Windows 11
A Microsoft operating system designed for productivity, creativity, and ease of use.
9,893 questions
Did they by any chance enroll in the insider program?
Intune managed laptop updated to windows 11
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(195.2, 15%, 28%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EMV%3C/text%3E%3C/svg%3E)
Matthias Veelaert
1
Reputation point
Hi,
we currently have 1000+ managed devices in intune with a lock on the update to windows 11 so we can manually decide when we're ready to upgrade our environment to windows 11. However,2 of our laptops automatically updated to windows 11. I have contacted the users of these devices and they said they had nothing to do with the update to windows 11. I currently have one of these laptops in my possession. Is there a way to troubleshoot the laptop to find out why it updated to windows 11? Or do you know a reason why it could have happened?
Thanks in advance!
4 answers
Sort by: Most helpful
-
Riaan-VS 376 Reputation points2022-08-19T09:47:45.097+00:00 -
Matthias Veelaert 1 Reputation point
2022-08-19T12:03:41.013+00:00 They are not enrolled in the insider program it seems.
Sign in to comment -
-
Matthias Veelaert 1 Reputation point
2022-08-19T11:30:32.95+00:00 I will ask. Is that possible for them to do on their own or is there also a possibility to block that?
-
Limitless Technology 39,676 Reputation points2022-08-19T15:09:24.113+00:00 Hello there,
What is you feature update policy?
A intune device won't install an update when it has a safeguard hold for that Windows version. When a device evaluates applicability of an update version, Windows creates the temporary safeguard hold if an unresolved known issue exists. Once the issue is resolved, the hold is removed and the device can then update.
You can read about the Update behavior when multiple policies target a device: https://learn.microsoft.com/en-us/mem/intune/protect/windows-10-feature-updates#update-behavior-when-multiple-policies-target-a-device
------------------------------------------------------------------------------------------------------------------------------------
--If the reply is helpful, please Upvote and Accept it as an answer--
-
Matthias Veelaert 1 Reputation point
2022-08-19T15:49:54.7+00:00 Hi, yeah. So our feature update policy is this:
-
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(233.6, 30%, 32%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ECM%3C/text%3E%3C/svg%3E)
Crystal-MSFT 49,351 Reputation points Microsoft Vendor2022-08-22T01:38:47.303+00:00 @Anonymous , For our issue, please make sure the "Feature update deferral period (days) " is set to 0. And check if these devices are co-managed device. Because feature updates policies might not immediately take effect on devices when you newly configure the Windows Update policies workload to Intune. This delay is temporary but can initially result in devices updating to a later feature update version than is configured in the policy. Here is a link with more details:
https://learn.microsoft.com/en-us/mem/intune/protect/windows-10-feature-updates#limitations-for-feature-updates-for-windows-10-and-later-policy -
Matthias Veelaert 1 Reputation point
2022-08-22T06:45:50.853+00:00 But setting the setting of "Feature update deferral period (days) " to 0 doesn't stop devices form updating to windows 11 it seems then. It just makes sure there is no delay when the feature update takes place. That's what I atleast get from reading the docs there. This is our current update ring for windows btw:
Sign in to comment -
-
Crystal-MSFT 49,351 Reputation points Microsoft Vendor
2022-08-22T08:28:27.653+00:00 @Anonymous , Thanks for the reply. In General, after the feature update policy is applied to the device, Intune pass the device list to DSS (Downstream service). Then the device enroll to DSS to block or allow the updates. The DSS process request from Intune to pin device to a certain OS version with feature update policy.
In your situation, there are some possible cause that the device has enrollment issue to DSS. Or the devices may be accidently upgraded to unwanted OS version before these device are actually enrolled into DSS.
As a workaround, we can use TargetReleaseVersion CSP to control the version:
https://learn.microsoft.com/en-us/windows/client-management/mdm/policy-csp-update#update-targetreleaseversionBut if you want to troubleshoot this, you can open case to get more help. Here is a link with the steps to open case for your reference:
https://learn.microsoft.com/en-us/mem/get-supportHope it can help.
If the answer is helpful, please click "Accept Answer" and kindly upvote it. If you have extra questions about this answer, please click "Comment".
Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.