Feature Updates
Manage Windows feature updates (major version upgrades) across your device fleet through Microsoft Intune. Control which versions are deployed, schedule rollouts, and monitor upgrade compliance.
Note: Feature update policies keep devices on a specific Windows version or allow upgrade to a target version. Requires Windows 10/11 Pro, Enterprise, or Education.
Current Version Distribution
Windows 11 Versions
- 23H2 (Latest) — 2,456 (47%)
- 22H2 — 1,234 (24%)
- 21H2 (End of Service) — 234 (4%)
Windows 10 Versions
- 22H2 — 1,089 (21%)
- 21H2 (End of Service) — 156 (3%)
- Older (Unsupported) — 65 (1%)
Feature Update Policies
Configure policies to control which Windows version devices should run:
| Policy Name | Target Version | Assigned Devices | Compliant | Status |
|---|---|---|---|---|
| Windows 11 23H2 - All Users | Windows 11 23H2 | 3,500 | 2,456 (70%) | Active |
| Windows 10 22H2 - Legacy Apps | Windows 10 22H2 | 500 | 489 (98%) | Active |
| Windows 11 22H2 - Finance | Windows 11 22H2 | 234 | 234 (100%) | Paused |
Create Feature Update Policy
- Policy Name — Give the policy a descriptive name (e.g., “Windows 11 23H2 Rollout”)
- Target Feature Update — Select the target version (Windows 11 23H2, Windows 11 22H2, Windows 10 22H2). Devices will be upgraded to this version and held there.
- Rollout Start Date — When to begin offering the update
- Gradual Rollout End Date — When all devices should have the update
- Override safeguard holds — Make update available immediately regardless of holds (optional, use with caution)
Deployment Rings
Use deployment rings for staged rollout of feature updates:
- Preview — IT team and early adopters (50 devices, immediate deployment, 100% complete)
- Pilot — Representative sample from each department (500 devices, 7 days after Preview, 75% complete)
- Broad — All remaining devices (4,000 devices, 14 days after Pilot, 25% complete)
Safeguard Holds
Microsoft may place safeguard holds on devices that could experience issues with a feature update:
- Safeguard ID: 41991278 — Compatibility issue with Intel SST audio drivers (156 devices). Resolution: Update Intel Smart Sound Technology driver to version 10.30.00.5714 or later.
- Safeguard ID: 42156890 — Incompatible security software detected (89 devices). Resolution: Update third-party antivirus to compatible version.
Note: Safeguard holds are automatically released when Microsoft determines the issue is resolved. You can override holds if necessary, but this may cause upgrade failures.
Readiness Reports
- 3,245 Ready to Upgrade (No known issues)
- 456 Action Needed (App/driver issues)
- 123 Not Capable (Hardware limitations)
Common Blockers:
- TPM 2.0 not detected — 89 devices
- Insufficient disk space (less than 64GB) — 156 devices
- Incompatible app: LegacyApp v2.1 — 234 devices
- Secure Boot disabled — 67 devices
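A local check for three of the blockers above (TPM 2.0, system disk size, Secure Boot), as an added example that is not part of the product described on this page. The function name `Test-FeatureUpdateBlockers` is hypothetical, and the 64GB threshold is assumed to apply to the total capacity of the system drive; the app-compatibility blocker is not covered.

```powershell
#Requires -RunAsAdministrator
# Added example: reports which of the hardware/firmware blockers listed above
# apply to the local device. Run from an elevated PowerShell session.
function Test-FeatureUpdateBlockers {
    [CmdletBinding()]
    param(
        # Assumption: the 64GB threshold is compared against total system-drive capacity.
        [int]$MinDiskGB = 64
    )

    $blockers = [System.Collections.Generic.List[string]]::new()

    # TPM: Win32_Tpm.SpecVersion looks like "2.0, 0, 1.59"; the leading field is the spec version.
    $tpm = Get-CimInstance -Namespace 'root\cimv2\Security\MicrosoftTpm' `
                           -ClassName Win32_Tpm -ErrorAction SilentlyContinue
    $tpmMajor = 0
    if ($tpm -and $tpm.SpecVersion -match '^\s*(\d+)\.') { $tpmMajor = [int]$Matches[1] }
    if ($tpmMajor -lt 2) { $blockers.Add('TPM 2.0 not detected') }

    # Secure Boot: the cmdlet returns $true/$false on UEFI systems and
    # raises an error on legacy BIOS firmware, which is treated as "not enabled".
    try   { $secureBoot = [bool](Confirm-SecureBootUEFI -ErrorAction Stop) }
    catch { $secureBoot = $false }
    if (-not $secureBoot) { $blockers.Add('Secure Boot disabled') }

    # Disk: Size is in bytes; 1GB in PowerShell is 2^30 bytes.
    $disk   = Get-CimInstance -ClassName Win32_LogicalDisk `
                              -Filter "DeviceID='$($env:SystemDrive)'"
    $diskGB = [math]::Round($disk.Size / 1GB, 1)
    if ($diskGB -lt $MinDiskGB) {
        $blockers.Add("Insufficient disk space ($diskGB GB total, threshold $MinDiskGB GB)")
    }

    [pscustomobject]@{
        ComputerName = $env:COMPUTERNAME
        TpmSpecMajor = $tpmMajor
        SecureBoot   = $secureBoot
        SystemDiskGB = $diskGB
        Blockers     = $blockers.ToArray()
        Ready        = ($blockers.Count -eq 0)
    }
}

Test-FeatureUpdateBlockers | Format-List
```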
Rollback Options
If a feature update causes issues, users can roll back within the recovery window:
- Recovery Window — Default: 10 days (configurable 2-60 days). After this period, rollback requires reinstall.
- Uninstall Command — Settings > Recovery > Go back, or remote command via Intune.
Best Practices
- Use deployment rings — Roll out to preview, then pilot, then broad to catch issues early.
- Check readiness reports before deployment — Address app and driver compatibility issues proactively.
- Respect safeguard holds — Don’t override holds without understanding the risk.
- Extend rollback window for large rollouts — Consider 30+ days for organization-wide feature updates.
API Reference
- GET /api/devices/feature-updates — List feature update policies
- POST /api/devices/feature-updates — Create feature update policy
- GET /api/devices/feature-updates/readiness — Get upgrade readiness report
- GET /api/devices/feature-updates/safeguards — Get active safeguard holds
- POST /api/devices/:id/rollback-feature-update — Initiate feature update rollback