Windows 10 to Windows 11 Upgrade with Intune

Why upgrade to Windows 11?

An upgrade to Windows 11 is generally a good idea. It offers many new functions and tools, higher performance and improved security.
Upgrading from Windows 10 to Windows 11 is free, however, this only applies if the latest version of Windows 10. There are also some hardware requirements, as described below.

Time is running out, because support for Windows 10 will be discontinued on October 14, 2025, which means that no more security updates will be provided for Windows 10 after that date.

In this regard, Microsoft writes:
An unsupported version of Windows doesn't receive software updates from Microsoft. These updates include security updates that protect your PC from harmful viruses, spyware, and other malicious software, which can steal your personal information.

Prerequisites for Windows 11 upgrade

To upgrade to Windows 11 via Intune, you need (in addition to the Intune license) one of the following licenses:

• Windows 10/11 Enterprise E3 or E5 (included in Microsoft 365 F3, E3, E5)
  
• Windows 10/11 Education A3 or A5 (enthalten in Microsoft 365 A3 or A5)
  
• Windows Virtual Desktop Access E3 or E5
  
• Microsoft 365 Business Premium
  

There are minimum hardware requirements. In general, Windows hardware (laptops, desktops) purchased since 2018 should be compatible with Windows 11. Microsoft lists this requirement as follows:

• CPU: with 2 or more cores, Intel: i3, i5, i7, i9 (from 8th generation), AMD: Ryzen: 3, 5, 7, 9 (from 2nd generation)
  
• RAM: at least 4 GB
  
• Hard disk: at least 64 GB
  
• System firmware: UEFI with Secure Boot
  
• TPM: Trusted Platform Module (TPM) Version 2.0
  
• Graphics card: compatible with DirectX 12
  
• Display: high-resolution screen from 720p and more than 9 inches
  

Windows 10 should ideally be updated to the latest version 22H2, at least to version 2004. This can be implemented and monitored via Intune.

Inventory of Windows 10 devices

It is assumed that you are already using Intune for MDM device management. Initially, it does not matter which Microsoft 365 environment you use for Windows devices, hybrid as 'Microsoft Entra Hybrid Joined' or cloud-only as 'Microsoft Entra Joined'.

If your company has purchased hardware for employees in recent years, you already have Windows 11 devices in EntraID and Intune. However, this article only focuses on Windows 10 devices.

You can find Windows 10 devices directly in Entra. You can limit the selection with the appropriate filters. This data can be exported as a CSV file for further processing in Excel.

It is even better to create a dynamic device group in Entra that only contains Windows 10 devices. You can use as a dynamic rule:
(device.deviceOSType -eq "Windows") and (device.deviceOSVersion -startsWith "10.0.1")
(By the way, the Windows 11 version starts with "10.0.2")

This group will be needed later anyway for the upgrade to Windows 11. The devices can also be exported as a CSV file.

Prepare Windows 11 upgrade

Microsoft provides a PowerShell script that you can download from HardwareReadiness.ps1.
To automate the process, you can run this script via GPO or Intune. The results can be saved in a log file, e.g. to see whether the hardware can still be used.

In our experience, the BIOS/UEFI settings sometimes do not fit, especially if the user can change them. These include settings: UEFI Mode, TPM 2.0 and Secure Boot, which can be set manually.
If you have a large number of devices, you should look for the 'Bios Config Tool', which is often provided by the manufacturer.

If you are stuck or your IT resources are limited, we will be happy to support you. Precise results are essential, especially in the preparation phase, to ensure a smooth migration.

For older hardware that cannot be upgraded to Windows 11, you will need to clarify who is responsible for the purchasing and technical implementation of the manual installation.

It is also worth noting that the Microsoft Docs refer to Intune Endpoint analytics | Work from anywhere, where you can find the inventory data about Windows 11 Upgrade. However, the results are/were often unusable and incomplete. But this can be improved in the future.

Upgrading to Windows 11

Once the preparation phase is complete, the test conversion can begin. During this phase, errors can be corrected and optimizations can be made, in:

• Intune settings
  
• The common apps continue to run
  
• Time required by IT and users
  
• Creation of admin and user guides, possibly training
  
• Installation process: Country/department-related or user decides via company portal
  
• Modify resource planning, possibly external support
  

Immediately after the test phase (depending on the size of the company), the installation continues as follows:

• Extended test phase involving IT and key users
  
• Pilot phase with approx. 10% of employees
  
• Upgrade of non-critical systems
  
• Upgrade of remaining systems (more than 95%)
  
• Troubleshooting for failed systems (ongoing)
  

External support

It is recommended to obtain external support during the preparation and planning phase. In this way, costs can be saved, as a time-consuming installation for IT and, above all, for employees can be avoided.
In addition to day-to-day business, IT will also be confronted with additional user support.

Using established methods, we support you in the inventory by thoroughly identifying Windows 10 devices.
We configure the Intune environment and you can constantly fetch an updated Excel export with the following device data:

• Ready for Windows 11 upgrade
  
• Corrected BIOS/UEFI settings have been corrected with Intune Remediation Scripting
  
• Wrong BIOS/UEFI settings can be corrected by manual access
  
• Hardware is too old
  The hardware properties do not meet the minimum requirements for CPU, RAM, hard disk, etc. with serial number of the device and date of manufacture
  

Employees are busy and do not want to be interrupted at work (possibly in a meeting) by the installation of Windows 11. We support your employees so that they can determine the time of installation themselves by clicking the appropriate button in the company portal.

This method is user-friendly but can take time with user justifications like 'had no time for it'.
If the installation needs to run faster and more effectively, we can send the employee 3 installation dates on different days and times. An employee can simply book an installation time via the existing M365 apps.

For IT, this simply means that the relevant employee is added to the Entra installation group on the chosen day and the automatic installation process is followed.

Let's talk about it as soon as possible, because the successful installation alone in companies with ca. thousand employees can take several months, and that without troubleshooting.