Although it won’t be shipping until Oct. 5, Microsoft has already released the commercial preview of Windows 11. You’ll also see this called the “commercial prerelease moment,” and it means Microsoft believes the new OS is stable enough for enterprises to not only test but even start deploying to a small number of users (Microsoft suggests 1% of your organization), with free support from Microsoft even if you don’t have Software Assurance.

As it’s still a preview, this is available through the Windows Insider and Windows Update for Business channels, as well as through Windows Server Update Services (WSUS), Azure Marketplace for cloud VMs and as an ISO download you can distribute with your usual management tools. If you want to use Windows 11 in Windows 365, that will be available in preview when Windows 11 ships; it won’t be fully supported until spring 2022.

Deploying the final release will be similar to deploying the commercial preview. In many ways, upgrading to Windows 11 on PCs that have supported hardware (or deploying it on new devices if you need to do hardware upgrades) will be like installing a new Windows 10 feature pack.

You need to be running a supported version of Windows 10, currently 1909 or later, and to have applied any necessary cumulative updates. If not, upgrade those devices to at least 1909 and preferably 21H1 first. You’ll also need to migrate LTSB/LTSC installations if you want to upgrade those devices now; the next Windows LTSC will be based on Windows 10 21H2, but the LTSC release after that will be based on Windows 11.

Packs and swaps

As you’d expect, you can use the same tools to manage Windows 11 PCs and OS updates as you do for Windows 10. That matters because most enterprises will likely be managing Windows 10 and 11 PCs side by side for the next three to five years as they buy new devices and retire old PCs. You can still do things like customizing the Out of Box Experience that users see the first time they turn on their PC.

But for managing Windows 11 upgrades, it’s helpful to understand the difference between “enablement packs” and what Microsoft refers to as an “OS swap.”

Regular Patch Tuesday updates include security patches and quality updates with fixes, but they may also include extra code to prepare PCs for the next feature update: They download and install new features, but those features aren’t yet turned on in Windows. A feature update that’s delivered as an enablement package installs very quickly (the reboot should take about five minutes) because it’s really just setting the registry keys to turn on features that have been installed alongside regular Windows updates and changing the version number of Windows. Microsoft says that also means the same app compatibility as the previous version because it has the same core OS.

Windows 10 1909 was a feature update delivered as an enablement package to Windows 10 1903. Enablement packages only work with versions of Windows that share the same core OS, so you couldn’t use that package to upgrade Windows 10 1809 to 1903. But Windows 10 2004 was an “OS swap”: a whole new version of the operating system that was downloaded and installed on top of 1909. Windows 10 20H2 and 21H1 were also delivered as enablement packages and share the same core OS as 2004, but with extra features added. That means if you still have a PC running 2004, you can take it straight to 21H1 with the enablement package rather than needing to upgrade it twice.

Windows 11 will be what Microsoft calls a new “OS floor,” and it will be delivered as an OS swap, not an enablement package. OS swaps take longer to install than enablement packages, but much of the upgrade will be done online while users are working on their PCs, and Microsoft claims it will look like a faster in-place upgrade than previous OS swap releases.

Windows 11 management tools

If you use Microsoft Endpoint Configuration Manager, you’ll need version 2107 (or Technical Preview 2106 or later) to work with Windows 11, and the Assessment and Deployment Kit for Windows 11. In Configuration Manager, use the build number (22000 or higher) to create a device collection for Windows 11 PCs; you may want to have this run daily to update the list of which PCs have successfully upgraded. The Azure Update Compliance service may add more reports covering Windows 11 readiness, and the Endpoint Analytics tool in both Intune and Configuration Manager includes hardware assessments for Windows 11.

You can also use the Desktop Analytics service for Configuration Manager to do an inventory or use your existing management tools to gather details to see which PCs you’ll be able to install Windows 11 on. Generate reports of which PCs have older versions of Windows 10, less than 64GB of disk space free or less than 4GB of RAM (they’ll need upgrading if they meet the rest of the hardware requirements).

With the new system requirements for Windows 11, you may need to make some configuration changes to existing devices. If TPM 2.0 isn’t enabled in the firmware you’ll need to turn it on. If PCs have been running with BIOS emulation (which may have been turned on to allow running a 32-bit OS on 64-bit hardware), you need to move to UEFI, which means converting the system disk from Master Boot Record to GPT partitions from within Windows or through Configuration Manager and then reconfiguring the firmware for UEFI.

You should be able to make those changes without needing to clean install Windows, but you’ll need to plan for and test the process in advance. And if the reason a PC has BIOS emulation is that it’s running a 32-bit version of Windows 10, you’ll need to do a clean install anyway to move it to a 64-bit version (Windows 11 is 64-bit only). You’ll also need to find which PCs don’t have Secure Boot enabled so you can turn that on.
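The checks described in the last few paragraphs can be run per device with a short script. This is an added example, not a Microsoft script and not part of the original article; the function name `Get-Win11Readiness` is hypothetical, build 18363 is used as the floor for Windows 10 1909, and only the requirements this article names are tested.

```powershell
# Added example: test one PC against the requirements named in this article.
# Run from an elevated Windows PowerShell 5.1 session on the Windows 10 device.
function Get-Win11Readiness {
    $os      = Get-CimInstance -ClassName Win32_OperatingSystem
    $ramGB   = (Get-CimInstance -ClassName Win32_PhysicalMemory |
                Measure-Object -Property Capacity -Sum).Sum / 1GB
    $sysVol  = Get-CimInstance -ClassName Win32_LogicalDisk `
                               -Filter "DeviceID='$($env:SystemDrive)'"
    $sysDisk = Get-Disk | Where-Object IsSystem
    $fwType  = "$((Get-ComputerInfo -Property BiosFirmwareType).BiosFirmwareType)"

    # Win32_Tpm.SpecVersion looks like "2.0, 0, 1.38"; nothing is returned
    # when the firmware exposes no TPM (or it is switched off there).
    $tpm = Get-CimInstance -Namespace 'root\cimv2\Security\MicrosoftTpm' `
                           -ClassName Win32_Tpm -ErrorAction SilentlyContinue
    $tpm20 = [bool]($tpm -and $tpm.SpecVersion -like '2.0*' -and
                    $tpm.IsEnabled_InitialValue)

    # Confirm-SecureBootUEFI throws on BIOS/CSM firmware: treat that as "off".
    try   { $secureBoot = [bool](Confirm-SecureBootUEFI -ErrorAction Stop) }
    catch { $secureBoot = $false }

    $checks = [ordered]@{
        'Windows 10 1909 or later' = ([int]$os.BuildNumber -ge 18363)
        '64-bit Windows'           = [Environment]::Is64BitOperatingSystem
        '4GB RAM or more'          = ($ramGB -ge 4)
        '64GB free on system disk' = (($sysVol.FreeSpace / 1GB) -ge 64)
        'UEFI firmware mode'       = ($fwType -eq 'Uefi')
        'GPT system disk'          = ($sysDisk.PartitionStyle -eq 'GPT')
        'TPM 2.0 enabled'          = $tpm20
        'Secure Boot enabled'      = $secureBoot
    }
    $blockers = @($checks.GetEnumerator() |
                  Where-Object { -not $_.Value } | ForEach-Object Key)

    [pscustomobject]@{
        ComputerName = $env:COMPUTERNAME
        Build        = [int]$os.BuildNumber
        Ready        = ($blockers.Count -eq 0)
        Blockers     = $blockers -join '; '
    }
}

Get-Win11Readiness | Format-List
```

A device that reports only "UEFI firmware mode", "GPT system disk" and "Secure Boot enabled" as blockers is a candidate for the in-place MBR-to-GPT conversion described above rather than a hardware replacement.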

If you use rings to manage Windows Update for Business, you can choose which rings will upgrade to Windows 11 the same way you would for new Windows 10 releases; the default will be to stay on Windows 10.

If you use Intune or co-management in Microsoft Endpoint Manager, the feature update deployment option works with the new Windows Update for Business deployment service to let you pick which version of Windows you want PCs to stay on or upgrade to, including Windows 11.

It will also control which devices are offered Windows 11 upgrades, based on their telemetry. If a PC doesn’t meet the system requirements or if it does, but that model or specific hardware combination is subject to what Microsoft calls a safeguard hold because there’s a known compatibility issue, it won’t waste time and bandwidth downloading an upgrade that can’t be installed.

You’ll be able to see which devices aren’t eligible and why they’re not being offered Windows 11 in the Configuration Manager update compliance report and in Endpoint Analytics. Microsoft will also provide scripts to gather the same information if you use other management tools.

There’s a group policy (and a configuration service provider setting if you’re using Intune or another MDM tool) to disable a safeguard hold for a specific device if you’re an IT administrator needing to test Windows 11 on a device that isn’t being offered it—perhaps to confirm to a business user that they can’t get Windows 11 yet because they really will see problems on their device. That’s not a way to get around the hardware requirements though, and it may be more useful to use the Test Base service or even a VM than to try to run Windows 11 on unsuitable hardware.

If you turn off a safeguard hold to install Windows 11 and then want to go back to Windows 10 (or if you have users unhappy at the user interface changes who want to revert), Intune and Configuration Manager will allow you to roll back the Windows 11 upgrade because, again, it’s like any other Windows feature update.

It’s more work, but you can manage targeting with group policy, using the target release product and target version policies under the Windows Update node. If you use WSUS (Windows Server Update Services), you’ll need to add and sync the Windows 11 product category. The Windows 11 GPO settings have been redesigned (for example, to make clearer which apply to Windows Update and which only to WSUS), but the registry keys they set are the same.
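Because the policies write the same registry values on Windows 10 and Windows 11, you can audit which release a device is pinned to and whether a safeguard-hold override was left on after testing. This is an added example, not from the original article or from Microsoft; the function name `Get-WuTargetingPolicy` is hypothetical, and the value names are the documented Windows Update policy values, which the article itself does not list.

```powershell
# Added example: report the Windows Update targeting and safeguard-hold
# policy values on the local device and flag states worth following up.
function Get-WuTargetingPolicy {
    $key   = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
    $p     = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
    $build = [int](Get-CimInstance -ClassName Win32_OperatingSystem).BuildNumber

    $pinned   = ($p.TargetReleaseVersion -eq 1)    # target version policy enabled
    $holdsOff = ($p.DisableWUfBSafeguards -eq 1)   # safeguard holds disabled

    $findings = @()
    if ($holdsOff) {
        $findings += 'Safeguard holds are disabled; confirm this is a test device'
    }
    if ($pinned -and -not $p.TargetReleaseVersionInfo) {
        $findings += 'Target version policy is enabled but no version is set'
    }
    if ($pinned -and $p.ProductVersion -eq 'Windows 10' -and $build -ge 22000) {
        $findings += 'Device already runs Windows 11 but is pinned to Windows 10'
    }
    if (-not $pinned) {
        $findings += 'No target release policy; the update ring decides the upgrade'
    }

    [pscustomobject]@{
        ComputerName       = $env:COMPUTERNAME
        Build              = $build
        TargetProduct      = $p.ProductVersion
        TargetVersion      = $p.TargetReleaseVersionInfo
        SafeguardsDisabled = $holdsOff
        Findings           = $findings -join '; '
    }
}

Get-WuTargetingPolicy | Format-List
```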

For organizations still using group policy though, Windows 11 is a good opportunity to move to more modern device management options. The Intune Group Policy Analytics tool can look at your group policies and tell you which you can implement in MDM using CSPs. It can even convert those policies to work with Intune, but it’s worth taking the time to analyse their impact with Endpoint Analytics and make sure they’re still useful rather than just replicating old policies that could significantly slow down Windows startup times.

And if you want to plan and test your Windows 11 deployment strategy using tools like Configuration Manager and Autopilot and you don’t already have a test lab, Microsoft will also be updating the Windows deployment lab kit to cover Windows 11.