In this post, I will show you the process to upgrade to Windows 11 25H2 using Intune. Microsoft has recently released 25H2 and made it available for deployment via Intune. It’s also available to download using Microsoft’s Software download center. For more details, refer to the techcommunity link: An IT pro’s guide to Windows 11, version 25H2 – Windows IT Pro Blog.
Unlike the 24H2 feature update, 25H2 is delivered as an enablement package (eKB), whereas 24H2 was a major release that introduced many significant changes to the OS. When a feature update is delivered as an eKB, the download is usually small and typically requires only one restart to complete.
If you have installed the latest updates on Windows 11 24H2, most of the features introduced in Windows 11 25H2 are already there but not yet active. When you upgrade to the 25H2 feature update, those features will be activated on your computer. If there are issues deploying 25H2 via Intune on a specific device and you want to force upgrade it to 25H2 manually, refer to the steps in this post: Force Upgrade to Windows 11 25H2 Manually.
Windows 11 25H2 release introduces new features while also removing features such as PowerShell 2.0 and WMIC. For Enterprise and Education editions, you now have the ability to remove pre-installed Microsoft Store apps using either Group Policy or Intune (via the Settings Catalog policy). Apps that can be removed include Xbox, Feedback Hub, Sticky Notes, Clipchamp, Copilot, and others. For new features in Windows 11 25H2, refer her: What’s new in Windows 11, version 25H2 for IT pros | Microsoft Learn
Microsoft has also updated Windows 11 25H2 security baseline, 25H2 ADMX templates, and Group Policy settings. This means you can now create policies with the latest settings included in these updates. With the release of the Windows 11 25H2 feature update on September 30, 2025, Enterprise and Education editions will receive 36 months of servicing support (ultil, while Home and Pro editions will receive 24 months of support. For Windows – General Lifecycle policy, refer here: Lifecycle FAQ – Windows.
Contents
Prerequisites
Let’s review the system requirements for upgrading to Windows 11, 25H2. For more general Windows 11 system requirements, refer to the link: Windows 11 Specs and System Requirements | Microsoft
- Windows 11 devices must be Enrolled and managed by Intune.
- Users of the Devices should be assigned one of the following licenses:
- Windows 10/11 Enterprise E3 or E5 (included in Microsoft 365 F3, E3, or E5)
- Windows 10/11 Education A3 or A5 (included in Microsoft 365 A3 or A5)
- Windows Virtual Desktop Access E3 or E5
- Microsoft 365 Business Premium
- Devices can be either Entra joined, or Entra Hybrid joined.
- Following Windows 10 and Windows 11, Editions are supported:
- Pro/Education/Enterprise/Pro Education/Pro for Workstations.
- Telemetry/Diagnostic data sharing with Microsoft should be enabled and set to Required level.
Create Phased Deployment Device Groups
If you are starting from scratch, I will recommend to start with creating phased deployment Entra security groups, also referred to as rings. This approach enables phased deployment across all devices. Below are examples of the group structure that you could create.
- Test ring devices
- Pilot ring devices
- Early adopters
- Production ring devices 01
- Production ring devices 02 and so on..
For deploying updates on Windows devices, you will need to create update ring policies to manage the overall configuration of how updates are delivered, and feature update policies to specify the Windows feature update version for your organization’s devices. A feature update policy locks the Windows operating system to the specific feature update version defined in the policy, preventing devices from automatically upgrading to a later version until the policy is updated.
If you haven’t created update ring policies in your environment yet, read the next section, which explains update ring policies in detail, including how to configure the feature update deferral setting. If you already have established update ring policies, you can skip directly to the feature update policy section, which will guide you through the process of upgrading to Windows 11, version 25H2. Refer to Microsoft learn page to know more about Update ring policies: Configure Windows Update rings policy in Intune – Microsoft Intune | Microsoft Learn
The screenshot below illustrates how both policies work together to enable a controlled and phased feature update deployment.
Update Ring Policy
To deploy quality and feature updates on Windows 11 devices, you need to create an update rings policy. An update ring policy in Intune is a Windows Update for Business configuration that defines how and when Windows 10 or 11 devices receive quality and feature updates.
Quality updates are regular montly cumulative updates, typically released on Patch tuesday (second tuesday of every month). These updates focus on security fixes, bug fixes, performance improvements, and reliability enhancements, rather than introducing new features or major OS changes.
A feature update in Windows is a major OS release that introduces new features, design changes, and improvements to functionality, security, and performance. Unlike quality updates, which are smaller and more frequent, feature updates are large, version-based upgrades. For example, 24H2, 25H2, 26H2 etc.
You can create multiple update ring policies and assign them to specific device groups, such as a test ring, pilot ring etc. In a test ring, you can configure a more aggressive update policy that installs updates as soon as they are released. For example, you can set the Quality update deferral period (days) and Feature update deferral period (days) to 0, and configure Automatic update behavior with broader active hours. Since these are test devices, deploying updates during business hours has minimal or no impact on operations.
In addition to the test ring, you can create other update ring policies such as a pilot ring, early adopters ring, and finally a production ring that includes most of the organization’s business devices. The production ring should be deployed only after the update has been thoroughly tested and validated through the earlier rings (for example, test and pilot rings). Below is a basic sample/example update ring and group assignement structure you could create in your environment.
| Update Ring | Entra Group Assignment |
|---|---|
| Test update ring | Test ring devices |
| Pilot update ring | Pilot ring devices |
| Early adopters update ring | Early adopters devices |
| Production update ring | All Production devices |
The values for Quality update deferral period (days) and Feature update deferral period (days) determine how long a device will wait before installing an update after Microsoft releases it. The default value for both settings is 0. You can specify a deferral period of 0 to 30 days for quality updates and 0 to 365 days for feature updates.
If you’re planning to test a new feature update (for example, version 25H2) on test devices, I recommend setting the Feature update deferral period (days) to 0 so it can be deployed immediately without delay. For a more cautious approach, you can defer the feature update on production devices by, say, 180 days. This allows sufficient time to test, validate, and document the new features before deploying the update to production devices with confidence.
Feature Update Policy
Windows feature update policies work together with your Update ring policies to ensure that devices do not receive a Windows feature version later than the one specified in the feature update policy.
I will cover two scenarios for upgrading devices to Windows 11, version 25H2. The first scenario applies when no feature update policy currently exists, and the second scenario applies when a feature update policy is already in place (for example, a Windows 11 24H2 feature update policy).
When you don’t have an existing feature update policy, you can create a new one and target it to a test ring of devices first. After successful testing, extend the deployment to the pilot group, followed by the early adopters group, and finally to the production group. This phased approach ensures a gradual and controlled rollout of the latest feature update across all devices in your organization.
When you already have an existing feature update policy (for example, a Windows 11 24H2 feature update policy) targeting all devices in your organization, avoid changing the Feature update to deploy setting to a newer version within the same policy. Doing so could trigger the upgrade process for all devices assigned to that policy. It is not best practice to roll out any update without testing, this is because:
- Certain in-house apps may not be compatible with the newer feature update (e.g., 25H2)
- Some devices may not be ready or suitable for the upgrade.
- Deployment issues could occur during the upgrade that should be tested and fixed first.
The next sections will cover the creation of a feature update policy and upgrading the devices to a newer feature update version in a phased manner.
More Information about Feature update policy: Configure feature updates policy for Windows 10 Windows 11 devices in Intune | Microsoft Learn
Exclude Device Groups From Existing Feature Update Policy (If any)
If there is an existing feature update policy, keep it as it is, and create a new one specifically for upgrading devices to Windows 11 25H2. When assigning the new policy to groups such as the Test ring, Pilot ring, and Production ring, make sure these groups are excluded from any existing feature update policies, for example, those upgrading devices to 24H2.
As shown in below screenshot, I have excluded Test ring devices group from my existing Windows 11 24H2 feature update policy. In the next section, I will create a new feature update policy for 25H2 and target Test ring devices group.
According to Microsoft, if you target multiple feature update profiles to the same device, the Windows Update service will always offer the latest version of the feature update. However, as a best practice, I also exclude devices from any previous feature update profiles to avoid potential conflicts.
Create a New Feature Update Policy
Once you have excludes the Test ring devices from the existing feature update policy, create a new feature update policy by using below steps:
- Sign into the lntune admin center > Devices > Windows updates > Feature updates > Create profile.
Deployment settings
On the Deployment settings tab, Configure below options:
- Name: Provide the name of the Feature update policy. e.g., Upgrade to Windows 11 25H2.
- Description: Provide a description.
- Feature update to deploy: Use the drop-down to select Windows 11, version 25H2.
- Make available to users as a required update: When you select this option, the feature update will be automatically installed on the target end user devices.
- Make available to users as optional update: As the setting name suggests, this is an optional update. That means it will be offered to the target devices, however it will not be downloaded or installed. To install an optional update, users will need to go to the Windows update settings and click on Download button to being the Installation process.
- When a device isn’t eligible to run Windows 11, install the latest Windows 10 feature update: You can select this checkbox, if there are Windows 10 devices in your environment, and you want to upgrade them to the latest feature update. This option is provided so that you don’t have to create separate feature update policies for Windows 10 and Windows 11 devices. One policy will upgrade the devices to selected feature update on Windows 11 and also upgrade Windows 10 devices to latest feature update as well.
- Rollout options: There are three rollout options:
- Make update available as soon as possible – This is the default option selected, It will deploy feature update on users devices without delay.
- Make update available on a specific date – You can select the day you want this feature update to be available for targeted devices.
- Make update available gradually – You can provide a range of time to make the updates available to devices. Intune will automatically create a subset of target devices based on the range configured, and the duration mentioned between those days. For more information, refer to the link: Make updates available gradually.
- Scope tags (optional): A scope tag in Intune is an RBAC label you add to resources (policies, apps, devices) to limit which admins can see and manage them. For more Information, read: How to use Scope tags in Intune.
- Assignments: Now, you can assign this feature update deployment to the devices you want to upgrade. Click on Add groups and select an Entra security group containing Windows devices. Click Next. For guidance on assignment strategy, see Intune assignments: User groups vs. Device groups.
Below screenshot shows that Test ring devices group has been targeted for the upgrade. This is the same group we have excluded from our existing Upgrade to Windows 11 24H2 policy. All devices with in the Test ring will be upgraded to 25H2.
- Review + create: Review the deployment summary and click Create.
After successfully testing on the Test ring devices, add the Pilot ring devices to the 25H2 feature update policy and exclude them from the 24H2 feature update policy. Test the update on the pilot devices as well. Continue expanding the rollout by adding more groups, gradually deploying the 25H2 update across the entire organization.
Monitoring Feature Update Deployment
After deploying the policy to upgrade devices to the Windows 11 25H2 feature update, you can track the deployment progress using the Windows Feature Update Report. Refer to my other post for detailed steps on generating this report from Intune, what information it includes, and other available options for creating feature update reports. Export Windows Feature Update Report From Intune [3-Ways]
End User Experience
Once the device check-in is completed with Intune, new feature update policy will be applied. Users will receive a notification and need to reboot to complete the installation process.
The device will regularly check in with Intune for new policy updates. However, if you want to speed up this process, you can force an Intune sync from the device. A restart of the device also triggers the Intune device check-in process.
Troubleshooting
If there are any issues with the Windows 11 25H2 feature update deployment, there are multiple places to investigate and find out what went wrong.
1. Investigate Event Viewer logs
- Press Windows Key + R to open the Run dialog box.
- Type
eventvwrand press Enter to open Event Viewer. - Navigate to Application and Services logs > Microsoft > Windows > DeviceManagement– Enterprise-Diagnostics-Provider > Admin.
2. Check if Safeguard hold is applied
If a device has a Safeguard hold applied for a feature update version deployed through Intune, the upgrade may not proceed. Refer to this link to learn more about opting out of Safeguard Hold.
3. Check Reports on Intune admin center
Export feature update reports to investigate the deployment’s status. Confirm that the deployment is in the offering state; the update won’t be deployed if it’s paused or scheduled. For instructions on exporting Feature update reports, refer to the link: 3 Ways to Export Windows Feature Update Report from Intune.
4. Check if Telemetry level is set to the Required
Sometimes, if the Telemetry level is not set to Required, Feature updates via Intune may not be offered to the devices. Ensure the Telemetry or Diagnostic data setting is set to Required. For more information on Telemetry/Diagnostic data settings, refer to Intune: Configure Windows Telemetry/Diagnostic data [3 ways].
Note
