Endpoint Services, MECM, Managing Windows 11
Overview
This article covers the available MECM features for evaluating Windows 11 compatibility, as well as deploying Windows 11 to new and existing devices.
Systems
Microsoft Endpoint Configuration Manager (MECM)
Intended Audience
University of Illinois IT Pros leveraging MECM, hosted by Technology Services' Endpoint Services team
Evaluating Windows 11 compatibility for an existing device
- Deploy one of the 'Audit Windows 11 Readiness' configuration baselines to the respective collection - located at \Assets and Compliance\Overview\Compliance Settings\Configuration Baselines in the console
- The configuration baselines leverage Microsoft's Windows 11 Hardware Readiness script. Non-compliant devices will fail one or more of the following requirements: Memory, Processor, SecureBoot, Storage, TPM
- Refer to the 'Understanding the Hardware Readiness script output' section at the link above to evaluate the output of the baseline
- This will check that an endpoint meets the Windows 11 minimum system requirements and mark any endpoints that don't meet them as non-compliant
- The 'Audit Windows 11 Readiness - Granular' baseline checks all of the requirements: Memory, Processor, TPM, SecureBoot, Storage
- If you would like to create a non-compliant collection for a specific requirement, deploy the respective 'Audit Windows 11 Readiness - x' baseline.
- For example, if you want a collection of devices that do not meet TPM requirements so you can query models and potentially deploy newer TPM firmware, deploy the 'Audit Windows 11 Readiness - TPM' baseline
- Collections based on compliance can be created by right-clicking the deployment of the configuration baseline, selecting ‘Create New Collection’, then selecting the desired compliance status
- View the details of the baseline results at \Monitoring\Overview\Deployments in the console
- Search for the baseline name and double-click to view the status
- For details of non-compliance, select the Non-Compliant tab, expand the columns, then view the assets under each CI name.
- Please note that additional compatibility considerations for internal and external peripherals may be required
- For devices that do not meet TPM requirements, determine if the device can be upgraded from TPM 1.2 to TPM 2.0
- Refer to this page to upgrade eligible Dell devices: https://www.dell.com/support/kbdoc/en-us/000132583/dell-systems-that-can-upgrade-from-tpm-version-1-2-to-2-0
- Refer to this page to upgrade eligible HP devices: https://support.hp.com/us-en/document/c05381064
- If a TPM upgrade is possible, upgrade the device to the latest BIOS version first. Note that devices on very outdated BIOS versions may need to be upgraded to an intermediate version before they can take the latest version; refer to the vendor's documentation in the BIOS update.
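For spot-checking a single device against the same five requirement areas, and for collecting the TPM and BIOS details needed for the firmware upgrade decision above, the following PowerShell is an added example; it is not the configuration baseline's code or Microsoft's Hardware Readiness script. The function name is hypothetical, the thresholds are Microsoft's published Windows 11 minimums, and the Processor check covers only 64-bit support, core count and clock speed, not the supported-CPU list.

```powershell
# Added example (not the baseline's script). Run elevated on the device being triaged.
function Get-Win11ReadinessSummary {
    $cs   = Get-CimInstance -ClassName Win32_ComputerSystem
    $bios = Get-CimInstance -ClassName Win32_BIOS
    $cpu  = Get-CimInstance -ClassName Win32_Processor | Select-Object -First 1
    $disk = Get-CimInstance -ClassName Win32_LogicalDisk -Filter "DeviceID='$($env:SystemDrive)'"
    $ram  = (Get-CimInstance -ClassName Win32_PhysicalMemory |
             Measure-Object -Property Capacity -Sum).Sum

    # Win32_Tpm returns nothing when the TPM is absent or disabled in firmware.
    $tpm = Get-CimInstance -Namespace 'root\cimv2\Security\MicrosoftTpm' -ClassName Win32_Tpm -ErrorAction SilentlyContinue
    # SpecVersion is a string such as "2.0, 0, 1.38"; the first field is the spec level.
    $tpmSpec = if ($tpm) { ($tpm.SpecVersion -split ',')[0].Trim() } else { 'None' }

    # Confirm-SecureBootUEFI returns $true/$false on UEFI systems and throws on legacy BIOS.
    $secureBoot = try {
        if (Confirm-SecureBootUEFI -ErrorAction Stop) { 'Enabled' } else { 'Disabled' }
    } catch [System.PlatformNotSupportedException] { 'NotSupported' } catch { 'Undetermined' }

    [pscustomobject]@{
        Manufacturer   = $cs.Manufacturer
        Model          = $cs.Model
        BiosVersion    = $bios.SMBIOSBIOSVersion
        TpmSpecVersion = $tpmSpec
        TpmVendor      = if ($tpm) { $tpm.ManufacturerIdTxt } else { $null }
        TpmFirmware    = if ($tpm) { $tpm.ManufacturerVersion } else { $null }
        TPM            = $tpmSpec -eq '2.0'
        SecureBoot     = $secureBoot
        Memory         = $ram -ge 4GB
        Storage        = $disk.Size -ge 64GB
        # Basic shape only: does not consult Microsoft's supported-CPU list.
        Processor      = $cpu.AddressWidth -eq 64 -and $cpu.NumberOfCores -ge 2 -and $cpu.MaxClockSpeed -ge 1000
    }
}

Get-Win11ReadinessSummary | Format-List
```

A device that reports TpmSpecVersion 1.2 together with its Model and BiosVersion gives you what the Dell and HP pages above ask for when checking upgrade eligibility.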
Deploy and manage Windows 11
- For new Windows 11 installations:
- Copy an existing OS deployment task sequence to use for Windows 11 deployments
- Update the 'Apply Operating System Image' step to use the latest Windows 11 operating system upgrade package
- Update the 'Apply Driver Package' steps to use the latest Windows 11 drivers for each model
- If there is a 'Pre-provision BitLocker' step, disable that step and implement one of the following options:
- Replace the step with a new ‘Run Task Sequence’ step that runs the ‘DEMO DAYS-Pre-Provision Bitlocker Workaround’ task sequence, located at '\Software Library\Overview\Operating Systems\Task Sequences\.DEMO DAYS' in the console
- Or, you can create the following four Run Command Line steps in your task sequence using the commands below:
- reg.exe add HKLM\SOFTWARE\Policies\Microsoft\TPM /v OSManagedAuthLevel /t REG_DWORD /d 2 /f
- reg.exe delete HKLM\SYSTEM\CurrentControlSet\Control\MiniNT /f
- manage-bde.exe -on C: -em xts_aes128
- reg.exe add HKLM\SYSTEM\CurrentControlSet\Control\MiniNT /f
- Ensure your unit's boot image is updated to the latest version (OS Version 10.0.25398.531 or greater): Update boot image
- Deploy the task sequence to the respective OSD collection
- Upgrade devices with an existing Windows 10 installation:
- Follow the guidance in this article to create an upgrade task sequence: https://learn.microsoft.com/en-us/mem/configmgr/osd/deploy-use/create-a-task-sequence-to-upgrade-an-operating-system
- Update the 'Upgrade Operating System' step to use the latest Windows 11 operating system upgrade package
- Deploy the task sequence to the respective collection
- Track your environment's overall count of Windows 11 devices
- Follow this guide to create collections based on a device's OS version: https://answers.uillinois.edu/illinois/90428
- In order to manage Windows 11 updates with MECM, visit https://go.illinois.edu/epshelp, select the 'MECM' service, select 'Microsoft/Office/Windows Updates' under 'Request Type', then fill out the rest of the form
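To confirm the result of the BitLocker steps under 'For new Windows 11 installations' on an imaged device, the following PowerShell is an added example, not part of the task sequence or of Endpoint Services' tooling. The function name is hypothetical, and it assumes your unit expects a TPM-based protector and a recovery password on the OS volume.

```powershell
# Added example: post-imaging check of the OS volume. Run elevated in the deployed OS.
function Test-OsVolumeEncryption {
    param([string]$MountPoint = $env:SystemDrive)

    $vol = Get-BitLockerVolume -MountPoint $MountPoint -ErrorAction Stop
    $protectors = @($vol.KeyProtector | ForEach-Object { "$($_.KeyProtectorType)" })
    $findings = @()

    # The task sequence command requests xts_aes128; any other method means the
    # volume was encrypted by a different step or policy.
    if ("$($vol.EncryptionMethod)" -ne 'XtsAes128') {
        $findings += "Encryption method is $($vol.EncryptionMethod), expected XtsAes128"
    }
    if ("$($vol.VolumeStatus)" -notin 'FullyEncrypted', 'EncryptionInProgress') {
        $findings += "Volume status is $($vol.VolumeStatus)"
    }
    # Encrypted data with protection off is not yet guarded by any protector.
    if ("$($vol.ProtectionStatus)" -ne 'On') {
        $findings += "Protection status is $($vol.ProtectionStatus)"
    }
    # Assumption: a TPM-based protector (Tpm, TpmPin, ...) and a recovery password are expected.
    if (-not ($protectors -match '^Tpm')) {
        $findings += 'No TPM-based key protector present'
    }
    if ($protectors -notcontains 'RecoveryPassword') {
        $findings += 'No recovery password protector present'
    }

    [pscustomobject]@{
        MountPoint    = $vol.MountPoint
        Method        = "$($vol.EncryptionMethod)"
        PercentDone   = $vol.EncryptionPercentage
        KeyProtectors = $protectors -join ', '
        Compliant     = $findings.Count -eq 0
        Findings      = $findings
    }
}

Test-OsVolumeEncryption | Format-List
```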