Windows 11 Version 25H2: A Technical Overview for IT Professionals
- Audience: IT Administrators
- Assumed knowledge: Windows servicing, Windows Update for Business, Group Policy, Intune, legacy Windows scripting tools (PowerShell 2.0, WMIC)
- Scope / Out of scope: This guide covers the key changes, security focus, and deployment model for Windows 11 Version 25H2 (the Windows 11 2025 Update). It emphasizes the shift to a servicing-focused update rather than a major feature release.
- Servicing Model Update: 25H2 is delivered as a small enablement package for devices already on version 24H2, making the update extremely fast (a single reboot). It is not a major feature release.
- Security and Streamlining: The update's primary focus is on security enhancements and making the OS "leaner." This includes significant removals of legacy components.
- Legacy Tools Removed: PowerShell 2.0 and the Windows Management Instrumentation command-line (WMIC) tool are removed in 25H2. IT admins must update any scripts relying on these components.
- New IT Admin Capabilities: The update introduces the ability for admins to remove select pre-installed Microsoft Store apps on Enterprise and Education devices via Group Policy and Intune, and adds support for Wi-Fi 7 for enterprise connectivity.
Background & context
Windows 11 Version 25H2, also known as the "Windows 11 2025 Update," represents a shift in Microsoft's annual update strategy. Unlike previous feature-heavy releases, 25H2 is a streamlined, security-focused update delivered as an enablement package. This means that version 25H2 shares the same core operating system and codebase as version 24H2.
For IT professionals, this approach simplifies the update process for devices already on 24H2, reducing downtime significantly. However, the update also formalizes the removal of key legacy tools and introduces new management capabilities that require attention and planning. This release resets the support lifecycle to 36 months for Enterprise/Education editions and 24 months for Home/Pro editions.
- General Availability Date: The phased rollout began on September 30, 2025.
- Deployment Channels:
  - Windows Update: Available for "seekers" on eligible 24H2 devices.
  - Commercial Channels: Available via Windows Autopatch and the Microsoft 365 admin center.
  - WSUS and VLSC: Becomes available via Windows Server Update Services (WSUS) on October 14, 2025. ISOs are also available for download.
Prerequisites
| Requirement | Minimum / version | Notes |
|---|---|---|
| Eligible Devices | Devices running Windows 11, version 24H2 for enablement package. | Devices on 23H2 or earlier will undergo a full OS swap. |
| Management Tools | WSUS, MECM, Intune, Windows Autopatch | Required for controlled enterprise deployment. |
| Admin Permissions | Group Policy or Intune administrator rights | Needed to configure new policies, especially for app removal. |
| Script Validation | - | Review and update any scripts using the now-removed WMIC or PowerShell 2.0 components. |
What’s new / Key changes
Version 25H2 is primarily a servicing and security release. Most user-facing features were previously delivered in a disabled state via monthly updates to version 24H2 and are now enabled by default.
| Area | Prior behavior | New / changed behavior |
|---|---|---|
| Update Delivery | Annual feature updates were large, requiring a full OS swap. | For 24H2 users, 25H2 is activated by a small, fast enablement package (eKB). |
| Legacy Components | PowerShell 2.0 and WMIC were available but deprecated. | PowerShell 2.0 and WMIC are removed. Scripts relying on wmic.exe will fail. |
| App Management | Limited native ability to remove pre-installed inbox apps via policy. | IT admins can remove select pre-installed Microsoft Store apps on Enterprise/EDU editions using Group Policy or Intune. |
| Connectivity | Wi-Fi 6/6E was the latest standard supported. | Wi-Fi 7 support is included for enterprise-grade wireless connectivity. |
| Security | Standard security development lifecycle. | Enhanced focus on the Microsoft Secure Future Initiative, with improvements in vulnerability detection and AI-assisted secure coding. |
Procedure / Implementation
Step 1 – Audit and Remediate Legacy Scripts
Before deploying 25H2, you must identify and update any automation, management scripts, or monitoring tools that rely on wmic.exe or PowerShell 2.0.
- Identify WMIC Usage: Search your script repositories (e.g., logon scripts, deployment task sequences, monitoring agents) for calls to wmic.exe.
- Convert to PowerShell CIM: The modern replacement for WMIC is PowerShell's CIM/WMI cmdlets (e.g., Get-CimInstance, Invoke-CimMethod).
  - Legacy WMIC Example: `wmic bios get serialnumber`
  - Modern PowerShell Equivalent: `Get-CimInstance -ClassName Win32_BIOS | Select-Object -ExpandProperty SerialNumber`
- Validate PowerShell Versions: Ensure your scripts do not force or rely on PowerShell 2.0 features. Most modern scripts will not be affected, but legacy scripts may require updates.
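One way to run the Step 1 audit, as an added example that is not part of the original article or any Microsoft tooling: it scans a script tree for wmic.exe calls and for powershell.exe launched with -Version 2, and suggests the CIM class for common WMIC aliases. The function name Find-LegacyToolUsage, the partial alias table, and the sample files are assumptions made for illustration, and the regular expressions are heuristics whose hits need manual review.

```powershell
# Added example: heuristic audit for wmic.exe calls and forced PowerShell 2.0.
# Find-LegacyToolUsage is a hypothetical helper, not Microsoft tooling.
$AliasToClass = @{   # common WMIC aliases and the CIM classes behind them (partial list)
    bios = 'Win32_BIOS'; os = 'Win32_OperatingSystem'; cpu = 'Win32_Processor'
    computersystem = 'Win32_ComputerSystem'; csproduct = 'Win32_ComputerSystemProduct'
    logicaldisk = 'Win32_LogicalDisk'; process = 'Win32_Process'; service = 'Win32_Service'
}

function Find-LegacyToolUsage {
    param([Parameter(Mandatory)][string]$Path)   # root of the script tree to audit

    # wmic, optional global switches such as /node:..., then the alias being queried
    $wmic = '(?i)\bwmic(?:\.exe)?"?(?:\s+/\S+)*(?:\s+(?<alias>[a-z_]+))?'
    # powershell.exe started with -Version 2 (or the short form -v 2)
    $ps2  = '(?i)\bpowershell(?:\.exe)?"?\s.*?-v(?:ersion)?\s+2(?:\.0)?(?=\s|"|$)'

    $files = Get-ChildItem -Path $Path -Recurse -File -Include *.ps1, *.psm1, *.bat, *.cmd, *.vbs
    foreach ($file in $files) {
        $n = 0
        foreach ($line in Get-Content -LiteralPath $file.FullName) {
            $n++
            if ($line -match $wmic) {
                # The alias group is absent from $Matches when no alias followed wmic
                $class = $AliasToClass[[string]$Matches['alias']]
                $hint  = if ($class) { "Get-CimInstance -ClassName $class" } else { 'Unknown alias; map the WMI class manually' }
                [pscustomobject]@{ File = $file.Name; Line = $n; Finding = 'WMIC call'; Hint = $hint }
            }
            if ($line -match $ps2) {
                [pscustomobject]@{ File = $file.Name; Line = $n; Finding = 'Forces PowerShell 2.0'
                                   Hint = 'Remove -Version 2 and retest on 5.1 or 7' }
            }
        }
    }
}

# Constructed sample scripts so the audit can be run offline.
$demo = Join-Path ([IO.Path]::GetTempPath()) 'legacy-audit-demo'
New-Item -ItemType Directory -Path $demo -Force | Out-Null
Set-Content -Path (Join-Path $demo 'inventory.cmd') -Value @(
    'wmic bios get serialnumber'
    'wmic /node:SRV01 os get caption'
)
Set-Content -Path (Join-Path $demo 'logon.bat') -Value 'powershell.exe -Version 2 -File \\share\logon.ps1'

Find-LegacyToolUsage -Path $demo | Format-Table -AutoSize
```

Against the constructed files this reports two WMIC calls in inventory.cmd (mapped to Win32_BIOS and Win32_OperatingSystem) and one forced PowerShell 2.0 launch in logon.bat.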
Step 2 – Plan for Pre-installed App Removal
For the first time, you can declaratively remove specific, non-essential inbox applications during or after deployment on managed enterprise devices.
- Identify Target Apps: Determine which pre-installed apps (e.g., Mail, Calendar, etc.) you wish to remove from your corporate environment.
- Configure Policy:
  - In Intune: Navigate to Devices > Configuration Profiles and create a new profile using the Settings Catalog. Search for the policies related to "Application Management" or "Allow App Removal" to configure which inbox apps to remove.
  - In Group Policy: Locate the corresponding policy settings under Computer Configuration > Administrative Templates > Windows Components > Store.
- Deploy and Test: Assign the policy to a pilot group of 25H2 devices.
Verification: After the policy applies and the device reboots, verify that the specified applications are no longer present for the user. Check the device's Intune sync status or run gpresult to confirm the policy has been applied successfully.
Step 3 – Deploy the 25H2 Enablement Package
For devices already on version 24H2, deployment is straightforward and minimally disruptive.
- Using Windows Update for Business (WUfB):
  - Ensure devices are in a deployment ring that is targeted for the 25H2 update.
  - Users can also proactively install it by going to Settings > Windows Update and enabling "Get the latest updates as soon as they're available".
- Using WSUS:
  - After October 14, 2025, synchronize your WSUS server.
  - Approve the "Feature Update to Windows 11, version 25H2 via Enablement Package" for your target computer groups.
- Using Intune:
  - In the Intune admin center, go to Devices > Feature updates for Windows 10 and later.
  - Create a new policy, select Windows 11, version 25H2 as the target, and assign it to your device groups.
The update will only appear as a small enablement package if the device is already running Windows 11, version 24H2 with the latest cumulative updates. Otherwise, it will be offered as a full feature update.
Troubleshooting & Known Issues
Because 25H2 and 24H2 share a core operating system, they also share the same known issues. As of September/October 2025, there are no issues unique to 25H2.
| Issue | Description | Status |
|---|---|---|
| Protected Content Playback | Some apps using Enhanced Video Renderer or DRM for digital audio may fail to play protected content, resulting in errors or black screens. This does not affect streaming services. | Mitigated |
| WUSA Update Failures from Network Share | Installing .msu updates using the Windows Update Standalone Installer (WUSA) from a network share containing multiple files may fail. | Mitigated |
| Media Creation Tool on Arm64 | The media creation tool may fail to run on devices with Arm64 processors when trying to create media for x64 devices. | Investigating |
Workarounds & Mitigations:
- Protected Content: This is partially resolved in the September 2025 preview update. A full fix is pending.
- WUSA Failures: This is resolved for most non-managed devices via Known Issue Rollback (KIR). IT admins can deploy a specific Group Policy to fix it on managed devices. The primary workaround is to copy the .msu file locally before installation.
- Media Creation Tool: Use an x64-based device to run the tool.
For the latest status, always refer to the official Microsoft resources listed under Related Resources.
Security & Compliance Considerations
- Deprecation of Legacy Tools: The removal of WMIC and PowerShell 2.0 is a security-positive move, as it reduces the attack surface and forces the adoption of modern, more secure management protocols (CIM over WinRM). Compliance and security teams should validate that all system management tools have transitioned away from these legacy components.
- App Removal Policy: The new ability to remove inbox apps allows organizations to better enforce a least-privilege software environment and reduce the potential attack surface from unused applications.
Best Practices & Recommendations
- Prioritize Script Auditing: Do not deploy 25H2 until you are confident that no critical infrastructure relies on WMIC or PowerShell 2.0. This is the most significant breaking change for IT operations.
- Embrace the Enablement Package Model: For devices on 24H2, leverage the fast, low-impact update process to bring devices up to date quickly and reset their support lifecycle.
- Test App Removal Policies: Before a broad rollout, test the new app removal policies on a pilot group to ensure they behave as expected and do not inadvertently remove an application that a department relies on.
References & FAQs
Related Resources
- Official Microsoft Announcement: How to get the Windows 11 2025 Update
- Official Update History: Windows 11, version 25H2 update history
- Official Release Health Hub: Windows 11, version 25H2 known issues and notifications
This article was collaboratively developed by a human subject matter expert and an AI assistant to ensure it is both comprehensive and easy to understand.