Intune-managed laptop updated to Windows 11

Veelaert Matthias 1 Reputation point


We currently have 1000+ managed devices in Intune with a lock on the update to Windows 11 so we can manually decide when we're ready to upgrade our environment to Windows 11. However, 2 of our laptops automatically updated to Windows 11. I have contacted the users of these devices and they said they had nothing to do with the update to Windows 11. I currently have one of these laptops in my possession. Is there a way to troubleshoot the laptop to find out why it updated to Windows 11? Or do you know a reason why it could have happened?

Thanks in advance!


4 answers

  1. Riaan-VS 351 Reputation points

    Did they by any chance enroll in the Insider program?

  2. Veelaert Matthias 1 Reputation point

    I will ask. Is that possible for them to do on their own or is there also a possibility to block that?


  3. Limitless Technology 39,331 Reputation points

    Hello there,

    What is your feature update policy?

    An Intune device won't install an update when it has a safeguard hold for that Windows version. When a device evaluates applicability of an update version, Windows creates the temporary safeguard hold if an unresolved known issue exists. Once the issue is resolved, the hold is removed and the device can then update.

    You can read about the Update behavior when multiple policies target a device:


    --If the reply is helpful, please Upvote and Accept it as an answer--

  4. Crystal-MSFT 42,306 Reputation points Microsoft Vendor

    @Veelaert Matthias, thanks for the reply. In general, after the feature update policy is applied to the device, Intune passes the device list to DSS (Downstream service). Then the device enrolls in DSS to block or allow the updates. DSS processes the request from Intune to pin the device to a certain OS version with the feature update policy.

    In your situation, there are some possible causes: the device may have an enrollment issue with DSS, or the devices may have been accidentally upgraded to an unwanted OS version before they were actually enrolled into DSS.

    As a workaround, we can use the TargetReleaseVersion CSP to control the version:

    But if you want to troubleshoot this, you can open a case to get more help. Here is a link with the steps to open a case for your reference:

    Hope it can help.

    If the answer is helpful, please click "Accept Answer" and kindly upvote it. If you have extra questions about this answer, please click "Comment".
    Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.

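A read-only check for the affected laptop, added here as an example and not written by anyone in the thread: it reports whether a local version pin (the TargetReleaseVersion setting from answer 4, or its Group Policy equivalent) or an Insider flighting configuration (answer 1) is present. The function name `Get-FeatureUpdatePinState` is hypothetical, and the registry locations are this example's assumptions about where Windows stores these settings.

```powershell
# Added example (not from the thread). Read-only: nothing on the device is changed.
# Registry locations below are this example's assumptions about where Windows keeps
# MDM-delivered policy, Group Policy, and Insider (flighting) settings.
function Get-FeatureUpdatePinState {
    $sources = [ordered]@{
        MDM         = 'HKLM:\SOFTWARE\Microsoft\PolicyManager\current\device\Update'
        GroupPolicy = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
        Insider     = 'HKLM:\SOFTWARE\Microsoft\WindowsSelfHost\Applicability'
    }
    $names = 'ProductVersion', 'TargetReleaseVersion', 'TargetReleaseVersionInfo',
             'ManagePreviewBuilds', 'BranchName'

    # ProductName can still read "Windows 10" on Windows 11, so decide by build number.
    $os = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'
    $report = [ordered]@{
        Build          = [int]$os.CurrentBuild
        DisplayVersion = $os.DisplayVersion
        IsWindows11    = ([int]$os.CurrentBuild -ge 22000)
    }

    $pinned = $false
    foreach ($src in $sources.GetEnumerator()) {
        # A missing key means that source never wrote a setting to this device.
        $key = Get-ItemProperty -Path $src.Value -ErrorAction SilentlyContinue
        if (-not $key) { continue }
        foreach ($n in $names) {
            $value = $key.$n
            if ($null -eq $value) { continue }
            $report["$($src.Key).$n"] = $value
            if ($n -in 'ProductVersion', 'TargetReleaseVersion') { $pinned = $true }
        }
    }

    $report['LocalVersionPinPresent'] = $pinned
    $report['InsiderConfigured']      = $report.Contains('Insider.BranchName')
    [pscustomobject]$report
}

Get-FeatureUpdatePinState | Format-List
```

`LocalVersionPinPresent` only reflects settings written to the device itself; the feature update policy described in answer 4 is enforced on the service side, so a missing local pin does not by itself show that the policy was absent.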