Automate your Windows 11 upgrade with Forms, Power Automate, and Intune

Windows 11 is here, and as always there are different attitudes as to when it should be deployed. Some will want it instantly, some won’t care, and some will be resistant.

For my organisation we didn’t want to force people to upgrade until they felt comfortable, so I created an opt-in system that:

  • Uses Forms to capture the request of the person wanting to upgrade
  • Power Automate to add the requestor to a security group
  • Intune to manage upgrade policies based on security group membership

The building blocks

The security group

The first step is to create a security group in Azure Active Directory, taking note of the ID for later use:

The feature update policy

Secondly, we need to create a new feature update policy in Intune that specifies Windows 11 as the update to apply. And here we will need to include our newly created security group:

The update ring

Next, we need to have an update ring policy that reduces the deferral of feature updates down to 0 days, so that the upgrade is available instantly. We don’t want to affect users who haven’t opted in to be upgrade, so we create a new policy and apply this to our new security group:

In the existing update ring policy, we need to update this to exclude our new security group:

The Form

Then we create a Form for users to submit so they can opt in:

Let’s make sure they really want the upgrade:

Let’s really, REALLY make sure:

Because it’s an internal Form, at no point do I need to ask for their contact details – as I can extract that from looking up their email address.

Bringing it together

Before getting staff to use the form we create a simple workflow in Power Automate with the following key steps:

  • A Forms trigger for every time the form is submitted
  • A Forms action to get the respondent’s email address
  • A Forms action to look up the profile of the respondent so I can get their account ID as well as first name for the email I’ll send them
  • An Azure Active Directory action to add their account ID to the security group (using the group ID recorded earlier)
  • An Outlook action to send them an email with any information, notes, etc.

Feel free to customise the email you send, but here’s what is being sent in mine:

And that’s it!

The result

While I said in the form that it may take up to 8 hours, most people were able to see the upgrade as an option in Windows Update in less than 15 minutes.

If anyone who submits the form isn’t able to see Windows 11 as an option in Windows Update, you can always have a look at the “Work from anywhere (preview)” report in Intune endpoint analytics to see if their machine is not eligible for upgrade:

Also published on Medium.

1 comment

Leave a Reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.

%d bloggers like this: