
Deploy Windows 11 Feature Updates via WUA Silently

Perform an in-place Windows 11 feature update by invoking the Windows Installation Assistant silently across endpoints

Worklet Details

What the Windows 11 feature update Worklet does

This Automox Worklet™ performs an in-place feature update on Windows 11 endpoints by invoking the Windows Installation Assistant in silent mode. The Worklet downloads the current Installation Assistant binary from Microsoft, executes it with /QuietInstall, /SkipEULA, and /NoRestartUI switches, and waits for the upgrade to stage to the SoftwareDistribution\Download folder. After staging completes, the endpoint boots into the new feature update at the next scheduled reboot or at the time the maintenance-window reboot policy fires.

The script reads two parameters from the policy. The first, InstallerURL, is the Microsoft download URL for the Installation Assistant binary; the default points to the current production endpoint, and you can override it for a specific build. The second, StagingDir, controls where the binary is downloaded before execution; the default is C:\Windows\Temp\WIN11_FUA. The script verifies the downloaded binary's digital signature with Get-AuthenticodeSignature before running it, so a hijacked InstallerURL parameter cannot push an unsigned executable through this Worklet.

Evaluation reads the HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion key and compares its DisplayVersion value against the target build before the Installation Assistant runs, so endpoints already running the target Windows 11 release pass with exit code 0 and remediation is skipped. Endpoints running an older Windows 11 build are flagged, the upgrade runs through the Installation Assistant, and the next evaluation after the reboot confirms the new build number in the activity log.

Why deploy Windows 11 feature updates this way

Windows 11 feature updates ship through Windows Update, but the default user prompt is easy to defer. A laptop user clicks "later tonight" once, then never sees the prompt again until the build it had pending is superseded by a newer one. The deferral pattern compounds: the security team's compliance dashboard fills with endpoints stuck on a feature update Microsoft retired months ago, and the next round of security baselines arrives before the previous wave of upgrades has even completed.

Windows 11 feature updates carry the same security baseline as the build the security team has approved, but the in-product deferral path lets an end user push the upgrade out indefinitely. This Worklet invokes the Windows Installation Assistant from the Automox SYSTEM context with /QuietInstall, /SkipEULA, and /Auto Upgrade switches, bypassing the user-deferral surface so the staged upgrade actually lands on the approved build. Pair this Worklet with a maintenance-window reboot policy so the upgrade completes during the approved window instead of waiting for the user's next reboot.

How the Windows 11 feature update deployment works

  1. Evaluation phase: The Worklet runs (Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion').DisplayVersion to read the current Windows 11 feature release (24H2, 25H2, etc.) and compares it to the target. It also checks Test-Path C:\Windows\Temp\WIN11_FUA\Windows11InstallationAssistant.exe to see if a previous run staged the binary. If the endpoint is below target and no in-progress upgrade is staged, the endpoint is flagged for remediation.

  2. Remediation phase: The remediation script downloads the Installation Assistant binary from InstallerURL into StagingDir using Invoke-WebRequest, verifies the signature with Get-AuthenticodeSignature, and runs Start-Process with arguments /QuietInstall, /SkipEULA, /NoRestartUI, and /Auto Upgrade. The script captures the Installation Assistant exit code, writes the activity log entry with the result, and exits 0 if the upgrade staged successfully or non-zero with the Installation Assistant exit code in stderr on failure.
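The remediation flow above, sketched as an added example (not the Worklet's own code). The InstallerURL value is a placeholder, and the signer check on the certificate subject is an assumption added here: a Status of Valid only proves the file is intact and signed by some trusted publisher, not that the publisher is Microsoft.

```powershell
# Added example, not the Worklet's own script. Placeholder values are marked.
$InstallerURL = 'https://mirror.example.invalid/Windows11InstallationAssistant.exe'  # placeholder; supply the policy's InstallerURL
$StagingDir   = 'C:\Windows\Temp\WIN11_FUA'                                          # default StagingDir from the page
$Installer    = Join-Path $StagingDir 'Windows11InstallationAssistant.exe'

function Test-InstallerSignature {
    param([Parameter(Mandatory)][string]$Path)
    $sig = Get-AuthenticodeSignature -FilePath $Path
    # 'Valid' = file hash matches the signature and the chain is trusted.
    # NotSigned, HashMismatch, NotTrusted, etc. all fail here.
    if ($sig.Status -ne 'Valid') { return $false }
    # Assumed extra check: pin the signing organization, so a validly signed
    # binary from an unrelated publisher is rejected as well.
    return $sig.SignerCertificate.Subject -match '(^|,\s*)O=Microsoft Corporation(,|$)'
}

try {
    New-Item -ItemType Directory -Path $StagingDir -Force | Out-Null
    Invoke-WebRequest -Uri $InstallerURL -OutFile $Installer -UseBasicParsing -ErrorAction Stop

    if (-not (Test-InstallerSignature -Path $Installer)) {
        # Delete the rejected file: the evaluation phase uses Test-Path on this
        # location to decide whether an upgrade is already staged.
        Remove-Item -Path $Installer -Force -ErrorAction SilentlyContinue
        throw "Signature check failed for $Installer; file removed, nothing executed."
    }

    # Switches as listed in the remediation phase description.
    $proc = Start-Process -FilePath $Installer -Wait -PassThru `
        -ArgumentList '/QuietInstall', '/SkipEULA', '/NoRestartUI', '/Auto Upgrade'

    if ($proc.ExitCode -ne 0) {
        [Console]::Error.WriteLine("Installation Assistant exit code: $($proc.ExitCode)")
        exit $proc.ExitCode
    }
    Write-Output 'Upgrade staged; it completes at the next reboot.'
    exit 0
}
catch {
    [Console]::Error.WriteLine($_.Exception.Message)
    exit 1
}
```

If InstallerURL is overridden to an internal mirror, the signature gate is the only control between that mirror and SYSTEM-level execution, so log the signer subject and status alongside the exit code for audit.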

Windows 11 feature update requirements

  • Windows 11 endpoint that meets the published hardware requirements for the target feature release (TPM 2.0, Secure Boot, supported CPU, sufficient free disk space)

  • Local administrator or SYSTEM privileges for the Automox agent (the default agent context satisfies this) so the script can invoke the Installation Assistant and write to C:\Windows\Temp

  • Outbound network access from the endpoint to download.microsoft.com so the Installation Assistant binary can be retrieved; pre-stage the binary on an internal mirror for air-gapped or bandwidth-constrained sites

  • At least 10 GB free space on the system drive for the Installation Assistant download and the staged upgrade payload

  • A companion maintenance-window reboot policy that runs after this Worklet so the staged upgrade lands during an approved window rather than at the next ad-hoc user reboot

Expected Windows 11 state after the upgrade lands

After the staged upgrade completes at the next reboot, (Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion').DisplayVersion reports the target feature release. The endpoint's installed software inventory survives the upgrade; the user's profile, browser state, and desktop shortcuts are preserved. Subsequent Automox policy runs report the endpoint as compliant unless Microsoft has published an even newer feature release since the policy ran.

Validate on a single Windows 11 endpoint by capturing DisplayVersion before the policy, running the Worklet, scheduling the maintenance-window reboot, and confirming DisplayVersion advances to the target. For audit evidence, export the Worklet's activity log entry showing the Installation Assistant exit code and pair it with the post-reboot version capture. Endpoints that stage the upgrade but never finalize it almost always have a pending update conflict (Get-WindowsUpdateLog will show the blocking KB); resolve that conflict before rerunning the Worklet to avoid stacking staged upgrades.


Consider Worklets your easy button

What's a Worklet?

A Worklet is an automation script, written in Bash or PowerShell, designed for seamless execution on endpoints – at scale – within the Automox platform. Worklets deploy named-CVE mitigations within hours of disclosure, perform configuration, remediation, and install or remove applications and settings across Windows, macOS, and Linux.
