How to Push Windows 11 25H2 Using Intune (Without Losing Your Sanity) + PowerShell Script

It’s that time again — another Windows feature update, another round of patch roulette.
If you’re managing devices through Microsoft Intune, upgrading from Windows 11 24H2 → 25H2 doesn’t have to be painful.
(Well, less painful, let’s say.)

Here’s how to do it the right way — and avoid the classic “update chaos” that hits every IT team twice a year.

Step 1: Don’t Touch the Devices — Touch Intune

Forget manual upgrades.
Forget remote PowerShell sessions that hang halfway through.
All you need is Windows Update for Business (WUfB) + Intune policies.

Step 2: Configure Your Update Ring

Go to Intune Admin Center
Devices → Windows → Updates → Update Rings
Hit + Create profile

Now name it something useful — like “Windows 11 Prod Update Ring” — not “Test2-final-V3-FIXED” (we’ve all done it).

Define your policies:

  • Servicing channel: General Availability (GA)

  • Quality updates: Auto-install

  • Feature updates: Controlled by policy

  • Deadlines: Add some — or users will postpone this until retirement.

Click Done.

Step 3: Configure the Feature Update Policy

Now the real magic happens.

Go to:
Devices → Windows → Updates → Feature Updates
Create profile

Fill in the basics:

  • Name: Windows 11 25H2 Upgrade

  • Feature update to deploy: Windows 11, version 25H2

  • Assign it to your device group(s).

Click Done.

Now Intune will handle the rollout — no USBs, no ISO circus, no late-night VPN sessions.

Step 4: Test Before You Nuke Production

Always. Always. Always.
Create a pilot group (a few test laptops, preferably your least favorite ones).
Deploy the policy there first.
Monitor for issues via Intune → Reports → Windows Update Reports.

If it survives 72 hours without blue screens, push it to production.

Bonus Tips from the Trenches

  • Make sure Windows Update for Business service is reachable — firewall rules still matter.

  • Keep an eye on drivers — some OEMs delay compatibility for 25H2.

  • Use device filters if you’re managing mixed environments (24H2, 23H2, or legacy Win10 stragglers).

  • Communicate to end users — nobody likes surprise reboots mid-Zoom call.

The Endgame

Once the policy hits devices, Intune coordinates everything automatically:

  • The OS downloads 25H2 via Windows Update.

  • Reboots happen on schedule.

  • Reports show compliance and version health.

No MDT, no SCCM task sequences, no command-line heroics.

Just clean, policy-based updates — like civilized IT professionals.

TL;DR

Path:
Intune Admin Center → Devices → Windows → Updates →
✅ Update Rings → +Create Profile → Done
✅ Feature Updates → Create Profile → Select Windows 11, version 25H2 → Done

You’ve now officially upgraded your fleet — without crying in PowerShell.

BUT if u want PowerShell script – so go ahead I have it

# ============================================================
# Intune Feature Update Deployment with Auto-Rollback + Alerts
# Author: Alex Burlachenko (ctrlaltdel.blog)
# Purpose: Deploy Windows 11 25H2, monitor rollout, rollback failures, and alert admins.
# ============================================================

# — Step 0: Configuration —————————————————-

$TargetFeatureVersion = “Windows 11, version 25H2”
$RollbackVersion = “Windows 11, version 24H2”
$DeploymentName = “Windows 11 25H2 Upgrade”
$AADGroupID = “<YOUR-AAD-GROUP-ID>”

# Email settings for notifications
$SMTPServer = “smtp.office365.com”
$SMTPPort = 587
$From = “intune-notify@yourdomain.com”
$To = “itops@yourdomain.com”
$Subject = “Intune Windows 11 25H2 Upgrade Report”
$Credential = Get-Credential -Message “Enter credentials for SMTP authentication”

# — Step 1: Prerequisites —————————————————-

Install-Module Microsoft.Graph.Intune -Force -AllowClobber
Import-Module Microsoft.Graph.Intune
Connect-MSGraph

# — Step 2: Create Feature Update Policy ————————————-

$featureUpdatePolicy = @{
“@odata.type” = “#microsoft.graph.windowsFeatureUpdateProfile”
displayName = $DeploymentName
description = “Intune policy to upgrade devices to Windows 11 25H2”
featureUpdateVersion = $TargetFeatureVersion
rolloutSettings = @{
rolloutDurationInDays = 7
}
}

$uri = “https://graph.microsoft.com/beta/deviceManagement/windowsFeatureUpdateProfiles”
$policy = Invoke-MSGraphRequest -HttpMethod POST -Url $uri -Content $featureUpdatePolicy

# — Step 3: Assign Policy to Device Group ————————————

$assignment = @{
“@odata.type” = “#microsoft.graph.deviceManagementConfigurationPolicyAssignment”
target = @{
“@odata.type” = “#microsoft.graph.groupAssignmentTarget”
groupId = $AADGroupID
}
}

$assignUri = “https://graph.microsoft.com/beta/deviceManagement/windowsFeatureUpdateProfiles/$($policy.id)/assign”
Invoke-MSGraphRequest -HttpMethod POST -Url $assignUri -Content $assignment

Write-Host “✅ Deployment Policy ‘$DeploymentName’ assigned to group successfully.”

# — Step 4: Monitor Deployment Status —————————————

Start-Sleep -Seconds 60 # small delay to let Intune process

$reportUri = “https://graph.microsoft.com/beta/deviceManagement/reports/getWindowsFeatureUpdateStatusReports”
$report = Invoke-MSGraphRequest -HttpMethod GET -Url $reportUri

# Parse the report
$failedDevices = $report.value | Where-Object { $_.status -eq “failed” }
$successDevices = $report.value | Where-Object { $_.status -eq “success” }

Write-Host “📊 Success: $($successDevices.Count) devices | ❌ Failed: $($failedDevices.Count) devices”

# — Step 5: Rollback Logic for Failed Devices ——————————-

if ($failedDevices.Count -gt 0) {
Write-Host “⚠️ Rolling back failed devices to $RollbackVersion…”

$rollbackPolicy = @{
“@odata.type” = “#microsoft.graph.windowsFeatureUpdateProfile”
displayName = “Rollback to $RollbackVersion”
description = “Automatic rollback for failed Windows 11 25H2 upgrade devices”
featureUpdateVersion = $RollbackVersion
rolloutSettings = @{
rolloutDurationInDays = 2
}
}

$rollbackUri = “https://graph.microsoft.com/beta/deviceManagement/windowsFeatureUpdateProfiles”
$rollbackPolicyResponse = Invoke-MSGraphRequest -HttpMethod POST -Url $rollbackUri -Content $rollbackPolicy

foreach ($device in $failedDevices) {
$assign = @{
“@odata.type” = “#microsoft.graph.deviceManagementConfigurationPolicyAssignment”
target = @{
“@odata.type” = “#microsoft.graph.deviceAndAppManagementAssignmentTarget”
deviceId = $device.deviceId
}
}

$assignRollbackUri = “https://graph.microsoft.com/beta/deviceManagement/windowsFeatureUpdateProfiles/$($rollbackPolicyResponse.id)/assign”
Invoke-MSGraphRequest -HttpMethod POST -Url $assignRollbackUri -Content $assign
}

Write-Host “🔄 Rollback policy applied to failed devices.”
}

# — Step 6: Send Email Notification —————————————–

$Body = @”
<html>
<body>
<h3>Intune Windows 11 25H2 Deployment Report</h3>
<p><b>Deployment:</b> $DeploymentName</p>
<p><b>Target Version:</b> $TargetFeatureVersion</p>
<p><b>Group:</b> $AADGroupID</p>
<hr>
<h4>✅ Successful Devices: $($successDevices.Count)</h4>
<h4>❌ Failed Devices: $($failedDevices.Count)</h4>
<ul>
$(foreach ($f in $failedDevices) { “<li>$($f.deviceName)</li>” })
</ul>
</body>
</html>
“@

Send-MailMessage -From $From -To $To -Subject $Subject -Body $Body -BodyAsHtml -SmtpServer $SMTPServer -Port $SMTPPort -UseSsl -Credential $Credential

Write-Host “📧 Email report sent to $To.”

# — Step 7: Wrap-Up ———————————————————

Write-Host “🎯 Intune upgrade completed. Success: $($successDevices.Count), Failures: $($failedDevices.Count).”