Upgrade to Windows 11 25H2 using Intune

Photo of author
Jatin Makhija
0

In this post, I will show you the process to upgrade to Windows 11 25H2 using Intune. Microsoft has recently released 25H2 and made it available for deployment via Intune. It’s also available to download using Microsoft’s Software download center. For more details, refer to the techcommunity link: An IT pro’s guide to Windows 11, version 25H2 – Windows IT Pro Blog.

Unlike the 24H2 feature update, 25H2 is delivered as an enablement package (eKB), whereas 24H2 was a major release that introduced many significant changes to the OS. When a feature update is delivered as an eKB, the download is usually small and typically requires only one restart to complete. 

If you have installed the latest updates on Windows 11 24H2, most of the features introduced in Windows 11 25H2 are already there but not yet active. When you upgrade to the 25H2 feature update, those features will be activated on your computer.

Windows 11 25H2 release introduces new features while also removing features such as PowerShell 2.0 and WMIC. For Enterprise and Education editions, you now have the ability to remove pre-installed Microsoft Store apps using either Group Policy or Intune (via the Settings Catalog policy). Apps that can be removed include Xbox, Feedback Hub, Sticky Notes, Clipchamp, Copilot, and others.

Microsoft has also updated Windows 11 25H2 security baseline, 25H2 ADMX templates, and Group Policy settings. This means you can now create policies with the latest settings included in these updates. With the release of the Windows 11 25H2 feature update on September 30, 2025, Enterprise and Education editions will receive 36 months of servicing support, while Home and Pro editions will receive 24 months of support.

Prerequisites

Let’s review the system requirements for upgrading to Windows 11, 25H2. For more general Windows 11 system requirements, refer to the link: Windows 11 Specs and System Requirements | Microsoft

  • Windows 11 devices must be Enrolled and managed by Intune.
  • Users of the Devices should be assigned one of the following licenses:
    • Windows 10/11 Enterprise E3 or E5 (included in Microsoft 365 F3, E3, or E5)
    • Windows 10/11 Education A3 or A5 (included in Microsoft 365 A3 or A5)
    • Windows Virtual Desktop Access E3 or E5
    • Microsoft 365 Business Premium
  • Devices can be either Entra joined, or Entra Hybrid joined.
  • Following Windows 10 and Windows 11, Editions are supported:
    • Pro/Education/Enterprise/Pro Education/Pro for Workstations.
  • Telemetry/Diagnostic data sharing with Microsoft should be enabled and set to Required level.

Feature Update Policy

To upgrade Intune-managed devices to Windows 11 25H2, we will utilize a Feature Update policy. The Feature Updates policy in Intune allows you to specify the Windows feature update version for your organization’s devices, effectively locking Windows OS to that version of feature update.

You may already have an existing Feature Update policy that upgrades your company’s devices to Windows 11 24H2. One option for updating to 24H2 is to modify this existing policy by changing the Feature deployment setting to Windows 11 25H2.

However, this approach will upgrade all targeted devices according to the rollout options defined in the policy. It is not best practice to roll out any update to all devices at once without proper testing because:

  • Certain in-house apps may not be compatible with Windows 11 25H2.
  • Some devices may not be ready or suitable for the upgrade.
  • Deployment issues could occur during the upgrade that should be tested and fixed first.

Instead, create a test ring of devices to validate and monitor the upgrade first. Once everything works as expected, you can gradually include more devices. In my experience, a phased approach works best when upgrading devices to new feature updates. This allows you to monitor progress closely and catch potential issues early without impacting production or business users. Let’s now explore the best practices and recommended approach for this deployment.

More Information about Feature update policy: Configure feature updates policy for Windows 10 Windows 11 devices in Intune | Microsoft Learn

1. Organize Devices into Phased Deployment Groups

I will recommend organizing the devices into multiple Entra security groups, also referred to as rings. This approach enables phased deployment across all devices.

  • Test ring devices
  • Pilot ring devices
  • Production ring devices 01
  • Production ring devices 02 and so on..

2. Create a New Feature update Policy

Keep your existing feature update policy unchanged, and create a new one specifically for upgrading devices to Windows 11 25H2. When assigning the new policy to groups such as the Test ring, Pilot ring, and Production ring, make sure these groups are excluded from any existing feature update policies (for example, those upgrading devices to 24H2.

As shown in below screenshot, I have excluded Test ring devices group from my existing Windows 11 24H2 feature update policy.

According to Microsoft, if you target multiple feature update profiles to the same device, the Windows Update service will always offer the latest version of the feature update. However, as a best practice, I also exclude devices from any previous feature update profiles to avoid potential conflicts.

Excluding Test devices from existing Feature update policy

Now we will move on to creating a new Feature update policy which will upgrade devices to Windows 11 25H2.

  • Sign into the lntune admin center > Devices > Windows updates > Feature updates > Create profile.

Deployment settings

On the Deployment settings tab, Configure below options:

  • Name: Provide the name of the Feature update policy. e.g., Upgrade to Windows 11 25H2.
  • Description: Provide a description.
  • Feature update to deploy: Use the drop-down to select Windows 11, version 25H2.
  • Make available to users as a required update: When you select this option, the feature update will be automatically installed on the target end user devices.
  • Make available to users as optional update: As the setting name suggests, this is an optional update. That means it will be offered to the target devices, however it will not be downloaded or installed. To install an optional update, users will need to go to the Windows update settings and click on Download button to being the Installation process.
  • When a device isn’t eligible to run Windows 11, install the latest Windows 10 feature update: You can select this checkbox, if there are Windows 10 devices in your environment, and you want to upgrade them to the latest feature update. This option is provided so that you don’t have to create separate feature update policies for Windows 10 and Windows 11 devices. One policy will upgrade the devices to selected feature update on Windows 11 and also upgrade Windows 10 devices to latest feature update as well.
  • Rollout options: There are three rollout options:
    • Make update available as soon as possible – This is the default option selected, It will deploy feature update on users devices without delay.
    • Make update available on a specific date – You can select the day you want this feature update to be available for targeted devices.
    • Make update available gradually – You can provide a range of time to make the updates available to devices. Intune will automatically create a subset of target devices based on the range configured, and the duration mentioned between those days. For more information, refer to the link: Make updates available gradually.
Create a New Feature update Policy to upgrade to 25h2
  • Scope tags (optional): A scope tag in Intune is an RBAC label you add to resources (policies, apps, devices) to limit which admins can see and manage them. For more Information, read: How to use Scope tags in Intune.
  • Assignments: Now, you can assign this feature update deployment to the devices you want to upgrade. Click on Add groups and select an Entra security group containing Windows devices. Click Next. For guidance on assignment strategy, see Intune assignments: User groups vs. Device groups.

Below screenshot shows that Test ring devices group has been targeted for the upgrade. This is the same group we have excluded from our existing Upgrade to Windows 11 24H2 policy. All devices with in the Test ring will be upgraded to 25H2.

Assign the policy to Test ring of devices
  • Review + create: Review the deployment summary and click Create.
Upgrade to Windows 11 25H2 policy created

After successful testing on Test ring of devices, you can add more groups and expand the upgrade to other pilot users and then production/business users as well. Also ensure to exclude those groups from your previous feature update policy (as discussed before).

End User Experience

Once the device check-in is completed with Intune, new feature update policy will be applied. Users will receive a notification and need to reboot to complete the installation process.

The device will regularly check in with Intune for new policy updates. However, if you want to speed up this process, you can force an Intune sync from the device. A restart of the device also triggers the Intune device check-in process.

Troubleshooting

If there are any issues with the Windows 11 25H2 feature update deployment, there are multiple places to investigate and find out what went wrong.

1. Investigate Event Viewer logs

  • Press Windows Key + R to open the Run dialog box.
  • Type eventvwr and press Enter to open Event Viewer.
  • Navigate to Application and Services logs > Microsoft Windows DeviceManagement– Enterprise-Diagnostics-Provider > Admin.
Event viewer logs to troubleshoot issues with upgrading to 25H2

2. Check if Safeguard hold is applied

If a device has a Safeguard hold applied for a feature update version deployed through Intune, the upgrade may not proceed. Refer to this link to learn more about opting out of Safeguard Hold.

3. Check Reports on Intune admin center

Export feature update reports to investigate the deployment’s status. Confirm that the deployment is in the offering state; the update won’t be deployed if it’s paused or scheduled. For instructions on exporting Feature update reports, refer to the link: 3 Ways to Export Windows Feature Update Report from Intune.

4. Check if Telemetry level is set to the Required

Sometimes, if the Telemetry level is not set to Required, Feature updates via Intune may not be offered to the devices. Ensure the Telemetry or Diagnostic data setting is set to Required. For more information on Telemetry/Diagnostic data settings, refer to Intune: Configure Windows Telemetry/Diagnostic data [3 ways].

Windows 11 25H2 Known Issues

Note

Leave a Comment

Step-by-Step Guides: Setup /Troubleshooting/Configuring Solutions for Intune, Microsoft 365, Windows 365, PowerShell, Windows, Azure, and other Cloud Technologies.

About the author
Contact Us
Privacy Policies
Comment Policies
Cookie Policies

Enter your email address to subscribe to this blog and receive notifications of new posts by email.