Friday, 25 July 2025

Windows 11 Upgrade with Intune: Prerequisites and Troubleshooting

As Microsoft ends support for Windows 10 in October 2025, organizations must start preparing to upgrade their Windows 10 devices to Windows 11. Devices that do not meet the hardware requirements for Windows 11 must either be replaced or covered under an Extended Security Update (ESU) program, which will come at an added cost.

This guide walks through upgrade readiness, hardware prerequisites, known compatibility issues, and how to troubleshoot feature upgrade deployments using Microsoft Intune.


⚙️ Upgrade Options

Organizations have three primary choices moving forward:

  1. Upgrade to Windows 11 – For supported hardware.
  2. Replace hardware – Devices that do not meet Windows 11 requirements.
  3. Purchase ESU (Extended Security Updates) – For legacy systems that must remain on Windows 10.

Windows 11 Hardware Requirements

To ensure a smooth upgrade to Windows 11, devices must meet the following minimum system requirements:

  • RAM: 4 GB or more
  • Storage: 64 GB or more
  • Firmware: UEFI capable with Secure Boot enabled
  • TPM: Trusted Platform Module (TPM) version 2.0
  • CPU: 8th Gen Intel or newer (Note: Devices purchased before 2017 are likely unsupported)

💡 Tip: Use Intune’s Windows 11 readiness report under:

Reports → Endpoint Analytics → Work from anywhere → Windows 11 readiness

This will help you quickly identify unsupported devices.


⚠️ Application Compatibility and Known Issues

1. Credential Guard Impact on MSCHAPv2-Based Wi-Fi

  • Issue: Breaks traditional MSCHAPv2 authentication (common in enterprise WPA2).
  • Workaround: Migrate to EAP-TLS using Intune to deploy PKCS or SCEP-based certificates.

2. Memory Integrity and Driver Incompatibility

  • Issue: Memory Integrity (HVCI) can block old or unsigned drivers, causing blue screen errors (BSOD) or app failures.
  • Solution: Update or replace legacy drivers before enabling Memory Integrity.
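
The hardware minimums listed earlier and the two security features named above can also be checked on the device itself, for example from an Intune detection script. This is an added example, not from the original post: the function name Get-Win11PreCheck is hypothetical, the thresholds are the page's values, and CPU generation is left to the Intune readiness report.

```powershell
# Added example (not from the original post). Run elevated: the TPM and
# Secure Boot queries fail for standard users.
function Get-Win11PreCheck {
    # Installed RAM: sum the module capacities. Win32_ComputerSystem.TotalPhysicalMemory
    # excludes hardware-reserved memory and reads just under 4 GB on a 4 GB device.
    $ramBytes = (Get-CimInstance -ClassName Win32_PhysicalMemory |
                 Measure-Object -Property Capacity -Sum).Sum
    # Assumption: storage is measured as the size of the system volume, rounded to whole GB.
    $disk = Get-CimInstance -ClassName Win32_LogicalDisk -Filter "DeviceID='$env:SystemDrive'"
    $tpm  = Get-CimInstance -Namespace 'root\cimv2\Security\MicrosoftTpm' `
                -ClassName Win32_Tpm -ErrorAction SilentlyContinue
    $dg   = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' `
                -ClassName Win32_DeviceGuard -ErrorAction SilentlyContinue

    # Confirm-SecureBootUEFI throws on legacy BIOS firmware; treat that as "not enabled".
    try { $secureBoot = [bool](Confirm-SecureBootUEFI -ErrorAction Stop) }
    catch { $secureBoot = $false }

    # SpecVersion looks like "2.0, 0, 1.38"; the first field is the TPM spec version.
    $tpmVersion = if ($tpm -and $tpm.SpecVersion) {
        ($tpm.SpecVersion -split ',')[0].Trim()
    } else { 'none' }

    [pscustomobject]@{
        ComputerName           = $env:COMPUTERNAME
        RamGB                  = [math]::Round($ramBytes / 1GB, 1)
        RamOk                  = $ramBytes -ge 4GB
        SystemDriveGB          = [int]($disk.Size / 1GB)
        StorageOk              = [int]($disk.Size / 1GB) -ge 64
        SecureBootOk           = $secureBoot
        TpmVersion             = $tpmVersion
        TpmOk                  = $tpmVersion -eq '2.0'
        # SecurityServicesRunning: 1 = Credential Guard, 2 = Memory Integrity (HVCI)
        CredentialGuardRunning = @($dg.SecurityServicesRunning) -contains 1
        MemoryIntegrityRunning = @($dg.SecurityServicesRunning) -contains 2
    }
}

$result = Get-Win11PreCheck
$result | ConvertTo-Json -Compress    # single line of output for the script report
if ($result.RamOk -and $result.StorageOk -and $result.SecureBootOk -and $result.TpmOk) {
    exit 0
} else {
    exit 1
}
```

The Credential Guard and Memory Integrity fields record the current state only; they do not affect the exit code, since the page treats them as compatibility issues to plan for rather than upgrade blockers.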

📊 Intune Reports to Review Before Upgrading

Before deploying the Windows 11 Feature Upgrade policy, review the following reports in Intune:

  1. Windows feature update device readiness
  2. Windows feature update compatibility risks

If the device does not appear in these reports or is flagged with compatibility risks, upgrading via Intune may fail or remain in an “offering” state.


🧰 Troubleshooting Windows 11 Feature Upgrade Failures with SetupDiag

If an upgrade appears to stall or fail, Microsoft’s SetupDiag tool is your best diagnostic resource.

Use On-Demand Remediation Scripts via Intune

Create a Proactive Remediation script in Intune to automate SetupDiag log collection. Here's a sample PowerShell script you can deploy:

🔧 Remediation Script Sample – Collect SetupDiag Logs

# Remediation script: download SetupDiag, run it, and collect the results
$setupDiagUrl = "https://aka.ms/SetupDiag"
$destination = "$env:ProgramData\SetupDiag"

# Create the directory if it does not exist
if (!(Test-Path -Path $destination)) {
    New-Item -ItemType Directory -Path $destination -Force | Out-Null
}

# Download SetupDiag.exe
# -UseBasicParsing avoids the Internet Explorer engine dependency in Windows PowerShell 5.1
Invoke-WebRequest -Uri $setupDiagUrl -OutFile "$destination\SetupDiag.exe" -UseBasicParsing

# Run SetupDiag and save the results
# /Format:xml is required for XML output; without it SetupDiag writes plain text
Start-Process -FilePath "$destination\SetupDiag.exe" -ArgumentList "/Output:$destination\SetupDiagResults.xml", "/Format:xml" -Wait

# Optional: Copy logs to network share (example path)
# Copy-Item -Path "$destination\SetupDiagResults.xml" -Destination "\\yourfileserver\logs\$env:COMPUTERNAME.xml"

Detection Script Sample – Check if SetupDiag Log Exists


$logPath = "$env:ProgramData\SetupDiag\SetupDiagResults.xml"

if (Test-Path -Path $logPath) {
    Write-Output "SetupDiag log exists."
    exit 0
} else {
    Write-Output "SetupDiag log missing."
    exit 1
}

How to Deploy in Intune:

  1. Go to Endpoint Security → Proactive Remediations.
  2. Create a new script package.
  3. Upload the detection and remediation scripts.
  4. Assign it to the target device group.
  5. Review the execution status in Intune > Reports.

Once logs are collected, open the .xml file and review the blockers or compatibility errors (e.g., drivers, apps, or TPM issues) that caused upgrade failures.
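
The remediation script above downloads an executable and runs it under the remediation's account (SYSTEM unless the package is set to run with the logged-on credentials), so checking the file's Authenticode signature before launch is a sensible addition. The following is an added example, not part of the original script; it assumes SetupDiag.exe is signed with a certificate whose subject contains O=Microsoft Corporation, and the function name Test-MicrosoftSignature and the temporary file name are hypothetical.

```powershell
# Added example (not from the original post): verify the download before running it.
$ErrorActionPreference = 'Stop'                      # a failed download must not fall through
$setupDiagUrl = "https://aka.ms/SetupDiag"           # URL used by the page's script
$destination  = "$env:ProgramData\SetupDiag"         # folder used by the page's script
$exePath      = Join-Path $destination 'SetupDiag.exe'
$tmpPath      = Join-Path $destination 'SetupDiag.download.exe'   # hypothetical staging name

function Test-MicrosoftSignature {
    param([Parameter(Mandatory)][string]$Path)
    $sig = Get-AuthenticodeSignature -FilePath $Path
    # 'Valid' means the file hash matches the signature and the chain is trusted.
    if ($sig.Status -ne 'Valid') { return $false }
    # Assumption: the signer subject carries O=Microsoft Corporation.
    return [bool]($sig.SignerCertificate.Subject -match 'O=Microsoft Corporation(,|$)')
}

New-Item -ItemType Directory -Path $destination -Force | Out-Null
Invoke-WebRequest -Uri $setupDiagUrl -OutFile $tmpPath -UseBasicParsing

if (-not (Test-MicrosoftSignature -Path $tmpPath)) {
    # Unsigned, tampered, or signed by someone else: delete it and report failure.
    Remove-Item -Path $tmpPath -Force
    Write-Output "SetupDiag download failed signature validation; nothing was executed."
    exit 1
}

# Only a verified binary is moved into place and executed.
Move-Item -Path $tmpPath -Destination $exePath -Force
$sha256 = (Get-FileHash -Path $exePath -Algorithm SHA256).Hash
Start-Process -FilePath $exePath `
    -ArgumentList "/Output:$destination\SetupDiagResults.xml", '/Format:xml' -Wait
Write-Output "SetupDiag ran; SHA256 of verified binary: $sha256"
exit 0
```

The logged SHA256 lets you confirm afterwards that every device ran the same binary.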


🚀 Force Windows 11 24H2 Upgrade via PowerShell

If the device is eligible and the upgrade is still not applying, you can use the following script to force the 24H2 Windows 11 upgrade:

🔗 GitHub: Force Windows 11 24H2 Update Script

This script is ideal for:

  • Remote remediation
  • One-time on-demand upgrade
  • Skipping upgrade delays in Windows Update for Business (WUfB)

📝 Summary Table

| Area | Details |
| --- | --- |
| Deadline | Windows 10 EOL: October 2025 |
| Upgrade Options | Windows 11, New Hardware, or ESU Licensing |
| Pre-checks | Use Intune readiness and compatibility reports |
| Known Issues | Credential Guard Wi-Fi issues, Memory Integrity blocking old drivers |
| Troubleshooting Tool | SetupDiag + Intune remediation |
| Force Upgrade Script | GitHub: Windows 11 24H2 Upgrade Script |


📌 Final Recommendations

  • Start auditing today with Intune readiness reports.
  • Replace or repurpose unsupported devices ahead of Q3 2025.
  • Pilot Windows 11 upgrades in phases using Feature Update Rings in Intune.
  • Use SetupDiag automation for ongoing upgrade issue visibility.
  • Communicate the upgrade strategy across the organization early.

Wednesday, 9 July 2025

SCCM SQL Query to Report Application Deployment Status Per Device

 


In enterprise environments, monitoring application deployment results is crucial for ensuring successful software rollouts and troubleshooting failed installations. System Center Configuration Manager (SCCM) provides a rich set of SQL views that allow administrators to extract detailed deployment information.

This blog post walks through a powerful SQL query that retrieves comprehensive deployment status details for applications assigned to specific devices or users.


🔍 Purpose of the Query

The purpose of this query is to generate a detailed report that includes:

  • Device and user information
  • Operating System details
  • Assigned application and collection name
  • Deployment status (e.g., Success, In Progress, Error)
  • Last enforcement and compliance message timestamps

This helps administrators quickly determine the current state of application deployments across targeted machines.


📄 The SQL Query

SELECT DISTINCT
    vrs.Name0 AS [Computer Name],
    vgos.Caption0 AS [OS],
    vrs.User_Name0 AS [User Name],
    vrs.Ad_site_name0 AS [AD Site Name],
    lac.DisplayName AS [Application Name],
    CollectionName,
    -- Map the numeric enforcement state to a readable status
    CASE
        WHEN vAppDeploymentResultsPerClient.EnforcementState = 1001 THEN 'Installation Success'
        WHEN vAppDeploymentResultsPerClient.EnforcementState >= 1000 AND vAppDeploymentResultsPerClient.EnforcementState < 2000 THEN 'Installation Success'
        WHEN vAppDeploymentResultsPerClient.EnforcementState >= 2000 AND vAppDeploymentResultsPerClient.EnforcementState < 3000 THEN 'In Progress'
        WHEN vAppDeploymentResultsPerClient.EnforcementState >= 3000 AND vAppDeploymentResultsPerClient.EnforcementState < 4000 THEN 'Requirements Not Met'
        WHEN vAppDeploymentResultsPerClient.EnforcementState >= 4000 AND vAppDeploymentResultsPerClient.EnforcementState < 5000 THEN 'Unknown'
        WHEN vAppDeploymentResultsPerClient.EnforcementState >= 5000 AND vAppDeploymentResultsPerClient.EnforcementState < 6000 THEN 'Error'
        ELSE 'Unknown'
    END AS [Status],
    LastEnforcementMessageTime AS [LastEnfMessageTime],
    LastComplianceMessageTime AS [LastComMessageTime]
FROM dbo.v_R_System AS vrs
LEFT JOIN (dbo.vAppDeploymentResultsPerClient
    LEFT JOIN v_CIAssignment ON dbo.vAppDeploymentResultsPerClient.AssignmentID = v_CIAssignment.AssignmentID)
    ON vrs.ResourceID = dbo.vAppDeploymentResultsPerClient.ResourceID
LEFT JOIN dbo.fn_ListApplicationCIs(1033) lac ON lac.CI_ID = dbo.vAppDeploymentResultsPerClient.CI_ID
LEFT JOIN dbo.v_GS_WORKSTATION_STATUS AS vgws ON vgws.ResourceID = vrs.ResourceID
LEFT JOIN v_FullCollectionMembership coll ON coll.ResourceID = vrs.ResourceID
LEFT JOIN dbo.v_GS_OPERATING_SYSTEM AS vgos ON vgos.ResourceID = vrs.ResourceID
LEFT JOIN v_CICurrentComplianceStatus ci2 ON ci2.CI_ID = vAppDeploymentResultsPerClient.CI_ID AND ci2.ResourceID = vrs.ResourceID
-- Replace the three placeholder values below before running
WHERE
    vAppDeploymentResultsPerClient.AssignmentID IN ('ID') AND
    vrs.Name0 IN ('User Name') AND
    CollectionName = 'Collection'


🔧 Query Breakdown

  • v_R_System (vrs): Core system view providing details like computer name, user name, and AD site.
  • vAppDeploymentResultsPerClient: Contains application deployment status per client.
  • fn_ListApplicationCIs(1033): Retrieves application names based on configuration item (CI) IDs.
  • v_GS_OPERATING_SYSTEM (vgos): Provides OS information of the client.
  • v_CIAssignment: Stores deployment assignment details.
  • v_CICurrentComplianceStatus: Shows compliance status for the CI.
  • v_FullCollectionMembership: Maps devices to their collections.

📊 Deployment Status Mapping

| Enforcement State Range | Status Description |
| --- | --- |
| = 1001 | Installation Success |
| 1000–1999 (≠1001) | Installation Success |
| 2000–2999 | In Progress |
| 3000–3999 | Requirements Not Met |
| 4000–4999 | Unknown |
| 5000–5999 | Error |
| Other | Unknown |


🎯 Use Case Scenario

This query is useful when you want to:

  • Audit application deployment success/failure
  • Troubleshoot issues in a specific device or collection
  • Generate deployment compliance reports
  • Identify pending or in-progress installations

Simply replace the following placeholders in the WHERE clause:

  • 'ID' → Your application deployment AssignmentID
  • 'User Name' → One or more device names (this filter is applied to vrs.Name0, the computer name)
  • 'Collection' → Target SCCM collection name

📝 Final Notes

  • Ensure that you run this query in the SCCM database context (typically CM_<SiteCode>).
  • Add additional filters or joins (like deployment types or deadlines) based on your reporting needs.
  • You can export this data to Power BI or Excel for further visualization.

Tuesday, 1 July 2025

SQL Script to List SCCM Applications Details



📘 Overview

In SCCM (Microsoft Endpoint Configuration Manager), gaining a clear view of your applications, their deployment types, source content, and install/uninstall behaviors is critical for maintaining a healthy environment. Whether you are auditing your environment, troubleshooting deployment issues, or preparing for a migration, having a detailed application inventory is a must.

In this blog post, we’ll walk through a powerful SQL query that pulls application metadata, deployment information, content size, install/uninstall commands, and more — directly from your SCCM database.


🔍 What This Query Does

This SQL query retrieves:

  • Application name and description
  • Deployment type details
  • Source path and size
  • Status (Active/Retired)
  • Install and uninstall command lines
  • Detection method
  • Admin comments and metadata

All tied together using SCCM’s AppModel and CI relationships.


📋 The SQL Query

-- Locale used to resolve localized application names
DECLARE @LocaleID INT = (SELECT LocaleID FROM vSMSData);

-- The deployment type XML (SDMPackageDigest) uses the AppMgmtDigest default namespace
WITH XMLNAMESPACES (DEFAULT 'http://schemas.microsoft.com/SystemCenterConfigurationManager/2009/AppMgmtDigest')
SELECT
    app.DisplayName AS ApplicationName,
    pkg.PackageID,
    CASE
        WHEN dtt.IsExpired = 1 THEN 'Retired'
        ELSE 'Active'
    END AS [Application Status],
    cp.SourceSize AS [Source Size in KB],
    app.Description,
    ad.AdminComments,
    Dtt.DisplayName AS [DeploymentTypeName],
    Dtt.Technology,
    dt.CI_ID,
    -- Title read from the XML digest; aliased separately so the result set has no duplicate column name
    dt.SDMPackageDigest.value('(/AppMgmtDigest/DeploymentType/Title)[1]', 'nvarchar(max)') AS [DeploymentTypeTitle],
    ab.NumberOfDeploymentTypes AS [No of Deployments],
    dt.SDMPackageDigest.value('(/AppMgmtDigest/DeploymentType/Installer/Contents/Content/Location)[1]', 'nvarchar(max)') AS [SourcePath],
    dt.SDMPackageDigest.value('(/AppMgmtDigest/DeploymentType/Installer/InstallAction/Args/Arg)[1]', 'nvarchar(max)') AS [InstallCommandLine],
    dt.SDMPackageDigest.value('(/AppMgmtDigest/DeploymentType/Installer/UninstallAction/Args/Arg)[1]', 'nvarchar(max)') AS [UninstallCommandLine],
    dt.SDMPackageDigest.value('(/AppMgmtDigest/DeploymentType/DetectionMethod/Setting)[1]', 'nvarchar(max)') AS DetectionSetting
FROM v_ConfigurationItems dt
INNER JOIN vSMS_CIRelation rel ON dt.CI_ID = rel.ToCIID
INNER JOIN fn_ListLatestApplicationCIs_List(@LocaleID) app ON app.CI_ID = rel.FromCIID
INNER JOIN v_Package p ON p.SecurityKey = app.ModelName
INNER JOIN vSMS_ContentPackage cp ON cp.PkgID = p.PackageID
INNER JOIN dbo.Fn_Listdeploymenttypecis(1033) AS Dtt ON Dtt.AppModelName = app.ModelName
INNER JOIN fn_ListLatestApplicationCIs(1033) AS ab ON ab.ModelName = app.ModelName
INNER JOIN v_Package pkg ON pkg.SecurityKey = ab.ModelName
INNER JOIN v_Applications ad ON ad.ModelID = app.ModelID
WHERE dt.CIType_ID = 21 -- Deployment Type
  AND dt.IsLatest = 1;  -- Latest version only

 

