I didn’t expect it to be such a challenge to determine which computers in the organization are not suitable for Windows 11. I am currently trying to determine this via WSUS and can identify all PCs with Windows 10 there. So far so good. However, when I check the status of the Windows 11 upgrade, I only get a list e.g. 80 PCs require the update and 120 PCs either have it installed or it is not applicable.

To create a list of which PCs are not suitable for Windows 11, I assume that these are the Windows 10 PCs for which the status is not applicable because they have not requested the update. The PCs with Windows 10 for which the status of the update is required are then the ones that can probably be upgraded. But that’s just a guess.

If I leave out the PCs with the status required, I still have to filter out Windows 11 from the rest. But WSUS does not allow the nested filters, and in PowerShell all attempts fail with endless error messages.

The second option I have found is via Intune. Here, however, the company-wide telemetry policies are not high enough to obtain the necessary information, and not all devices are included in Intune.
Does anyone else have an idea how I can get the information about which PCs can no longer be updated?

5 Spice ups

Have managed to get PowerShell to work by finding TPM version, but cannot get it to work out the CPU

1 Spice up

To retrieve the CPU version I used the following command:

Get-CimInstance Win32_Processor | Select-Object -ExpandProperty Name

HTH

3 Spice ups

Do you have any kind of RMM or inventory management system? I have Lansweeper and Datto RMM and both have a readiness report that looks at TPM and CPU.

3 Spice ups

If it helps, I used Microsoft’s hardware readiness script with success (in my case I used Action1 to run the script on all my endpoints, then looked through the results)
w11readiness.txt (33.2 KB)

1 Spice up

Thanks for being an Action1 customer! You know, since this returns JSON, parsing it into an Action1 data source would not be terribly hard… But I find it interesting I have now run that script on three systems that are running Windows 11 and it said all three were not capable. Albeit I have not broken it down to find out why.

1 Spice up

Maybe Secure Boot: the script is checking if it is enabled or capable of being enabled, but Win11 can actually be installed without it, so maybe those machines were…

1 Spice up

I usually just check the CPU in my inventory, since I already use the TPM. My remaining Windows 10 machines are due to unsupported hardware.

1 Spice up

Try Microsoft’s PC Health Check tool or WhyNotWin11 for a quick compatibility check. If you’re looking for a more automated approach, use PowerShell with WMI queries to check TPM, Secure Boot, and CPU compatibility.

2 Spice ups
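A sketch of the WMI/CIM queries mentioned above, added here as an example and not taken from any poster's script or from Microsoft's readiness script. The function name `Get-Win11HardwareFacts` is hypothetical. It only collects the facts (it does not decide CPU support, since the thread contains no supported-CPU list) and it assumes an elevated prompt.

```powershell
function Get-Win11HardwareFacts {
    # Assumption: run elevated. Win32_Tpm and Confirm-SecureBootUEFI need admin rights.
    $cpu = Get-CimInstance -ClassName Win32_Processor | Select-Object -First 1
    $cs  = Get-CimInstance -ClassName Win32_ComputerSystem

    # SpecVersion looks like "2.0, 0, 1.16"; the first field is the TPM spec version.
    $tpm = Get-CimInstance -Namespace 'root\cimv2\Security\MicrosoftTpm' `
                           -ClassName Win32_Tpm -ErrorAction SilentlyContinue
    $tpmVersion = 'none or unreadable'
    if ($tpm -and $tpm.SpecVersion) {
        $tpmVersion = ($tpm.SpecVersion -split ',')[0].Trim()
    }

    # Confirm-SecureBootUEFI throws on legacy BIOS systems and when not elevated,
    # so an exception is reported as its own state instead of "Disabled".
    $secureBoot = 'unsupported or access denied'
    try {
        if (Confirm-SecureBootUEFI -ErrorAction Stop) { $secureBoot = 'enabled' }
        else { $secureBoot = 'disabled' }
    } catch { }

    [pscustomobject]@{
        Computer   = $env:COMPUTERNAME
        CpuName    = $cpu.Name
        CpuCaption = $cpu.Caption
        Cores      = $cpu.NumberOfLogicalProcessors
        RamGB      = [math]::Round($cs.TotalPhysicalMemory / 1GB)
        TpmVersion = $tpmVersion
        SecureBoot = $secureBoot
    }
}

Get-Win11HardwareFacts | Format-List

# Remote use (assumes WinRM is enabled and $names holds reachable host names):
# Invoke-Command -ComputerName $names -ScriptBlock ${function:Get-Win11HardwareFacts}
```

Reporting Secure Boot as "disabled" separately from "unsupported" keeps machines that only need a firmware setting changed apart from machines that cannot use it at all.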

It should tell you why after the return code (if not capable)

e.g.

{"returnCode":1,"returnReason":"Processor, ","logging":"Storage: OSDiskSize=221GB. PASS; Memory: System_Memory=8GB. PASS; TPM: TPMVersion=2.0, 0, 1.16. PASS; Processor: {AddressWidth=64; MaxClockSpeed=2496; NumberOfLogicalCores=4; Manufacturer=GenuineIntel; Caption=Intel64 Family 6 Model 94 Stepping 3; }. FAIL; SecureBoot: Capable. PASS; ","returnResult":"NOT CAPABLE"}

the problem is the CPU

{"returnCode":1,"returnReason":"TPM, Processor, ","logging":"Storage: OSDiskSize=221GB. PASS; Memory: System_Memory=32GB. PASS; TPM: TPMVersion=1.2, 2, 3. FAIL; Processor: {AddressWidth=64; MaxClockSpeed=4008; NumberOfLogicalCores=8; Manufacturer=GenuineIntel; Caption=Intel64 Family 6 Model 94 Stepping 3; }. FAIL; SecureBoot: Capable. PASS; ","returnResult":"NOT CAPABLE"}

is the TPM and CPU

{"returnCode":0,"returnReason":"","logging":"Storage: OSDiskSize=472GB. PASS; Memory: System_Memory=32GB. PASS; TPM: TPMVersion=2.0, 0, 1.38. PASS; Processor: {AddressWidth=64; MaxClockSpeed=2304; NumberOfLogicalCores=16; Manufacturer=GenuineIntel; Caption=Intel64 Family 6 Model 141 Stepping 1; }. PASS; SecureBoot: Capable. PASS; ","returnResult":"CAPABLE"}

is an example of all test passes (in this case the endpoint is already running W11).

You should see a return code of 0 where all checks pass, 1 for where one or more tests fail, -1 for an exception or -2 if the script fails to run

1 Spice up
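To turn those JSON lines into a per-machine list with the failing checks and the evidence for each, something like the following works. It is an added example, not part of the original post or of Microsoft's script; the host names and the function name `ConvertFrom-ReadinessResult` are made up, and the JSON strings are the three outputs quoted above plus one constructed empty result.

```powershell
# Constructed input: host names are invented; JSON is copied from the post above.
$raw = [ordered]@{
    'PC-A' = '{"returnCode":1,"returnReason":"Processor, ","logging":"Storage: OSDiskSize=221GB. PASS; Memory: System_Memory=8GB. PASS; TPM: TPMVersion=2.0, 0, 1.16. PASS; Processor: {AddressWidth=64; MaxClockSpeed=2496; NumberOfLogicalCores=4; Manufacturer=GenuineIntel; Caption=Intel64 Family 6 Model 94 Stepping 3; }. FAIL; SecureBoot: Capable. PASS; ","returnResult":"NOT CAPABLE"}'
    'PC-B' = '{"returnCode":1,"returnReason":"TPM, Processor, ","logging":"Storage: OSDiskSize=221GB. PASS; Memory: System_Memory=32GB. PASS; TPM: TPMVersion=1.2, 2, 3. FAIL; Processor: {AddressWidth=64; MaxClockSpeed=4008; NumberOfLogicalCores=8; Manufacturer=GenuineIntel; Caption=Intel64 Family 6 Model 94 Stepping 3; }. FAIL; SecureBoot: Capable. PASS; ","returnResult":"NOT CAPABLE"}'
    'PC-C' = '{"returnCode":0,"returnReason":"","logging":"Storage: OSDiskSize=472GB. PASS; Memory: System_Memory=32GB. PASS; TPM: TPMVersion=2.0, 0, 1.38. PASS; Processor: {AddressWidth=64; MaxClockSpeed=2304; NumberOfLogicalCores=16; Manufacturer=GenuineIntel; Caption=Intel64 Family 6 Model 141 Stepping 1; }. PASS; SecureBoot: Capable. PASS; ","returnResult":"CAPABLE"}'
    'PC-D' = ''   # constructed: machine returned nothing
}

# Return codes as described in the post above.
$StatusByCode = @{ '0' = 'CAPABLE'; '1' = 'NOT CAPABLE'; '-1' = 'EXCEPTION'; '-2' = 'SCRIPT FAILED' }

function ConvertFrom-ReadinessResult {
    param([string]$ComputerName, [string]$Json)

    $r = $null
    try { if ($Json) { $r = ConvertFrom-Json -InputObject $Json -ErrorAction Stop } } catch { }
    if ($null -eq $r) {
        return [pscustomobject]@{ Computer = $ComputerName; Status = 'NO RESULT'; FailedChecks = ''; Evidence = '' }
    }

    $status = $StatusByCode[[string]$r.returnCode]
    if (-not $status) { $status = 'UNKNOWN' }

    # "logging" is a list of "<Check>: <detail>. <RESULT>;" entries. The Processor
    # detail contains semicolons itself, so match lazily up to ". RESULT;".
    $detail = @{}
    foreach ($m in [regex]::Matches([string]$r.logging, '(\w+): (.*?)\. ([A-Z]+);')) {
        $detail[$m.Groups[1].Value] = $m.Groups[2].Value
    }

    # returnReason is comma-separated with a trailing ", ".
    $failed = @(([string]$r.returnReason) -split ',' | ForEach-Object { $_.Trim() } | Where-Object { $_ })

    [pscustomobject]@{
        Computer     = $ComputerName
        Status       = $status
        FailedChecks = $failed -join ', '
        Evidence     = ($failed | ForEach-Object { "$_ = $($detail[$_])" }) -join ' | '
    }
}

$report = foreach ($name in $raw.Keys) { ConvertFrom-ReadinessResult -ComputerName $name -Json $raw[$name] }
$report | Format-Table -AutoSize -Wrap

# How many machines fail on each check (a machine can count for several checks)
$report | Where-Object Status -eq 'NOT CAPABLE' | ForEach-Object { $_.FailedChecks -split ', ' } |
    Group-Object | Sort-Object Count -Descending | Select-Object Count, Name
```

Piping `$report` to `Export-Csv` gives a file that can be compared against the WSUS or inventory lists.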

You might want to check with the computer vendor for a readiness list. I know Dell has one that shows which models are Windows 11 capable and which ones aren’t. I’m also waiting on my manager to say yes to getting Action 1 in place so I can use that to run some scripts to compare with the lists I got from Dell that I applied to my Inventory lists. We have quotes for Action1 since we are over 200 machines but I need manager approval before I can sign them for purchasing or even start implementing it via GPO.

1 Spice up

I have now decided to use the script from Microsoft and run it via Remote PowerShell on the computers that I can reach. I can then compare the data with that from WSUS and a self-built script that has made various queries.

I ran into a double hop problem because the script was initially stored on a remote server and I connected to the remote console from my workstation via psexec \\RemoteHost powershell. But now I just copy the script to the local C:\Windows\Temp directory of the remote computer.

I solved the problem with the almost 300 outdated objects in the Active Directory by first querying a list of all Windows 10 computers from the AD with the lastLogonTimestamp. Then I removed all PCs from the list that had not logged on for more than 12 months. Then 200 objects were already gone.

I then queried the remaining ones for TPM, CPU and SecureBoot using a self-made script and the computers that were not online were now queried using the script from Microsoft. There are still quite a few that have not responded, but that is to be expected when the timestamp is set back 12 months. The time period is only for control purposes, but the computers are no longer included in the calculation.

I will check on site why this is the case for the computers on which an upgrade should actually be possible, but still came up with a negative result. Presumably the Secure Boot is simply not activated. This may well be the case if the system has been reinstalled in the meantime and the admin has used an unsigned installer.

I estimate that I will end up with around 30 to 40 computers that need to be replaced. The problem wouldn’t be quite so dramatic if the management didn’t want a list of the computers that need to be replaced by the middle of next week.

Many thanks to all contributors for the many valuable tips.

1 Spice up

Filter out every machine with 8 GB of RAM since Windows 11 requires 16 GB

1 Spice up

Basically, that’s one of my biggest worries, because a RAM upgrade could be enough and the PC doesn’t need to be replaced.

Nothing that helps me here. We also have Intune, but it fails due to the telemetry data settings, which are not sufficient for this. Other inventory programs will probably also be based on this. I didn’t pursue this approach any further because we only have devices in Intune whose users also have a Microsoft 365 license anyway. All the PCs in production and supporting production don’t have anything like that. That’s not even that few and there are also a disproportionate number of older PCs among them.

1 Spice up

We use PDQ Inventory…just set a dynamic group for Win10 machines so that it pulls out all the Win10 machines into that group.

Within the Win10 group, further created more groups for

  • CPU type (those that cannot use Win11)
  • TPM availability (so can target to turn on and see if can upgrade to Win11)
  • very old machines (those older than 5 yrs which will be replaced soon, do not bother to upgrade to win11)

Now that we have “bite-sized” information, it will be easier to target machines?

Unfortunately, I no longer have the time to implement such a system. I have to provide the report to the management on Wednesday. But I think I can also apply the argument to the older machines. The time pressure is due to the fact that the management believes that higher prices will have to be expected in the near future. This is already a factor with 30, 40 or 50 machines. But precisely this argument can also be applied to machines that have already reached or will soon reach the end of their service life. Even if they could still be upgraded. We are currently negotiating with the supplier and are apparently getting a very attractive project price.

But that’s just an afterthought. Something I can use to spice up the report. The task of identifying the machines that cannot be upgraded by Wednesday remains the mandatory task.

But thanks for your advice. That could still be useful.

I think PDQ Inventory is free for 50 machines…if you suspect that you may have 50 or less Win10 machines?

Installing PDQ Inventory takes minutes and running the scan takes minutes…if most of machines are online, you can have the report within 1 hour

At the moment we have over 200 desktop devices. 130 of them are still Windows 10 and we estimate that we need to replace 30 to 50 of them.

I am not sure if the 14 days trial is still available…