IT-DRAFTS
October 6, 2025

How to Push Windows 11 25H2 Using Intune (Without Losing Your Sanity) + PowerShell Script

It’s that time again — another Windows feature update, another round of patch roulette.
If you’re managing devices through Microsoft Intune, upgrading from Windows 11 24H2 → 25H2 doesn’t have to be painful.
(Well, less painful, let’s say.)

Here’s how to do it the right way — and avoid the classic “update chaos” that hits every IT team twice a year.

Step 1: Don’t Touch the Devices — Touch Intune

Forget manual upgrades.
Forget remote PowerShell sessions that hang halfway through.
All you need is Windows Update for Business (WUfB) + Intune policies.

Step 2: Configure Your Update Ring

Go to Intune Admin Center
Devices → Windows → Updates → Update Rings
Hit + Create profile

Now name it something useful — like “Windows 11 Prod Update Ring” — not “Test2-final-V3-FIXED” (we’ve all done it).

Define your policies:

  • Servicing channel: General Availability (GA)

  • Quality updates: Auto-install

  • Feature updates: Controlled by policy

  • Deadlines: Add some — or users will postpone this until retirement.

Click Done.

Step 3: Configure the Feature Update Policy

Now the real magic happens.

Go to:
Devices → Windows → Updates → Feature Updates
Create profile

Fill in the basics:

  • Name: Windows 11 25H2 Upgrade

  • Feature update to deploy: Windows 11, version 25H2

  • Assign it to your device group(s).

Click Done.

Now Intune will handle the rollout — no USBs, no ISO circus, no late-night VPN sessions.

Step 4: Test Before You Nuke Production

Always. Always. Always.
Create a pilot group (a few test laptops, preferably your least favorite ones).
Deploy the policy there first.
Monitor for issues via Intune → Reports → Windows Update Reports.

If it survives 72 hours without blue screens, push it to production.

Bonus Tips from the Trenches

  • Make sure Windows Update for Business service is reachable — firewall rules still matter.

  • Keep an eye on drivers — some OEMs delay compatibility for 25H2.

  • Use device filters if you’re managing mixed environments (24H2, 23H2, or legacy Win10 stragglers).

  • Communicate to end users — nobody likes surprise reboots mid-Zoom call.
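To make the pilot phase in Step 4 and the firewall/driver tips above concrete, here is a pre-flight check to run on a pilot laptop before (and after) the feature update policy lands. It is an added example, not the post's own script; it assumes 24H2 is build 26100 and 25H2 is build 26200, reads the documented Update CSP and WindowsUpdate GPO registry values (whether your tenant sets them is an assumption), and the three endpoints are a constructed sample, not a complete allow-list.

```powershell
# Pilot-device pre-flight check for the 25H2 rollout (added example, not from the post).
# Assumptions: 24H2 = build 26100, 25H2 = build 26200; endpoint list is a sample only.

$expected = @{ "24H2" = 26100; "25H2" = 26200 }

# 1. Current OS version as Windows Update sees it
$cv    = Get-ItemProperty "HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion"
$build = [int]$cv.CurrentBuild
"OS: $($cv.ProductName) $($cv.DisplayVersion) (build $build.$($cv.UBR))"
if     ($build -ge $expected["25H2"]) { "Already on 25H2 or later; nothing to do." }
elseif ($build -eq $expected["24H2"]) { "On 24H2; eligible for the feature update policy." }
else                                  { "Older build; check ring deferrals before expecting 25H2." }

# 2. Policies that pin or pause feature updates. A TargetReleaseVersion of 24H2 coming from
#    Intune (PolicyManager) or a leftover GPO will block the move to 25H2.
$mdm = Get-ItemProperty "HKLM:\SOFTWARE\Microsoft\PolicyManager\current\device\Update" -ErrorAction SilentlyContinue
$gpo = Get-ItemProperty "HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate"      -ErrorAction SilentlyContinue
"MDM TargetReleaseVersion:        $($mdm.TargetReleaseVersion) $($mdm.ProductVersion)"
"MDM DeferFeatureUpdatesPeriod:   $($mdm.DeferFeatureUpdatesPeriodInDays) day(s)"
"MDM PauseFeatureUpdates:         $($mdm.PauseFeatureUpdates)"
"GPO TargetReleaseVersionInfo:    $($gpo.TargetReleaseVersionInfo) $($gpo.ProductVersion)"
if ($mdm.PauseFeatureUpdates -eq 1 -or $gpo.PauseFeatureUpdates -eq 1) { "WARNING: feature updates are paused on this device." }

# 3. Firewall sanity: TCP/443 to a few Windows Update / delivery endpoints (sample list)
$endpoints = "sws.update.microsoft.com", "fe3.delivery.mp.microsoft.com", "download.windowsupdate.com"
foreach ($h in $endpoints) {
    $ok = (Test-NetConnection -ComputerName $h -Port 443 -WarningAction SilentlyContinue).TcpTestSucceeded
    "{0,-35} {1}" -f $h, $(if ($ok) { "reachable" } else { "BLOCKED - check firewall/proxy" })
}

# 4. Recent Windows Update client errors, for quick triage after the pilot has run
Get-WinEvent -FilterHashtable @{ LogName = "System"; ProviderName = "Microsoft-Windows-WindowsUpdateClient"; Level = 2 } `
    -MaxEvents 5 -ErrorAction SilentlyContinue | Select-Object TimeCreated, Id, Message
```

Run it before assigning the pilot group to capture a baseline, then again after 72 hours; a device that still reports 24H2 with no reachability or pause problems usually points to a driver or OEM compatibility hold.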

The Endgame

Once the policy hits devices, Intune coordinates everything automatically:

  • The OS downloads 25H2 via Windows Update.

  • Reboots happen on schedule.

  • Reports show compliance and version health.

No MDT, no SCCM task sequences, no command-line heroics.

Just clean, policy-based updates — like civilized IT professionals.

TL;DR

Path:
Intune Admin Center → Devices → Windows → Updates →
✅ Update Rings → +Create Profile → Done
✅ Feature Updates → Create Profile → Select Windows 11, version 25H2 → Done

You’ve now officially upgraded your fleet — without crying in PowerShell.

But if you want the PowerShell script, go ahead, I have it:

# ============================================================
# Intune Feature Update Deployment with Auto-Rollback + Alerts
# Author: Alex Burlachenko (ctrlaltdel.blog)
# Purpose: Deploy Windows 11 25H2, monitor rollout, rollback failures, and alert admins.
# ============================================================

# --- Step 0: Configuration ----------------------------------------------------

$TargetFeatureVersion = "Windows 11, version 25H2"
$RollbackVersion      = "Windows 11, version 24H2"
$DeploymentName       = "Windows 11 25H2 Upgrade"
$AADGroupID           = "<YOUR-AAD-GROUP-ID>"   # Entra ID object ID of the target device group

# Email settings for notifications
$SMTPServer = "smtp.office365.com"
$SMTPPort   = 587
$From       = "intune-notify@yourdomain.com"
$To         = "itops@yourdomain.com"
$Subject    = "Intune Windows 11 25H2 Upgrade Report"
$Credential = Get-Credential -Message "Enter credentials for SMTP authentication"

# --- Step 1: Prerequisites ----------------------------------------------------

Install-Module Microsoft.Graph.Intune -Force -AllowClobber
Import-Module Microsoft.Graph.Intune
Connect-MSGraph

# --- Step 2: Create Feature Update Policy -------------------------------------

$featureUpdatePolicy = @{
    "@odata.type"        = "#microsoft.graph.windowsFeatureUpdateProfile"
    displayName          = $DeploymentName
    description          = "Intune policy to upgrade devices to Windows 11 25H2"
    featureUpdateVersion = $TargetFeatureVersion
    rolloutSettings      = @{
        rolloutDurationInDays = 7
    }
}

$uri    = "https://graph.microsoft.com/beta/deviceManagement/windowsFeatureUpdateProfiles"
$policy = Invoke-MSGraphRequest -HttpMethod POST -Url $uri -Content ($featureUpdatePolicy | ConvertTo-Json -Depth 10)

# --- Step 3: Assign Policy to Device Group ------------------------------------

# The /assign action expects an "assignments" array of windowsFeatureUpdateProfileAssignment entries.
$assignment = @{
    assignments = @(
        @{
            "@odata.type" = "#microsoft.graph.windowsFeatureUpdateProfileAssignment"
            target        = @{
                "@odata.type" = "#microsoft.graph.groupAssignmentTarget"
                groupId       = $AADGroupID
            }
        }
    )
}

$assignUri = "https://graph.microsoft.com/beta/deviceManagement/windowsFeatureUpdateProfiles/$($policy.id)/assign"
Invoke-MSGraphRequest -HttpMethod POST -Url $assignUri -Content ($assignment | ConvertTo-Json -Depth 10)

Write-Host "✅ Deployment Policy '$DeploymentName' assigned to group successfully."

# --- Step 4: Monitor Deployment Status ----------------------------------------

Start-Sleep -Seconds 60   # small delay to let Intune process the new policy

$reportUri = "https://graph.microsoft.com/beta/deviceManagement/reports/getWindowsFeatureUpdateStatusReports"
$report    = Invoke-MSGraphRequest -HttpMethod GET -Url $reportUri

# Parse the report; @() keeps .Count correct when zero or one device comes back
$failedDevices  = @($report.value | Where-Object { $_.status -eq "failed" })
$successDevices = @($report.value | Where-Object { $_.status -eq "success" })

Write-Host "📊 Success: $($successDevices.Count) devices | ❌ Failed: $($failedDevices.Count) devices"

# --- Step 5: Rollback Logic for Failed Devices --------------------------------

if ($failedDevices.Count -gt 0) {
    Write-Host "⚠️ Rolling back failed devices to $RollbackVersion..."

    $rollbackPolicy = @{
        "@odata.type"        = "#microsoft.graph.windowsFeatureUpdateProfile"
        displayName          = "Rollback to $RollbackVersion"
        description          = "Automatic rollback for failed Windows 11 25H2 upgrade devices"
        featureUpdateVersion = $RollbackVersion
        rolloutSettings      = @{
            rolloutDurationInDays = 2
        }
    }

    $rollbackUri            = "https://graph.microsoft.com/beta/deviceManagement/windowsFeatureUpdateProfiles"
    $rollbackPolicyResponse = Invoke-MSGraphRequest -HttpMethod POST -Url $rollbackUri -Content ($rollbackPolicy | ConvertTo-Json -Depth 10)

    # Caveat: Intune feature update profiles are assigned to Entra groups (or all devices), not to
    # single devices, so in practice the failed devices go into a rollback group and that group is
    # assigned here. A 24H2 profile also only pins devices that have not yet moved; it does not
    # downgrade a device already on 25H2.
    foreach ($device in $failedDevices) {
        $assign = @{
            assignments = @(
                @{
                    "@odata.type" = "#microsoft.graph.windowsFeatureUpdateProfileAssignment"
                    target        = @{
                        "@odata.type" = "#microsoft.graph.deviceAndAppManagementAssignmentTarget"
                        deviceId      = $device.deviceId
                    }
                }
            )
        }

        $assignRollbackUri = "https://graph.microsoft.com/beta/deviceManagement/windowsFeatureUpdateProfiles/$($rollbackPolicyResponse.id)/assign"
        Invoke-MSGraphRequest -HttpMethod POST -Url $assignRollbackUri -Content ($assign | ConvertTo-Json -Depth 10)
    }

    Write-Host "🔄 Rollback policy applied to failed devices."
}

# --- Step 6: Send Email Notification ------------------------------------------

$Body = @"
<html>
<body>
<h3>Intune Windows 11 25H2 Deployment Report</h3>
<p><b>Deployment:</b> $DeploymentName</p>
<p><b>Target Version:</b> $TargetFeatureVersion</p>
<p><b>Group:</b> $AADGroupID</p>
<hr>
<h4>✅ Successful Devices: $($successDevices.Count)</h4>
<h4>❌ Failed Devices: $($failedDevices.Count)</h4>
<ul>
$(foreach ($f in $failedDevices) { "<li>$($f.deviceName)</li>" })
</ul>
</body>
</html>
"@

Send-MailMessage -From $From -To $To -Subject $Subject -Body $Body -BodyAsHtml `
    -SmtpServer $SMTPServer -Port $SMTPPort -UseSsl -Credential $Credential

Write-Host "📧 Email report sent to $To."

# --- Step 7: Wrap-Up ----------------------------------------------------------

Write-Host "🎯 Intune upgrade completed. Success: $($successDevices.Count), Failures: $($failedDevices.Count)."
