3.3 Windows 11 Upgrades and Windows 365 Cloud PCs

Windows 11 upgrade planning with Intune

For MD-102, Windows upgrade management is mostly about policy intent. Feature update policies select the Windows release you want devices to install or remain on. Update rings control ongoing quality update behavior such as deferrals, deadlines, restarts, and active hours.

Feature update policies keep applying until changed or removed. They also do not downgrade a device. If a device already runs a newer Windows version than the target, the policy is not used to force it backward.

Because Windows 10 reached end of support on October 14, 2025, 2026 endpoint plans should treat Windows 11 upgrade readiness as an operational priority. Intune may still show enrolled Windows 10 devices and some eligible management features may still work, but ongoing quality and feature update support is no longer guaranteed for Windows 10.

A practical Windows 11 deployment pattern

A safe upgrade plan usually starts with readiness and scope:

1. Identify hardware, app, driver, VPN, and security-agent blockers.
2. Create pilot user and device groups for IT, early adopters, and critical departments.
3. Use assignment filters where group membership is too broad, such as excluding unsupported models or including a specific OS version range.
4. Assign a feature update policy to the pilot group and monitor installation status.
5. Expand rings after help desk, app owners, and security teams confirm success.

If a question says the organization must control monthly quality update restart behavior, do not answer feature update policy by itself. If the question says devices must remain on a specific Windows 11 release until the admin selects a later release, use a feature update policy.

Windows 365 Cloud PC deployment

Windows 365 provisions Cloud PCs from the Microsoft cloud and manages them through Intune. A provisioning policy is the central object. It tells Windows 365 which users get Cloud PCs and how those Cloud PCs should be created.

A Windows 365 provisioning policy includes:

• Network - Microsoft-hosted network or Azure network connection, depending on join and networking requirements.
• Image - Microsoft gallery image or custom image.
• Configuration - language, region, optional device name template, and related settings.
• Assignment - Microsoft Entra user security groups or Microsoft 365 Groups.
• Licensing - users need the appropriate Windows 365 license before a Cloud PC is provisioned.

For Windows 365 Enterprise, if a user in an assigned group is not licensed, Windows 365 does not provision that user's Cloud PC. If a user is in scope for more than one provisioning policy for the same license, the service uses the first assigned policy for that Cloud PC.

Policy changes after provisioning

A key exam trap is assuming every provisioning policy edit changes existing Cloud PCs. Many changes, such as image, network, region, or single sign-on configuration, affect newly provisioned or reprovisioned Cloud PCs. Existing provisioned Cloud PCs usually need a specific move, apply-current-configuration, or reprovision operation depending on the setting.

Reprovisioning is destructive to the Cloud PC because it deletes and recreates it from the current provisioning policy. Use it when a failed or misconfigured Cloud PC must be rebuilt, not as a routine policy refresh.

Cloud PCs and configuration profiles

After provisioning, Cloud PCs are Intune-managed Windows devices. You can target device configuration, security, and app policies to Cloud PC device groups just like physical Windows endpoints. For user-experience settings that follow the person, use user-group assignment carefully.

Do not confuse Windows 365 Cloud PCs with Azure Virtual Desktop multi-session hosts. Windows 11 Enterprise multi-session is managed through a more constrained Intune path, mainly the Settings catalog with Enterprise multi-session applicability filtering. That profile behavior is covered in the next section.