Use Microsoft Forms to request Windows 11 upgrade
Let people within your organization decide if they want to receive the upgrade to Windows 11. Use Microsoft Forms together with Azure Logic Apps and Azure Automation Accounts to make Microsoft Intune managed Windows 10 workplaces eligible for Windows 11 upgrade.
What we need
The following is needed to implement this:
- An active subscription and an account with enough permissions to deploy resources and assign roles.
- Microsoft Forms license for the (service) account that is used to set up the Microsoft Forms API connection for the Logic app.
- Workspace that is managed with Microsoft Intune so we can use Windows Update for Business.
- A Microsoft form that can be used by every employee with an input field for the device name.
- Automation Account where we can run our PowerShell runbook.
- The Azure Logic App that will use the Microsoft Forms connection to receive a trigger and the Automation Accounts connection to start the runbook.
All scripts can be found on my GitHub. Be careful: check the variables and test everything first before implementing it in production.
Microsoft Intune
Check if your organization is using Windows Update for Business rings and, if so, disable the "Upgrade Windows 10 devices to Latest Windows 11 release" setting when it is active.
In Microsoft Intune, create a Feature update package (for example: Windows 11, version 23H2) and attach it to a device security group that we will use later in our Automation Account runbook. In my case I used a device security group called SG-CL-W11-UPGRADE-DEVICE.
Microsoft Forms
Create a Microsoft Form where people can submit a request to get the Windows 11 upgrade by filling in their device name. See for example the image below.
Add collaborators to the form so colleagues are also able to modify it. The link to the form is also found here and can be shared with end users.
Go to Settings and enable Record name. This is important, because otherwise the responder will always be Anonymous instead of the user's email. We need the user's email to verify that they are the primary owner of the device they are requesting the upgrade for.
Write down the form id (all characters after id=), which is visible in the address bar of your browser. We can use the form id later if we want to automate the deployment of the Azure Logic App via Azure DevOps.
The form id can change automatically, for example when permissions are modified. This can break the whole process!
Azure Automation accounts
Add the PowerShell runbook FormsW11UpdateRequest.ps1 in Automation Accounts. Check if specified variables in the script are declared in the Automation Account variables.
This runbook will be triggered by the Azure Logic App and will add the device to the group SG-CL-W11-UPGRADE-DEVICE. It will check if the device and user exist and if the device is assigned to the user. When error(s) occur, the user will be notified by mail.
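The checks described above decide whether a free-text form answer may change group membership, so they are worth keeping in one function that can be exercised without any tenant. The following is an added example, not the FormsW11UpdateRequest.ps1 script from the author's GitHub; the function name Test-UpgradeRequest, its parameters and the sample records are hypothetical, and it assumes the responder's email equals the device's userPrincipalName.

```powershell
# Added example. Test-UpgradeRequest, its parameters and the sample data are hypothetical.
function Test-UpgradeRequest {
    param(
        [string]$ResponderEmail,    # responder recorded by Microsoft Forms
        [string]$DeviceName,        # free-text answer typed into the form
        [object[]]$ManagedDevices   # device records: deviceName, userPrincipalName
    )
    $deny = { param($why) [pscustomobject]@{ Approved = $false; Reason = $why } }
    $name = $DeviceName.Trim()

    # Without "Record name" the responder is Anonymous and ownership cannot be verified.
    if ($ResponderEmail -notmatch '\A[^@\s]+@[^@\s]+\z') {
        return & $deny 'Responder is not an identified user'
    }
    # Allow-list matching standard Windows computer names: up to 15 letters, digits
    # and hyphens. Anything else is rejected before it reaches a query, filter or log.
    if ($name -notmatch '\A[A-Za-z0-9-]{1,15}\z') {
        return & $deny 'Device name has an invalid format'
    }
    $found = @($ManagedDevices | Where-Object { $_.deviceName -eq $name })
    if ($found.Count -eq 0) { return & $deny 'Device not found' }
    if ($found.Count -gt 1) { return & $deny 'Device name is not unique' }
    # Assumption: the responder's email equals the device's userPrincipalName.
    if ($found[0].userPrincipalName -ne $ResponderEmail) {
        return & $deny 'Device is not assigned to the responder'
    }
    [pscustomobject]@{ Approved = $true; Reason = "Add $($found[0].deviceName) to the upgrade group" }
}

# Constructed inventory standing in for the Intune managed devices.
$devices = @(
    [pscustomobject]@{ deviceName = 'WS-001'; userPrincipalName = 'anna@contoso.example' }
    [pscustomobject]@{ deviceName = 'WS-002'; userPrincipalName = 'ben@contoso.example' }
)
# Constructed responses: owner, someone else's device, anonymous, malformed name.
$requests = @(
    @{ ResponderEmail = 'Anna@contoso.example'; DeviceName = ' ws-001 ' }
    @{ ResponderEmail = 'anna@contoso.example'; DeviceName = 'WS-002' }
    @{ ResponderEmail = 'Anonymous';            DeviceName = 'WS-001' }
    @{ ResponderEmail = 'ben@contoso.example';  DeviceName = "WS-002' or '1" }
)
foreach ($r in $requests) {
    $result = Test-UpgradeRequest @r -ManagedDevices $devices
    '{0} / {1} -> Approved={2}: {3}' -f $r.ResponderEmail, $r.DeviceName, $result.Approved, $result.Reason
}
```

Only the first constructed request is approved; the string comparisons are case-insensitive, which is the PowerShell default for -eq and -match.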
Azure Logic Apps
Create a Consumption based Azure Logic App and call it for example logic-msforms-automation. Go to Identity and enable System assigned identity. This will create an object that we can use to assign roles.
The following roles need to be assigned: the Automation Job Operator and Reader roles on the Automation Account where the FormsW11UpdateRequest.ps1 runbook is located. This is needed so the Azure Logic App can find the runbook and execute it.
Open your created Azure Logic App, go to Logic app designer and start with a blank canvas. Search for When a new response is submitted and add it.
Click on Select connection or, if none are found, Add new. The Microsoft Forms connection must be authorized with a regular account that has the Forms license assigned. Unfortunately, at the time of writing, the use of a service principal is not supported for this API.
If the connection is established successfully, you will see the Microsoft Form we created earlier. You can also fill in the form id when there is nothing to select. Add Get response details and select List of response notifications Response id.
Add a new step and search for Create job. Select the one used for Automation Accounts and create the API connection when needed. The automation connection can be authorized with the Logic app system assigned identity.
When the System assigned identity of the Azure Logic App has the correct Azure roles assigned, it should be able to find the FormsW11UpdateRequest.ps1 runbook.
Specify the parameters with the output from the Microsoft Form. In my example I am running it from a Hybrid Automation Worker Group, but that is not necessary.
Beware: the Automation Job Operator and Reader roles must be set, otherwise the runbook cannot be found and triggered!
It's also possible to deploy the Azure Logic App with its required API connections automatically by using Azure DevOps pipelines. The code for this can also be found on my GitHub.
I tried to make the ARM templates as flexible as possible. In the variables it's necessary to specify the corresponding id for each question. Open your form, go to the corresponding question, right-click the Enter your answer field and select Inspect. This will open a side pane under Elements. Copy the value after QuestionId. This id will be used for the hostnameId we need in our Logic App deployment.
Happy testing!
Open the Windows 11 request form as a user and fill in your device name. Select submit and check if the Azure Logic App is triggered.
When multiple requests are submitted in a short period of time, the Azure Logic App will handle all requests in chronological order. The Automation Account runbook will finish each request before continuing to the next one.
When triggered, check if the FormsW11UpdateRequest.ps1 runbook is running.
If all ran as expected the user and specified device are added to the security groups and a log file is uploaded to SharePoint. This info can also be found in the runbook’s output in Automation Accounts.
Verify the output and wait a few minutes. Speed up the process by initiating a sync. Eventually the user will see that an upgrade is available on their Windows 10 workplace in Windows Update settings.