It’s that time again — another Windows feature update, another round of patch roulette.
If you’re managing devices through Microsoft Intune, upgrading from Windows 11 24H2 → 25H2 doesn’t have to be painful.
(Well, less painful, let’s say.)
Here’s how to do it the right way — and avoid the classic “update chaos” that hits every IT team twice a year.
Step 1: Don’t Touch the Devices — Touch Intune
Forget manual upgrades.
Forget remote PowerShell sessions that hang halfway through.
All you need is Windows Update for Business (WUfB) + Intune policies.
Step 2: Configure Your Update Ring
Go to Intune Admin Center
Devices → Windows → Updates → Update Rings
Hit + Create profile
Now name it something useful — like “Windows 11 Prod Update Ring” — not “Test2-final-V3-FIXED” (we’ve all done it).
Define your policies:
- Servicing channel: General Availability (GA)
- Quality updates: Auto-install
- Feature updates: Controlled by policy
- Deadlines: Add some — or users will postpone this until retirement.
Click Done.
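The same ring, created through Microsoft Graph instead of the portal. This is an added example, not code from the original post or from Microsoft: it uses the Microsoft.Graph PowerShell SDK (Connect-MgGraph / Invoke-MgGraphRequest, a different module from the Microsoft.Graph.Intune module used in the script further down), the beta windowsUpdateForBusinessConfiguration property names are taken from the Graph schema and should be checked against current documentation, the deferral and deadline values are sample choices, and the group id is a placeholder.

```powershell
<#
  Added example (not from the original post): build the "Windows 11 Prod
  Update Ring" as a Graph deviceConfiguration and assign it to a group.
  Property names are assumed from the beta windowsUpdateForBusinessConfiguration
  schema; deferral/deadline numbers are sample values.
#>
Connect-MgGraph -Scopes 'DeviceManagementConfiguration.ReadWrite.All'

$GroupId = '<YOUR-ENTRA-GROUP-ID>'   # placeholder: the production device group

# Mirrors the four portal settings from Step 2: GA channel, quality updates
# auto-install, feature updates left to the feature update policy, and deadlines.
$ring = @{
    '@odata.type'                      = '#microsoft.graph.windowsUpdateForBusinessConfiguration'
    displayName                        = 'Windows 11 Prod Update Ring'
    description                        = 'Production ring: GA channel, quality auto-install, deadlines set'
    businessReadyUpdatesOnly           = 'businessReadyOnly'            # General Availability channel
    automaticUpdateMode                = 'autoInstallAtMaintenanceTime' # quality updates: auto-install
    qualityUpdatesDeferralPeriodInDays = 3                              # sample value
    featureUpdatesDeferralPeriodInDays = 0                              # version is chosen by the feature update policy, not by deferral
    deadlineForQualityUpdatesInDays    = 5                              # sample value
    deadlineForFeatureUpdatesInDays    = 7                              # sample value
    deadlineGracePeriodInDays          = 2                              # sample value
    postponeRebootUntilAfterDeadline   = $false
    allowWindows11Upgrade              = $true
}

$uri     = 'https://graph.microsoft.com/beta/deviceManagement/deviceConfigurations'
$created = Invoke-MgGraphRequest -Method POST -Uri $uri `
               -Body ($ring | ConvertTo-Json -Depth 5) -ContentType 'application/json'
Write-Output "Created update ring '$($created.displayName)' with id $($created.id)"

# deviceConfigurations/{id}/assign expects an "assignments" collection of targets.
$assignBody = @{
    assignments = @(
        @{
            target = @{
                '@odata.type' = '#microsoft.graph.groupAssignmentTarget'
                groupId       = $GroupId
            }
        }
    )
}
Invoke-MgGraphRequest -Method POST -Uri "$uri/$($created.id)/assign" `
    -Body ($assignBody | ConvertTo-Json -Depth 5) -ContentType 'application/json'
Write-Output "Assigned ring to group $GroupId"
```

Keep the ring and the feature update policy as two separate objects, as the portal does: the ring governs cadence and deadlines, the feature update policy (Step 3) governs which version devices land on. Scripting the ring makes the "Prod" settings reviewable and repeatable across tenants rather than living only in whoever clicked through the wizard.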
Step 3: Configure the Feature Update Policy
Now the real magic happens.
Go to:
Devices → Windows → Updates → Feature Updates
Create profile
Fill in the basics:
- Name: Windows 11 25H2 Upgrade
- Feature update to deploy: Windows 11, version 25H2
- Assign it to your device group(s).
Click Done.
Now Intune will handle the rollout — no USBs, no ISO circus, no late-night VPN sessions.
Step 4: Test Before You Nuke Production
Always. Always. Always.
Create a pilot group (a few test laptops, preferably your least favorite ones).
Deploy the policy there first.
Monitor for issues via Intune → Reports → Windows Update Reports.
If it survives 72 hours without blue screens, push it to production.
Bonus Tips from the Trenches
- Make sure Windows Update for Business service is reachable — firewall rules still matter.
- Keep an eye on drivers — some OEMs delay compatibility for 25H2.
- Use device filters if you’re managing mixed environments (24H2, 23H2, or legacy Win10 stragglers).
- Communicate to end users — nobody likes surprise reboots mid-Zoom call.
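A device-side check that covers the pilot verification in Step 4 (is the test laptop actually on 25H2 after the 72 hours?) and the first bonus tip (can it reach Windows Update at all?). This is an added example, not part of the original post or any Microsoft tooling. It is written as an Intune Remediations detection script (exit 0 = compliant, exit 1 = not compliant). Assumptions: the list of Windows Update hostnames is a constructed sample to be aligned with Microsoft's published endpoint list, and the PolicyManager registry path for the MDM Update CSP values is assumed and handled as optional.

```powershell
<#
  Added example (not from the original post): Intune Remediations detection
  script for the 25H2 pilot. Reports installed version, the WUfB target the
  feature update policy pushed, and Windows Update endpoint reachability.
  Exit 0 only when the device is on 25H2 and every endpoint is reachable.
#>
$ExpectedDisplayVersion = '25H2'

# Constructed sample of Windows Update hostnames to probe on TCP 443;
# align with Microsoft's published WU / WUfB endpoint list for your region.
$UpdateEndpoints = @(
    'fe3.delivery.mp.microsoft.com',
    'sls.update.microsoft.com',
    'download.windowsupdate.com',
    'tsfe.trafficshaping.dsp.mp.microsoft.com'
)

function Get-InstalledWindowsVersion {
    # DisplayVersion is the marketing version (24H2, 25H2); CurrentBuild.UBR is the exact build.
    $cv = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'
    [pscustomobject]@{
        ProductName    = $cv.ProductName
        DisplayVersion = $cv.DisplayVersion
        Build          = "$($cv.CurrentBuild).$($cv.UBR)"
    }
}

function Get-WufbTargetPolicy {
    # Assumed path for MDM-delivered Update CSP values written by the feature update
    # policy; returns $null when no such policy has applied to the device yet.
    $path = 'HKLM:\SOFTWARE\Microsoft\PolicyManager\current\device\Update'
    if (-not (Test-Path $path)) { return $null }
    $p = Get-ItemProperty -Path $path
    [pscustomobject]@{
        ProductVersion           = $p.ProductVersion            # e.g. "Windows 11"
        TargetReleaseVersionInfo = $p.TargetReleaseVersionInfo  # e.g. "25H2"
    }
}

function Test-UpdateEndpoints {
    param([string[]]$Hosts)
    foreach ($h in $Hosts) {
        try {
            $ok = Test-NetConnection -ComputerName $h -Port 443 -InformationLevel Quiet `
                    -WarningAction SilentlyContinue -ErrorAction Stop
        } catch {
            $ok = $false   # DNS failure or blocked path counts as unreachable
        }
        [pscustomobject]@{ Host = $h; Reachable = [bool]$ok }
    }
}

$os      = Get-InstalledWindowsVersion
$policy  = Get-WufbTargetPolicy
$network = Test-UpdateEndpoints -Hosts $UpdateEndpoints
$blocked = @($network | Where-Object { -not $_.Reachable })

Write-Output "OS: $($os.ProductName) $($os.DisplayVersion) (build $($os.Build))"
if ($policy) { Write-Output "WUfB target: $($policy.ProductVersion) $($policy.TargetReleaseVersionInfo)" }
else         { Write-Output 'WUfB target: no feature update policy applied yet' }
$blocked | ForEach-Object { Write-Output "BLOCKED: $($_.Host):443" }

if ($os.DisplayVersion -eq $ExpectedDisplayVersion -and $blocked.Count -eq 0) {
    Write-Output 'Compliant: on 25H2 and Windows Update reachable'
    exit 0
}
Write-Output 'Not compliant: see lines above for version or network cause'
exit 1
```

Run it against the pilot group as a detection-only remediation; the output lines land in the Remediations report, so a laptop that is still on 24H2 after the rollout window shows immediately whether the cause is a missing policy, a blocked firewall path, or something else worth looking at in Windows Update Reports.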
The Endgame
Once the policy hits devices, Intune coordinates everything automatically:
- The OS downloads 25H2 via Windows Update.
- Reboots happen on schedule.
- Reports show compliance and version health.
No MDT, no SCCM task sequences, no command-line heroics.
Just clean, policy-based updates — like civilized IT professionals.
TL;DR
Path:
Intune Admin Center → Devices → Windows → Updates →
✅ Update Rings → +Create Profile → Done
✅ Feature Updates → Create Profile → Select Windows 11, version 25H2 → Done
You’ve now officially upgraded your fleet — without crying in PowerShell.
But if you want a PowerShell script, go ahead, I have one:
# ============================================================
# Intune Feature Update Deployment with Auto-Rollback + Alerts
# Author: Alex Burlachenko (ctrlaltdel.blog)
# Purpose: Deploy Windows 11 25H2, monitor rollout, rollback failures, and alert admins.
# ============================================================

# --- Step 0: Configuration ---------------------------------------------------
$TargetFeatureVersion = "Windows 11, version 25H2"
$RollbackVersion      = "Windows 11, version 24H2"
$DeploymentName       = "Windows 11 25H2 Upgrade"
$AADGroupID           = "<YOUR-AAD-GROUP-ID>"

# Email settings for notifications
$SMTPServer = "smtp.office365.com"
$SMTPPort   = 587
$From       = "intune-notify@yourdomain.com"
$To         = "itops@yourdomain.com"
$Subject    = "Intune Windows 11 25H2 Upgrade Report"
$Credential = Get-Credential -Message "Enter credentials for SMTP authentication"

# --- Step 1: Prerequisites ---------------------------------------------------
# Microsoft.Graph.Intune talks to the Graph beta endpoint, which the URIs below use.
Install-Module Microsoft.Graph.Intune -Force -AllowClobber -Scope CurrentUser
Import-Module Microsoft.Graph.Intune
Connect-MSGraph

# --- Step 2: Create Feature Update Policy ------------------------------------
$featureUpdatePolicy = @{
    "@odata.type"        = "#microsoft.graph.windowsFeatureUpdateProfile"
    displayName          = $DeploymentName
    description          = "Intune policy to upgrade devices to Windows 11 25H2"
    featureUpdateVersion = $TargetFeatureVersion
    rolloutSettings      = @{
        rolloutDurationInDays = 7
    }
}
$uri    = "https://graph.microsoft.com/beta/deviceManagement/windowsFeatureUpdateProfiles"
$policy = Invoke-MSGraphRequest -HttpMethod POST -Url $uri -Content ($featureUpdatePolicy | ConvertTo-Json -Depth 5)

# --- Step 3: Assign Policy to Device Group -----------------------------------
# The /assign action takes an "assignments" collection of
# windowsFeatureUpdateProfileAssignment objects, each with a group target.
$assignment = @{
    assignments = @(
        @{
            "@odata.type" = "#microsoft.graph.windowsFeatureUpdateProfileAssignment"
            target        = @{
                "@odata.type" = "#microsoft.graph.groupAssignmentTarget"
                groupId       = $AADGroupID
            }
        }
    )
}
$assignUri = "https://graph.microsoft.com/beta/deviceManagement/windowsFeatureUpdateProfiles/$($policy.id)/assign"
Invoke-MSGraphRequest -HttpMethod POST -Url $assignUri -Content ($assignment | ConvertTo-Json -Depth 5)
Write-Host "✅ Deployment Policy '$DeploymentName' assigned to group successfully."

# --- Step 4: Monitor Deployment Status ---------------------------------------
Start-Sleep -Seconds 60 # small delay to let Intune process
$reportUri = "https://graph.microsoft.com/beta/deviceManagement/reports/getWindowsFeatureUpdateStatusReports"
$report    = Invoke-MSGraphRequest -HttpMethod GET -Url $reportUri

# Parse the report; @() keeps .Count reliable when there are 0 or 1 results
$failedDevices  = @($report.value | Where-Object { $_.status -eq "failed" })
$successDevices = @($report.value | Where-Object { $_.status -eq "success" })
Write-Host "📊 Success: $($successDevices.Count) devices | ❌ Failed: $($failedDevices.Count) devices"

# --- Step 5: Rollback Logic for Failed Devices -------------------------------
# Note: a feature update policy only holds devices at (or moves them up to) the
# named version; it cannot downgrade a device that already reached 25H2. This
# branch re-targets devices whose upgrade failed so they stay on 24H2 until fixed.
if ($failedDevices.Count -gt 0) {
    Write-Host "⚠️ Rolling back failed devices to $RollbackVersion..."
    $rollbackPolicy = @{
        "@odata.type"        = "#microsoft.graph.windowsFeatureUpdateProfile"
        displayName          = "Rollback to $RollbackVersion"
        description          = "Automatic rollback for failed Windows 11 25H2 upgrade devices"
        featureUpdateVersion = $RollbackVersion
        rolloutSettings      = @{
            rolloutDurationInDays = 2
        }
    }
    $rollbackUri            = "https://graph.microsoft.com/beta/deviceManagement/windowsFeatureUpdateProfiles"
    $rollbackPolicyResponse = Invoke-MSGraphRequest -HttpMethod POST -Url $rollbackUri -Content ($rollbackPolicy | ConvertTo-Json -Depth 5)

    # Intune assignments are group-based: put the failed devices in a dedicated
    # group and use its id here. $device.deviceId is kept only as the placeholder
    # for that group id in this per-device loop.
    foreach ($device in $failedDevices) {
        $assign = @{
            assignments = @(
                @{
                    "@odata.type" = "#microsoft.graph.windowsFeatureUpdateProfileAssignment"
                    target        = @{
                        "@odata.type" = "#microsoft.graph.groupAssignmentTarget"
                        groupId       = $device.deviceId   # replace with the rollback group id
                    }
                }
            )
        }
        $assignRollbackUri = "https://graph.microsoft.com/beta/deviceManagement/windowsFeatureUpdateProfiles/$($rollbackPolicyResponse.id)/assign"
        Invoke-MSGraphRequest -HttpMethod POST -Url $assignRollbackUri -Content ($assign | ConvertTo-Json -Depth 5)
    }
    Write-Host "🔄 Rollback policy applied to failed devices."
}

# --- Step 6: Send Email Notification -----------------------------------------
$Body = @"
<html>
<body>
<h3>Intune Windows 11 25H2 Deployment Report</h3>
<p><b>Deployment:</b> $DeploymentName</p>
<p><b>Target Version:</b> $TargetFeatureVersion</p>
<p><b>Group:</b> $AADGroupID</p>
<hr>
<h4>✅ Successful Devices: $($successDevices.Count)</h4>
<h4>❌ Failed Devices: $($failedDevices.Count)</h4>
<ul>
$(foreach ($f in $failedDevices) { "<li>$($f.deviceName)</li>" })
</ul>
</body>
</html>
"@
Send-MailMessage -From $From -To $To -Subject $Subject -Body $Body -BodyAsHtml -SmtpServer $SMTPServer -Port $SMTPPort -UseSsl -Credential $Credential
Write-Host "📧 Email report sent to $To."

# --- Step 7: Wrap-Up ---------------------------------------------------------
Write-Host "🎯 Intune upgrade completed. Success: $($successDevices.Count), Failures: $($failedDevices.Count)."