Upgrading to Windows 11


Windows 11 was released on October 5th, 2021, and many have already started testing the new operating system. However, the adoption rate has not been as quick as Microsoft hoped: as of December 2021 Windows 11 only has a market share of around 10%. Most enterprises are probably looking at broad deployment sometime in 2022 or 2023. In this post we will look at some of the new requirements and changes Windows 11 brings, use Endpoint Analytics or PowerShell to assess the compatibility of existing devices, and finally demonstrate how to deploy Windows 11 with Microsoft Endpoint Manager (Intune).


Microsoft will offer Windows 11 to eligible devices first, then the upgrade will roll out over time to in-market devices based on intelligence models that consider hardware eligibility, reliability metrics, age of device and other factors that impact the upgrade experience. Microsoft expects that all applicable devices should receive the offer to upgrade by mid-2022.

Does this mean that all my devices will be automatically upgraded? The answer to that question is, as always: it depends.

If the device meets the Windows 11 hardware requirements and is allowed to talk directly to Windows Update, then the device will be offered the Windows 11 upgrade automatically (given that the user has administrator rights), which is the normal consumer experience. However, most organizations are using either Windows Update for Business (WUfB), WSUS (Windows Server Update Services) or Configuration Manager to deploy updates in their organization. As long as one of these methods is configured, existing Windows 10 devices will not be offered the Windows 11 upgrade automatically, giving administrators full control.

How long can I stay on Windows 10? Windows 10 will be supported until October 14, 2025. If your organization has older hardware that cannot be upgraded to Windows 11, remaining on Windows 10 would be the best choice for now.

What’s New?

There are a lot of changes in Windows 11 and we won't go through them all. Here are a few highlights.

  • A new start menu that is now centered on the screen (by default), new icons, rounded edges and an updated Settings app are just some of the visual changes in Windows 11.
  • The Microsoft Store has been revamped with a new user experience and will soon allow you to install Android apps directly on your Windows 11 device. Additionally, the Microsoft Store for Business as we know it today will be retired in the first quarter of 2023, and Microsoft will probably provide more information on this topic as we get closer to that date.
  • Snap Groups and Snap Layouts allow you to easily multitask with more than two windows. Simply hover over the maximize button in any desktop application and select your desired layout. This allows you to be more efficient and optimize the use of screen space.
  • Multiple desktops. This feature allows you to organize what is displayed and could, for example, be used to separate work, school and personal tasks. Doing a customer presentation? Create a new desktop with just the elements needed for that specific presentation and let the clutter stay on your work desktop.
  • Widgets, a new personalized feed that allows you to connect to and access information that is important to you. Widgets integrate with existing Microsoft services such as Microsoft To Do, giving you easy access to your tasks.
  • Windows Autopilot and the OOBE (Out-Of-Box Experience) have also gotten a new look, but the functionality remains the same.
  • The Teams consumer app is added to the taskbar by default and requires a Microsoft Account to be used. This is not the same Teams app that organizations are familiar with, and most organizations will probably remove it.
  • Windows Terminal is a much welcomed utility that allows Command Prompt, PowerShell and Azure Cloud Shell to run in different tabs within a single app. Windows Terminal also allows for a large variety of customizations, and you can add additional shells if you want.

Hardware Requirements

Windows 11 comes with some increased hardware requirements that you need to be aware of. Organizations that refresh their devices on schedule (3-4 years is what I typically see for my customers) will probably not have too many issues with the hardware requirements. For my audience that is not so tech-savvy, the requirements below can be summarized like this: any PC procured in 2018 or later should have no issues running Windows 11. This is of course just a rule of thumb and there could be exceptions.

Processor: 1 gigahertz (GHz) or faster with 2 or more cores on a compatible 64-bit processor or System on a Chip (SoC).
RAM: 4 gigabytes (GB).
Storage: 64 GB or larger storage device.
System firmware: UEFI, Secure Boot capable.
TPM: Trusted Platform Module (TPM) version 2.0.
Graphics card: Compatible with DirectX 12 or later with a WDDM 2.0 driver.
Display: High definition (720p) display that is greater than 9" diagonally, 8 bits per color channel.
Connectivity: Internet access for updates. Windows 11 Home requires internet access and a Microsoft Account.

To be certain whether your computer(s) meet the Windows 11 requirements, use Microsoft's PC Health Check app or have a look at Microsoft's official requirements. Running the PC Health Check app does not really scale for larger deployments. Thankfully, Microsoft has provided a few free tools that can be used to assess the current environment and identify devices that do or do not meet the hardware requirements for Windows 11. For reference, the complete hardware requirements are documented here.

Release and Support Changes

With the release of Windows 10 21H2 (November 2021) and Windows 11, Microsoft made some significant changes in terms of release cadence and support to Windows as a Service (WaaS).

Many are familiar with the Semi-Annual Channel that was originally introduced with Windows 10. The model was based on two updates to the operating system each year, with a limited support period for each release. With Windows 10 21H2 and Windows 11, the Semi-Annual Channel is replaced with the General Availability Channel. In practice this means that both Windows 10 and Windows 11 will have a single yearly update, arriving in the second half of each year. The only difference is that Windows 11 will have a longer support period. The next version of both Windows 10 and 11 will arrive sometime in the second half of 2022.

Edition                                        Windows 10   Windows 11
Home and Pro                                   18 months    24 months
Enterprise and Education                       30 months    36 months
Enterprise LTSC (Long Term Servicing Channel)  5 years      5 years

Are My Devices Compatible – Endpoint Analytics

We discussed the Windows 11 hardware requirements earlier; now we need to check whether our devices are compatible. The easiest way of doing this, regardless of whether your devices are managed by an on-premises Configuration Manager instance or by Intune, is to leverage Endpoint Analytics.

Endpoint Analytics allows organizations to understand what kind of experience their end-users are having. The Work from Anywhere report within Endpoint Analytics will indicate if the requirements for Windows 11 are met and if not display what requirement is not met. Read my post on Getting Started with Endpoint Analytics if this is an unfamiliar tool.

Windows 11 hardware readiness insight is displayed for devices that are enrolled via Intune, co-management, or Configuration Manager version 2107+ with tenant attach enabled. Windows 11 readiness will display one of the following statuses: Capable, Not-Capable, Upgraded or Unknown (if the client is inactive or has not reported status yet).

Work from Anywhere report in Endpoint Analytics showing Windows 11 readiness.

Are My Devices Compatible – PowerShell

Another way of determining Windows 11 readiness is to use Microsoft’s Hardware Readiness Script. The script can be used in Intune, Configuration Manager or any other device management platform that supports PowerShell scripts.

When the script is run it returns a JSON object with the following properties: returnCode, returnResult, returnReason and logging. Note that the script needs to be run as a local administrator or else some of the checks will fail.

ReturnResult: displays the result based on the return code listed below.

ReturnReason: displays a comma-separated list of the hardware requirements that are not met. If all requirements are met, the value will be empty.

Logging: contains a string of text that shows additional information as to which tests passed or failed.

ReturnCode: the different return codes are summarized in the table below.

Return Code   Definition
-2            FAILED TO RUN – the script encountered an error
-1            UNDETERMINED – one or more of the hardware requirement checks failed to execute properly
0             CAPABLE – the device meets all assessed Windows 11 hardware requirements
1             NOT CAPABLE – the device does not meet one or more of the assessed Windows 11 hardware requirements
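As an added illustration (this is not Microsoft's Hardware Readiness Script and not code from the original post), the PowerShell below performs a simplified version of the same checks and emits the same JSON shape. The `Test-Requirement` helper and the check names are invented for this example, and it does not compare the CPU model against Microsoft's supported-processor lists, so CAPABLE here is only a first-pass indication.

```powershell
# Added example, not Microsoft's Hardware Readiness Script: simplified Windows 11
# checks that produce the same JSON shape (returnCode, returnResult, returnReason,
# logging). The CPU model is NOT checked against Microsoft's supported lists.
# Run as a local administrator; the TPM and Secure Boot checks need elevation.
$failed = @(); $undetermined = 0; $logging = @()
function Test-Requirement {
    param([string]$Name, [scriptblock]$Check)
    try {
        if (& $Check) { $script:logging += "$Name=PASS" }
        else { $script:logging += "$Name=FAIL"; $script:failed += $Name }
    } catch {
        # The check itself could not execute: this maps to return code -1
        $script:logging += "$Name=UNDETERMINED ($($_.Exception.Message))"
        $script:undetermined++
    }
}
Test-Requirement 'Memory' {
    (Get-CimInstance Win32_ComputerSystem).TotalPhysicalMemory -ge 4GB
}
Test-Requirement 'Storage' {
    # Checks the system volume; Microsoft's requirement is for the storage device
    (Get-CimInstance Win32_LogicalDisk -Filter "DeviceID='$env:SystemDrive'").Size -ge 64GB
}
Test-Requirement 'Processor' {
    $cpu = Get-CimInstance Win32_Processor | Select-Object -First 1
    ($cpu.NumberOfCores -ge 2) -and ($cpu.MaxClockSpeed -ge 1000) -and ($cpu.AddressWidth -eq 64)
}
Test-Requirement 'TPM' {
    $tpm = Get-CimInstance -Namespace root\cimv2\Security\MicrosoftTpm -ClassName Win32_Tpm
    # SpecVersion reads like "2.0, 0, 1.38"; no instance means no usable TPM
    ($null -ne $tpm) -and ($tpm.SpecVersion.Split(',')[0].Trim() -eq '2.0')
}
Test-Requirement 'SecureBoot' {
    # Returns $false when Secure Boot is off and throws on legacy BIOS. Microsoft
    # only requires "Secure Boot capable", so this check is stricter than theirs.
    Confirm-SecureBootUEFI
}
# NOT CAPABLE takes precedence over UNDETERMINED: one failed check is conclusive
if ($failed.Count -gt 0)     { $returnCode = 1;  $returnResult = 'NOT CAPABLE' }
elseif ($undetermined -gt 0) { $returnCode = -1; $returnResult = 'UNDETERMINED' }
else                         { $returnCode = 0;  $returnResult = 'CAPABLE' }
[pscustomobject]@{
    returnCode   = $returnCode
    returnResult = $returnResult
    returnReason = ($failed -join ', ')    # empty string when everything passed
    logging      = ($logging -join '; ')
} | ConvertTo-Json -Compress
```

Because the output is a single JSON line, it can be captured by an Intune or Configuration Manager script deployment and parsed centrally in the same way as the output of Microsoft's script.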

Upgrading to Windows 11

With our compatibility assessment complete we can start deploying Windows 11 to our devices. The guide assumes that Windows Update for Business is being used (this is the case if updates are managed through Intune today) and that devices are enrolled into Intune. Microsoft recommends the use of the Windows Update for Business Deployment Service to deploy Windows 11 to corporate devices. Simply put, this is a service within Windows Update for Business that gives administrators more control than the traditional deferral policies and deployment rings (more on these later). The deployment service will also respect Microsoft Safeguard Holds, which prevent upgrades on devices containing components that Microsoft knows to have issues (see the note below).

Our first and only task is to create a Feature Update policy in the Endpoint Manager Admin Center. This policy configures the Windows Update for Business Deployment Service mentioned above. Follow the steps below to get started:

  1. Open the Endpoint Manager Admin Center.
  2. Select Devices from the left hand menu.
  3. Next select Feature Updates for Windows 10 and Later
  4. Choose Windows 11 as the feature update to deploy.
  5. On the Rollout Options choose Make the update available as soon as possible (more on these options below).

Use the rollout options to control when the feature update (Windows 11) will become available to the device. It is important to note here that this is not the installation time, but rather when the update is made available for a particular device. Once the upgrade is made available, the device must scan for updates against Windows Update to receive the update. The actual install time will depend on user behavior and other policies such as deadline policies.

Make Update Available As Soon As Possible – This is the default option and there is no delay in making the upgrade available to devices.

Make Update Available On A Specific Date – With this option all targeted devices will receive the upgrade on a specific date.

Make Update Available Gradually – This option distributes the availability of the upgrade over a specific range of time and is perhaps the more interesting option for larger environments. It can reduce the effect on your network compared to offering the update to all devices at the same time.

Here is an example scenario to understand how the gradual rollout option works. Let's say that our organization has 100 devices that need the upgrade. We have completed our internal verification process and we are ready to deploy to all 100 devices. We would like to start the rollout on February 1st, 2022 and complete it before March. Additionally, we want a week between deployments to reduce the load on the helpdesk. This would result in 4 deployment groups containing 25 devices each. Again, this still only controls the availability of the Windows 11 upgrade, not the actual installation time.

First Group: February 1, 2022.
Final Group: February 22, 2022.
Days Between Groups: 7
Assignment Group: A group that contains all 100 devices.

A couple of important points to consider when using the gradual rollout option:

  • The first group date must be at least two days in the future. This gives Windows Update enough time to identify devices, calculate the number of rollout groups and assign the policy.
  • Groups are created randomly and sized evenly. It is not possible to place a specific device in a specific rollout group. To do this, use one of the other rollout methods for that device and exclude it from the gradual rollout.
  • The number of rollout groups is recalculated if required. Changing the interval between groups could cause this to happen.
  • If additional devices are added to the assignment group, those devices will be distributed to one of the remaining rollout groups. If a device is removed from the assignment group, Windows Update will attempt to remove the offer. However, this is not possible if the device has already started to process the offer from Windows Update.
  • Say that management decides to postpone the rollout by one week and the First Group date needs to be changed to February 8, 2022. Devices in the First Group that have already been offered the upgrade will retain that offer. However, new devices will not receive the upgrade until February 8.
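The same gradual rollout scenario as a Feature Update policy created through Microsoft Graph instead of the portal, as an added example that is not part of the original post. It assumes the Microsoft.Graph.Authentication module, the beta `deviceManagement/windowsFeatureUpdateProfiles` endpoint with its `rolloutSettings` properties (`offerStartDateTimeInUTC`, `offerEndDateTimeInUTC`, `offerIntervalInDays`), the feature version string 'Windows 11, version 21H2', and a `$GroupId` for the group that contains all 100 devices.

```powershell
# Added example (not from the post): create the gradual-rollout Feature Update
# policy via Microsoft Graph. Assumptions: Microsoft.Graph.Authentication is
# installed, the beta windowsFeatureUpdateProfiles endpoint and its rolloutSettings
# properties are as documented, and $GroupId is the id of the 100-device group.
param(
    [Parameter(Mandatory)] [string] $GroupId,
    [string] $PolicyName = 'Windows 11 - Gradual rollout Feb 2022'
)
Connect-MgGraph -Scopes 'DeviceManagementConfiguration.ReadWrite.All' | Out-Null
$base = 'https://graph.microsoft.com/beta/deviceManagement/windowsFeatureUpdateProfiles'

# First group 1 Feb 2022, final group 22 Feb 2022, seven days between groups.
# These dates only control when the offer becomes available, not installation,
# and the first date must be at least two days ahead of when you run this.
$policyBody = @{
    displayName          = $PolicyName
    featureUpdateVersion = 'Windows 11, version 21H2'
    rolloutSettings      = @{
        offerStartDateTimeInUTC = '2022-02-01T00:00:00Z'
        offerEndDateTimeInUTC   = '2022-02-22T00:00:00Z'
        offerIntervalInDays     = 7
    }
}
$policy = Invoke-MgGraphRequest -Method POST -Uri $base `
    -Body ($policyBody | ConvertTo-Json -Depth 5) -ContentType 'application/json'

# Assign the policy to the device group; Windows Update splits the group into
# evenly sized, randomly chosen rollout groups on its own.
$assignBody = @{
    assignments = @(
        @{
            target = @{
                '@odata.type' = '#microsoft.graph.groupAssignmentTarget'
                groupId       = $GroupId
            }
        }
    )
}
Invoke-MgGraphRequest -Method POST -Uri "$base/$($policy.id)/assign" `
    -Body ($assignBody | ConvertTo-Json -Depth 5) -ContentType 'application/json'
"Created feature update policy '$PolicyName' with id $($policy.id)"
```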

Note on Update Rings and Deferrals

There are a few ways of controlling how Windows updates should be applied to devices in Intune. The most common is to use update rings to manage deferrals for quality (monthly) and feature updates. Microsoft recommends ceasing the use of feature update deferrals in update rings if a feature update policy is also configured (as we did in this blog post). While it is possible to define feature update deferrals in Update Ring policies and Feature Update policies together, this only increases complexity and adds little value. Update rings can still be used to configure the end-user experience, as that is not affected by using a feature update policy.

Here is an example: in our production Update Ring policy, we specified a 14-day deferral for feature updates. We then deployed the Windows 11 upgrade using a Feature Update policy and set the rollout option to "as soon as possible". Since both of these policies need to evaluate to true, it could take an additional 14 days before the device is offered the feature update.

In the Update Ring policy, set the feature update deferral to 0 days; this allows you to control the rollout using the Feature Update policy with minimal complexity.

Note on Safeguard Holds

Safeguard Holds prevent upgrades on devices that contain specific hardware or software that Microsoft knows can cause issues. Safeguards are based on telemetry data or on partner or internal Microsoft validation. The idea is to hold the upgrade until Microsoft has found a fix rather than letting the device attempt an upgrade that could result in failure or a poor user experience. This feature is only available to devices using Windows Update (consumer) or Windows Update for Business. Microsoft lists publicly discussed issues on the Windows release information page; however, this is not a complete list of all known issues. For organizations using WSUS or Configuration Manager, administrators should review the release information page so that they can apply any mitigations or workarounds to their task sequences or other deployment methods.
