Worklet: Finalize Windows 10 Feature Update to 2004 or 20H2 Applied From a Patch Policy

UPDATE: January 8, 2021
Windows 10 Feature Updates can be finalized by using the Automox Reboot process. All Feature Update versions released to date are supported.

As older versions of Windows 10 are retired, upgrades to newer versions of Windows 10 begin to become available through Windows Update, and you can deploy them through patch policies to your devices. Please review our best practice policy for a Feature Update Policy guide: https://support.automox.com/help/what-are-the-recommended-best-practices-for-patching-in-automox
NOTE: This is one of the few places I suggest switching on the “Install Optional and Recommended Windows Updates” option.

Automox natively handles the finalization of feature updates within the reboot functionality. That reboot could either be triggered by a policy, or from the console… in either case it sends down a command to finalize the upgrade, and the device completes the upgrade as part of the process.

This Worklet will finalize Windows 10 Feature Upgrades when Automox reboots are not used. The evaluation block detects when a feature update is staged and ready to apply. The remediation block runs the upgrade finalization command.
User experience will be a hidden upgrade process, and then the device will reboot to continue with the upgrade process.

Only run this policy if upgrading to 2004 or 20H2 from a previous version.

Evaluation:

if (Test-Path $($env:SystemDrive + '\$WINDOWS.~BT\Sources')) { 
    # $WINDOWS.~BT is only present when an OS Upgrade is staged.
    exit 1
} else { 
    exit 0
}

Remediation:

<#
.SYNOPSIS
Finalize Windows 10 Feature Update to version 2004 or 20H2

.DESCRIPTION
  Runs finalization command to complete Windows 10 feature upgrade after staged, and complete upgrade with a reboot.  

.NOTES
Author: Automox

.PREREQUISITES
  Upgrade to 2004 or 20H2 must be successfully staged and ready to be applied.
#>

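# Handle exit codes: any terminating error is written to stderr and the worklet exits 90.
trap { $host.ui.WriteErrorLine($_.Exception); exit 90 }

function reboot ($isUpgrade) {
    if ($isUpgrade) {
        Write-Host "Finalizing OS Upgrade"
        $arguments = "/Update", "/Finalize"
        # The recursive search can match more than one file; use the most recently written copy.
        $patchPath = Get-ChildItem C:\WINDOWS\SoftwareDistribution -Filter WindowsUpdateBox.exe -Recurse |
            Sort-Object LastWriteTime -Descending |
            Select-Object -First 1 -ExpandProperty FullName

        if (-not $patchPath) {
            # Nothing to run: raise a terminating error so the trap reports it and exits 90.
            throw "WindowsUpdateBox.exe not found under C:\WINDOWS\SoftwareDistribution"
        }

        & "$patchPath" $arguments
    }
    else {
        Write-Host "No Upgrade Staged"
        exit 0
    }
}

if (Test-Path $($env:SystemDrive + '\$WINDOWS.~BT\Sources')) {
    # $WINDOWS.~BT is only present when an OS Upgrade is staged. In order for the upgrade to apply on reboot,
    # this command needs to be executed, which will finalize a bunch of settings and then reboot the machine
    # to apply the update.
    reboot $true
}
else {
    reboot $false
}
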
2 Likes
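
The remediation above runs, with the agent's privileges, whatever WindowsUpdateBox.exe the recursive search returns. The following is an added example, not Automox's code, that checks the Authenticode signature before the file is launched; the function name `Get-VerifiedUpdateBox` is hypothetical, and it assumes the staged binary is signed by Microsoft Corporation.

```powershell
# Added example (not part of the original worklet).
# Assumption: a genuine staged WindowsUpdateBox.exe carries a valid Microsoft signature.
function Get-VerifiedUpdateBox {
    param(
        [string]$SearchRoot = (Join-Path $env:SystemRoot 'SoftwareDistribution')
    )

    # The recursive search can return zero, one or several copies.
    $candidates = @(Get-ChildItem -Path $SearchRoot -Filter 'WindowsUpdateBox.exe' -Recurse -File -ErrorAction SilentlyContinue)
    if ($candidates.Count -eq 0) {
        throw "No WindowsUpdateBox.exe found under $SearchRoot"
    }

    # Keep only files whose signature validates and whose signer is Microsoft.
    $trusted = foreach ($file in $candidates) {
        $sig = Get-AuthenticodeSignature -FilePath $file.FullName
        if ($sig.Status -eq 'Valid' -and $sig.SignerCertificate.Subject -match 'O=Microsoft Corporation') {
            $file
        }
        else {
            Write-Warning "Skipping $($file.FullName): signature status $($sig.Status)"
        }
    }
    if (-not $trusted) {
        throw "No validly signed WindowsUpdateBox.exe found under $SearchRoot"
    }

    # When several copies pass, use the most recently written one.
    ($trusted | Sort-Object LastWriteTime -Descending | Select-Object -First 1).FullName
}

if (Test-Path (Join-Path $env:SystemDrive '$WINDOWS.~BT\Sources')) {
    $patchPath = Get-VerifiedUpdateBox
    Write-Host "Verified finalization binary: $patchPath"
    # The worklet's own call would follow here: & $patchPath '/Update' '/Finalize'
}
else {
    Write-Host 'No Upgrade Staged'
}
```

Used inside the worklet, a `throw` from this function is caught by the existing `trap` and surfaces as exit code 90.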

Thanks - I did wonder why I had to manually update devices to 20H2.

Is there a way to filter on devices that have staged updates pending?

At this time, there is not a filter specifically for identifying devices with staged upgrades.

The Evaluation code block above is a pretty good indicator that an upgrade is staged. If the $WINDOWS.~BT directory exists, an upgrade was attempted. It is either sitting and waiting for completion, or the upgrade attempt failed and the files there provide information on what caused the error.

That’s interesting - I’m sure I recall (back in the old days) that Automox put up a banner at the top of the dashboard which allowed you to see all devices that had not yet been patched to remediate a particular zero day exploit.

When exactly is the upgrade staged? I haven’t had any luck getting this to work. It either shows an error message or it says there are no upgrades staged.

Hi @JustinS, this is a worklet that you would run in addition to a Feature Update installed as a patch from Automox. By itself, it does not install or stage the upgrade. It is meant to complete a staged update to 2004 or 20H2 that installed and needs to complete the installation which normally would be handled with a reboot from Automox.

Hello Rob,

I am curious if there was an error in the upgrade after the reboot. Upgrades to 2004 and 20H2 should automatically run SetupDiag if there is an error. Can you verify if this key exists?
HKEY_LOCAL_MACHINE\SYSTEM\Setup\SetupDiag

If that key exists, please take a look at the following article: https://docs.microsoft.com/en-us/windows/deployment/upgrade/setupdiag#setupdiag-in-windows-10-version-2004-and-later
You can also check the logs in Panther directory to see what happened (https://docs.microsoft.com/en-us/windows/deployment/upgrade/troubleshoot-upgrade-errors and additional detail in the article above)

Please let me know what you find.

Best regards,

1 Like
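
The checks discussed in the replies above (the $WINDOWS.~BT directory, the SetupDiag registry key and the Panther logs) can be combined into one triage report per device. This is an added example, not Automox's code; the function name, the state labels and the `Panther\setuperr.log` location under `$WINDOWS.~BT\Sources` are assumptions.

```powershell
# Added example (not part of the original thread).
# Reports whether an upgrade is staged and whether Setup left failure evidence behind.
function Get-FeatureUpdateState {
    $btSources = Join-Path $env:SystemDrive '$WINDOWS.~BT\Sources'
    $setupDiag = 'HKLM:\SYSTEM\Setup\SetupDiag'                # key named in the reply above
    $setupErr  = Join-Path $btSources 'Panther\setuperr.log'   # assumed Panther log location

    $staged  = Test-Path -LiteralPath $btSources
    $hasDiag = Test-Path -LiteralPath $setupDiag

    # The error log can be present and empty, so read its content rather than test for the file.
    $errLines = @()
    if (Test-Path -LiteralPath $setupErr) {
        $errLines = @(Get-Content -LiteralPath $setupErr -Tail 5 -ErrorAction SilentlyContinue)
    }

    # The directory alone does not separate "waiting for finalization" from "attempt failed";
    # the SetupDiag key is the extra signal that Setup hit an error and ran diagnostics.
    if (-not $staged) {
        $state = 'NotStaged'
    }
    elseif ($hasDiag) {
        $state = 'StagedSetupDiagRan'
    }
    else {
        $state = 'StagedPending'
    }

    [pscustomobject]@{
        Computer          = $env:COMPUTERNAME
        State             = $state
        SetupDiagKey      = $hasDiag
        RecentSetupErrors = $errLines
    }
}

Get-FeatureUpdateState | Format-List
```

A device reporting `StagedSetupDiagRan` is one to investigate with the linked SetupDiag article before running the finalization worklet again.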

Hi David, yes that key exists.
I’ve just realised it might be our devices, being on 1909 we’re still having the safeguard due to https://support.microsoft.com/en-us/help/4592819/error-when-plugging-in-a-thunderbolt-nvme-ssd

Hi David,
Figured out the issue, due to an MS prevention on certain hardware which is now resolved.

Also, for this finalisation, it seems to automatically restart the device to apply the update - is this normal I take it?
If I am using ‘automox reboots’ as part of other patch policies can I ignore this?

I am glad MS resolved the hardware block!

Yes, if you are using the Automox reboots, your device will properly finalize the upgrades when next run. Just be aware that it will not complete the upgrade until the “Automox reboot” runs.

It may be worth a review through the upgrade logic. If you do stage an upgrade, and the reboot flag is cleared, it will run the standard patch policy and only reboot if the patches require a reboot. IMO, I would rather not patch again on an older OS version when I will be upgrading at reboot… so a reboot following the upgrade installation is a pretty good idea when possible.

1 Like