
Deploy Windows 11 25H2 with Microsoft Intune: Enterprise Step-by-Step Tutorial
Learn how to deploy Windows 11 25H2 using Microsoft Intune. This step-by-step enterprise tutorial covers enablement packages, deployment rings, feature update policies, and troubleshooting for IT professionals.
Overview
Windows 11 version 25H2 represents a streamlined approach to feature updates through Microsoft's enablement package technology. Rather than requiring a full operating system swap, devices running Windows 11 24H2 receive a lightweight activation package that enables dormant features already present in the system. This tutorial provides IT administrators and MSPs with a complete, step-by-step methodology for deploying 25H2 across enterprise environments using Microsoft Intune, from initial prerequisite validation through post-deployment monitoring and troubleshooting.
Prerequisites
Before starting this deployment, confirm you have access to the following resources and meet these requirements.
Licensing Requirements: You need one of these licenses assigned to users: Windows 10/11 Enterprise E3 or E5 (included in Microsoft 365 F3, E3, or E5), Windows 10/11 Education A3 or A5 (included in Microsoft 365 A3 or A5).
Administrative Access: Intune Administrator or Global Administrator role in Microsoft Entra ID (formerly Azure AD).
Device Requirements: Devices must be running Windows 11 24H2 with recent cumulative updates installed. Supported editions include Pro, Enterprise, Education, Pro Education, and Pro for Workstations. Devices must be enrolled in Intune and can be either Entra joined or Entra Hybrid joined.
Telemetry Configuration: Diagnostic data sharing with Microsoft must be enabled and set to "Required" level minimum.
Step-by-Step Tutorial
Understand the Enablement Package Architecture
Grasp how Windows 11 25H2 differs from traditional feature updates and why this matters for your deployment strategy.
Microsoft introduced a significant change with Windows 11 25H2: instead of delivering a complete operating system package, the update arrives as an enablement package (eKB). This architectural decision has practical implications for enterprise deployments.
When you install monthly cumulative updates on Windows 11 24H2, Microsoft includes new 25H2 features in a dormant state. These features exist on the device but remain inactive. The enablement package functions as an activation switch, turning on these pre-installed features without replacing core system files.
This approach provides several operational benefits. Installation completes rapidly because the system only needs to activate existing code rather than replace system files. The update typically requires a single restart, similar to monthly quality updates. Rollback becomes simpler because fewer system components change during the upgrade process.
Both Windows 11 versions 24H2 and 25H2 share the same servicing branch and codebase. This means devices on either version receive identical monthly security updates, simplifying patch management across mixed-version environments during gradual rollouts.
Important timeline note: Microsoft officially released 25H2 on September 30, 2025. For organizations using Windows Server Update Services (WSUS) or Configuration Manager, the update became available on October 14, 2025. Enterprise and Education editions receive 36 months of servicing support, while Home and Pro editions receive 24 months.
Verify Device Hardware and Software Prerequisites
Confirm target devices meet all technical requirements before initiating the deployment process.
Before creating any Intune policies, validate that your device fleet meets the necessary criteria. Devices failing these checks will not receive the update, often without clear error messages to end users.
Hardware Verification Script:
Execute this PowerShell script on representative devices from your fleet to check hardware compliance:
# Windows 11 25H2 Prerequisite Checker
# Run this script with administrator privileges
Write-Host "=== Windows 11 25H2 Prerequisite Check ===" -ForegroundColor Cyan
Write-Host ""

# Check TPM status (Get-Tpm reports presence/readiness; Win32_Tpm reports the spec version)
$tpmInfo = Get-Tpm -ErrorAction SilentlyContinue
if ($tpmInfo) {
    $tpmSpec = (Get-CimInstance -Namespace "root\cimv2\Security\MicrosoftTpm" -ClassName Win32_Tpm -ErrorAction SilentlyContinue).SpecVersion
    $tpmIs20 = $tpmSpec -and $tpmSpec.StartsWith("2.0")
    $tpmStatus = if ($tpmInfo.TpmPresent -and $tpmInfo.TpmReady -and $tpmIs20) { "PASS" } else { "FAIL" }
    $tpmColor = if ($tpmStatus -eq "PASS") { "Green" } else { "Red" }
    Write-Host "TPM 2.0 Status: $tpmStatus (spec: $tpmSpec)" -ForegroundColor $tpmColor
} else {
    Write-Host "TPM 2.0 Status: Unable to query" -ForegroundColor Yellow
}

# Check Secure Boot (Confirm-SecureBootUEFI throws on legacy BIOS firmware)
try {
    $secureBootEnabled = Confirm-SecureBootUEFI
    $sbStatus = if ($secureBootEnabled) { "PASS" } else { "FAIL" }
    $sbColor = if ($sbStatus -eq "PASS") { "Green" } else { "Red" }
    Write-Host "Secure Boot: $sbStatus" -ForegroundColor $sbColor
} catch {
    Write-Host "Secure Boot: Unable to verify (legacy BIOS?)" -ForegroundColor Yellow
}

# Check current Windows version (CurrentBuildNumber is stored as a string; cast before comparing)
$osVersion = Get-ItemProperty "HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion"
$currentBuild = [int]$osVersion.CurrentBuildNumber
$displayVersion = $osVersion.DisplayVersion
Write-Host "Current Version: $displayVersion (Build $currentBuild)" -ForegroundColor White

# Determine upgrade path: 24H2 (build 26100) takes the enablement package, older builds need a full OS swap
if ($currentBuild -ge 26100) {
    Write-Host "Upgrade Path: Enablement Package (fast)" -ForegroundColor Green
} elseif ($currentBuild -ge 22000) {
    Write-Host "Upgrade Path: Full OS Swap Required (slower)" -ForegroundColor Yellow
} else {
    Write-Host "Upgrade Path: Not eligible for direct upgrade" -ForegroundColor Red
}

# Check telemetry level set by policy (1 = Required; 0 = Security, which is below the required minimum)
$telemetryPath = "HKLM:\SOFTWARE\Policies\Microsoft\Windows\DataCollection"
$telemetryValue = (Get-ItemProperty -Path $telemetryPath -Name "AllowTelemetry" -ErrorAction SilentlyContinue).AllowTelemetry
if ($null -ne $telemetryValue -and $telemetryValue -ge 1) {
    Write-Host "Telemetry Level: $telemetryValue (Compliant)" -ForegroundColor Green
} else {
    Write-Host "Telemetry Level: Not configured or too restrictive" -ForegroundColor Red
}
Telemetry Requirements:
Windows 11 25H2 requires diagnostic data sharing at the "Required" level minimum. If your organization previously disabled telemetry through Group Policy or Intune configuration profiles, you must modify these settings before deployment.
The registry path HKLM:\SOFTWARE\Policies\Microsoft\Windows\DataCollection with DWORD value AllowTelemetry must be set to 1 or higher. You can deploy this setting through Intune Settings Catalog under "System > Allow Telemetry".
Create Device Groups for Phased Deployment
Establish Microsoft Entra ID security groups that enable controlled, ring-based deployment to minimize risk.
Ring-based deployment distributes update risk by targeting smaller populations first. If problems emerge, you can pause deployment before affecting your entire organization. Microsoft recommends this approach for all feature update deployments.
Navigate to Microsoft Entra admin center: Open entra.microsoft.com and go to Groups > All groups > New group.
Ring 1 Configuration (IT Pilot Group):
This group contains IT department devices that receive updates immediately with no deferral.
Group name: Intune-Win11-25H2-Ring1-Pilot
Group type: Security
Membership type: Dynamic Device
Dynamic query rule syntax:
(device.displayName -startsWith "IT-") or (device.extensionAttribute1 -eq "Pilot")
Aim for 20-50 devices in this ring. These should be machines used by IT staff who can quickly identify and report issues.
Ring 2 Configuration (Early Adopters):
Target power users and volunteers who accept early updates in exchange for new features.
Group name: Intune-Win11-25H2-Ring2-EarlyAdopters
Group type: Security
Membership type: Dynamic Device
Dynamic query rule syntax:
(device.extensionAttribute1 -eq "EarlyAdopter") and (device.deviceOSType -eq "Windows")
This ring should include 5-10% of your device population, typically 200-500 devices in medium-sized organizations.
Ring 3 Configuration (Production Fleet):
Capture all remaining managed Windows devices not assigned to earlier rings.
Group name: Intune-Win11-25H2-Ring3-Production
Group type: Security
Membership type: Dynamic Device
Dynamic query rule syntax:
(device.deviceOSType -eq "Windows") and
(device.managementType -eq "MDM") and
(device.extensionAttribute1 -ne "Pilot") and
(device.extensionAttribute1 -ne "EarlyAdopter") and
(device.extensionAttribute1 -ne "Excluded")
Exclusion Group (Optional but Recommended):
Create a group for devices that should never receive automatic feature updates, such as kiosks, specialized workstations, or systems with validated configurations.
Group name: Intune-Win11-FeatureUpdate-Excluded
Group type: Security
Membership type: Assigned (manual)
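The ring rules above key on extensionAttribute1, so a device enters a ring only when that attribute is written on its Entra device object and the dynamic rule has been re-evaluated. The following PowerShell is an added example, not part of the original tutorial, using the Microsoft.Graph SDK: it tags a set of devices for Ring 2 and then verifies that the dynamic group actually contains them. The device names are constructed placeholders, and it assumes the signed-in account holds a role permitted to write device extension attributes in your tenant. Preferring extensionAttribute1 over the displayName match used in the Ring 1 rule is deliberate: the attribute can only be changed through Graph by a privileged caller, whereas a device's display name generally follows its local computer name.

```powershell
# Added example (not from the original tutorial): tag devices for Ring 2 through
# Microsoft Graph and confirm the dynamic group actually picked them up.
# Requires the Microsoft.Graph PowerShell SDK; the signed-in account must hold a
# role allowed to write device extension attributes (assumption: Intune Administrator
# or Cloud Device Administrator suffices in your tenant).
Connect-MgGraph -Scopes 'Device.ReadWrite.All', 'Group.Read.All', 'GroupMember.Read.All' -NoWelcome

# Constructed device names; in practice feed this list from a CSV or your CMDB.
$earlyAdopterNames = @('LT-FIN-0412', 'LT-HR-0207')
$ringGroupName     = 'Intune-Win11-25H2-Ring2-EarlyAdopters'

foreach ($name in $earlyAdopterNames) {
    # displayName is not unique in Entra ID (stale objects, re-enrollments), so refuse to
    # tag anything unless exactly one Windows device object matches.
    $found = @(Get-MgDevice -Filter "displayName eq '$name' and operatingSystem eq 'Windows'" -All)
    if ($found.Count -ne 1) {
        Write-Warning "$name : expected exactly one device object, found $($found.Count); skipped"
        continue
    }
    Update-MgDevice -DeviceId $found[0].Id -BodyParameter @{
        extensionAttributes = @{ extensionAttribute1 = 'EarlyAdopter' }
    }
    Write-Host "$name tagged extensionAttribute1=EarlyAdopter"
}

# Dynamic membership is evaluated asynchronously; show the rule, its processing
# state, and whether each tagged device is a member yet.
$group = Get-MgGroup -Filter "displayName eq '$ringGroupName'" `
    -Property 'id', 'displayName', 'membershipRule', 'membershipRuleProcessingState' |
    Select-Object -First 1
Write-Host "Rule : $($group.MembershipRule)"
Write-Host "State: $($group.MembershipRuleProcessingState)  (must be 'On' for the rule to be evaluated)"

$memberIds = @(Get-MgGroupMember -GroupId $group.Id -All).Id
foreach ($name in $earlyAdopterNames) {
    $dev = Get-MgDevice -Filter "displayName eq '$name' and operatingSystem eq 'Windows'" -All |
        Select-Object -First 1
    $inRing = ($null -ne $dev) -and ($memberIds -contains $dev.Id)
    Write-Host ("{0,-16} in {1}: {2}" -f $name, $ringGroupName, $inRing)
}
Disconnect-MgGraph | Out-Null
```

Run the membership check again after a few minutes if a freshly tagged device shows False; if it still does not appear while the processing state is On, the rule text is what to inspect, not the device.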
Configure Windows Update Rings Policy
Define quality and feature update deferral periods that control when each ring receives updates.
Update Ring policies determine how long devices wait before receiving available updates. Combined with Feature Update policies, they provide precise control over deployment timing.
Access Update Rings in Intune: Navigate to intune.microsoft.com > Devices > Windows > Manage updates > Windows updates > Update rings tab > Create profile.
Ring 1 Policy (IT Pilot - No Deferral):
Basics:
Name: UpdateRing-Win11-Pilot
Description: Immediate updates for IT pilot devices testing 25H2
Update settings:
Microsoft product updates: Allow
Windows drivers: Allow
Quality update deferral period (days): 0
Feature update deferral period (days): 0
Upgrade Windows 10 devices to latest Windows 11 release: Yes
Set feature update uninstall period (days): 10
Enable pre-release builds: Not configured
User experience settings:
Automatic update behavior: Auto install at maintenance time
Active hours start: 8 AM
Active hours end: 6 PM
Restart checks: Enable
Option to pause updates: Enable
Assignments:
Included groups: Intune-Win11-25H2-Ring1-Pilot
Ring 2 Policy (Early Adopters - 7 Day Deferral):
Basics:
Name: UpdateRing-Win11-EarlyAdopters
Description: 7-day delayed updates for early adopter validation
Update settings:
Quality update deferral period (days): 3
Feature update deferral period (days): 7
[Other settings same as Ring 1]
Assignments:
Included groups: Intune-Win11-25H2-Ring2-EarlyAdopters
Ring 3 Policy (Production - 14 Day Deferral):
Basics:
Name: UpdateRing-Win11-Production
Description: 14-day delayed updates for production fleet
Update settings:
Quality update deferral period (days): 7
Feature update deferral period (days): 14
[Other settings same as Ring 1]
Assignments:
Included groups: Intune-Win11-25H2-Ring3-Production
Critical Configuration Note:
Microsoft documentation recommends setting Feature update deferral period to 0 when using Feature Update policies (configured in the next step). Combining non-zero deferrals in Update Rings with Feature Update policies can create complexity that delays installations unexpectedly. If you use Feature Update policies, consider managing timing through policy assignment dates rather than ring deferrals.
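The console shows the intended state of a ring, not what a device has in effect, and a lingering Group Policy object can silently override both the deferral and the telemetry prerequisite from the earlier step. The script below is an added example, not part of the original tutorial, that reads the relevant values from an endpoint and reports where each one came from. It assumes Intune's Policy CSP writes its copy of the Update and System settings under the PolicyManager key and that the Group Policy / ADMX-backed copies of the same settings live under the Policies hive; a value that appears only in a Policies location was most likely set by a GPO rather than Intune. The version targeted by a Feature Update policy is held cloud-side and does not appear here; that part is confirmed from the Intune report.

```powershell
# Added example (not from the original tutorial): report the Windows Update and
# telemetry policy values in effect on this device, with the location each one
# came from. Run elevated on a device in the ring you are validating.
# Assumption: Intune's Policy CSP writes the MDM copy under PolicyManager\current\device,
# and the Group Policy / ADMX-backed copy lives under the Policies hive.

$locations = [ordered]@{
    'MDM  Update'         = 'HKLM:\SOFTWARE\Microsoft\PolicyManager\current\device\Update'
    'GPO  WindowsUpdate'  = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
    'MDM  System'         = 'HKLM:\SOFTWARE\Microsoft\PolicyManager\current\device\System'
    'GPO  DataCollection' = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\DataCollection'
}
# Settings the ring policies and the telemetry prerequisite depend on
$settings = @(
    'DeferFeatureUpdatesPeriodInDays',
    'DeferQualityUpdatesPeriodInDays',
    'ConfigureFeatureUpdateUninstallPeriod',
    'AllowTelemetry'
)

function Get-PolicyValue {
    param([string]$Path, [string]$Name)
    if (-not (Test-Path -Path $Path)) { return $null }
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return $item.$Name
}

# Collect every (setting, value, source) triple that is actually present
$rows = foreach ($source in $locations.Keys) {
    foreach ($name in $settings) {
        $value = Get-PolicyValue -Path $locations[$source] -Name $name
        if ($null -ne $value) {
            [PSCustomObject]@{ Setting = $name; Value = $value; Source = $source }
        }
    }
}
$rows | Sort-Object Setting, Source | Format-Table -AutoSize

# Feature deferral: 0 leaves timing to the Feature Update policy, anything else delays the offer
$featureDefer = ($rows | Where-Object Setting -eq 'DeferFeatureUpdatesPeriodInDays' | Select-Object -First 1).Value
if ($null -eq $featureDefer) {
    Write-Host 'Feature update deferral: not set by policy' -ForegroundColor Yellow
} elseif ($featureDefer -eq 0) {
    Write-Host 'Feature update deferral: 0 days (timing left to the Feature Update policy)' -ForegroundColor Green
} else {
    Write-Host "Feature update deferral: $featureDefer days (delays the 25H2 offer)" -ForegroundColor Yellow
}

# Telemetry: 1 = Required is the minimum; 0 = Security is below it
$telemetry = ($rows | Where-Object Setting -eq 'AllowTelemetry' | Select-Object -First 1).Value
if ($null -eq $telemetry) {
    Write-Host 'AllowTelemetry: not set by policy; set it explicitly to 1 (Required) or higher' -ForegroundColor Yellow
} elseif ($telemetry -lt 1) {
    Write-Host "AllowTelemetry: $telemetry (Security) is below the Required level; 25H2 will not be offered" -ForegroundColor Red
} else {
    Write-Host "AllowTelemetry: $telemetry meets the Required minimum" -ForegroundColor Green
}
```

If the table shows the same setting with different values from an MDM and a GPO source, resolve the conflict at the GPO before adjusting anything in Intune; otherwise the ring will keep reporting as configured while devices follow the other value.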
Create and Deploy Feature Update Policy for Windows 11 25H2
Target Windows 11 version 25H2 specifically for deployment to your device rings.
While Update Rings control timing and behavior, Feature Update policies specify which Windows version devices should install.
Create the Feature Update Policy: Navigate to intune.microsoft.com > Devices > Windows > Manage updates > Windows updates > Feature updates tab > Create > Create feature update policy.
Policy Configuration:
Deployment settings:
Name: FeatureUpdate-Windows11-25H2-Enterprise
Description: Controlled deployment of Windows 11 25H2 to managed devices
Feature update to deploy: Windows 11, version 25H2
Rollout options (choose one):
Option A - Immediate: Make update available as soon as possible
Option B - Scheduled: First day availability date [select date]
Option C - Gradual: Gradually make update available to users
First day availability: [start date]
Final day availability: [end date, typically start + 21 days]
Days between groups: 7
Update type:
Make available to users as a required update (automatic installation)
OR
Make available to users as an optional update (user-initiated)
For most enterprise deployments, select "Make available as soon as possible" combined with Update Ring deferrals to control timing, or use "Gradual rollout" for additional automated pacing.
Assignments:
Included groups:
Intune-Win11-25H2-Ring1-Pilot
Intune-Win11-25H2-Ring2-EarlyAdopters
Intune-Win11-25H2-Ring3-Production
Excluded groups:
Intune-Win11-FeatureUpdate-Excluded
When you select Windows 11 version 25H2, you accept Microsoft's license terms on behalf of your organization for volume-licensed deployments.
Monitor Deployment Progress and Address Failures
Track rollout success rates across all rings and identify devices requiring intervention.
Access Deployment Reports: Navigate to intune.microsoft.com > Reports > Windows updates > Reports tab > Windows Feature Update Report > Generate report.
Configure the report filter to show your specific policy and date range. Key status values to monitor include "In progress" (actively downloading or installing), "Succeeded" (completed successfully), "Failed" (error encountered), and "Pending" (awaiting scan or download).
Key Performance Indicators:
Track these metrics for each ring during deployment:
| Metric | Ring 1 Target | Ring 2 Target | Ring 3 Target |
|---|---|---|---|
| Success rate after 72 hours | >90% | >93% | >95% |
| Average installation time | <45 min | <45 min | <45 min |
| Devices blocked by safeguard | Document all | <5% | <3% |
| User-reported issues | Track all | <10 tickets | <5% ticket rate |
Safeguard Hold Detection:
Microsoft automatically blocks updates on devices with known compatibility issues. To check if a device has an active safeguard hold, run this command:
# Check safeguard hold status
$gwxPath = "HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Appraiser\GWX"
$gStatus = (Get-ItemProperty -Path $gwxPath -Name "GStatus" -ErrorAction SilentlyContinue).GStatus
if ($null -eq $gStatus) {
    # switch skips every clause, including default, when the value is $null, so handle a missing key first
    Write-Host "Status unknown: GStatus not present (appraiser has not run yet?)" -ForegroundColor Yellow
} else {
    switch ($gStatus) {
        2 { Write-Host "No safeguard hold active - device eligible for upgrade" -ForegroundColor Green }
        0 { Write-Host "Safeguard hold ACTIVE - upgrade blocked by Microsoft" -ForegroundColor Red }
        default { Write-Host "Status unknown: $gStatus" -ForegroundColor Yellow }
    }
}
Common Safeguard Hold Causes:
Safeguard holds typically stem from outdated GPU drivers (AMD, NVIDIA, Intel), incompatible security software (antivirus, endpoint protection), problematic VPN clients, outdated firmware (TPM, BIOS/UEFI), or virtualization software conflicts.
Resolution requires updating the problematic component to a 25H2-compatible version. Microsoft publishes known issues and safeguard hold information at learn.microsoft.com/windows/release-health/status-windows-11-25h2.
Event Log Analysis for Failed Devices:
On devices showing failed status, examine Event Viewer logs:
Path: Applications and Services Logs > Microsoft > Windows > DeviceManagement-Enterprise-Diagnostics-Provider > Admin
Key Event IDs:
814: Policy applied successfully
813: Policy application warning or error
400-410: Compliance check issues
Also check Windows Update client logs:
Path: Applications and Services Logs > Microsoft > Windows > WindowsUpdateClient > Operational
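Rather than opening the registry and both logs by hand on every failed device, the following PowerShell, an added example and not part of the original tutorial, collects the three things described above into one triage object. It assumes that GatedBlockId sits next to GStatus in the GWX key and names the hold Microsoft lists on the release health page, and that WindowsUpdateClient events 19 and 20 record installation success and failure with the HRESULT embedded in the message text; confirm both against your own devices before relying on the output.

```powershell
# Added example (not from the original tutorial): one-shot triage for a device the
# Feature Update report marks as Failed. Run elevated on the device.
# Assumptions: GatedBlockId accompanies GStatus in the GWX key; WindowsUpdateClient
# event 19 = installation succeeded, 20 = installation failed, message contains the HRESULT.
function Get-FeatureUpdateTriage {
    param([int]$Days = 14)
    $since = (Get-Date).AddDays(-$Days)

    # 1. Safeguard hold state (same key as the GStatus check earlier in this section)
    $gwx = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Appraiser\GWX' `
        -ErrorAction SilentlyContinue
    $hold = if ($null -eq $gwx.GStatus) { 'Unknown (appraiser has not run?)' }
            elseif ($gwx.GStatus -eq 2) { 'None' }
            else { "Active (GStatus=$($gwx.GStatus), GatedBlockId=$($gwx.GatedBlockId))" }

    # 2. MDM policy channel: errors and warnings from the Intune management client
    $mdmErrors = Get-WinEvent -FilterHashtable @{
        LogName   = 'Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider/Admin'
        Level     = 2, 3          # 2 = Error, 3 = Warning
        StartTime = $since
    } -ErrorAction SilentlyContinue

    # 3. Windows Update client install results
    $wuEvents = Get-WinEvent -FilterHashtable @{
        LogName   = 'Microsoft-Windows-WindowsUpdateClient/Operational'
        Id        = 19, 20
        StartTime = $since
    } -ErrorAction SilentlyContinue

    $wuFailures = foreach ($e in ($wuEvents | Where-Object Id -eq 20)) {
        # Pull the 0x-prefixed HRESULT out of the message for lookup
        $code = if ($e.Message -match '0x[0-9A-Fa-f]{8}') { $Matches[0] } else { 'n/a' }
        [PSCustomObject]@{
            Time      = $e.TimeCreated
            ErrorCode = $code
            Message   = ($e.Message -replace '\s+', ' ')
        }
    }

    [PSCustomObject]@{
        Computer         = $env:COMPUTERNAME
        Version          = (Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion').DisplayVersion
        SafeguardHold    = $hold
        MdmErrorCount    = @($mdmErrors).Count
        WuInstallsOk     = @($wuEvents | Where-Object Id -eq 19).Count
        WuInstallsFailed = @($wuFailures).Count
        MdmErrors        = $mdmErrors | Select-Object TimeCreated, Id, @{ n = 'Message'; e = { $_.Message -replace '\s+', ' ' } }
        WuFailures       = $wuFailures
    }
}

$triage = Get-FeatureUpdateTriage -Days 14
$triage | Select-Object Computer, Version, SafeguardHold, MdmErrorCount, WuInstallsOk, WuInstallsFailed | Format-List
$triage.WuFailures | Format-Table -AutoSize -Wrap
$triage.MdmErrors  | Format-Table -AutoSize -Wrap
```

Event 20 entries cover every update the client attempted, not only the feature update, so read the message column for the 25H2 entry. An active safeguard hold with no install failures is the normal signature of a device Microsoft is deliberately holding back, and the fix is the driver or software update for that hold, not a retry.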
Validate Successful Upgrades and User Experience
Confirm Windows 11 25H2 installed correctly and systems remain stable after upgrade.
After devices complete the upgrade, validate both technical success and user experience quality.
Technical Validation Script:
Deploy this script through Intune Remediations or run manually on upgraded devices:
# Windows 11 25H2 Post-Upgrade Validation
# Outputs results for review; exits 1 when any check FAILs so it can double as a
# Remediations detection script (remove the exit line if pasting into a console)
$results = @()

# Validate Windows version (25H2 is build 26200; CurrentBuildNumber is stored as a string)
$osInfo = Get-ItemProperty "HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion"
$versionCheck = $osInfo.DisplayVersion -eq "25H2" -and [int]$osInfo.CurrentBuildNumber -ge 26200
$results += [PSCustomObject]@{
    Check    = "Windows Version"
    Expected = "25H2 (Build 26200+)"
    Actual   = "$($osInfo.DisplayVersion) (Build $($osInfo.CurrentBuildNumber))"
    Status   = if ($versionCheck) { "PASS" } else { "FAIL" }
}

# Check for crash dumps (BSODs) in the last 7 days; filtering on time in the query
# keeps the reported count and the verdict on the same window
$crashEvents = Get-WinEvent -FilterHashtable @{
    LogName      = 'System'
    Id           = 1001
    ProviderName = 'Microsoft-Windows-WER-SystemErrorReporting'
    StartTime    = (Get-Date).AddDays(-7)
} -ErrorAction SilentlyContinue
$crashCount = @($crashEvents).Count
$results += [PSCustomObject]@{
    Check    = "System Stability (7 days)"
    Expected = "No BSOD events"
    Actual   = "$crashCount crash events found"
    Status   = if ($crashCount -eq 0) { "PASS" } else { "WARN" }
}

# Verify critical services (Windows Update, BITS, Cryptographic Services, WMI)
$criticalServices = @("wuauserv", "bits", "cryptsvc", "Winmgmt")
foreach ($svcName in $criticalServices) {
    $svc = Get-Service -Name $svcName -ErrorAction SilentlyContinue
    $svcOk = $svc -and ($svc.Status -eq "Running" -or $svc.StartType -eq "Manual")
    $results += [PSCustomObject]@{
        Check    = "Service: $svcName"
        Expected = "Running or Manual"
        Actual   = if ($svc) { "$($svc.Status) / $($svc.StartType)" } else { "Not found" }
        Status   = if ($svcOk) { "PASS" } else { "FAIL" }
    }
}

# Check available disk space on the system drive (not necessarily C:)
$systemDrive = Get-PSDrive -Name ($env:SystemDrive).TrimEnd(':')
$freeSpaceGB = [math]::Round($systemDrive.Free / 1GB, 1)
$spaceCheck = $freeSpaceGB -ge 15
$results += [PSCustomObject]@{
    Check    = "Disk Space ($env:SystemDrive)"
    Expected = ">15 GB free"
    Actual   = "$freeSpaceGB GB free"
    Status   = if ($spaceCheck) { "PASS" } else { "WARN" }
}

# Output results
$results | Format-Table -AutoSize

# Non-zero exit flags the device for follow-up when Intune runs this as a detection script
$failCount = @($results | Where-Object Status -eq "FAIL").Count
exit $(if ($failCount -gt 0) { 1 } else { 0 })
User Experience Validation:
After Ring 1 deployment, collect feedback on these areas: application launch times and stability, sign-in experience (Windows Hello, PIN, password), network connectivity (Wi-Fi, VPN, file shares), printing and peripheral devices, and business application functionality.
Create a simple feedback form or Teams channel where pilot users can report issues immediately.
Rollback Window:
Windows 11 25H2 includes a 10-day rollback window (configured in your Update Ring policy). During this period, users can revert to the previous version through Settings > System > Recovery > Go back.
After 10 days, the rollback option expires and recovery requires reimaging. Document any persistent issues before this window closes.
Proceed with Ring 2 and Ring 3 Deployment
Expand deployment to broader populations after successful pilot validation.
Ring 2 Deployment Decision Criteria:
Before expanding to Ring 2, confirm all of these conditions are met: Ring 1 success rate exceeds 90% after 72 hours, no critical application compatibility issues discovered, safeguard hold rate below 10%, IT support prepared for increased ticket volume, and user communication sent to Ring 2 population.
Ring 2 Monitoring Period:
Allow 7 days for Ring 2 to fully deploy. During this period, monitor daily success rate trends, user-reported issues and ticket categories, safeguard hold patterns (new hardware or software types affected), and application crashes or performance degradation.
Ring 3 Deployment Decision Criteria:
Expand to production fleet when Ring 2 success rate exceeds 93% after 7 days, ticket volume remains manageable and issues have documented resolutions, no new safeguard holds affect significant device populations, and business stakeholders approve general deployment.
Production Deployment Communication:
Send advance notice to all users at least 48 hours before Ring 3 deployment begins. Include expected installation timing (outside active hours), restart requirements, new features they can expect, and support contact information for issues.
Post-Deployment Cleanup:
After Ring 3 reaches 95%+ success, archive deployment reports for compliance documentation, update device inventory to reflect 25H2 status, review lessons learned for future deployments, and plan timeline for Windows 11 24H2 end-of-support (October 2026 for Enterprise).
Conclusion
Deploying Windows 11 25H2 through Microsoft Intune demonstrates the practical benefits of Microsoft's enablement package approach. Rather than planning for extended maintenance windows and complex rollback procedures, IT teams can deploy this feature update using the same operational patterns as monthly quality updates.
The key success factors for Windows 11 25H2 deployment center on thorough prerequisite validation, progressive ring-based rollout, active monitoring during initial deployment phases, and clear user communication throughout the process.
Windows 11 25H2 provides tangible benefits for enterprise environments: 36 months of servicing support for Enterprise and Education editions, new capabilities including Wi-Fi 7 enterprise connectivity and improved management controls, and a security posture enhanced through continuous monthly improvements.
For organizations still running Windows 11 23H2 or earlier, the path to 25H2 requires additional planning since these devices cannot use the lightweight enablement package and must complete a full operating system upgrade. Consider prioritizing these devices for early ring deployment to identify any upgrade issues before they affect newer systems.
The deployment methodology outlined in this tutorial scales from small businesses with dozens of devices to enterprises managing tens of thousands of endpoints. The foundational principles remain consistent: validate prerequisites, deploy progressively, monitor actively, and document thoroughly.