Apply Windows Feature Updates
Windows feature updates are provided by Microsoft as significant upgrades to the Windows operating system. They provide major versions, such as Windows 11 24H2, that roll up security updates and bug fixes along with feature updates and performance enhancements.
Feature updates also cover the move from Windows 10 to Windows 11. Many companies still have Windows 10 in their environment, and Microsoft ends security updates for Windows 10 on October 14, 2025. Windows 11 is the current major release of Microsoft's workstation operating system, and companies need help getting their Windows 11-capable devices upgraded. The upgrade can have a significant impact on the corporate environment, especially when the upgrade content must be delivered across Virtual Private Networks (VPNs). Tenable Patch Management can upgrade older Windows installations to either the June 2025 release of Windows 11 24H2 (10.0.26100.4349) or the September 2025 release of Windows 11 24H2 (10.0.26100.6725); additional versions may be added as Microsoft releases them. The oldest operating system that can be upgraded is Windows 10 2004 (10.0.19041).
All systems to be upgraded must meet the minimum requirements for Windows 11 24H2 (a 64-bit CPU that supports SSE4.2 and POPCNT, 4 GB RAM, 64 GB storage, UEFI firmware with Secure Boot, and TPM 2.0). For the full list, see Windows 11 Specs and System Requirements | Microsoft Windows.
Note that you need a license that includes Windows Operating System patching. Contact your Tenable Patch representative for more information.
Overview
The Tenable Patch Management metadata team automatically blocks all Windows 11 Feature Updates, so that customers control which devices receive the update and when.
Tip: You can enable blocklist notifications to receive automatic notifications when Tenable Patch adds blocked patches.
(Optional) Create a target Business Unit
This step is optional, because the patch is only installed on devices to which it is applicable. You may still want to create Business Units to split the deployment into multiple waves. A Business Unit also makes it easy to track which devices need manual intervention (for example, devices that fail the hardware requirements).
A sensor can be used to filter by the current Operating System.
| Sensor | Field |
|---|---|
| Operating System (WMI) | Build |
| OperatingSystemCrossPlatform (static) | Version |
You can use additional scopes to limit the devices. For example, add a Location or a Base Scope to reduce the target device list to a specific office or Business Group.
For more information on creating a business unit, see Business Units and Rollout Processes.
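The following PowerShell script is an added example, not part of the Tenable documentation or product. It classifies a device against the build floor and target stated above (10.0.19041 and 10.0.26100) using the same OS version data the two sensors read, and checks the published Windows 11 hardware minimums so that devices needing manual intervention can be spotted before the wave runs. The sample inventory at the end is constructed, and the function and variable names are this example's own; the TPM and Secure Boot queries need an elevated session.

```powershell
# Added example (not Tenable Patch code): classify devices for the Windows 11 24H2
# upgrade scope from the same OS build/version data the Business Unit sensors read.
# Build thresholds are the ones on this page (oldest upgradable 10.0.19041, target
# 10.0.26100); hardware thresholds are Microsoft's published Windows 11 minimums.

function Get-UpgradeClass {
    param([Parameter(Mandatory)][version]$OsVersion)
    $minimumBuild = 19041   # Windows 10 2004, the oldest release the page says can be upgraded
    $targetBuild  = 26100   # Windows 11 24H2
    if ($OsVersion.Major -ne 10)            { return 'Unsupported' }     # Windows 10 and 11 both report 10.0.x
    if ($OsVersion.Build -ge $targetBuild)  { return 'AlreadyOn24H2' }   # OS Upgrade product no longer applies
    if ($OsVersion.Build -lt $minimumBuild) { return 'TooOld' }          # below the floor, needs interim upgrade
    return 'Eligible'
}

function Test-Win11Hardware {
    # Checks the documented Windows 11 minimums that the compatibility appraiser also evaluates.
    $cs   = Get-CimInstance Win32_ComputerSystem
    $disk = Get-CimInstance Win32_LogicalDisk -Filter "DeviceID='$env:SystemDrive'"
    $tpm  = Get-CimInstance -Namespace root/cimv2/Security/MicrosoftTpm -ClassName Win32_Tpm -ErrorAction SilentlyContinue
    try { $secureBoot = Confirm-SecureBootUEFI } catch { $secureBoot = $false }   # throws on legacy BIOS
    [pscustomobject]@{
        RamOk      = $cs.TotalPhysicalMemory -ge 4GB
        DiskOk     = $disk.Size -ge 64GB
        Uefi       = $env:firmware_type -eq 'UEFI'
        SecureBoot = [bool]$secureBoot
        Tpm20      = ($null -ne $tpm) -and ($tpm.SpecVersion -like '2.0*')   # SpecVersion looks like "2.0, 0, 1.59"
    }
}

function Get-LocalUpgradeScope {
    $os  = Get-CimInstance Win32_OperatingSystem
    $cv  = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'
    $ver = [version]$os.Version          # e.g. 10.0.19045; the WMI Build field the sensor reads is 19045
    $hw  = Test-Win11Hardware
    [pscustomobject]@{
        ComputerName   = $env:COMPUTERNAME
        Caption        = $os.Caption
        Version        = "$($os.Version).$($cv.UBR)"   # full build including the update revision
        DisplayVersion = $cv.DisplayVersion            # e.g. 22H2, what the cross-platform sensor reports
        Class          = Get-UpgradeClass $ver
        HardwareOk     = $hw.RamOk -and $hw.DiskOk -and $hw.Uefi -and $hw.SecureBoot -and $hw.Tpm20
        Hardware       = $hw
    }
}

# Constructed sample inventory (not real devices) showing how the classification splits a fleet.
$sample = @(
    [pscustomobject]@{ Name = 'WS-1909';   Version = '10.0.18363' }   # Windows 10 1909: below the floor
    [pscustomobject]@{ Name = 'WS-2004';   Version = '10.0.19041' }   # Windows 10 2004: oldest eligible
    [pscustomobject]@{ Name = 'WS-22H2';   Version = '10.0.19045' }   # Windows 10 22H2
    [pscustomobject]@{ Name = 'WS-W11-23'; Version = '10.0.22631' }   # Windows 11 23H2: still eligible for 24H2
    [pscustomobject]@{ Name = 'WS-W11-24'; Version = '10.0.26100' }   # Windows 11 24H2: product not applicable
)
$sample | Select-Object Name, Version, @{ n = 'Class'; e = { Get-UpgradeClass ([version]$_.Version) } } |
    Format-Table -AutoSize

# The same classification for the device the script runs on.
Get-LocalUpgradeScope | Format-List
```

Devices that come back Eligible but with HardwareOk false are the ones worth putting in a separate Business Unit: the patch will never become applicable to them, so they need a hardware fix or a replacement rather than another deployment wave.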
Create a Deployment Wave
- In the left pane, select Deployment Waves.
- Click +New.
- Enter a Name for the Deployment Wave, for example "Windows 11 Upgrade Deployment Wave."
- Click Add Wave.
- Click +Create Wave Entry.
- Next to Business Unit, click Browse and select the Business Unit created above.
- Click Create Wave Entry.
- Create any additional Waves and/or Wave Entries for additional Business Units as you require.
- Click Save.
For more information about deployment waves, see Deployment Waves.
Unblock the Blocked Patch
Before you unblock the Blocked Patch, review ALL Strategies. Any Strategy that has Include All Products enabled will pick up the upgrade for every device it targets as soon as the patch is unblocked, so add Windows 11 OS Upgrade to that Strategy's Excluded Products first to ensure only the strategy created below deploys it.
- Select Flex Controls | Blocklisting | Blocked Patches.
- Search for Windows 11 24H2 Upgrade. Microsoft releases a new feature update each year; adjust the version (the yyH2 part) as needed.
- Hover over this patch, select the ellipses (...) on the right and select Unblock.
Note: Unblock only one patch (one target release) at a time.
For more information about blocklisting, see Flex Controls - Blocklisting.
Create a Strategy to Deploy this patch
- Select Strategy | Patching Strategies.
- Create a copy of a built-in strategy that includes the Deployment Wave and Approvals, or open an existing strategy.
- Give the strategy a name, for example "Windows 11 Upgrade."
- In the Products section, next to Included Products, select +Browse.
- Search for Windows 11 OS Upgrade, select it and click OK.
- In the Deployment Settings section, next to Deployment Wave, click Browse.
- Select the Windows 11 upgrade deployment wave you created earlier and click OK.
- Edit or create a Deployment Bot Runtime:
  - Select a Patch Deployment Bot.
  - Select a Patching Process.
  - Select a Deployment Channel.
  - Select the appropriate Business Units. To select individual Business Units, the individual Business Units must be included in the Deployment Wave.
  - Click OK.
- Edit or create a Process Setting:
  - Select a Patching Process.
  - Select an Execution Schedule.
  - Click OK.
- If the Patching Process chosen includes Approvals, scroll down and add at least one Approval Chain.
- Update the other sections as required.
- Scroll to the top and ensure the Strategy is Enabled.
- Click Save.
- A slide-out shows the patch Windows 11 24H2 Upgrade.
- Click OK.
For more information about strategies, see Strategies and Advanced Patching Strategies.
Approve the Patching Cycle
If you have enabled Approvals in the Patch Strategy, approve the patch deployment when the Patching Cycle starts.
Monitor Deployment and Installation
In the left-hand pane, click Patching Analytics | Strategy Operations and select your Windows 11 OS upgrade strategy to monitor the Patching Cycle.
In the dashboard,
- Product Compliance shows product compliance on the targeted devices.
- Patch Status shows the installation status of the patch on the targeted devices.
- Device Compliance by OS shows how many devices have a compliant product installed.
- History shows each step in the execution of the strategy.
In the History dashboard, click the + to get additional information.
In the top right, the details pane displays a device name and the history of patch installations for that device.
If the device is currently performing an action, it shows in a box above the list of actions.
Look for entries like:
Use the < and > buttons at the bottom to change pages. Click on the computer icon at the top to select a different device or click on the ellipses and select Next Device.
Note: Soon after the device is upgraded, the Windows 11 OS Upgrade product is no longer applicable, and the device will be removed from the Patch Status dashboard.
After the installation completes on the device, the Tenable Patch client captures the restart requirement and displays a toast notification based on the User Interaction Settings applied to the device. We recommend that users restart as soon as possible: the upgrade is not complete, and the device keeps running the old OS build, until the restart happens. If you normally allow a long delay before restart, apply a shorter User Interaction Setting to the Business Unit(s) you created for the upgrade.
Troubleshooting
Issue: The device does not show Windows 11 OS Upgrade in its list of Installed Products.
In %programfiles%\Tenable\PatchClient\logs\componentlogs, review PatchingAdmin.log and look for a line like the following:
INFO - Products :: Scanned status [NOT INSTALLED] for [1000006900]
Solution:
- Check for the existence of the following registry key:
  HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\CompatMarkers\
- Review the subkey GE24H2.
- If any value whose name starts with Blocked is set to 1, the device cannot be upgraded.
- Remediate any issues and re-scan.
Note: You may need to select Reset Data, which forces a scan of All Software.
If the registry key does not exist, open a Command Prompt as Administrator and manually run the following command. It evaluates the device and creates the registry key.
%windir%\System32\CompatTelRunner.exe -m:appraiser.dll -f:DoScheduledTelemetryRun
Windows normally runs this command automatically through a scheduled task. If the default Task Scheduler Library has been modified, verify the task as follows.
- Open Task Scheduler.
- Expand Task Scheduler Library | Microsoft | Windows and select Application Experience.
- In the details pane, select the Microsoft Compatibility Appraiser task.
- Review the Last Run Time and Last Run Result.
If you need help executing this across your estate, contact Tenable Patch Support.
Issue: The device is targeted but did not upgrade.
One possible cause is insufficient disk space. The Feature Update process does not run unless the system drive has roughly 50 GB free (the client checks for more than 52428800000 bytes).
In %programfiles%\Tenable\PatchClient\logs\componentlogs, review the ContentCache.log and look for a line like the following:
INFO - Drive [C] is having actualFreeSpace Including Progress [###]
The ### needs to be larger than 52428800000 bytes.
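The following PowerShell script is an added example, not part of the Tenable documentation or product, that automates the checks for both troubleshooting issues above (the missing Installed Product and the targeted-but-not-upgraded device). It assumes what the page states: the CompatMarkers\GE24H2 key and its Blocked* values, the client log locations, the product ID 1000006900 seen in the sample PatchingAdmin.log line, and the 52428800000-byte free-space threshold. The sample log lines and all function names are constructed for this example; run it from an elevated session.

```powershell
# Added example (not Tenable Patch code): preflight for the two troubleshooting cases above.
# Assumed from the page: the CompatMarkers\GE24H2 key and its Blocked* values, the client
# log paths, product ID 1000006900 for the Windows 11 OS Upgrade, and the free-space threshold.

$MarkerKey    = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\CompatMarkers\GE24H2'
$FreeSpaceMin = 52428800000L   # bytes, the value quoted on the page
$LogDir       = Join-Path $env:ProgramFiles 'Tenable\PatchClient\logs\componentlogs'
$OsUpgradeId  = '1000006900'   # product ID from the sample log line above; confirm against your own log

function Get-AppraiserMarkers {
    # Reports whether GE24H2 exists and which Blocked* values are set to 1.
    $exists  = Test-Path $MarkerKey
    $blocked = @()
    if ($exists) {
        $blocked = @((Get-ItemProperty -Path $MarkerKey).PSObject.Properties |
            Where-Object { $_.Name -like 'Blocked*' -and $_.Value -eq 1 } |
            ForEach-Object Name)
    }
    [pscustomobject]@{ KeyExists = $exists; Blocked = $blocked }
}

function Invoke-Appraiser {
    # The same command the page gives; it evaluates the device and writes the marker key.
    $exe = Join-Path $env:windir 'System32\CompatTelRunner.exe'
    $p = Start-Process -FilePath $exe -ArgumentList '-m:appraiser.dll', '-f:DoScheduledTelemetryRun' `
         -Wait -NoNewWindow -PassThru
    return $p.ExitCode
}

function Get-AppraiserTaskStatus {
    # Last run of the scheduled task that normally runs the appraiser.
    $task = Get-ScheduledTask -TaskPath '\Microsoft\Windows\Application Experience\' `
                              -TaskName 'Microsoft Compatibility Appraiser'
    $info = $task | Get-ScheduledTaskInfo
    [pscustomobject]@{ State = $task.State; LastRunTime = $info.LastRunTime; LastTaskResult = $info.LastTaskResult }
}

function Get-FreeSpaceFromLog {
    # Parses the ContentCache.log line quoted on the page and returns the most recent match.
    param([string[]]$Lines)
    $last = $null
    foreach ($line in $Lines) {
        if ($line -match 'Drive \[(?<drive>\w)\] is having actualFreeSpace Including Progress \[(?<bytes>\d+)\]') {
            $bytes = [long]$Matches.bytes
            $last  = [pscustomobject]@{ Drive = $Matches.drive; Bytes = $bytes; Enough = $bytes -gt $FreeSpaceMin }
        }
    }
    return $last
}

# Constructed sample log lines (not from a real client) to show the parser's verdict.
$sampleLog = @(
    'INFO - Drive [C] is having actualFreeSpace Including Progress [61234567890]'
    'INFO - Drive [C] is having actualFreeSpace Including Progress [41234567890]'   # later, after content was cached
)
Get-FreeSpaceFromLog $sampleLog | Format-List

# --- Issue 1: Windows 11 OS Upgrade missing from Installed Products ---------------------
$markers = Get-AppraiserMarkers
if (-not $markers.KeyExists) {
    Write-Host "GE24H2 key missing; running the appraiser (exit code $(Invoke-Appraiser))"
    $markers = Get-AppraiserMarkers
}
if ($markers.Blocked.Count -gt 0) { Write-Warning "Upgrade blocked by: $($markers.Blocked -join ', ')" }
elseif ($markers.KeyExists)       { Write-Host 'No Blocked* markers under GE24H2; re-scan the device' }
Get-AppraiserTaskStatus | Format-List

$paLog = Join-Path $LogDir 'PatchingAdmin.log'
if (Test-Path $paLog) {
    # Latest scan verdict the client recorded for the OS Upgrade product.
    Select-String -Path $paLog -Pattern "Scanned status \[(.+?)\] for \[$OsUpgradeId\]" |
        Select-Object -Last 1 -ExpandProperty Line
}

# --- Issue 2: device targeted but did not upgrade (disk space) --------------------------
$drive = Get-CimInstance Win32_LogicalDisk -Filter "DeviceID='$env:SystemDrive'"
Write-Host ("{0} free: {1:N0} bytes (needs more than {2:N0})" -f $drive.DeviceID, $drive.FreeSpace, $FreeSpaceMin)
$ccLog = Join-Path $LogDir 'ContentCache.log'
if (Test-Path $ccLog) { Get-FreeSpaceFromLog (Get-Content $ccLog) | Format-List }
```

Comparing the live FreeSpace value with the last figure in ContentCache.log is the useful part: the log shows what the client saw when it made its decision, so a drive that has since been cleaned up still needs a re-scan before the upgrade becomes applicable.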