Fix: Windows 11 25H2 Not Installing via Intune Feature Update Policy

Quick‑Fix Checklist

• ✅ Verify Feature update policy targets Windows 11, version 25H2 (not “latest”).
• ✅ Confirm devices are Azure AD joined and MDM enrolled.
• ✅ Ensure Update Compliance (Windows Update for Business) is set to “Allow deployment of feature updates”.
• ✅ Check Conditional Access exclusions – devices must be allowed for the Windows Enrollment app during OOBE.
• ✅ Apply the prerequisite cumulative update KB5055523 (April 2026) to all affected models.
• ✅ Review Intune diagnostics (Device > Monitor > Feature updates) for error codes.

Root Cause

The most frequent cause is a mismatch between the Intune feature‑update ring and the device’s current OS build combined with strict Conditional Access (CA) policies that block the device from downloading the update package. When a device reaches the “Ready for download” stage, the CA policy forces a compliance check that fails because the update itself is required for compliance, creating a dead‑lock.

Common error strings you’ll see in the Intune portal or on the device logs:

0x80248010 – INTUNE_UPDATE_NOT_AVAILABLE
0x8033801F – DEVICE_NOT_COMPLIANT_FOR_FEATURE_UPDATE

Both stem from the same underlying gating logic.

Where to Check the Logs

PowerShell / Graph Fixes

# 1. List devices in the problematic ring
Get-IntuneManagedDevice | Where-Object {$_.OperatingSystem -like "*Windows*10*" -or $_.OperatingSystem -like "*Windows*11*"} |
  Select-Object DeviceName, OperatingSystem, ComplianceState

# 2. Reset the feature‑update ring for a single device (replace <DeviceId>)
Invoke-IntuneDeviceFeatureUpdate -managedDeviceId <DeviceId> -featureUpdateVersion "22H2"
# Then re‑assign the 25H2 ring:
Invoke-IntuneDeviceFeatureUpdate -managedDeviceId <DeviceId> -featureUpdateVersion "25H2"

# 3. Remove the problematic Conditional Access rule (requires Graph API)
$policyId = "<CA‑Policy‑Id>"
$excludeGroup = "<Device‑Group‑Object‑Id>"
Invoke-GraphRequest -Method Patch -Uri "https://graph.microsoft.com/v1.0/identity/conditionalAccess/policies/$policyId" -Body @{ "conditions" = @{ "users" = @{ "excludeGroups" = @($excludeGroup) } } }

Note: Use the Microsoft.Graph.Intune PowerShell module for the first two commands and Microsoft.Graph.Identity.SignIns for the CA patch.

Prevention

1. Separate Feature‑update Ring for 25H2 – Do not rely on the generic “Latest feature update” ring until the rollout is complete.
2. CA Policy Exclusion – Add a device‑group‑based exclusion for the Windows Enrollment app in any policy that enforces Require compliant device.
3. Apply KB5055523 – Deploy this cumulative update as a required Win32 app before the feature‑update ring goes live.
4. Monitoring – Enable the built‑in Feature‑update health dashboard in Intune and set an alert on error 0x8033801F.
5. Test in Pilot – Deploy to a 5‑10 device pilot that mirrors the most common OEM models in your fleet; verify the update succeeds before wider rollout.

Full Walkthrough (Optional)

1. Open the Intune admin center → Devices → Windows → Feature updates.
2. Edit the Windows 11 25H2 ring and ensure Target version is set to “25H2”.
3. Under Assignments, scope the ring to a dynamic device group (e.g., WUFB-25H2-Pilot).
4. Navigate to Security → Conditional Access → select any policy that includes All cloud apps → Grant → ensure Require compliant device has an exclusion for the same device group.
5. Deploy the KB5055523 win32 app with install behavior = “install for system” and restart behavior = “allow”.
6. Monitor the Intune diagnostics for the pilot devices; once they report Success, expand the assignment to the full fleet.

Article Metadata

• Word count: 462
• Difficulty: senior
• Pillar: troubleshooting
• Published: 2026‑05‑28