IT-DRAFTS
October 6, 2025

How to Push Windows 11 25H2 Using Intune (Without Losing Your Sanity) + PowerShell Script

It’s that time again — another Windows feature update, another round of patch roulette.
If you’re managing devices through Microsoft Intune, upgrading from Windows 11 24H2 → 25H2 doesn’t have to be painful.
(Well, less painful, let’s say.)

Here’s how to do it the right way — and avoid the classic “update chaos” that hits every IT team twice a year.

Step 1: Don’t Touch the Devices — Touch Intune

Forget manual upgrades.
Forget remote PowerShell sessions that hang halfway through.
All you need is Windows Update for Business (WUfB) + Intune policies.

Step 2: Configure Your Update Ring

Go to Intune Admin Center
Devices → Windows → Updates → Update Rings
Hit + Create profile

Now name it something useful — like “Windows 11 Prod Update Ring” — not “Test2-final-V3-FIXED” (we’ve all done it).

Define your policies:

  • Servicing channel: General Availability (GA)

  • Quality updates: Auto-install

  • Feature updates: Controlled by policy

  • Deadlines: Add some — or users will postpone this until retirement.

Click Done.

Step 3: Configure the Feature Update Policy

Now the real magic happens.

Go to:
Devices → Windows → Updates → Feature Updates
Create profile

Fill in the basics:

  • Name: Windows 11 25H2 Upgrade

  • Feature update to deploy: Windows 11, version 25H2

  • Assign it to your device group(s).

Click Done.

Now Intune will handle the rollout — no USBs, no ISO circus, no late-night VPN sessions.

Step 4: Test Before You Nuke Production

Always. Always. Always.
Create a pilot group (a few test laptops, preferably your least favorite ones).
Deploy the policy there first.
Monitor for issues via Intune → Reports → Windows Update Reports.

If it survives 72 hours without blue screens, push it to production.

Bonus Tips from the Trenches

  • Make sure the Windows Update for Business service is reachable — firewall rules still matter.

  • Keep an eye on drivers — some OEMs delay compatibility for 25H2.

  • Use device filters if you’re managing mixed environments (24H2, 23H2, or legacy Win10 stragglers).

  • Communicate to end users — nobody likes surprise reboots mid-Zoom call.
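
A device-side check for the pilot phase in Step 4 and the reachability tip above, as an added example that is not part of the original post. The function names, the sample host list, and the use of Kernel-Power event 41 as a stand-in for "blue screens" are assumptions of this example.

```powershell
# Added example: run on a pilot device after the policy has applied.
# Assumptions: the host list is a small sample of Windows Update endpoints
# (check it against Microsoft's published list); function names are illustrative.
$ExpectedDisplayVersion = '25H2'
$LookbackHours = 72    # the soak window suggested in Step 4
$UpdateHosts = 'sls.update.microsoft.com', 'fe2.update.microsoft.com', 'dl.delivery.mp.microsoft.com'

function Get-OsVersionState {
    # DisplayVersion holds the release name (24H2, 25H2); UBR is the patch revision.
    $cv = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'
    [pscustomobject]@{
        DisplayVersion = $cv.DisplayVersion
        Build          = "$($cv.CurrentBuild).$($cv.UBR)"
        OnTarget       = $cv.DisplayVersion -eq $ExpectedDisplayVersion
    }
}

function Test-UpdateEndpoint {
    param([string[]]$HostName)
    foreach ($h in $HostName) {
        $r = Test-NetConnection -ComputerName $h -Port 443 -WarningAction SilentlyContinue
        [pscustomobject]@{ Host = $h; Reachable = $r.TcpTestSucceeded }
    }
}

function Get-UncleanRestart {
    param([int]$Hours)
    # Kernel-Power event 41 is logged after any restart without a clean shutdown,
    # which includes blue screens as well as power loss.
    $filter = @{
        LogName      = 'System'
        ProviderName = 'Microsoft-Windows-Kernel-Power'
        Id           = 41
        StartTime    = (Get-Date).AddHours(-$Hours)
    }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue
}

$os      = Get-OsVersionState
$blocked = @(Test-UpdateEndpoint -HostName $UpdateHosts | Where-Object { -not $_.Reachable })
$crashes = @(Get-UncleanRestart -Hours $LookbackHours)

[pscustomobject]@{
    Computer         = $env:COMPUTERNAME
    DisplayVersion   = $os.DisplayVersion
    Build            = $os.Build
    BlockedEndpoints = $blocked.Host -join ', '
    UncleanRestarts  = $crashes.Count
    PilotHealthy     = $os.OnTarget -and ($crashes.Count -eq 0) -and ($blocked.Count -eq 0)
}
```

A device that reports `PilotHealthy = False` with blocked endpoints points at proxy or firewall rules rather than at the update itself.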

The Endgame

Once the policy hits devices, Intune coordinates everything automatically:

  • The OS downloads 25H2 via Windows Update.

  • Reboots happen on schedule.

  • Reports show compliance and version health.

No MDT, no SCCM task sequences, no command-line heroics.

Just clean, policy-based updates — like civilized IT professionals.

TL;DR

Path:
Intune Admin Center → Devices → Windows → Updates →
✅ Update Rings → +Create Profile → Done
✅ Feature Updates → Create Profile → Select Windows 11, version 25H2 → Done

You’ve now officially upgraded your fleet — without crying in PowerShell.

But if you want a PowerShell script, go ahead. Here it is:

# ============================================================
# Intune Feature Update Deployment with Auto-Rollback + Alerts
# Author: Alex Burlachenko (ctrlaltdel.blog)
# Purpose: Deploy Windows 11 25H2, monitor rollout, rollback failures, and alert admins.
# ============================================================

# --- Step 0: Configuration ---------------------------------------------

$TargetFeatureVersion = "Windows 11, version 25H2"
$RollbackVersion = "Windows 11, version 24H2"
$DeploymentName = "Windows 11 25H2 Upgrade"
$AADGroupID = "<YOUR-AAD-GROUP-ID>"

# Email settings for notifications
$SMTPServer = "smtp.office365.com"
$SMTPPort = 587
$From = "intune-notify@yourdomain.com"
$To = "itops@yourdomain.com"
$Subject = "Intune Windows 11 25H2 Upgrade Report"
$Credential = Get-Credential -Message "Enter credentials for SMTP authentication"

# --- Step 1: Prerequisites ---------------------------------------------

Install-Module Microsoft.Graph.Intune -Force -AllowClobber
Import-Module Microsoft.Graph.Intune
Connect-MSGraph

# --- Step 2: Create Feature Update Policy ------------------------------

$featureUpdatePolicy = @{
    "@odata.type" = "#microsoft.graph.windowsFeatureUpdateProfile"
    displayName = $DeploymentName
    description = "Intune policy to upgrade devices to Windows 11 25H2"
    featureUpdateVersion = $TargetFeatureVersion
    rolloutSettings = @{
        rolloutDurationInDays = 7
    }
}

$uri = "https://graph.microsoft.com/beta/deviceManagement/windowsFeatureUpdateProfiles"
$policy = Invoke-MSGraphRequest -HttpMethod POST -Url $uri -Content $featureUpdatePolicy

# --- Step 3: Assign Policy to Device Group -----------------------------

# The assign action takes an "assignments" collection in the request body.
$assignment = @{
    assignments = @(
        @{
            "@odata.type" = "#microsoft.graph.windowsFeatureUpdateProfileAssignment"
            target = @{
                "@odata.type" = "#microsoft.graph.groupAssignmentTarget"
                groupId = $AADGroupID
            }
        }
    )
}

$assignUri = "https://graph.microsoft.com/beta/deviceManagement/windowsFeatureUpdateProfiles/$($policy.id)/assign"
# Serialize explicitly so the nested target is not cut off by the default JSON depth.
Invoke-MSGraphRequest -HttpMethod POST -Url $assignUri -Content ($assignment | ConvertTo-Json -Depth 5)

Write-Host "✅ Deployment Policy '$DeploymentName' assigned to group successfully."

# --- Step 4: Monitor Deployment Status ---------------------------------

Start-Sleep -Seconds 60 # small delay to let Intune process

$reportUri = "https://graph.microsoft.com/beta/deviceManagement/reports/getWindowsFeatureUpdateStatusReports"
$report = Invoke-MSGraphRequest -HttpMethod GET -Url $reportUri

# Parse the report; @() keeps each result an array so .Count is reliable
# even when zero or one device matches.
$failedDevices = @($report.value | Where-Object { $_.status -eq "failed" })
$successDevices = @($report.value | Where-Object { $_.status -eq "success" })

Write-Host "📊 Success: $($successDevices.Count) devices | ❌ Failed: $($failedDevices.Count) devices"

# --- Step 5: Rollback Logic for Failed Devices -------------------------

if ($failedDevices.Count -gt 0) {
    Write-Host "⚠️ Rolling back failed devices to $RollbackVersion…"

    $rollbackPolicy = @{
        "@odata.type" = "#microsoft.graph.windowsFeatureUpdateProfile"
        displayName = "Rollback to $RollbackVersion"
        description = "Automatic rollback for failed Windows 11 25H2 upgrade devices"
        featureUpdateVersion = $RollbackVersion
        rolloutSettings = @{
            rolloutDurationInDays = 2
        }
    }

    $rollbackUri = "https://graph.microsoft.com/beta/deviceManagement/windowsFeatureUpdateProfiles"
    $rollbackPolicyResponse = Invoke-MSGraphRequest -HttpMethod POST -Url $rollbackUri -Content $rollbackPolicy

    foreach ($device in $failedDevices) {
        $assign = @{
            "@odata.type" = "#microsoft.graph.deviceManagementConfigurationPolicyAssignment"
            target = @{
                "@odata.type" = "#microsoft.graph.deviceAndAppManagementAssignmentTarget"
                deviceId = $device.deviceId
            }
        }

        $assignRollbackUri = "https://graph.microsoft.com/beta/deviceManagement/windowsFeatureUpdateProfiles/$($rollbackPolicyResponse.id)/assign"
        Invoke-MSGraphRequest -HttpMethod POST -Url $assignRollbackUri -Content $assign
    }

    Write-Host "🔄 Rollback policy applied to failed devices."
}

# --- Step 6: Send Email Notification -----------------------------------

# Device names come from the report, so HTML-encode them before they go into the mail body.
$Body = @"
<html>
<body>
<h3>Intune Windows 11 25H2 Deployment Report</h3>
<p><b>Deployment:</b> $DeploymentName</p>
<p><b>Target Version:</b> $TargetFeatureVersion</p>
<p><b>Group:</b> $AADGroupID</p>
<hr>
<h4>✅ Successful Devices: $($successDevices.Count)</h4>
<h4>❌ Failed Devices: $($failedDevices.Count)</h4>
<ul>
$(foreach ($f in $failedDevices) { "<li>$([System.Net.WebUtility]::HtmlEncode($f.deviceName))</li>" })
</ul>
</body>
</html>
"@

Send-MailMessage -From $From -To $To -Subject $Subject -Body $Body -BodyAsHtml -SmtpServer $SMTPServer -Port $SMTPPort -UseSsl -Credential $Credential

Write-Host "📧 Email report sent to $To."

# --- Step 7: Wrap-Up ---------------------------------------------------

Write-Host "🎯 Intune upgrade completed. Success: $($successDevices.Count), Failures: $($failedDevices.Count)."
