Upgrade Windows 10 endpoints to the 22H2 feature update silently using the Microsoft Windows Update Assistant
This Automox Worklet™ performs an in-place feature update from earlier Windows 10 releases to 22H2 (build 10.0.19045), the final servicing version of Windows 10. The Worklet detects the current release on each endpoint, sets the Windows Update Group Policy keys that pin the target version, and invokes the Microsoft Windows Update Assistant silently to cache and install the 22H2 package.
Windows 10 reaches end of support on October 14, 2025. After that date, Microsoft stops shipping security patches and quality fixes to Home, Pro, Enterprise, and Education editions. Consolidating endpoints on 22H2 is the prerequisite for either an Extended Security Updates (ESU) subscription or an in-place migration to Windows 11 23H2 / 24H2 once hardware passes the TPM 2.0 and CPU compatibility gates.
The Worklet writes three values under HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate: TargetReleaseVersion (DWORD = 1) to enable the pin, TargetReleaseVersionInfo (REG_SZ = 22H2) to name the target, and DisableWUfBSafeguards (DWORD = 1) to bypass the Windows Update for Business safeguard holds that otherwise block known-issue rollouts. These keys persist after the update completes, so the endpoint stays anchored to 22H2 instead of drifting to a newer Windows release.
Remediation downloads the Windows Update Assistant (Win10Upgrade.exe) directly from go.microsoft.com using System.Net.WebClient. If the endpoint has TLS 1.2 disabled, the script enables [Net.SecurityProtocolType]::Tls12 and retries. The Assistant runs with /auto upgrade /dynamicupdate /compat ignorewarning enable /skipeula /quietinstall, which suppresses user prompts and lets the Worklet reboot the endpoint when caching finishes.
Windows 10 21H2, 21H1, 20H2, and 2004 are already past their end-of-service dates. Endpoints stuck on those releases stop receiving monthly cumulative updates and accumulate unpatched CVEs. That posture fails PCI-DSS Requirement 6.3.3 for timely patching of critical vulnerabilities, HIPAA 164.308(a)(1)(ii)(B) for risk management, and CIS Critical Security Control 7 for continuous vulnerability management. Auditors flag mixed-version Windows 10 fleets every cycle, and the finding is hard to remediate at the keyboard one machine at a time.
22H2 also unlocks the KB5015684 enablement package path on endpoints already at 21H2, which flips the build identifier without a full feature update payload. For older releases the Windows Update Assistant carries the full 4 GB+ image. Either way, the destination is the same: every Windows 10 endpoint reporting 10.0.19045 and receiving Microsoft security patches through the EOL date or any subsequent ESU window.
Windows 10 22H2 is the terminal feature update before the October 2025 end-of-support deadline, and any endpoint still on 21H2 or earlier loses security updates the moment the calendar turns. This Worklet pins TargetReleaseVersion under HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate, drives the Windows Update Assistant when the in-place upgrade is needed, and reports compliance back to the Automox console. The Windows 10 sunset becomes a scheduled policy run rather than a building-by-building deskside visit.
Evaluation phase: The Worklet calls Get-CimInstance Win32_OperatingSystem and reads the Caption and Version properties. If Caption contains "Windows 11", the endpoint exits 0 as compliant. Otherwise it compares Version against the target build 10.0.19045. Endpoints already at 22H2 exit 0; every other Windows 10 build (19044 = 21H2, 19043 = 21H1, 19042 = 20H2, 19041 = 2004, and earlier) exits 1 and is queued for remediation.
Remediation phase: Remediation writes TargetReleaseVersion, TargetReleaseVersionInfo, and DisableWUfBSafeguards under HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate, creates C:\Win10UpgradeTemp and C:\Win10UpgradeTemp\Logs, and downloads Win10Upgrade.exe from https://go.microsoft.com/fwlink/?LinkID=799445. The script enables TLS 1.2 on the fly if the initial WebClient call hits a "Could not create SSL/TLS secure channel" error, then launches the Assistant with Start-Process and the silent argument list. Caching typically runs one to two hours; the Assistant reboots the endpoint automatically once the payload is staged.
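The remediation steps above, sketched in PowerShell as an added example; this is not the Worklet's own code. The paths, URL, registry values and Assistant arguments are copied from this page, and the Authenticode check before launch is an added hardening step that assumes the binary is signed with a certificate whose subject contains O=Microsoft Corporation.

```powershell
#Requires -RunAsAdministrator
$ErrorActionPreference = 'Stop'

$policyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
$workDir   = 'C:\Win10UpgradeTemp'
$exePath   = Join-Path $workDir 'Win10Upgrade.exe'
$url       = 'https://go.microsoft.com/fwlink/?LinkID=799445'

# Pin the target release with the three values listed on the page.
if (-not (Test-Path $policyKey)) { New-Item -Path $policyKey -Force | Out-Null }
Set-ItemProperty -Path $policyKey -Name TargetReleaseVersion     -Value 1      -Type DWord
Set-ItemProperty -Path $policyKey -Name TargetReleaseVersionInfo -Value '22H2' -Type String
Set-ItemProperty -Path $policyKey -Name DisableWUfBSafeguards    -Value 1      -Type DWord

# Create the working directory and its Logs subdirectory in one call.
New-Item -ItemType Directory -Path (Join-Path $workDir 'Logs') -Force | Out-Null

# Download; on a secure-channel failure add TLS 1.2 to the enabled protocols and retry once.
$client = New-Object System.Net.WebClient
try {
    $client.DownloadFile($url, $exePath)
} catch {
    if ($_.Exception.Message -notmatch 'SSL/TLS secure channel') { throw }
    [Net.ServicePointManager]::SecurityProtocol =
        [Net.ServicePointManager]::SecurityProtocol -bor [Net.SecurityProtocolType]::Tls12
    $client.DownloadFile($url, $exePath)
} finally {
    $client.Dispose()
}

# Added check (not described on the page): refuse to run an unsigned or
# unexpectedly signed binary. The publisher string is an assumption.
$sig = Get-AuthenticodeSignature -FilePath $exePath
if ($sig.Status -ne 'Valid' -or $sig.SignerCertificate.Subject -notmatch 'O=Microsoft Corporation') {
    Remove-Item -Path $exePath -Force
    throw "Refusing to run ${exePath}: signature status $($sig.Status)"
}

# Silent argument list exactly as given on the page.
$assistantArgs = '/auto upgrade /dynamicupdate /compat ignorewarning enable /skipeula /quietinstall'
Start-Process -FilePath $exePath -ArgumentList $assistantArgs
```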
Windows 10 endpoint on a build older than 10.0.19045 (Worklet exits compliant on Windows 11 and on 22H2)
Approximately 12 GB of free disk space on C: for the cached feature update payload and Windows Update Assistant logs
Outbound HTTPS reachability to go.microsoft.com and the Windows Update content delivery network
TLS 1.2 available (the remediation script enables it via [Net.ServicePointManager]::SecurityProtocol when the initial download fails)
Local administrator rights for the Automox agent context – required to write HKLM:\SOFTWARE\Policies and to start the Windows Update Assistant elevated
Automox install and reboot notifications set to off – the Windows Update Assistant owns user messaging and the reboot countdown
No conflicting WSUS or Windows Update for Business policy pinning a different TargetReleaseVersion; if one exists, this Worklet's value will be overwritten on the next gpupdate
Once the Windows Update Assistant completes its caching and reboot cycle, Get-CimInstance Win32_OperatingSystem returns Version 10.0.19045 and the Caption still reads "Microsoft Windows 10". The endpoint passes through a short Out-of-Box Experience (OOBE) finalization screen on first boot, then returns to the lock screen. winver.exe reports Version 22H2 (OS Build 19045.x), and the registry retains TargetReleaseVersionInfo = 22H2 so subsequent feature updates stay blocked until the pin is intentionally cleared.
Validate with three concrete checks. Run [System.Environment]::OSVersion.Version and confirm Build = 19045. Inspect the pinned policy with Get-ItemProperty -Path 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate' and confirm TargetReleaseVersion = 1 and TargetReleaseVersionInfo = 22H2. Trigger a check with UsoClient.exe StartScan (or StartDownload / StartInstall on managed endpoints) and watch %WINDIR%\SoftwareDistribution\ReportingEvents.log for the scan result – a healthy 22H2 endpoint reports no available feature updates, only monthly cumulative ones.
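The evaluation comparison and the first two validation checks combined into one script, as an added example rather than the Worklet's own evaluation code. The build-to-release map comes from the evaluation description above; the property names on the output object are illustrative.

```powershell
$targetVersion = [version]'10.0.19045'
$policyKey     = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'

# Build numbers and release names as listed in the evaluation phase.
$releases = @{ 19045 = '22H2'; 19044 = '21H2'; 19043 = '21H1'; 19042 = '20H2'; 19041 = '2004' }

$os      = Get-CimInstance -ClassName Win32_OperatingSystem
$version = [version]$os.Version   # compare as a version object, not as a string
$policy  = Get-ItemProperty -Path $policyKey -ErrorAction SilentlyContinue

$state = [pscustomobject]@{
    Caption       = $os.Caption
    Version       = $version
    Release       = if ($releases.ContainsKey($version.Build)) { $releases[$version.Build] } else { 'other' }
    IsWindows11   = $os.Caption -like '*Windows 11*'
    AtTarget      = $version -eq $targetVersion
    PinEnabled    = $policy.TargetReleaseVersion -eq 1
    PinTarget     = $policy.TargetReleaseVersionInfo
    SafeguardsOff = $policy.DisableWUfBSafeguards -eq 1
}
$state | Format-List

# The pin persists after the upgrade, so a missing or altered pin on a 22H2
# endpoint means another policy source has overwritten it.
if ($state.AtTarget -and -not ($state.PinEnabled -and $state.PinTarget -eq '22H2')) {
    Write-Warning 'Build is 19045 but the 22H2 pin is missing or has been overwritten.'
}
# DisableWUfBSafeguards also persists; surface it so the bypass is a known state.
if ($state.SafeguardsOff) {
    Write-Warning 'Windows Update for Business safeguard holds remain bypassed on this endpoint.'
}

# Same exit convention as the evaluation phase: 0 = compliant, 1 = needs remediation.
if ($state.IsWindows11 -or $state.AtTarget) { exit 0 } else { exit 1 }
```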
The Automox activity log will not always show the remediation run as completed, because the final installation stage requires a reboot that ends the agent session. The next scheduled evaluation closes the loop: when it detects 10.0.19045, the endpoint is marked compliant and the policy stops triggering remediation. For pilot rings, schedule the Worklet against a small group, validate via winver and the registry, then widen the deployment across the rest of the Windows 10 fleet ahead of the October 14, 2025 end-of-support date.


Consider Worklets your easy button
A Worklet is an automation script, written in Bash or PowerShell, designed for seamless execution on endpoints – at scale – within the Automox platform. Worklets deploy named-CVE mitigations within hours of disclosure, perform configuration, remediation, and install or remove applications and settings across Windows, macOS, and Linux.
