With Windows 10 reaching end of support on October 14, 2025, the focus has fully shifted to Windows 11 feature update management. This guide updates and expands the original article to cover the current landscape: deploying Windows 11 feature updates manually, via SCCM Windows Servicing, via Intune Feature Update policies, and using WindowsUpdateBox.exe for scripted deployments — including the setupconfig.ini customisation options that have become essential for enterprise-grade rollouts.
| Detail | |
|---|---|
| Last Updated | March 2026 |
| Applies To | Windows 11 (all versions), SCCM/MECM 2503+, Microsoft Intune |
| Current Latest Version | Windows 11 25H2 (released September 2025) |
| Windows 10 Status | End of Support reached October 14, 2025 |
| Difficulty | Intermediate |
Windows 10 End of Support — What It Means for Your Fleet
If you still have Windows 10 devices in your environment, this is the most urgent item on your patching agenda. As of October 14, 2025, Windows 10 (all editions except LTSB/LTSC) no longer receives security updates from Microsoft unless you are enrolled in Extended Security Updates (ESU), which are paid and time-limited. The practical implication: every Windows 10 device in your fleet is accumulating unpatched vulnerabilities from that date forward.
Before proceeding with feature update deployment, run a hardware compatibility check across your fleet — Windows 11 requires TPM 2.0, Secure Boot, and a compatible CPU. Devices that do not meet the requirements cannot be upgraded and need a hardware refresh plan.
# Quick check: is this device eligible for Windows 11?
$tpm = Get-WmiObject -Namespace "root\cimv2\security\microsofttpm" -Class Win32_Tpm
$secureBoot = Confirm-SecureBootUEFI -ErrorAction SilentlyContinue
[PSCustomObject]@{
ComputerName = $env:COMPUTERNAME
TPMVersion = $tpm.SpecVersion
TPMEnabled = $tpm.IsEnabled_InitialValue
SecureBootOn = $secureBoot
OSVersion = (Get-CimInstance Win32_OperatingSystem).Caption
}Understanding the Update Package Files
Whether you download the feature update from SCCM/WSUS or let Windows Update cache it locally, the update package always consists of the same two files:
- *.esd — the compressed OS image payload containing the new Windows version
- WindowsUpdateBox.exe — the update orchestrator that drives the installation process
When downloaded via SCCM, these files land in your deployment package source folder. When cached by Windows Update on the device, they are placed in C:\Windows\SoftwareDistribution\Download\. Note that for Windows 11 25H2 (an enablement package), the total download size is significantly smaller than a full feature update — around 500 MB vs 3–4 GB for a full upgrade like 24H2.
Method 1: Manual Deployment via WindowsUpdateBox.exe
The original three-command approach still works in 2026 for manual or scripted deployments. Navigate to the folder containing the ESD and WindowsUpdateBox.exe files and run:
start /w WindowsUpdateBox.exe /Update /PreDownload /quiet
start /w WindowsUpdateBox.exe /Update /Install /quiet /noreboot
start /w WindowsUpdateBox.exe /Update /Finalize /quiet /norebootKey parameters:
- /PreDownload — stages the update files without beginning installation. Run this during business hours to pre-stage, then trigger /Install at a maintenance window
- /Install — begins the actual upgrade. Expect 30–90 minutes depending on hardware and whether it is a full upgrade or enablement package
- /Finalize — commits the upgrade after the reboot phase
- /noreboot — suppresses automatic reboots. Without this, a reboot is triggered automatically after /Install completes. Recommended for scripted deployments where you control the reboot separately
- /quiet — suppresses all UI dialogs
Wrap these in a PowerShell script for use in SCCM packages or Intune Win32 apps:
# install.ps1 — deploy feature update via WindowsUpdateBox
$scriptDir = Split-Path -Parent $MyInvocation.MyCommand.Path
$wub = Join-Path $scriptDir "WindowsUpdateBox.exe"
if (-not (Test-Path $wub)) {
Write-Host "WindowsUpdateBox.exe not found in $scriptDir"
exit 1
}
Write-Host "Pre-downloading update..."
Start-Process -FilePath $wub -ArgumentList "/Update /PreDownload /quiet" -Wait
Write-Host "Installing update..."
Start-Process -FilePath $wub -ArgumentList "/Update /Install /quiet /noreboot" -Wait
Write-Host "Finalizing update..."
Start-Process -FilePath $wub -ArgumentList "/Update /Finalize /quiet /noreboot" -Wait
Write-Host "Feature update deployment complete. Reboot required."
exit 0Method 2: SCCM Windows Servicing (Recommended for ConfigMgr Environments)
Windows Servicing in SCCM is the purpose-built, scalable approach for feature update deployment in Configuration Manager environments. It supports deployment rings, pilot collections, and automatic rollout rules — without needing to manually package the update files.
Prerequisites
- SCCM/ConfigMgr version 2503 or later for Windows 11 25H2 deployment
- Software Update Point configured with Windows 11 product enabled under SUP products
- Service Connection Point set to Online mode for update sync
- Dynamic Updates enabled in Client Settings (reduces deployment size by downloading drivers during upgrade)
Deployment Steps
- In the ConfigMgr console, navigate to Software Library → Windows Servicing → All Windows Feature Updates
- Right-click the target feature update (e.g. Windows 11, version 25H2 x64 2025-10) and select Download
- Create a new Deployment Package and specify the package source path (a shared folder)
- Once downloaded, right-click the update and select Deploy
- Target a pilot device collection first — never deploy directly to All Systems on the first run
- Configure the deployment deadline and maintenance window to control when devices actually upgrade
For automated ring-based rollouts, use Servicing Plans under Windows Servicing — these automatically deploy new feature updates to defined collections when they are released, mirroring Windows Update for Business deferral rings.
Method 3: Intune Feature Update Policy
For cloud-managed or co-managed devices, Intune’s Feature Update policies are the cleanest deployment method. No package downloads, no distribution points — Intune instructs the device to upgrade to a specific Windows version via Windows Update.
- Go to Devices → Windows → Update rings for Windows 10 and later — or for feature updates specifically: Devices → Windows → Feature updates for Windows 10 and later
- Click + Create profile
- Select the target Feature update version (e.g. Windows 11, version 25H2)
- Configure the Rollout options — you can make the update available immediately or set a specific date
- Assign to a pilot device group first
Intune feature update policies support gradual rollouts — you can specify that only a percentage of assigned devices upgrade per day, which limits blast radius if a problematic update is deployed.
Advanced: Customising the Upgrade with setupconfig.ini
Both SCCM and Intune deployments can be customised with a setupconfig.ini file — a configuration file that Windows Setup reads during the upgrade process. This is particularly powerful for scenarios where you need to run post-upgrade scripts, install drivers during the upgrade, or control BitLocker suspension behaviour.
Place the file at C:\Users\Default\AppData\Local\Microsoft\Windows\WSUS\setupconfig.ini before the upgrade runs. Deploy it via an Intune Remediation script or SCCM script prior to the feature update deployment.
[SetupConfig]
Quiet
Auto=Upgrade
EULA=Accept
BitLocker=AlwaysSuspend
Compat=IgnoreWarning
Priority=Normal
DynamicUpdate=Enable
ShowOOBE=None
Telemetry=Enable
PostOOBE=C:\ProgramData\FeatureUpdate\Scripts\PostOOBE.cmd
CopyLogs=C:\ProgramData\FeatureUpdate\LogsKey parameters explained:
| Parameter | Description |
|---|---|
| BitLocker=AlwaysSuspend | Suspends BitLocker during upgrade — prevents encryption issues on some hardware |
| Compat=IgnoreWarning | Suppresses compatibility warnings that would otherwise block the upgrade dialog |
| DynamicUpdate=Enable | Downloads latest drivers and updates during upgrade — recommended for hardware compatibility |
| PostOOBE | Path to a script that runs after the upgrade completes — ideal for post-upgrade configuration |
| CopyLogs | Copies setup logs to a specified location for centralised troubleshooting |
| InstallDrivers | Path to a folder of additional drivers to inject during the upgrade |
Deploy the setupconfig.ini via an Intune Remediation detection/remediation pair — the detection script checks if the file exists with the correct content, and the remediation script creates or updates it. This ensures the file is in place before the feature update policy triggers the upgrade.
Checking Current Windows Version Before Deployment
Before targeting a device for upgrade, verify its current OS version. Use this in an SCCM collection query or Intune Remediation detection script:
# Get current Windows build and version
$os = Get-CimInstance -ClassName Win32_OperatingSystem
[PSCustomObject]@{
Caption = $os.Caption
Version = $os.Version
BuildNumber = $os.BuildNumber
OSArchitecture = $os.OSArchitecture
}Windows 11 version reference for targeting:
| Version | Build Number | Support End Date |
|---|---|---|
| Windows 11 21H2 | 22000 | End of support reached |
| Windows 11 22H2 | 22621 | October 2024 (Home/Pro), October 2025 (Enterprise) |
| Windows 11 23H2 | 22631 | November 2025 (Home/Pro), November 2026 (Enterprise) |
| Windows 11 24H2 | 26100 | October 2026 (Home/Pro), October 2027 (Enterprise) |
| Windows 11 25H2 | 26200 | October 2027 (Home/Pro), October 2028 (Enterprise) |
Troubleshooting Failed Feature Update Deployments
| Issue | Cause | Fix |
|---|---|---|
| Upgrade completes but version unchanged | Compatibility hold applied by Microsoft for this hardware/software combination | Check Windows Update for Business reports in Intune or the Microsoft known issue tracker for your device model |
| 0xC1900208 — compatibility check failed | Installed application blocking the upgrade | Check C:\$WINDOWS.~BT\Sources\Panther\compat*.xml for the blocking app; uninstall or add Compat=IgnoreWarning to setupconfig.ini |
| 0x8007042B — process terminated unexpectedly | Antivirus or security software interfering with setup | Temporarily disable real-time protection during upgrade, or add an exclusion for Windows Setup |
| Device stays at “Pending” in Intune | Safeguard hold applied to the device by Microsoft | Check the Intune feature update report for safeguard hold details; these are lifted automatically when Microsoft resolves the underlying issue |
| SCCM deployment shows “compliant” but not upgraded | Co-management conflict — Intune and SCCM both targeting the device | Ensure the Windows Update workload is exclusively owned by one tool; split workloads consistently |
For detailed upgrade failure logs, check:
C:\$WINDOWS.~BT\Sources\Panther\setupact.logandsetuperr.log— primary setup logs during upgradeC:\Windows\Panther\— logs after upgrade completes or rolls back- Event Viewer → Setup log — overview of the upgrade phases and any errors
Summary
Feature update deployment in 2026 is primarily a Windows 11 servicing exercise, with Windows 10 ESU the only remaining exception. Choose your method based on your management tooling:
- Manual / scripted — WindowsUpdateBox.exe with the three-phase command sequence, wrapped in a PowerShell script
- SCCM-managed — Windows Servicing with deployment rings and pilot collections; requires ConfigMgr 2503+ for 25H2
- Intune-managed — Feature Update policy with gradual rollout options; cleanest approach for cloud-only environments
- Use setupconfig.ini for advanced scenarios: post-upgrade scripts, driver injection, BitLocker suspension, log collection
- Always deploy to a pilot collection first — Microsoft applies safeguard holds for a reason, and your environment may have compatibility issues not covered by them