Let’s learn to Upgrade to Windows 11 using Intune Feature Update Deployment Policy. This is the only policy that upgrades Intune managed Windows 10 PCs into Windows 11 version.
I have seen many tweets from Aria (MSFT PM) to emphasize the message that your managed devices will NOT automatically upgrade to Windows11. You can check out the latest Windows 11 22H2 upgrade guide using Intune feature update deployment policy.
The only option to upgrade Windows 10 PCs to Windows 11 using WUfB and Intune is the feature update deployment policy. It seems a lot of IT folks are getting confused between the different WUfB policies available in Intune.
- Create Windows 11 Azure AD Device Group
- Latest Windows 11 ISO Ready to Download Production Version
- Windows 11 Intune Enrollment Process (Known issue/Firewall Rules/Connectivity Requirements)
- Windows 11 Minimum System Requirements Updated
First, we all need to understand the difference between Windows 11 and Windows 10 from an update mechanism perspective. The Windows 10 version updates are updates within the same product.
However, Windows 11 is a different product, and the upgrade from one product to another is handled differently. As per Microsoft, Windows 11 availability can vary depending on the device and how the Windows Update policy is configured.
The managed Windows 10 devices will receive the policies from management solutions like Intune. So, this is fully managed by an IT administrator.
Prerequisites for Windows 11 Upgrade using WUfB Feature Updates
Let’s find out the prerequisites for Windows 11 upgrade using WUfB feature updates. The appropriate license should be there Windows 10/11 Enterprise/Education/Virtual Desktop Access or E3 above.
Windows Long Term (LTSC) and HOME versions are not supported for WUfB. In addition to a license for Intune, your organization must have one of the following subscriptions that include a license for Windows Update for Business deployment service:
Windows 10/11 Enterprise E3 or E5 (included in Microsoft 365 F3, E3, or E5)
Windows 10/11 Education A3 or A5 (included in Microsoft 365 A3 or A5)
Windows Virtual Desktop Access E3 or E5
Microsoft 365 Business Premium
Review your subscription details for applicability to Windows 11.
- It should be in a Supported version of Windows 10.
- Should be Intune managed + Hybrid Azure AD joined, or Azure AD joined Devices. BYO scenario is not supported.
Beginning in November of 2022, the Windows Update for Business deployment service (WUfB DS) license will be checked and enforced.
You will need to have Telemetry turned on with a minimum set to Required. You can configure it from Device Restriction policy -> Reporting and Telemetry -> Share Usage Data.
You also should have the Microsoft Account Sign-in Assistant (wlidsvc) service running manually triggered. The service should not be disabled otherwise, WUfB won’t offer the Windows 11 feature updates.
Windows 10 to Windows 11 Upgrade using Update ring policy is NOT Possible
The feature update deferral policy is part of the update ring policy, used MAINLY for monthly patching using Intune. The update ring feature deferral policy also helps IT admins control version upgrades of Windows 10. You can use the Intune feature update policy to upgrade from Windows 10 to Windows 11.
NOTE! – Feature Deferrals policies are great for quality updates or moving to a newer version of the same product (for example, from Windows 10, version 20H2 to 21H1).
There is an Update ring policy for Windows 10 and later, and this is to deploy patches to Windows 10 and Windows 11 PCs.The biggest confusion is between the following two policies in Intune and Windows CSPs.
- Feature update deferral period (days) policy – Update Ring
- Feature Deployment policy – Feature Update Deployment
Feature update deferral period (days) – This policy is to defer feature updates for a specified number of days. The allowed value is between 0-365 days. This policy only applies to Windows 10 version upgrades within the same product line.
Windows 11 Feature Update Deployment Policy for Upgrade
You will need to use a feature update deployment policy for Windows 11 upgrade. The reason for that is it’s a product upgrade (Windows 10 to Windows 11), unlike Windows 10 version upgrade within the same product. The following table gives you a more clear understanding of the different policies.
Learn how to upgrade to Windows 11 using an Intune feature update deployment policy. This is what is explained in this post. This is the only Windows Update for Business policy.
| WUFB Policy Name | Type of Policy | Result |
|---|---|---|
| Feature update deferral period (days) policy | Update Ring | Upgrade versions within the same Products (for example, Windows 10 21H1 to 21H2) |
| Feature Deployment Settings policy | Feature Update Deployment | Migrate a Device from one product to another (Windows 10 to Windows 11) |
| Feature Update Deferral Period (Day) Policy | Update RIng | Upgrade versions within the same Products (for example, Windows 11 21H2 to 22H2) |
Upgrade to Windows 11 using Intune Feature Update Deployment Policy
You will need to create a feature update deployment policy from Intune portal to upgrade your eligible Windows 10 PCs to Windows 11. The Windows 11, version 21H2 drop-down option is NOW available in Feature Deployment Settings.
Intune Feature Update Deployment Policy is the only WUfB policy configured through Intune help IT admins upgrade to Windows 11 from Windows 10. You can select the feature deployment settings from the drop-down list.
- Login to MEM Admin Center endpoint.microsoft.com
- Navigate to Devices – Feature updates for Windows 10 and later (Preview)
- Click on +Create Profile.
- Enter the Name of the Policy and Description.
- Feature deployment settings – Feature Update to deploy-> Windows 11
You can use Windows 11 Azure AD device group to deploy this policy (of course!). However, you will need to use Windows 10 Intune filter rules or (filter is not available for feature update policy while writing this post).
Windows 10 AAD groups to upgrade Windows 10 devices to Windows 11 operating system. Search and select the AAD Device Group – Devices in that group will get upgraded to Windows 11.
There was a known issue with Windows 11 Feature deployment settings in Intune. I can confirm that this issue is already fixed for my Intune tenant. So, you can try this again if you faced any issues before.
Windows 11 Feature Updates Scheduling Options
You will get an option to schedule Windows 11 upgrade (Intune feature update policy). This is the most welcome change announced back in Microsoft Ignite (a year before?).
The Windows 11 Intune feature update will allow admins to granularly Rollout Windows 11 operating system in the coming days.
As per Microsoft, This will replace the deferral options in Update rings and makes it much easier to schedule a rollout versus needing to calculate the required deferral days based on the publish date of the update. Intune feature update will have the following Rollout Options.
- Make Update available as soon as possible
- Make Update available on a Specific Date
- Make Update Available Gradually
When you select the “Make Update available on a Specific Date” option, the Windows 11 upgrade will start on the defined date as per admin configuration.
Another granular option that will be made available in the feature update policy is a start and end date configuration.
When would you like to make the update available in Windows Updates? You can configure the start date of the Windows 11 upgrade and the end date of an upgrade as well.
This makes Windows feature updates gradually availability Gradually – This means you will get options to define the start and end date for Windows 11 upgrade from Windows 10.
First group availability -> 01/01/2022
Final Group availability -> 01/29/2022
Days between groups -> 7 Days
NOTE! – As per Microsoft, they will use Telemetry data (keeping GDPR in consideration) to span out the upgrades within the start and end dates.
Update Ring for Windows 10 to Windows 11 Upgrades
This is another helpful option to get into the latest version of Windows 11 from Windows 10. The Update Ring option is still not available. But this option will help to upgrade all Windows 10 PCs to the latest version of Windows 11.
Windows Update Ring policy in Intune will help If devices are on Windows 10, and you will need to upgrade to the newest version of the Windows 11 22H2 instead of the Windows 11 21H2 version.
Author
Anoop is Microsoft MVP! He is a Solution Architect in enterprise client management with more than 20 years of experience (calculation done in 2021) in IT. He is a blogger, Speaker, and Local User Group HTMD Community leader. His main focus is on Device Management technologies like SCCM 2012, Current Branch, and Intune. E writes about ConfigMgr, Windows 11, Windows 10, Azure AD, Microsoft Intune, Windows 365, AVD, etc…
Hi Anoop,
It is not clear to me whether enabling the “Upgrade Windows 10 devices to Latest Windows 11 release” setting (in the Windows Update ring) to Yes can help me to upgrade my Windows 10 device to Windows 11.
Could you please elabourate here so that I can have a better understanding.
Thanks,
Ashish Arya
Hi – The following policy (copied below) will get Windows 10 PCs upgraded to Windows 11. If the PCs have all the prerequisites in place.
Navigate to Devices – Feature updates for Windows 10 and later (Preview)
Click on +Create Profile.
Enter the Name of the Policy and Description.
Feature deployment settings – Feature Update to deploy-> Windows 11
Hi Anoop, after following this. the status under reports have been stuck on pending. and nothing has appeared on computers so far.
they are stuck at offer ready (update substate) and in progress (update aggregated state)
I’m still having one confusion. we have few devices on windows 10, and others on windows 11.
I have update
1. update ring targeting few windows 10 devices to get their regular updates, but not upgrade to windows 11. This is working properly and offering regular updates for windows 10.
2. Another update ring targeting windows 11, so I make sure these devices will get regular updates. . This is working properly and offering regular updates for windows 11.
3. Feature update policy, targeting few devices (few windows10 and few windows 11) to get an offer to upgrade to windows 11 22H2.
As per my understanding from your post, policy #2 must offer windows 11 the feature update of Windows 11 22H2. Unfortunately my windows 11 devices are not getting 22H2, neither from deferral option in policy #2, nor from the feature update in Policy #3
Not sure also why I split Policy #1 and #2, because they are exactly the same, but each one target different group.
Hi Anoop,
If the ‘Upgrade Windows 10 devices to Latest Windows 11 release’ setting (in the Windows Update ring), is set to ‘No’, but the device is added to a group under Feature Update Deployment policy to target Win 11 release, will the device upgrade or will it be blocked because its update ring policy (Upgrade Windows 10 devices to Latest Windows 11 release) is set to ‘No’?
A follow up with this on how to roll it out with an existing Windows 10 Autopatch setup, and target specific devices with Win 11 upgrade would be welcome.
For Hybrid Joined+Intune Managed Devices
1)If they are co-managed anything needs to check related to Workload from SCCM To Intune?
2)Does GPO Settings required in such case? Even if we apply policy , how we ensure that GPO of such machines does not block update.