[18 December 2020: This article has been updated to reflect changes in the way Microsoft offers Windows 10 Feature Updates and the way that ZENworks supports the updates.]

In a previous article I explained that the ZENworks Patch Management content feed includes Windows 10 Quality Updates (security and reliability patches) but not Windows 10 Feature Updates (version updates). This is primarily due to the larger file size and installation mechanism for Feature Updates.  

Even though the content feed does not include Feature Updates, you can still use ZENworks Patch Management to deploy Windows 10 Feature Updates. There are a couple of methods--enablement packages and custom patches--you can utilize depending on the currently installed Windows 10 version and the target update version.

Updating via an Enablement Package

Starting in 2019, Microsoft began ensuring that both versions (H1 and H2) released in the same year share a common core operating system with an identical set of system files. The new features for the H2 version are delivered starting in the last H1 monthly Quality Update prior to the H2 release. The H2 features remain dormant until they are turned on by applying the enablement package. Microsoft published an article explaining the details and benefits of this method that I'll let you review rather than rehashing here.

The ZENworks Patch Management content feed contains the enablement package for both Windows 10 1909 and Windows 10 20H2. The following applies to the enablement package:

• The enablement package only provides an update path from the H1 version to the H2 version of the same year (i.e. 1903 to 1909 and 2004 to 20H2). It does not work for updating versions from different years (for example, 1909 to 2004).
• The H1 version being updated must have its October Quality Update installed (or any monthly Quality Update released after October since they are cumulative). Starting with October the monthly Quality Update contains the dormant H2 features. IMPORTANT: You should always check the enablement package's KB article to confirm the required monthly Quality Update and any other requirements such as Servicing Stack Update versions.
• The device will require a restart after applying the update.

In ZENworks Patch Management, the enablement package works the same as other patches. Follow the steps below to use the package:

1. In ZENworks Control Center, go to the zone Patches list and verify that the enablement package is available in your zone. As of the writing of this article, four packages are available:
   • Feature Update to Win 10 Version 20H2 x64 2020-10 via Enablement Package for Win 10, version 2004 and later (KB4562830)
   • Feature Update to Win 10 Version 20H2 x86 -based systems 2020-10 via Enablement Package for Win 10, version 2004 and later (KB4562830)
   • Feature Update to Win 10 Version 1909 x64 2019-11 via Enablement Package for Win 10, version 1903 and later (KB4517245)
   • Feature Update to Win 10 Version 1909 x86 -based systems 2019-11 via Enablement Package for Win 10, version 1903 and later (KB4517245)
2. Perform a patch scan on your devices. The scan results will show to which devices the enablement package applies.
3. Deploy the enablement package to the applicable devices using a Remediation deployment or Patch policy.

Updating via a Custom Patch

The second update method is to manually download the Feature Update and distribute it as a custom patch in ZENworks. This works for updating from any version to another version (provided Microsoft supports the update path).

The process includes a few additional steps on your part but allows you to automate the deployment of the Feature Update while using the Patched status to track which devices are updated and which ones still need to be updated. The basic process is this:

1. Get the Windows 10 Feature Update ISO from your normal Windows OS distribution source.
2. Extract the ISO to a location (for example, a network share) that the Windows 10 devices being updated can access. The devices need to be able to run the update executable from this location.
3. In ZENworks Control Center, create a Windows bundle that launches the update executable.
4. Create a custom patch containing the Windows bundle.
5. Deploy the custom patch via a Remediation deployment or Patch policy.

The remainder of this article shows how to use this process to update devices from Windows 10 Enterprise version 1909 to version 2004.

Getting a Windows 10 ISO

You need to download the Windows 10 ISO from a source such as the Volume Licensing Service Center, the MSDN Portal, or the Academic Products page. For example, I get my Windows 10 ISOs from my MSDN account.

For this article, I will update a device running Windows 10 Enterprise version 1909 to version 2004 using the Windows 10 (business editions), version 2004 (Updated Oct 2020) (x64) - DVD (English) ISO with the following filename:

en_windows_10_business_editions_version_2004_updated_oct_2020_x64_dvd_732b2088.iso

Extracting the ISO to a Network Location

Your Windows 10 devices need to run the update executable from somewhere on your network. In my lab environment, I chose to copy the contents of the ISO to a Win10bus_2004update_x64 folder on my ZENworks Server and then share the folder (read access) with a local server account called WindowsUpdateAdmin.

 I also defined the WindowsUpdateAdmin account credentials in the ZENworks Control Center Credentials Vault to make the credentials available when installing the Feature Update.

My configuration worked for my lab environment. Obviously, you’ll need to find the appropriate access solution for your lab and production environments.

Creating a Windows Bundle for the Feature Update

In ZENworks Control Center, create a Windows bundle that launches the Feature Update executable from your network location.

1. Create a new empty Windows bundle:
   1. In the Bundles list, click New > Bundle to launch the Create New Bundle Wizard.
   2. For the Bundle Type, select Windows Bundle.
   3. For the Bundle Category, select (Empty Bundle).
   4. Give the bundle a name. For my bundle I used Win10ent 2004 Update - x64.
   5. Select the Create as Sandbox option and leave the Define Additional Properties option selected so that the bundle is created as a sandbox version with the bundle properties displayed.
      
2. Add an Install - Launch Executable action:
   1. In the Actions tab, click the Install tab.
   2. Click Add > Launch Executable to display the Add Action – Launch Executable dialog box.
      
   3. In the Command field, add the UNC path to the Feature Update setup.exe file. For example, \\win2016server\win10ent_2004update_x64\setup.exe.
   4. In the Command Line Parameters field, add the following: /auto upgrade /quiet.
      .These parameters force the setup program into silent upgrade mode.
   5. In the Working Directory field, add the UNC path to the setup.exe directory. For example, \\win2016server\win10ent_2004update_x64\.
      The configuration for my bundle looked like this:
      
   6. Click the Advanced tab.
      
   7. Select the Proceed when an action is complete option.
   8. Select the Run as a dynamic administrator option, then select the credential you added to the Credential Vault to provide access to the setup.exe. In my case, this was the WindowsUpdateAdmin credential.
      
   9. Click the Requirements tab, then add the requirements that the device must meet in order for ZENworks to launch the Feature Update setup.exe.
      In this case, I want to update any device not at version 2004 so I used the Registry Key Value condition to check that the ReleaseID value (String Type) of the \HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion key is less than string type 2004.
      
   10. Click OK to add the Launch Executable action to the list of Install actions.
   11. Click Apply to save the action. Your bundle should now look similar to the following screenshot.
       
3. Click the Requirements tab, add the requirements that the device must meet in order for the Feature Update bundle to apply to the device, then click Apply to save the requirements.
   .The bundle's System Requirements determine the devices on which the bundle is effective. In my case, I want the bundle to be effective on all Windows 10 Enterprise 64-bit devices. Even after the Feature Update is installed and the device is updated to the version 2004, the bundle is still effective on the device, which allows the Patched status to be reported for the device. I used the Operating System – Windows condition to specify Windows 10, the Architecture condition to specify 64 bit, and the Registry Key Value condition to check that the EditionID value (String Type) of the \HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion key is equal to string type Enterprise.
   
4. Click Publish to publish the bundle.
   

At this point, you could simply assign the bundle to the Windows 10 devices you want to update. After refreshing and getting the bundle assignment, the devices (on which the bundle is effective) would launch the setup program and install the Feature Update (unless the device is already version 2004).

However, if you include the bundle in a patch (as explained in the next sections), you can use Patch Management to see which Windows 10 devices have been updated (Patched) and which Windows 10 devices still need the update (Not Patched).

Alternate Method: Local Installation

Installing the Feature Update from a network location is the preferred method, but it is also possible to create a bundle that copies the Feature Update to the device and runs the update from the local drive. Because most Feature Updates are quite large (around 5 GB), copying the update to all devices could impact your network. Before using this method widely, we strongly recommend that you evaluate the impact by targeting a smaller set of devices. Once you know the impact, you can perform a controlled update by targeting the appropriate number of devices at different times.

NOTE: In the Comments section following this article, Craig Wilson of our Support team mentions a ZENworks Agent issue that caused the Feature Update to fail when run via the Dynamic Administrator user. As he notes, the issue was fixed in ZENworks 2017 Update 4. We strongly recommend updating the ZENworks Agent on your devices to ZENworks 2017 Update 4 or newer. Otherwise, you will need to use the local installation method for the Feature Update.

If you choose to do the local installation method, modify the Windows 10 Feature Update bundle as follows:

• Use the Copy Directory or Install Directory action to copy the contents of the Feature Update ISO to the local drive. If you use the Install Directory action, select the Do not compress or encrypt uploaded content option to avoid the long compression times associated with the large file size.
• Configure the Launch Executable action to run the setup.exe from the local drive location.
• Configure the bundle’s Launch Executable action to run as System rather than Dynamic Administrator.

Creating a Custom Patch

You can now create a custom patch that includes the Feature Update bundle. Using a patch to distribute the Feature Update bundle allows you to easily track which devices have the patch applied and which ones do not.

We enhanced the Custom Patch wizard in ZENworks 2020 Update 1 to provide additional methods of detecting the Patched status of devices. Therefore, I have provided instructions below for creating a custom patch in ZENworks 2020 Update 1 or in ZENworks 2020 or older versions.

Creating a Custom Patch in ZENworks 2020 Update 1 or Newer Versions

1. In ZENworks Control Center, click Security.
2. Click the Patches tab.
   
3. In the Patches list, click New to launch the Create Custom Patch wizard.
4. In the Name field, select the Windows bundle you created for the Feature Update.
   
5. Select the Impact level for the patch, specify a Vendor name, and select Requires Reboot.
   In my case, I selected Critical for the Impact and specified Microsoft Corp. for the Vendor. You can fill in other details as desired. For example, I like to know the size of the update as well as its original release date.
   
6. Review the Applicability requirements. These requirements determine the devices to which the custom patch applies.
   The Applicability requirements are the same as the bundle’s requirements. If you change them here (or in the custom patch after it is created), the bundle requirements are also changed. NOTE: You could have defined the requirements here rather than when creating the bundle. I had you do it at bundle creation so that you could see the relationship between the patch’s Availability requirements and the bundle’s system requirements.
   
7. Define the Patched requirements. These requirements determine if a device has the patch installed.
   By default, a device is only considered patched if ZENworks has installed the custom patch’s bundle (i.e., Bundle Installed = Yes). In this case, that requirement could provide an incorrect Patched status for a device that has already been updated to Windows 10 2004 by another means (such as Windows Update). To improve the accuracy of the Patched status, I used the Registry Key Value condition to check that the ReleaseID value (String Type) of the \HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion key is equal to string type 2004.
   
8. Select the Run the subscription update… option, then click Finish to create the custom patch.
   Running the subscription update adds the custom patch to the Windows 10 patch scan (DAU) file.
   
9. Locate the Feature Update custom patch in the Patches list.
   
   At this point, the custom patch does not have any Patched status associated with it. You must run a patch scan on your Windows 10 devices to have them evaluate and report the status. Skip to “Scanning Devices” below.

Creating a Custom Patch in ZENworks 2020 or Older Versions

1. In ZENworks Control Center, click Security (or Patch Management in versions older than ZENworks 2020).
2. Click the Patches tab.
3. In the Patches list, click New to launch the Patch wizard.
4. In the Name field, select the Windows bundle you created for the Feature Update.
   
5. Select the Impact level for the patch, specify a Vendor name, and select Requires Reboot.
   For example, select Critical for the Impact and specify Microsoft Corp. for the Vendor. You can fill in other details as desired.
   
6. Finish creating the patch.
7. Run a subscription update.
   The subscription update adds the custom patch to the patch scan (DAU) file.
8. Locate the Feature Update custom patch in the Patches list.
   At this point, the custom patch does not have any Patched status associated with it. You must run a patch scan on your Windows 10 devices to have them evaluate and report the status. Continue with “Scanning Devices” below.

Scanning Devices

After you have created the custom patch and run the subscription to include it in the Windows 10 DAU file, you need to run a patch scan on your Windows devices. At that point, the devices will report their Patched status for the custom patch and you can view the status in ZENworks Control Center.

You can wait for the scheduled patch scan to run or you can use a Quick Task to initiate a patch scan on devices. The Quick Task is available from the Devices list.

Once you have the Patched status for devices, you are ready to deploy the Feature Update custom patch to the unpatched devices.  

Deploying the Patch

You can deploy the patch via a manual remediation or a Patch policy.

Deploying via a Manual Remediation

1. In ZENworks Control Center, click Security (or Patch Management in versions older than ZENworks 2020). 
2. Click the Patches tab.
3. In the Patches list, select the check box in front of the Feature Update custom patch, then click Action > Deploy Remediation.
4. Select the devices to which you want to deploy the update (by default, all applicable devices that do not have the update installed are selected), then complete the wizard.
   While completing the wizard, you can schedule the update to be installed immediately or later.

Deploying via a Patch Policy

1. In ZENworks Control Center, click Security (or Patch Management in versions older than ZENworks 2020). 
2. Click the Patch Policies tab.
3. In the Patch Policies list, click New to display the Create New Patch Policy wizard.
4. Specify a Patch Policy name. For my Patch policy I used Windows 10 2004 Update.
   I left Enterprise out of the title so that I could also use the policy to deliver Feature Updates for other Windows 10 editions, such as Professional. Because the bundle system requirements control which devices an update is applied to, I can have the policy include multiple patches, such as one for Enterprise devices and one for Professional devices or even one for 32-bit devices and another for 64-bit devices.
5. Do not add any Patch policy rules.
6. Complete the wizard, selecting the Define Additional Properties option to display the Patch policy after it is created.
   
7. Click the Members tab, and then click Add to add the patch you created for the Feature Update. In my case, this is the Win10ent 2004 Update – x64 patch.
   
8. Click the Relationships tab and assign the policy to Windows 10 devices.
   I assigned the policy to the Windows 10 dynamic group. This assigns the policy to all Windows 10 devices. However, because the Applicability requirements for the Feature Update custom patch specify that the operating system must be Windows 10 Enterprise x64, the Feature Update is applicable only to those Windows 10 devices.
   
9. Click Publish to publish the policy.
10. Devices will receive the policy and apply the Feature Update at the time designated by their assigned Patch policy schedule.