
Windows 11 Readiness Check

Audit Windows 11 upgrade readiness across endpoints by checking TPM 2.0, Secure Boot, CPU, RAM, and disk capacity

Worklet Details

What the Windows 11 readiness check does

This Automox Worklet™ audits Windows 11 upgrade readiness on Windows endpoints by inspecting the four hardware gates Microsoft enforces during in-place upgrade. The Worklet runs Get-Tpm to confirm a TPM 2.0 module is present and enabled. It calls Confirm-SecureBootUEFI to verify the firmware boots in UEFI mode with Secure Boot active. It then queries Win32_Processor via Get-CimInstance to read the CPU model and architecture.

The CPU check compares the detected processor against Microsoft's supported list for Windows 11. The list excludes most Intel 7th-generation Core and earlier parts, AMD Zen and Zen+ desktop CPUs, and any 32-bit silicon. Endpoints below the 1 GHz, 2-core, 64-bit threshold fail the gate even when the named CPU is technically on the list. The Worklet also reads Win32_PhysicalMemory and Win32_DiskDrive. These calls confirm the endpoint carries at least 4 GB of installed RAM and 64 GB of primary disk capacity.

The Worklet writes a per-endpoint result to the Automox activity log. Compliant endpoints record "Endpoint is Windows 11 Ready." Non-compliant endpoints record a structured failure message that names the specific gate that did not pass: TPM, Secure Boot, CPU, RAM, or disk. IT operations teams can then triage by failure class instead of re-running the audit per host. No changes are made to the endpoint. This is a read-only audit Worklet that returns exit code 0 on a compliant evaluation and exit code 1 when one or more gates fail.

Why audit Windows 11 readiness before the October 2025 deadline

Windows 10 reached end of support on October 14, 2025. Unpatched endpoints now accumulate vulnerability exposure with every Patch Tuesday. The four Windows 11 hardware gates – TPM 2.0, UEFI Secure Boot, a supported CPU, and the 4 GB / 64 GB minimums – enforce a hardware-rooted trust boundary. They also mean a meaningful share of any mixed fleet cannot upgrade in place. Without a fleet-wide audit, you cannot tell which endpoints are blocked by a BIOS toggle versus which are blocked by silicon that needs a refresh.

Knowing which Windows 10 endpoints can actually take a Windows 11 in-place upgrade is the data layer underneath every downstream migration decision. This Worklet checks the four readiness gates (CPU generation and instruction set, TPM 2.0, Secure Boot, and 4 GB minimum memory) on every endpoint and reports the result back to the console. Which endpoints get an in-place upgrade policy, which get scheduled for a BIOS or firmware refresh, and which become a hardware-refresh budget request all start with the same audit run.

How the Windows 11 readiness audit works

  1. Evaluation phase: The Worklet runs Get-Tpm to read TpmPresent and TpmReady, then checks the SpecVersion property for a 2.0 entry. It calls Confirm-SecureBootUEFI to confirm UEFI firmware and active Secure Boot policy. CPU model, clock speed, core count, and architecture come from Get-CimInstance -ClassName Win32_Processor. The model string is matched against Microsoft's supported processor list for Intel, AMD, and Qualcomm. Installed RAM is summed across Win32_PhysicalMemory modules. Primary disk size is read from Win32_DiskDrive where Index = 0. If any gate fails, the evaluation script exits 1 and the failure reason is logged.

  2. Remediation phase: Because the gates are hardware and firmware properties, the remediation script does not modify the endpoint. It re-runs the evaluation logic and writes a consolidated readiness verdict (Ready, BIOS-Fixable, or Hardware-Refresh) to the Automox activity log via Write-Output. The script then exits 0 so the policy run reports complete. TPM-Disabled and Legacy-BIOS results indicate firmware toggles a technician can flip on-site or via vendor management tools. CPU, RAM, and disk failures indicate the endpoint needs a hardware refresh and should be excluded from the in-place upgrade group.

Windows 11 readiness audit requirements

  • Windows endpoint running Windows 10, Windows 11, or Windows Server 2016 and newer with the Automox agent installed

  • PowerShell 5.1 or later (PowerShell 3.0 minimum; Get-Tpm and Confirm-SecureBootUEFI are available on Windows 8 and later)

  • Administrator context for the Automox agent so the Worklet can read WMI classes Win32_Processor, Win32_PhysicalMemory, and Win32_DiskDrive

  • Endpoint reaches the Microsoft Windows 11 minimums for an in-place upgrade verdict: 1 GHz 64-bit dual-core CPU on the supported list, 4 GB RAM, 64 GB primary disk, TPM 2.0, UEFI firmware with Secure Boot enabled, DirectX 12 / WDDM 2.x GPU

  • No parameters required – the Worklet is read-only and runs without policy variables

  • Schedule the policy on a recurring cadence so BIOS toggles or hardware refreshes are reflected in the next readiness report

Expected output after the readiness audit

The Automox activity log records one of three verdicts per endpoint. "Endpoint is Windows 11 Ready" means every gate passed and the host is eligible for an in-place upgrade policy. "BIOS-Fixable" means TPM 2.0 hardware is present but disabled, or UEFI is supported but the host booted in Legacy BIOS mode. Both are correctable by a technician with vendor BIOS access. "Hardware-Refresh Required" means the failed gate is the CPU, installed RAM, or primary disk. None of those can be resolved by a firmware change.
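The gate checks and verdict mapping described above, written out as an added PowerShell example; it is not the Worklet's own code. It assumes an elevated session, reads the TPM version from the Win32_Tpm CIM class, and uses constructed function names and gate labels (SecureBoot-Off, TPM-Version); matching the CPU against Microsoft's supported-processor list is not included.

```powershell
# Added example. Thresholds and verdict names follow the page; gate labels other
# than TPM-Disabled and Legacy-BIOS are constructed for illustration.
function Get-ReadinessVerdict {
    param([string[]]$FailedGates)
    $firmware = 'TPM-Disabled', 'Legacy-BIOS', 'SecureBoot-Off'
    if (-not $FailedGates) { return 'Ready' }
    # Any non-firmware failure outranks a firmware toggle.
    if ($FailedGates | Where-Object { $_ -notin $firmware }) { return 'Hardware-Refresh' }
    return 'BIOS-Fixable'
}

function Test-Win11Gates {
    $failed = [System.Collections.Generic.List[string]]::new()

    # Get-Tpm gives presence and readiness; the version string is read from
    # Win32_Tpm (assumption). A firmware TPM switched off in setup also reports
    # TpmPresent = $false, so it lands in TPM-Disabled for a technician to confirm.
    $tpm = Get-Tpm
    if (-not ($tpm.TpmPresent -and $tpm.TpmReady)) { $failed.Add('TPM-Disabled') }
    else {
        $spec = (Get-CimInstance -Namespace 'root\cimv2\Security\MicrosoftTpm' -ClassName Win32_Tpm).SpecVersion
        if ($spec -notmatch '^\s*2\.0') { $failed.Add('TPM-Version') }  # assumed: hardware
    }

    # $false = UEFI with Secure Boot off; a legacy BIOS boot throws instead.
    try { if (-not (Confirm-SecureBootUEFI -ErrorAction Stop)) { $failed.Add('SecureBoot-Off') } }
    catch [System.PlatformNotSupportedException] { $failed.Add('Legacy-BIOS') }

    # CPU floor only: 1 GHz, 2 cores, 64-bit (Architecture 9 = x64, 12 = ARM64).
    # Matching Name against Microsoft's supported list is not shown.
    $cpu = Get-CimInstance -ClassName Win32_Processor | Select-Object -First 1
    if ($cpu.MaxClockSpeed -lt 1000 -or $cpu.NumberOfCores -lt 2 -or
        $cpu.Architecture -notin 9, 12) { $failed.Add('CPU') }

    $ram = (Get-CimInstance -ClassName Win32_PhysicalMemory |
            Measure-Object -Property Capacity -Sum).Sum
    if ($ram -lt 4GB) { $failed.Add('RAM') }
    # 64GB here is 64 * 2^30 bytes; Size is the drive's reported byte count.
    $disk = Get-CimInstance -ClassName Win32_DiskDrive -Filter 'Index = 0'
    if ($disk.Size -lt 64GB) { $failed.Add('Disk') }

    [pscustomobject]@{
        Computer = $env:COMPUTERNAME
        Verdict  = Get-ReadinessVerdict -FailedGates $failed
        Failed   = $failed -join ','
    }
}

Test-Win11Gates
```

Because a legacy-mode boot gives no in-OS signal of whether the firmware supports UEFI, a Legacy-BIOS result still needs a technician to confirm that the toggle exists before the host is counted as fixable.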

Validate the audit by spot-checking an endpoint with the same commands the Worklet runs: Get-Tpm | Select-Object TpmPresent, TpmReady, SpecVersion; Confirm-SecureBootUEFI; Get-CimInstance Win32_Processor | Select-Object Name, NumberOfCores, MaxClockSpeed, Architecture. Compare the output to the Automox verdict for that host. For audit evidence, export the Automox activity log filtered by this Worklet's policy ID. Group by verdict to produce the upgrade-ready count, the BIOS-fixable count, and the hardware-refresh budget line. Re-run the policy after each BIOS remediation batch to confirm the BIOS-Fixable cohort has crossed into the upgrade-ready group.



What's a Worklet?

A Worklet is an automation script, written in Bash or PowerShell, designed for seamless execution on endpoints – at scale – within the Automox platform. Worklets deploy named-CVE mitigations within hours of disclosure, perform configuration, remediation, and install or remove applications and settings across Windows, macOS, and Linux.
