Win 11 Upgrade – few important things
Upgrade Plans
- Microsoft Configuration Manager
- Servicing plans
- Task Sequence
- Upgrade
- Wipe (OSD)
- Intune
- Windows Update for Business (don’t forget delivery optimization)
- Win32 App (don’t forget delivery optimization)
PreReqs
Wi-Fi profile changes
- Windows 11 no longer supports automatic PEAP sign-on without a certificate. You’ll be prompted to confirm if you want to connect to the untrusted network.
- To avoid this inconvenience, specify your Trusted Root certificate as well as your authentication server.
- This might be a good opportunity to switch to EAP-TLS (Certificate) authentication instead of PEAP (username and password).
Credential Guard overview | Microsoft Learn
Default enablement
Starting in Windows 11, 22H2 and Windows Server 2025, VBS and Credential Guard are enabled by default on devices that meet the requirements.
The default enablement is without UEFI Lock, thus allowing administrators to disable Credential Guard remotely if needed.
When Credential Guard is enabled, VBS is automatically enabled too.
Security Baseline
Microsoft’s Security Baselines provide robust security settings that can enhance your security score in Microsoft Defender for Endpoint (MDE). However, enabling these security features may impact user functionality. It’s essential to thoroughly review the proposed changes in the baseline, test them, and document any modifications you make to the baseline settings if necessary.
Since UEFI and SecureBoot are necessary for Windows 11 and VBS, it’s a good idea to enable this security feature now.
However, start by enabling it WITHOUT UEFI lock. This way, if any issues arise within the first few weeks after deployment, you can easily rollback the policy for affected devices. If you enable UEFI lock from the beginning, it will be very difficult to remove the policy later on. Therefore, consider that enabling UEFI lock is a one-way decision.
