Creating and Deploying a Windows 11 Image Using Intune: A Comprehensive Guide

Jan 31


Deploying a standardized and secure Windows 11 operating system across an organization can be a complex endeavor. Microsoft Intune, a cloud-based endpoint management solution, offers a robust platform for streamlining this process. This comprehensive guide provides a detailed plan for creating and deploying a Windows 11 image using Intune, incorporating best practices, troubleshooting tips, and alternative solutions.

Prerequisites for Windows 11 Deployment with Intune

Before embarking on the image creation and deployment journey, ensure your environment meets the following prerequisites:

  • Intune Subscription: A valid Intune subscription is essential for deploying feature updates in Intune. This could include subscriptions like Windows 10/11 Enterprise E3 or E5 (included in Microsoft 365 F3, E3, or E5), Windows 10/11 Education A3 or A5 (included in Microsoft 365 A3 or A5), Windows 10/11 Virtual Desktop Access (VDA) per user, or Microsoft 365 Business Premium [1].

  • Device Enrollment: The target Windows devices must be enrolled in Intune mobile device management (MDM) [1].

  • Azure AD Join: Devices should be either Azure AD joined or Hybrid AD joined to utilize Intune's management capabilities [1].

  • Windows 11 Requirements: Ensure devices meet the minimum hardware and software requirements for Windows 11, including TPM 2.0 or newer and supported CPUs [1].
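
A local check of the TPM and join-state prerequisites above, as an added example that is not part of the original guide. It also reports Secure Boot, which the guide enables on the reference VM; the function name is hypothetical, and MDM enrollment and CPU support are not checked.

```powershell
# Added example, not from the original guide. Run elevated on the target device.
function Test-Win11IntunePrereq {
    # TPM: Win32_Tpm.SpecVersion is a comma-separated string such as "2.0, 0, 1.38".
    $tpm = Get-CimInstance -Namespace 'root\cimv2\Security\MicrosoftTpm' `
               -ClassName Win32_Tpm -ErrorAction SilentlyContinue
    $tpmSpec = if ($tpm) { ($tpm.SpecVersion -split ',')[0].Trim() } else { $null }

    # Secure Boot: the cmdlet throws on legacy BIOS firmware, so treat errors as "off".
    $secureBoot = try { [bool](Confirm-SecureBootUEFI -ErrorAction Stop) } catch { $false }

    # Join state: collect the "Key : Value" lines printed by dsregcmd /status.
    $dsreg = @{}
    foreach ($line in (dsregcmd.exe /status)) {
        if ($line -match '^\s*(\w+)\s*:\s*(.+?)\s*$') { $dsreg[$Matches[1]] = $Matches[2] }
    }
    $aad = $dsreg['AzureAdJoined'] -eq 'YES'
    $ad  = $dsreg['DomainJoined']  -eq 'YES'
    $joinType = 'Not joined to Azure AD'
    if ($aad) { $joinType = if ($ad) { 'Hybrid AD joined' } else { 'Azure AD joined' } }

    [pscustomobject]@{
        ComputerName = $env:COMPUTERNAME
        TpmSpec      = $tpmSpec
        TpmOk        = ($tpmSpec -as [version]) -ge [version]'2.0'   # TPM 2.0 or newer
        SecureBoot   = $secureBoot
        JoinType     = $joinType
        JoinOk       = $aad
    }
}

$result = Test-Win11IntunePrereq
$result | Format-List
if (-not ($result.TpmOk -and $result.SecureBoot -and $result.JoinOk)) {
    Write-Warning 'Device does not meet the TPM, Secure Boot, or join prerequisites.'
}
```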

Creating a Windows 11 Image for Intune Deployment

Intune can be used to deploy custom images in addition to upgrading existing Windows 10 devices to Windows 11. Here's a combined approach leveraging Intune and traditional imaging tools:

  1. Prepare the Reference Computer:

     • Begin with a new virtual machine (VM) in Hyper-V Manager [3].

     • Select Generation 2 to support UEFI-based firmware, a requirement for Windows 11 [3].

     • Allocate sufficient resources to the VM, including at least 4GB of RAM and 64GB of disk space [3].

     • Enable Trusted Platform Module (TPM) and Secure Boot in the VM settings [3].

  2. Install Windows 11:

     • Mount the Windows 11 ISO image [3].

     • Perform a clean install of Windows 11 Pro on the VM [3].

     • During setup, choose "Set up for work or school" and then "Domain join instead" to create an offline account [3].

  3. Configure Windows 11:

     • Install the latest Windows updates [3].

     • Install essential drivers and applications [3].

     • Avoid installing antivirus or third-party security software at this stage [4].

     • Ensure the language packs installed for the Windows Recovery Environment (WinRE) match the languages preinstalled in Windows. For instance, if building an English-only image, the WinRE language folder can remain empty [4].

  4. Capture the Image:

     • Utilize a tool like the Deployment Image Servicing and Management (DISM) tool from the Windows Assessment and Deployment Kit (ADK) to capture the image [5].

     • For example, run the following command in WinPE [5]:

       Dism /Capture-Image /ImageFile:C:\myimage.wim /CaptureDir:c:\ /Compress:fast /CheckIntegrity /Name:"Windows 11 Image" /Description:"Windows 11 reference image"

     • Store the captured image (install.wim) on a network share accessible by Intune [5].

  5. Sysprep (Optional):

     • If you intend to deploy the image to multiple devices with varying hardware configurations, use the System Preparation Tool (Sysprep) to generalize the image [6].

     • Sysprep removes unique system information, such as the computer name and security identifier (SID), ensuring the image can be deployed on different hardware [6].
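
The "Prepare the Reference Computer" step above, scripted with the Hyper-V PowerShell module instead of Hyper-V Manager; this is an added example and not part of the original guide. The function name, VM name, file paths, and switch name are hypothetical placeholders.

```powershell
# Added example, not from the original guide. Run elevated on a Hyper-V host.
# The VM name, paths, and switch name are hypothetical placeholders.
function New-Win11ReferenceVM {
    param(
        [string]$Name       = 'Win11-Reference',
        [string]$VhdPath    = 'D:\Hyper-V\Win11-Reference.vhdx',
        [string]$IsoPath    = 'D:\ISO\Windows11.iso',
        [string]$SwitchName = 'Default Switch'
    )
    # Generation 2 gives the VM UEFI firmware; 4 GB RAM and a 64 GB disk as in the guide.
    New-VM -Name $Name -Generation 2 -MemoryStartupBytes 4GB `
           -NewVHDPath $VhdPath -NewVHDSizeBytes 64GB -SwitchName $SwitchName | Out-Null

    # New-VM defaults to one virtual processor; Windows 11 needs at least two cores.
    Set-VMProcessor -VMName $Name -Count 2

    # A virtual TPM needs a key protector first. A local protector ties the vTPM
    # state to this host, which is acceptable for a throwaway reference VM.
    Set-VMKeyProtector -VMName $Name -NewLocalKeyProtector
    Enable-VMTPM -VMName $Name

    # Secure Boot with the Microsoft Windows template.
    Set-VMFirmware -VMName $Name -EnableSecureBoot On -SecureBootTemplate MicrosoftWindows

    # Mount the installation ISO and boot from it first.
    $dvd = Add-VMDvdDrive -VMName $Name -Path $IsoPath -Passthru
    Set-VMFirmware -VMName $Name -FirstBootDevice $dvd

    # Return the settings that matter so they can be checked before installing.
    [pscustomobject]@{
        Name       = $Name
        Generation = (Get-VM -Name $Name).Generation
        TpmEnabled = (Get-VMSecurity -VMName $Name).TpmEnabled
        SecureBoot = (Get-VMFirmware -VMName $Name).SecureBoot
    }
}

New-Win11ReferenceVM | Format-List
```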

Understanding System Images and Backups

It's important to distinguish between a system image and a backup. A system image is a snapshot of your entire operating system, including the Windows installation, applications, settings, and files. It allows you to restore your computer to a previous state in case of a system failure. On the other hand, a backup typically focuses on specific files and folders, providing a way to recover lost data. While both are valuable for disaster recovery, system images are primarily used for restoring the entire system, while backups are used for recovering individual files and folders [3].

Deploying the Windows 11 Image with Intune

Intune provides several methods for deploying the captured Windows 11 image:

Feature Update Deployment

  • This method is primarily used for upgrading existing Windows 10 devices to Windows 11 [2].

  • In the Microsoft Endpoint Manager admin center, navigate to Devices > Windows > Feature updates for Windows 10 and later [2].

  • Create a new profile, select "Windows 11" as the feature update to deploy, and configure the rollout options [1].

  • Assign the profile to a group of target devices [1].

Windows Autopilot

  • Autopilot simplifies new device provisioning by automating device configuration and enrollment in Intune. This is a modern deployment method that streamlines the process and reduces manual intervention [7].

  • Import devices into Autopilot by providing their hardware hash IDs and serial numbers [9].

  • Create an Autopilot deployment profile with desired settings, such as joining Azure AD, enrolling in Intune, and installing applications [9].

  • Assign the profile to a group of Autopilot devices [9].

  • Leverage the "Self-Deploying" mode in Autopilot for zero-touch installations, ideal for scenarios requiring minimal user interaction. In this mode, devices are automatically configured and enrolled with minimal input from the user [10].

Traditional Deployment with Configuration Manager

  • For more complex scenarios or environments with existing Configuration Manager infrastructure, integrate Intune with Configuration Manager for co-management [11].

  • Use Configuration Manager's task sequences to deploy the Windows 11 image and leverage Intune for managing policies and applications [11].

In-place Upgrades with Intune

For transitioning from Windows 10 to Windows 11, in-place upgrades offer a simpler alternative to creating custom images. In-place upgrades utilize the Windows installation program (Setup.exe) to automatically preserve existing data, settings, applications, and drivers while upgrading the operating system. This method requires minimal IT effort as it eliminates the need for complex deployment infrastructure [8].

It's crucial to understand that custom images are not compatible with in-place upgrades. The upgrade process cannot handle conflicts between applications in the old and new operating systems. Therefore, using a custom image for an in-place upgrade is not recommended and may lead to issues [8].

Troubleshooting Common Challenges

  • Slow App Installations: To expedite app installations, ensure apps are configured to download in the foreground within Intune. Additionally, optimize the Enrollment Status Page (ESP) to prioritize the installation of essential apps, minimizing the time users spend waiting for the process to complete [12].

  • App Installation Failures: When encountering app installation failures, review Intune logs and the event viewer for specific error messages. Consider utilizing PowerShell scripts for advanced troubleshooting and remediation [13].

  • Compliance Issues: If devices are not compliant with Intune policies, verify their compatibility with the defined policies. Additionally, check for any firewall errors that might be hindering communication between the devices and Intune [14].

  • Enrollment Errors: In cases where a device fails to enroll in Intune, investigate potential causes such as previous enrollment records, cloned images, or conflicting accounts on the device. Removing any remnants of previous enrollments or accounts can often resolve these issues [15].

  • Autopilot Issues: For troubleshooting Windows Autopilot deployments, refer to the known issues documentation provided by Microsoft. This documentation outlines common problems and provides workarounds or solutions to address them [16].

  • Safeguard Holds: Be aware that safeguard holds might be in place for feature updates due to compatibility issues. These holds temporarily prevent the update from being deployed until the issue is resolved [2].

Best Practices for Windows 11 Image Creation and Deployment

  • Keep the Image Updated: Before capturing the image, ensure the latest Windows updates are installed on the reference computer. This ensures that the deployed image is up-to-date with security patches and bug fixes [4].

  • Exclude Unnecessary Software: Avoid including unnecessary software in the image, such as antivirus, third-party security software, and user-specific data. This helps reduce the image size and potential conflicts during deployment [4].

  • Optimize for Deployment: When capturing the image with DISM, use a fast compression algorithm to minimize the image size and reduce deployment time [5].

  • Test Thoroughly: Before deploying the image to production devices, conduct thorough testing on a small group of pilot devices. This helps identify and resolve any potential issues before widespread deployment [2].

  • Use Answer Files: Leverage answer files (unattend.xml) to automate the Windows installation process. Answer files allow you to pre-configure various settings, such as the computer name, product key, language, and domain membership, reducing manual configuration during deployment [6].

  • Leverage the Enrollment Status Page: Configure the Enrollment Status Page (ESP) in Intune to provide users with clear information and progress updates during the deployment process. The ESP monitors the three phases of provisioning: Device preparation, Device setup, and Account setup. This transparency helps users understand the deployment stages and reduces uncertainty [10].

  • Intune Security Baselines: Utilize Intune's security baselines, which are pre-configured with Microsoft's best practices and recommendations for security settings. These baselines provide a starting point for securing your Windows 11 deployments and can be customized to meet your specific security requirements [18].
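
Because answer files can carry product keys and account or domain-join passwords, a captured image is worth auditing before it goes onto a share. The following added example (not part of the original guide) mounts a WIM read-only and reports answer files that still hold such values; the function name and scratch folder are hypothetical, and the image path is the one from the DISM command earlier in the guide.

```powershell
# Added example, not from the original guide. Run elevated; uses the DISM PowerShell module.
function Find-AnswerFileSecret {
    param(
        [Parameter(Mandatory)][string]$ImagePath,                # e.g. C:\myimage.wim
        [int]$Index = 1,
        [string]$MountDir = (Join-Path $env:TEMP 'wim-audit')    # hypothetical scratch folder
    )
    # Locations where Windows Setup and Sysprep look for or cache answer files.
    $candidates = 'Windows\Panther\unattend.xml',
                  'Windows\Panther\Unattend\unattend.xml',
                  'Windows\System32\Sysprep\unattend.xml',
                  'unattend.xml', 'autounattend.xml'
    # local-name() avoids having to register the unattend XML namespace.
    $xpath = "//*[local-name()='Password' or local-name()='AdministratorPassword' " +
             "or local-name()='ProductKey']"

    New-Item -ItemType Directory -Path $MountDir -Force | Out-Null
    Mount-WindowsImage -ImagePath $ImagePath -Index $Index -Path $MountDir -ReadOnly | Out-Null
    try {
        foreach ($rel in $candidates) {
            $file = Join-Path $MountDir $rel
            if (-not (Test-Path -LiteralPath $file)) { continue }
            $doc = [xml](Get-Content -LiteralPath $file -Raw)
            foreach ($node in $doc.SelectNodes($xpath)) {
                $text = $node.InnerText.Trim()
                # Setup replaces secrets in its cached copy with *SENSITIVE*DATA*DELETED*.
                if (-not $text -or $text -match 'SENSITIVE\*DATA\*DELETED') { continue }
                $plain = $node.SelectSingleNode("*[local-name()='PlainText']")
                [pscustomobject]@{
                    File      = $rel
                    Element   = "$($node.ParentNode.LocalName)/$($node.LocalName)"
                    # PlainText=false means Base64-encoded, which is not encryption.
                    PlainText = if ($plain) { $plain.InnerText } else { 'n/a' }
                }   # the value itself is deliberately left out of the report
            }
        }
    }
    finally {
        Dismount-WindowsImage -Path $MountDir -Discard | Out-Null
    }
}

$findings = @(Find-AnswerFileSecret -ImagePath 'C:\myimage.wim')
if ($findings.Count) { $findings | Format-Table -AutoSize } else { 'No answer-file secrets found.' }
```

Any finding means the answer file should be removed from the reference machine and the image recaptured, with the affected credentials rotated.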

Alternative Solutions

If Intune doesn't fully align with your specific needs or environment, consider these alternative solutions for deploying Windows 11 images:

  • Microsoft Deployment Toolkit (MDT): MDT is a free tool provided by Microsoft that offers a high degree of customization for creating and deploying Windows images. It provides a comprehensive set of features for managing the deployment process, including task sequences, rules, and driver management. However, it requires manual configuration and lacks official technical support from Microsoft [19].

  • Third-Party Imaging Solutions: Explore commercial imaging solutions like SmartDeploy, which offer a more streamlined and user-friendly approach to image deployment. SmartDeploy provides features such as a driver pack library, integration with USMT for user data migration, and cloud-based deployments. It simplifies the imaging process and reduces the complexity associated with managing drivers and applications [20].

  • Other Alternatives: Several other endpoint management solutions can serve as alternatives to Intune, each with its own strengths and weaknesses. Some notable options include NinjaOne, ManageEngine Endpoint Central, Atera, N-able N-sight, Ivanti Neurons, Workspace ONE, Hexnode UEM, ConnectWise Automate, Automox, IBM MaaS360, Citrix Endpoint Management, and GoTo Resolve [21].

Conclusion

Deploying Windows 11 images with Intune empowers organizations to efficiently manage and secure their endpoints. By following the detailed plan outlined in this guide, incorporating best practices, and utilizing troubleshooting resources, IT administrators can ensure a smooth and successful deployment process. Remember to tailor the plan to your specific requirements and explore alternative solutions when necessary.

Intune offers a range of deployment methods, including feature update deployments, Windows Autopilot, and integration with Configuration Manager. Choosing the appropriate method depends on your existing infrastructure and desired level of automation. By understanding the prerequisites, image creation steps, deployment options, and best practices, you can effectively leverage Intune to standardize your Windows 11 deployments and enhance your organization's endpoint security.

Works cited

1. How to upgrade to Windows 11 with Intune - System Center Dudes, accessed on January 31, 2025, https://www.systemcenterdudes.com/how-to-upgrade-to-windows-11-with-intune/

2. Deploying Windows 11 with Intune - Microsoft Q&A, accessed on January 31, 2025, https://learn.microsoft.com/en-us/answers/questions/762796/deploying-windows-11-with-intune

3. How to create a Windows system image - SmartDeploy, accessed on January 31, 2025, https://www.smartdeploy.com/blog/how-to-create-system-image-windows/

4. Windows 11 image creation for OEMs | Microsoft Learn, accessed on January 31, 2025, https://learn.microsoft.com/en-us/windows-hardware/manufacture/desktop/system-builder-deployment?view=windows-11

5. Deploy a Custom Image | Microsoft Learn, accessed on January 31, 2025, https://learn.microsoft.com/en-us/windows-hardware/manufacture/desktop/deploy-a-custom-image?view=windows-11

6. Unattended Installations, Answer Files, And Imaging In Windows Deployment: CompTIA A+ Guide - ITU Online IT Training, accessed on January 31, 2025, https://www.ituonline.com/comptia-a-plus/unattended-installations-answer-files-and-imaging-in-windows-deployment-comptia-a-guide/

7. How to Set Up Windows Autopilot with Microsoft Intune - Recast Software, accessed on January 31, 2025, https://www.recastsoftware.com/resources/how-to-set-up-windows-autopilot-with-microsoft-intune/

8. Windows deployment scenarios | Microsoft Learn, accessed on January 31, 2025, https://learn.microsoft.com/en-us/windows/deployment/windows-deployment-scenarios

9. How to Deploy Windows 11 Using Intune Autopilot – Full Guide, accessed on January 31, 2025, https://liam-robinson.co.uk/how-to-deploy-windows-11-using-intune-autopilot-full-guide/

10. Windows 11 Best Practices Part One: Onboarding - Mobile Jon's Blog, accessed on January 31, 2025, https://mobile-jon.com/2024/05/06/windows-11-best-practices-part-one-onboarding/

11. Why is there no MDT Support for Windows 11? - Microsoft Learn, accessed on January 31, 2025, https://learn.microsoft.com/en-us/answers/questions/1325234/why-is-there-no-mdt-support-for-windows-11

12. Struggling with Slow Intune Deployments - Reddit, accessed on January 31, 2025, https://www.reddit.com/r/Intune/comments/1eb1y0n/struggling_with_slow_intune_deployments/

13. Intune Application Installation Issues on Windows 11 24H2 - Microsoft Community, accessed on January 31, 2025, https://answers.microsoft.com/en-us/windows/forum/all/intune-application-installation-issues-on-windows/9d89725f-49a1-477c-aa0f-7344bb8b126d

14. Intune compliance and portal issues with Windows 11 - Microsoft Q&A, accessed on January 31, 2025, https://learn.microsoft.com/en-us/answers/questions/1386505/intune-compliance-and-portal-issues-with-windows-1

15. Troubleshooting Windows device enrollment errors in Intune - Microsoft Learn, accessed on January 31, 2025, https://learn.microsoft.com/en-us/troubleshoot/mem/intune/device-enrollment/troubleshoot-windows-enrollment-errors

16. Windows Autopilot known issues | Microsoft Learn, accessed on January 31, 2025, https://learn.microsoft.com/en-us/autopilot/known-issues

17. Answer files (unattend.xml) - Microsoft Learn, accessed on January 31, 2025, https://learn.microsoft.com/en-us/windows-hardware/manufacture/desktop/update-windows-settings-and-scripts-create-your-own-answer-file-sxs?view=windows-11

18. Learn about Intune security baselines for Windows devices, accessed on January 31, 2025, https://learn.microsoft.com/en-us/mem/intune/protect/security-baselines

19. What is Microsoft Deployment Toolkit (MDT)? Pros & cons | SmartDeploy, accessed on January 31, 2025, https://www.smartdeploy.com/blog/microsoft-deployment-toolkit-pros-cons-of-a-free-tool/

20. SmartDeploy vs. Windows Autopilot and Microsoft Intune, accessed on January 31, 2025, https://www.smartdeploy.com/comparisons/microsoft-intune-vs-smartdeploy/

21. 12 Best Microsoft Intune Alternatives & Competitors - NinjaOne, accessed on January 31, 2025, https://www.ninjaone.com/blog/alternatives-to-intune/

