Here I will be showing how you can use the Access Package feature of Azure Active Directory (Azure AD) entitlement management along with the Feature Update deployment policy from Intune to let end-users opt-in for Windows 11.
Back from vacation, I am currently looking at the different ways an organization can move to Windows 11 from Windows 10 in an Intune managed environment and this blog post is about one such way – empower end-users to opt-in to get the latest OS delivered to their managed device as per their convenience.
Let’s get started.
Table of Contents
Pre-Requisite
- Azure AD Premium P2 license as already mentioned above.
- A blank Azure AD security group with assigned membership that will be used for the purpose of deployment.
Create Access Package in Azure AD to let end-users to opt-in for Windows 11
- Login to Azure AD portal and navigate to Azure Active Directory > Identity Governance > Access packages
- Click New access package
- On the Basics page, provide the information required to create the Access Package.
- On the Resource roles page, click Groups and Teams to add the Azure AD security group and set the Role to Member. This will make sure that the user opting-in for Windows 11 will be added as a member to the group.
- On the Requests page, choose the options that best suits the requirement. The below config as shown in the snap is to let All Users within the directory (excluding Guests) to opt-in and get Windows 11.
If you require to add an approval flow that will be triggered after user requests for access, this can be done from here. However, for simplicity, I will omit the approval flow for now.
- The Requestor information page is Optional and can be used to collect information and attributes from the requestors, i.e. users requesting for the access package to opt-in for Windows 11. If you do not wish to collect any information from users, simply click on Next.
- On the Lifecycle page, you can select the expiration for the access package that is being created and also decide whether to add access reviews to the access package that will be automatically scheduled. Again for simplicity, I will keep Access package assignments expire to Never and Require access reviews to No.
- Rules (preview) page is again optional and I will not be doing anything in here but proceed to create the Access package.
- The final step, click on Create to create the Access package that will enable users to opt-in to get Windows 11.
With the Access Package created, let’s move on to the next configuration item.
Create a Feature Update policy deployment to let end-users opt-in for Windows 11
- In the MEM portal, navigate to Devices > Windows > Feature updates for Windows 10 and later
- Click on Create profile
- Give a Name for the Feature Update deployment policy, choose Windows 11 from the drop-down list of the Feature update to deploy and finally in the Rollout options, select the Make update available as soon as possible.
Note the other Rollout options now available to provide greater control to the IT. The team behind has done a wonderful job and surely deserves a mention here.
- In the Assignments page, select the security group that was used previously for the Access Package.
- Finally click on Create.
With the Access Package and the Windows 11 Feature Update deployment policy in place, let’s move on to see the end-user experience.
Opt-in for Windows 11 with Intune and Azure AD – End user Experience
End-user needs to visit the My Access portal that is available as part of the Azure AD entitlement management and see the Access Packages that are made available by the IT.
As you can see, I can see the Access Package that was created for the purpose of allowing users to opt-in for Windows 11 and all I need to do is click on Request.
The Request access opens a flyout pane where the user can fill in additional information. However, as in our configuration, no additional information needs to be provided, I can just click on the Submit button.
As soon as the user clicks on submit, the flow is triggered to add the user to the required group.
If we had added approvals, then the request would wait to get approved before the user is added to the group. In our case though, since we have no approvals setup, it will process directly as can be seen below from the Request history section.
As soon as the user gets added to the group, it’s over to Intune which will then make the Windows 11 update available to the users’ eligible Windows 10 device.
You can monitor the feature update deployment, as usual, using the Feature Update report from the MEM portal.
Ending
That was all for today. Hope you will find this informative.
1 Trackback / Pingback
Comments are closed.