windows 11.
Controlled option to upgrade to Windows 11
The second option is using the Feature updates for Windows 10 and later profile. That profile type can be used for all (hybrid) Azure AD joined and Intune managed devices with a supported Windows version, with the required telemetry level and a Pro or Enterprise edition. Besides that, however, an additional license like Windows 10 Enterprise E3 is required for using this profile type. That’s probably because this profile type relies on the Windows Update for Business deployment service. And the deployment service APIs provide the IT administrator with more control on approving and scheduling updates. Starting with (around) service release 2110 of Microsoft Intune, feature update deployments – that rely on the deployment service APIs – can be used to upgrade eligible Windows 10 devices to Windows 11 and starting with service release 2111 of Microsoft Intune, feature update deployments can also be used to schedule the rollout of the upgrade to Windows 11. That scheduled rollout of the upgrade to Windows 11 can be achieved by using the setting named Feature update to deploy configured to Windows 11 and configuring the Rollout options by using one of the following options for controlling the rollout (as also shown below in Figure 2).
- Make update available as soon as possible – This option is the default behavior for Windows Update and can be used to make the selected Windows 11 version available to all assigned devices with no delay.
- Make update available on a specific date – This option can be used to make the selected Windows 11 version available to all assigned devices on the selected date.
- Make update available gradually – This option can be used to gradually make the selected Windows 11 version available to groups of devices. These groups of devices are created automatically by Windows Update based on the configured start (first group) and end (final group) date in combination with the days between groups.
Note: The Windows Update for Business deployment service uses the start (first group) and end (final group) dates, together with the days between groups, as input to gradually upgrade devices to Windows 11. That information determines the number of groups, and devices are automatically added to those groups.
Tip: When using feature update deployments in combination with update rings, the Feature update deferral period (days) must be set to 0 and the feature updates for the update ring must be running.
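A small planner for the gradual rollout option and the update ring tip above, as an added example (not code from the original post or from Microsoft). It assumes groups are spaced exactly the configured number of days apart with the end date as the final group, and that devices are split evenly across groups; the function names and sample dates are constructed for illustration.

```python
from datetime import date, timedelta


def plan_gradual_rollout(first_group, final_group, days_between, device_count):
    """Return [(offer_date, device_count)] for a gradual rollout.

    Model assumptions (not stated in the post): intermediate groups are
    spaced exactly days_between apart and devices are split evenly.
    """
    if days_between < 1:
        raise ValueError("days between groups must be at least 1")
    if final_group < first_group:
        raise ValueError("final group date is before the first group date")
    dates = []
    current = first_group
    while current < final_group:
        dates.append(current)
        current += timedelta(days=days_between)
    # The configured end date is always the final group, even when the
    # last gap is shorter than days_between.
    dates.append(final_group)
    base, extra = divmod(device_count, len(dates))
    # Spread any remainder over the earliest groups.
    return [(d, base + (1 if i < extra else 0)) for i, d in enumerate(dates)]


def check_ring_compat(deferral_days, ring_feature_updates_running):
    """Check the update ring conditions from the tip above.

    Returns a list of problems; an empty list means the ring can be
    combined with a feature update deployment.
    """
    problems = []
    if deferral_days != 0:
        problems.append("Feature update deferral period (days) must be 0")
    if not ring_feature_updates_running:
        problems.append("Feature updates for the update ring must be running")
    return problems


if __name__ == "__main__":
    # Constructed sample: 250 devices, weekly groups over three weeks.
    plan = plan_gradual_rollout(date(2022, 1, 10), date(2022, 1, 31), 7, 250)
    for offer_date, devices in plan:
        print(offer_date.isoformat(), devices)
    for problem in check_ring_compat(deferral_days=7, ring_feature_updates_running=True):
        print("WARNING:", problem)
```

Running the planner before saving a profile shows how many devices receive the offer on each date, which helps size the first group as a pilot.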
For more information about Windows Update for Business, update rings and feature update policies in combination with Microsoft Intune, refer to the following docs.
- Learn about using Windows Update for Business in Microsoft Intune | Microsoft Docs
- Configure Update rings for Windows 10 and later policy in Intune | Microsoft Docs
- Configure feature updates policy for Windows 10 Windows 11 devices in Intune | Microsoft Docs
- Configure schedules to gradually roll out Windows Updates in Intune | Microsoft Docs