As Microsoft ends support for Windows 10 in October 2025, organizations must start preparing to upgrade their Windows 10 devices to Windows 11. Devices that do not meet the hardware requirements for Windows 11 must either be replaced or covered under an Extended Security Update (ESU) program, which will come at an added cost.
This guide walks you through upgrade readiness, hardware prerequisites, known compatibility issues, and how to troubleshoot feature upgrade deployments using Microsoft Intune.
⚙️ Upgrade Options
Organizations have three primary choices moving forward:
- Upgrade to Windows 11 – For supported hardware.
- Replace hardware – Devices that do not meet Windows 11 requirements.
- Purchase ESU (Extended Security Updates) – For legacy systems that must remain on Windows 10.
✅ Windows 11 Hardware Requirements
To ensure a smooth upgrade to Windows 11, devices must meet the following minimum system requirements:
- RAM: 4 GB or more
- Storage: 64 GB or more
- Firmware: UEFI capable with Secure Boot enabled
- TPM: Trusted Platform Module (TPM) version 2.0
- CPU: 8th Gen Intel or newer (Note: Devices purchased before 2017 are likely unsupported)
💡 Tip: Use Intune’s Windows 11 readiness report under:
Reports → Endpoint Analytics → Work from anywhere → Windows 11 readiness
This will help you quickly identify unsupported devices.
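For a single device that is missing from the report, the same requirements can be spot-checked locally. This is an added example, not part of the original guide; the function name Get-Win11HardwareCheck is hypothetical, it must run in an elevated session, and it does not evaluate the CPU generation.

```powershell
# Added example: local spot-check of the RAM, storage, Secure Boot and TPM
# requirements listed above. Run elevated. CPU generation is not checked.
function Get-Win11HardwareCheck {
    $result = [ordered]@{ ComputerName = $env:COMPUTERNAME }

    # RAM: sum installed module capacity. Win32_ComputerSystem.TotalPhysicalMemory
    # excludes firmware-reserved memory and can read below 4 GB on a 4 GB device.
    $ramBytes = (Get-CimInstance -ClassName Win32_PhysicalMemory |
        Measure-Object -Property Capacity -Sum).Sum
    $result['RamGB']    = [math]::Round($ramBytes / 1GB)
    $result['RamOk']    = $result['RamGB'] -ge 4

    # Storage: size of the system volume, rounded to whole GB.
    $sysDrive = Get-CimInstance -ClassName Win32_LogicalDisk `
        -Filter "DeviceID='$env:SystemDrive'"
    $result['SystemDriveGB'] = [math]::Round($sysDrive.Size / 1GB)
    $result['StorageOk']     = $result['SystemDriveGB'] -ge 64

    # Firmware: Confirm-SecureBootUEFI throws on legacy BIOS systems,
    # which is treated here as "not compliant".
    try {
        $result['SecureBootOk'] = [bool](Confirm-SecureBootUEFI -ErrorAction Stop)
    } catch {
        $result['SecureBootOk'] = $false
    }

    # TPM: SpecVersion is a string such as "2.0, 0, 1.59".
    # No instance is returned when no TPM is present or enabled.
    $tpm = Get-CimInstance -Namespace 'root\cimv2\Security\MicrosoftTpm' `
        -ClassName Win32_Tpm -ErrorAction SilentlyContinue
    $result['TpmSpecVersion'] = $tpm.SpecVersion
    $result['Tpm20Ok']        = [bool]($tpm -and $tpm.SpecVersion -like '2.0*')

    [pscustomobject]$result
}

Get-Win11HardwareCheck | Format-List
```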
⚠️ Application Compatibility and Known Issues
1. Credential Guard Impact on MSCHAPv2-Based Wi-Fi
- Issue: Breaks traditional MSCHAPv2 authentication (common in enterprise WPA2).
- Workaround: Migrate to EAP-TLS using Intune to deploy PKCS or SCEP-based certificates.
2. Memory Integrity and Driver Incompatibility
- Issue: Memory Integrity (HVCI) can block old or unsigned drivers, causing blue screen errors (BSOD) or app failures.
- Solution: Update or replace legacy drivers before enabling Memory Integrity.
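To see where a device stands on both issues, the following added example (not part of the original guide) reports whether Credential Guard and Memory Integrity are running and lists drivers that report no signature. The function names are hypothetical, and an unsigned driver is only a candidate for review, not proof of HVCI incompatibility.

```powershell
# Added example: report virtualization-based security services and list
# unsigned PnP drivers as a first-pass review list. Function names are
# illustrative and not part of the original guide.
function Get-VbsServiceState {
    $dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' `
        -ClassName Win32_DeviceGuard
    # SecurityServicesRunning values: 1 = Credential Guard, 2 = HVCI.
    $running = @($dg.SecurityServicesRunning)
    [pscustomobject]@{
        ComputerName           = $env:COMPUTERNAME
        # 0 = not enabled, 1 = enabled but not running, 2 = running
        VbsStatus              = $dg.VirtualizationBasedSecurityStatus
        CredentialGuardRunning = $running -contains 1
        MemoryIntegrityRunning = $running -contains 2
    }
}

function Get-UnsignedDriver {
    # Drivers with an INF on record whose IsSigned flag is false.
    Get-CimInstance -ClassName Win32_PnPSignedDriver |
        Where-Object { $_.InfName -and -not $_.IsSigned } |
        Select-Object DeviceName, DriverProviderName, DriverVersion, InfName
}

Get-VbsServiceState | Format-List
Get-UnsignedDriver  | Format-Table -AutoSize
```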
📊 Intune Reports to Review Before Upgrading
Before deploying the Windows 11 Feature Upgrade policy, review the following reports in Intune:
- Windows feature update device readiness
- Windows feature update compatibility risks
If the device does not appear in these reports or is flagged with compatibility risks, upgrading via Intune may fail or remain in an “offering” state.
🧰 Troubleshooting Windows 11 Feature Upgrade Failures with SetupDiag
If an upgrade appears to stall or fail, Microsoft’s SetupDiag tool is your best diagnostic resource.
Use On-Demand Remediation Scripts via Intune
Create a Proactive Remediation script in Intune to automate SetupDiag log collection. Here's a sample PowerShell script you can deploy:
🔧 Remediation Script Sample – Collect SetupDiag Logs
# Remediation script to run SetupDiag and collect logs
$setupDiagUrl = "https://aka.ms/SetupDiag"
$destination = "$env:ProgramData\SetupDiag"

# Create the working directory if it does not exist
if (!(Test-Path -Path $destination)) {
    New-Item -ItemType Directory -Path $destination -Force | Out-Null
}

# Download SetupDiag.exe
# (-UseBasicParsing avoids the Internet Explorer dependency in Windows PowerShell 5.1)
Invoke-WebRequest -Uri $setupDiagUrl -OutFile "$destination\SetupDiag.exe" -UseBasicParsing

# Run SetupDiag and save the results
# (/Format:xml makes the output file XML; without it SetupDiag writes plain text)
Start-Process -FilePath "$destination\SetupDiag.exe" -ArgumentList "/Output:$destination\SetupDiagResults.xml", "/Format:xml" -Wait

# Optional: copy the results to a network share (example path)
# Copy-Item -Path "$destination\SetupDiagResults.xml" -Destination "\\yourfileserver\logs\$env:COMPUTERNAME.xml"
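The remediation script executes a freshly downloaded binary, by default in the SYSTEM context, so it is worth checking the file's Authenticode signature between the download and the launch. This is an added example, not part of the original script; the function name Test-MicrosoftSignedFile and the publisher pattern are assumptions to confirm against a known-good copy of SetupDiag.exe.

```powershell
# Added example: verify the Authenticode signature of the downloaded
# SetupDiag.exe before running it. The function name and the subject
# pattern are illustrative assumptions, not part of the original script.
function Test-MicrosoftSignedFile {
    param(
        [Parameter(Mandatory)] [string] $Path,
        # Assumed publisher string; confirm against a known-good copy.
        [string] $SubjectPattern = '*O=Microsoft Corporation*'
    )

    if (-not (Test-Path -Path $Path -PathType Leaf)) {
        Write-Warning "File not found: $Path"
        return $false
    }

    $sig = Get-AuthenticodeSignature -FilePath $Path

    # 'Valid' means the file hash matches the signature and the
    # certificate chain builds to a root this device trusts.
    if ($sig.Status -ne 'Valid') {
        Write-Warning "Signature status '$($sig.Status)': $($sig.StatusMessage)"
        return $false
    }

    # A valid signature from an unexpected publisher is still a failure.
    if ($sig.SignerCertificate.Subject -notlike $SubjectPattern) {
        Write-Warning "Unexpected signer: $($sig.SignerCertificate.Subject)"
        return $false
    }

    return $true
}

$exe = "$env:ProgramData\SetupDiag\SetupDiag.exe"
if (Test-MicrosoftSignedFile -Path $exe) {
    Start-Process -FilePath $exe -ArgumentList "/Output:$env:ProgramData\SetupDiag\SetupDiagResults.xml" -Wait
} else {
    # Do not leave an unverified executable on disk; report failure to Intune.
    Remove-Item -Path $exe -Force -ErrorAction SilentlyContinue
    exit 1
}
```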
✅ Detection Script Sample – Check if SetupDiag Log Exists
$logPath = "$env:ProgramData\SetupDiag\SetupDiagResults.xml"
if (Test-Path -Path $logPath) {
    Write-Output "SetupDiag log exists."
    exit 0
} else {
    Write-Output "SetupDiag log missing."
    exit 1
}
How to Deploy in Intune:
- Go to Endpoint Security → Proactive Remediations.
- Create a new script package.
- Upload the detection and remediation scripts.
- Assign it to the target device group.
- Review the execution status in Intune > Reports.
Once logs are collected, open the .xml file and review the blockers or compatibility errors (e.g., drivers, apps, or TPM issues) that caused upgrade failures.
🚀 Force Windows 11 24H2 Upgrade via PowerShell
If the device is eligible and the upgrade is still not applying, you can use the following script to force the 24H2 Windows 11 upgrade:
🔗 GitHub: Force Windows 11 24H2 Update Script
This script is ideal for:
- Remote remediation
- One-time on-demand upgrade
- Skipping upgrade delays in Windows Update for Business (WUfB)
📝 Summary Table
| Area | Details |
| --- | --- |
| Deadline | Windows 10 EOL: October 2025 |
| Upgrade Options | Windows 11, New Hardware, or ESU Licensing |
| Pre-checks | Use Intune readiness and compatibility reports |
| Known Issues | Credential Guard Wi-Fi issues, Memory Integrity blocking old drivers |
| Troubleshooting Tool | SetupDiag + Intune remediation |
| Force Upgrade Script | GitHub: Windows 11 24H2 Upgrade Script |
📌 Final Recommendations
- Start auditing today with Intune readiness reports.
- Replace or repurpose unsupported devices ahead of Q3 2025.
- Pilot Windows 11 upgrades in phases using Feature Update Rings in Intune.
- Use SetupDiag automation for ongoing upgrade issue visibility.
- Communicate the upgrade strategy across the organization early.