Upgrading to a new operating system can be challenging, and Windows 11 is no different. Many organizations planning to upgrade their systems to Windows 11 might think they’re prepared, especially if they’ve previously upgraded to Windows 10. However, Windows 11 brings its own set of challenges, from meeting new hardware requirements to managing resources effectively.
In this blog post, we’ll walk you through the essential steps and tools needed for a smooth transition to Windows 11. We will focus on two main tasks:
- Collecting information to identify compatibility issues.
- Understanding and using the collected data effectively.
Whether you’re using Configuration Manager or Intune, we’ll explain the readiness dashboards, reporting options, and practical tips to ensure your devices are ready for the Windows 11 upgrade. We’ll cover everything from gathering initial data, checking compatibility, and using detailed reports for better decision-making.
Configuration Manager – Windows 11 Readiness Dashboard
Organizations using Microsoft Configuration Manager to manage Windows 10 operating systems can already orchestrate the required components to allow managed Windows devices to upgrade to Windows 11. This is one of the areas in which the Configuration Manager is more than capable of handling, but it also lacks reporting. Not just reporting on “Did my device successfully upgrade?” but even the first question, “Which of my devices are Windows 11 ready?”
In Configuration Manager version 2309, the ‘Windows 11 Upgrade Readiness Dashboard’ was introduced to provide details on ‘Upgrade Experience Indicators’. The goal is to give visibility on which devices meet the Windows 11 minimum requirements.
The report prerequisites are all fairly straightforward:
For Configuration Manager version 2203 or later, the WebView2 console extension must be installed.
If needed, select the notification bell in the top right corner of the console to install the extension.
Windows 10 telemetry services should be enabled at basic level.
Hardware inventory to be enabled on all client devices.
One area that can catch admins off guard is setting the correct telemetry data collection settings for clients. Using the Group Policy object, this can easily be achieved:
Windows 10: Computer ConfigurationAdministrative TemplatesWindows ComponentsData Collection and Preview BuildsAllow Telemetry – Enabled and set to 1 – Basic.
Windows 11: Computer Configuration > Administrative Templates > Windows Components > Data Collection and Preview Builds > Allow Diagnostic Data – Enabled and set to (1) Send required diagnostic data.
Setting these GPOs creates the registry DWORD:
HKLMSOFTWAREPoliciesMicrosoftWindowsDataCollection, DWORD: AllowTelemetry, value=1
Data Source
The data that drives the Windows 11 Readiness Dashboard reporting feature is generated locally by the built-in ‘Microsoft Compatibility Appraiser’ process.
The Microsoft Compatibility Appraiser, executed by the CompatTelRunner.exe scheduled task, collects system information to evaluate device compatibility with Windows OS versions. It involves the Appraiser.sdb (Shim Database) file, which contains compatibility information, and the Appraiser_TelemetryRunList.xml file, which provides processing rules. This process generates registry entries and .bin files, which Configuration Manager uses to determine upgrade readiness.
There is very little official Microsoft documentation around that covers the process in any great depth. However, there is an excellent blog by Adam Gross that unpacks a lot of this process and explains the specifics around how the ‘Appraiser.sdb’ and ‘Appraiser_TelemetryRunList.xml’ are used, including how to make sense of the compatibility assessment results. Be sure to have a read of his blog here: Demystifying Windows 10 Feature Update Blocks-A Square Dozen | A. Gross Blog
The Configuration Manager client hardware inventory process collects data from the registry entries produced by the CompatTelRunner.exe process. In addition to storing data in the mentioned .bins files, some of the data is written to ‘HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindows NTCurrentVersionAppCompatFlagsTargetVersionUpgradeExperienceIndicators’. This, in turn, populates a Configuration Manager inventory class ‘SMS_UpgradeExperienceIndicators’ with a bunch of properties and values.
Version
This property represents the value of the Windows 11 release against which the compatibility assessment has been processed. The values aren’t very well documented, but essentially, the version values in Windows 11 builds indicate the development cycle, release schedule, and internal codenames used by Microsoft. Here, we are expected to see the following values:
· CO21H2 (likely ‘Cobalt’)
· NI22H2 / 23H2 (likely ‘Nickel’)
· GE24H2 (likely “Germanium”).
· UNV (Not confirmed, but this could mean ‘Universal’ and contains data that applies across any operating system feature update.)
AppraiserVersion
The version of the compatibility appraiser database used for the assessment.
Reason
This property will store values related to the blocking ‘reason’ for the upgrade compatibility assessment. (CPU, TPM, etc)
TimeStamp
Date / Time the data was captured.
UpgExProp & UpgExU.
Again, little information is available explaining the difference between these two properties. However, we know that for the compatibility assessment to pass, both of these properties should be reporting ‘Green’. There’s a traffic-light approach in use; Red is a blocker, Orange is a more complex set of results with multiple triggers that define the property status, and Yellow status generally points towards an incompatible application that needs to be removed.
Client Inventory Collection
Configuration Manager clients collect and submit the data from the inventory class ‘SMS_UpgradeExperienceIndicators’ during the regular inventory schedule defined in the client settings policy.
Reporting Experience
The dashboard is embedded into the Configuration Manager console within the Software Library node. As well as showing metrics around OS version information and feature upgrade versions, four categories define the ‘upgrade experience indicators’:
· ‘Ready For Upgrade’
· ‘App Upgrade/Uninstall Required’
· ‘App/Driver Upgrade Required’
· ‘Cannot Upgrade’
Within the Upgrade Experience Indicators section, you can click on the actual donut chart to view the devices within that category.
For example, clicking the ‘Cannot Upgrade’ metric takes us to the assets and compliance view into a ‘Cannot Upgrade’ list of the associated devices.
The ‘Reason’ column provides one or more string values to indicate the blocking information. From this device list view we can add devices to new or existing collections.
Configuration Manager Summary
The Configuration Manager Windows 11 Readiness dashboard provides fairly basic visibility into identifying the device’s upgrade compatibility. Satisfying the prerequisites is quite straightforward, with the only trip up likely to be the setting of the telemetry logging on the clients. The blocking ‘reason’ string values could be better defined, and if there are unsupported applications or drivers blocking upgrades, you don’t get to see the extra detail of what they are. Overall, if you’re using Configuration Manager, it’s a reasonable starting point to identify devices compatible with Windows 11 but be prepared to do some additional digging for the blocking reasons, particularly around applications and drivers.
Intune Reporting – Windows 11 Readiness
Like Configuration Manager, Intune can be used to upgrade managed Windows devices to Windows 11 OS. The toolsets for both have different features and capabilities to achieve the goal, and they both offer a certain level of reporting for Windows 11 readiness.
Intune does offer a more comprehensive reporting library than Configuration Manager, but it doesn’t necessarily mean the overall reporting experience will meet our expectations, particularly when focusing on Windows 11 readiness. Amongst the available reports, there are three which can be used:
Windows feature update device readiness report
This report provides information about which devices have compatibility risks associated with upgrading to a particular Windows OS version.
Windows feature update compatibility risks report
This report summarizes the compatibility risks for the targeted Windows OS version and provides additional detail about the specific flagged risks.
Windows – ‘Work from anywhere’ report
This report focuses on the minimum system requirements for Windows 11 and which devices are ‘capable’ or not, including details on the specific hardware blockers.
Prerequisites
Apart from the obvious, e.g. devices must be managed by Intune (or ConfigMgr co-managed), devices joined to Entra or Entra hybrid joined, telemetry data must be enabled and be captured using Intune data collection policy.
To be eligible for the Windows Feature Update Device Readiness and Windows Feature Update Compatibility Risks reports, devices must:
Run a supported version of Windows 10 or later with the latest cumulative update
Be Microsoft Entra joined or Microsoft Entra hybrid joined
Be managed by Intune (including co-managed devices) or a supported version of the Configuration Manager client with tenant attach enabled
Have Windows diagnostic data enabled at the Required level or higher
Have Windows Health Monitoring configured to include Windows Updates as part of the scope
You must set the Enable features that require Windows diagnostic data in processor configuration setting within the Tenant administration > Connectors and tokens > Windows data to On.
Endpoint analytics data collection must be enabled with ‘optional’ level set. Endpoint Analytics uses the Windows Connected User Experiences and Telemetry component (DiagTrack) to collect the data from Intune-managed devices.
Data Source
Intune reporting on specific device information requires data to be captured on the device and uploaded to Microsoft. This is the subset of the dataset Microsoft talks about in their ‘Diagnostics, feedback, and privacy in Windows’ statement – Diagnostics, feedback, and privacy in Windows – Microsoft Support. In short: “Microsoft collects Windows diagnostic data to solve problems and to keep Windows up to date, secure, and operating properly. It also helps us improve Windows and related Microsoft products and services and, for customers who have turned on the Tailored experiences setting, to provide more relevant tips and recommendations to enhance Microsoft and third-party products and services for each customer’s needs.”
Windows OS telemetry is processed by the Connected User Experience and Telemetry service, also known as ‘DiagTrack’ or Customer Experience Improvement Program (CEIP). It’s a built-in Windows service that collects and transmits anonymized data about user experience and device health to Microsoft. This data can include device specs, installed programs, basic error info, and Windows update details.
Windows Connected User Experience and Telemetry / ‘DiagTrack’ service:
The volume and type of telemetry data that the ‘DiagTrack’ service will process is determined by which of the four logging options are selected:
Diagnostic data off (Security)
Required diagnostic data (Basic)
Enhanced (This setting is only available on devices running Windows 10, Windows Server 2016, and Windows Server 2019.)
Optional diagnostic data (Full)
We’re not going to deep dive on each logging level, but instead recommend the following reading: Configure Windows diagnostic data in your organisation (Windows 10 and Windows 11) – Windows Privacy | Microsoft Learn
Depending on the configured telemetry logging level, the data output is stored in encrypted files within %ProgramData%MicrosoftDiagnosis folder. This location is not accessible by non-administrative users. The Connected User Experience and Telemetry / ‘DiagTrack’ service uploads data to Microsoft over an HTTPS connection.
Additionally, Microsoft allows us to view the diagnostic data they collect in real time. ‘Diagnostic Data Viewer’ provides full visibility to the data collected and groups it into categories. The Diagnostic Data Viewer feature is disabled by default.
Diagnostic Data Viewer Overview (Windows 10 and Windows 11) – Windows Privacy | Microsoft Learn
The report parameters require selecting a ‘Target OS’ before generating the report.
Target OS selection (as of June 2024):
Once the OS target value is set, the report can be generated. In the top section of the report, a donut chart shows the devices grouped into ‘Readiness Status’ categories: Low Risk, Medium Risk, High Risk, Replace Device, Upgraded, and Unknown. In the bottom half of the report, a data table lists devices with various other columns, including basic device information and a few clues related to their readiness status.
This report provides limited information about upgrade readiness. Similar to the Configuration Manager report output, there’s no drill-through capability on any of the metrics on show. For example, you cannot drill down to any numerical value displayed in the ‘App issues’, ‘Driver issues’, or ‘Other issues’ columns to view more detailed information.
Windows feature update compatibility risks report
Like the ‘Windows feature update device readiness report,’ this also requires selecting a target OS before generating the report. The same target Windows OS options are listed again.
The report output format follows the device readiness report too: there’s donut chart and data table. The major difference with this report is that the focus is on the ‘Risk Status.’ The report provides additional details related to each ‘Risk Status’, specifically ‘Low Risk,’ ‘Medium Risk,’ and ‘High Risk.’ The data table does have click-through capabilities to display the affected devices related to the specific risk status.
Click-through detail:
Windows feature update compatibility risks report – Summary
This report provides some insight into why Windows devices may not be compatible with an OS upgrade. Incompatible applications and drivers can be reported here, too. This is an improvement on the Windows 11 readiness dashboard in Configuration Manager, purely for the details on any blockers with incompatible applications and drivers.
Windows – ‘Work from anywhere’ report
This report focuses on the minimum system hardware requirements for Windows 11 and which devices are ‘capable’ or not, including details on the specific hardware blockers.
Like the other reports, the data source relies on the Windows Connected User Experience and Telemetry / ‘DiagTrack’ service to process and upload data from the clients. There is a difference with this report though as, unlike the others, it leverages Endpoint Analytics. So as mentioned earlier, on-boarding to Endpoint Analytics is a requirement.
There are a whole bunch of reports nested within the ‘Work from anywhere’ section that provide a comprehensive ‘scoring’ of the environment across various subcategories and an overall score, alongside insightful recommendations. The ‘Windows’ subreport provides the ‘Windows 11 readiness status.’ The page will display any hardware blockers:
This is essentially what the Windows 11 readiness dashboard in Configuration Manager is; it provides the bare-bones output on hardware compatibility for Windows 11. The report does not have any click-through capabilities at all, and it also would be nice to have some ‘actions’ options based on the readiness state e.g. devices that equal ‘capable’ add those devices to a group or assign a feature update policy.
Hardware Readiness PowerShell script
Microsoft provides a standalone PowerShell script that can be executed on Windows devices to determine whether an individual device meets the system requirements for Windows 11. The script can be run locally from an elevated PowerShell session or across multiple devices in the enterprise, leveraging the device scripts feature in Microsoft Configuration Manager and Intune.
The script uses standard PowerShell commands and modules like ‘Get-WmiObject’, ‘Get-Tpm’ etc to gather the devices hardware details including Storage, Memory, TPM, CPU, and SecureBoot. The script output uses a ‘return code’ value to set the readiness state.
‘returnCode’
-2
FAILED TO RUN – the script encountered an error
-1
UNDETERMINED – one or more of the hardware requirement checks failed to execute properly
0
CAPABLE – the device meets all assessed Windows 11 hardware requirements
1
NOT CAPABLE – the device does not meet one or more of the assessed Windows 11 hardware requirements
The returnResult property is a string value representation of returnCode. The possible results include: CAPABLE, NOT CAPABLE, UNDETERMINED, and FAILED TO RUN.
Output example:
This script does not do much else other than highlight any hardware blockers in the categories mentioned. Using your favourite web search engine, you’ll also find that there are a plethora of PowerShell community efforts available, all providing different variations on this approach.
Windows 11 OS Media – Compat Scan
The Setup.exe process, when using Windows operating system media, includes the ability to check for system compatibility using the command line switch ‘/Compat scan only.’ This feature has existed for many years now. It has also been utilized in a few creative ways, including customizing Operating System upgrades using Configuration Manager by categorizing devices pre-upgrade. Using ‘setup.exe /compat scanonly’ uses the same data source approach as ‘compattelrunner.exe’; the Appraiser.sdb.
When running the setup.exe command e.g. ‘setup /auto upgrade /quiet /compat scanonly /copylogs C:TempCompatLogfile’ part of the setup process will determine whether the latest feature update has been applied, and, if not, the latest applicable version of the ‘appraiser.sdb’ database will be automatically downloaded. (Alternate_AppraiserData.cab). The processing rules for the appraiser remain the same, with the ‘Appraiser_TelemetryRunList.xml’ providing the rules of what to process.
Summary
Just as the ‘CompatTelRunner’ scheduled task creates bin files, the process during Windows Setup creates a set of XML and BIN files in the Panther folder and, if specified, the logs output path. The ‘CompatData_…… .xml’ can show us the hardware blockers.
In the output logs directory, we also have the ‘setupact.log’ and ‘setuperr.log’, which give us a more verbose view of the data. Overall, despite the fact that the data source (appraiser.sdb) is still somewhat a mystery in how it all fully works, there is sufficient data to improve the overall output.
Final Thoughts
The reporting solutions we’ve covered here are lacking in many ways. Whether that’s presentation, the lack of depth to the output, or just a bit cumbersome to use, the overall feeling is that the output should be much better given that the data depth is available. The ‘Appriaser.sdb’ appears to have all the information you’d want to know about OS upgrade blockers. Still, it’s not entirely straightforward to parse, and there’s little documentation around about its contents nor how the ‘Appraiser_TelemetryRunList.xml’ is used to process it.
Each report does at least cover the very basics to highlight hardware blockers, and the output quality is just about acceptable. Blocking information on applications and drivers is a bit inconsistent, with only the Intune reports providing real reliability.
If only we could have a single report or dashboard that reliably shows all the Windows 11 readiness data (and more!), with click-through datasets that provide data depth without just clues as to why an OS upgrade blocker exists.