This Library Item is available for Windows devices.
The Windows Update Library Item lets you manage Windows Update settings and the end-user update experience on Windows devices. Control how and when updates are offered, set active hours to avoid disruptive restarts, and limit what users can do from the Windows Update UI.
For detailed technical background on each setting, refer to Microsoft’s official Update Policy CSP documentation.

Create a Windows Update Library Item

To add this Library Item to your Iru Endpoint Library, follow the steps in the Library Overview article.
1. Navigate to Library: Navigate to the Library and select Add Library Item.
2. Select Windows Update: Search for and select Windows Update.
3. Name the Library Item: Give the Library Item a Name.
4. Assign to Blueprints: Assign the profile to one or more Blueprints. You can use Assignment Maps within Blueprints for conditional logic if needed.

Settings

The following settings are available for Windows Update.

Manage updates offered from Windows Update

Allow optional content

Controls whether devices receive optional updates and gradual rollouts (controlled feature rollouts, or CFRs) in addition to required updates. Options:
  • Don’t receive optional updates
  • Automatically receive optional updates (including CFRs)
  • Automatically receive optional updates only
  • Users can select optional updates

Manage end-user experience

Allow auto update

Controls how updates are installed: notify only, auto install, or auto install and restart. Options:
  • Notify the user before downloading the update
  • Auto install and then notify the user to schedule a restart
  • Auto install and restart (default)
  • Auto install and restart at a scheduled time
  • Allow the local administrator to choose the setting
  • Turn off automatic updates

Active hours start

Start of the active hours window (hour 0–23). Windows avoids restarting the device for updates during this time.

Active hours end

End of the active hours window (hour 0–23). Restarts can occur after this hour.

Set disable pause UX access

Controls whether users can pause updates from the Windows Update UI. Options: Users can pause updates, or Remove the pause option from the device UI. Choose the latter to prevent users from stalling updates.

Manage preview builds

Controls whether the device can receive Windows Insider Preview builds. Options:
  • Disable Preview builds
  • Disable Preview builds once the next release is public
  • Enable Preview builds
  • Preview builds are left to user selection

Update notification level

Controls which update notifications users see: default, hide all except restart warnings, or hide all including restart warnings. Options:
  • Use the default Windows Update notifications
  • Disable restart notifications for updates (excludes restart warnings)
  • Disable all notifications for updates (includes restart warnings)

Advanced settings

These settings appear in an expandable section of the Library Item. They are not configured by default and are for admins who need more control over update behavior.
  • Allow non-Microsoft signed update: Lets the device accept updates signed by someone other than Microsoft when using an intranet update service (for example, WSUS for third-party patches).
  • Automatic maintenance wake up: Allows Automatic Maintenance to wake the device for its daily scheduled maintenance if needed.
  • Disable WUfB safeguards: WUfB is Windows Update for Business. When enabled, devices skip Microsoft safeguard holds that block upgrades when known compatibility issues exist. Use only for validation; it can lead to poor upgrade experiences.
  • Exclude WU drivers in quality update: Excludes driver updates from Windows quality updates. Use if you manage drivers separately.
  • Active hours max range: Maximum number of hours (8–18) that users can set for their active hours window, starting from the active hours start time.
  • Allow auto Windows Update download over metered network: Allows Windows Update to download updates over metered (for example, cellular) connections. May incur data charges.
  • Allow MU update service: Controls whether the device scans for app and other Microsoft product updates via Microsoft Update.
  • Allow temporary enterprise feature control: When allowed, features delivered in monthly quality updates (servicing) are turned on before the next feature update. When disabled, those features stay off until the feature update that includes them.
  • Configure feature update uninstall period: Number of days (2–60) that users can uninstall a feature update after it is installed.
  • No update notifications during active hours: Reduces or turns off Windows Update notifications during active hours (optionally excluding restart warnings). Notifications can still appear after the deadline if configured.
  • Scheduled install day: Day of the week (or every day) when updates are installed. Only applies when Allow auto update is set to Auto install and restart at a scheduled time or Allow the local administrator to choose the setting. Options: Every day, Sunday, Monday, Tuesday, Wednesday, Thursday, Friday, Saturday.
  • Scheduled install every week: When enabled, updates are scheduled every week. Only applies when Allow auto update is set to Auto install and restart at a scheduled time or Allow the local administrator to choose the setting.
  • Scheduled install first week: Schedule install during the first week of the month (days 1–7). Use with Scheduled install day for a specific weekday (for example, first Tuesday).
  • Scheduled install second week: Schedule install during the second week of the month (days 8–14). Use with Scheduled install day for a specific weekday.
  • Scheduled install third week: Schedule install during the third week of the month (days 15–21). Use with Scheduled install day for a specific weekday.
  • Scheduled install fourth week: Schedule install during the fourth week of the month (days 22–31). Use with Scheduled install day for a specific weekday.
  • Scheduled install time: Hour of the day (0–23) when scheduled updates install. There is about a 30-minute window. Only applies when Allow auto update is set to Auto install and restart at a scheduled time or Allow the local administrator to choose the setting.
  • Set disable UX WU access: When enabled, users cannot scan, download, or install updates from the Windows Update settings UI.
  • Set EDU restart: Allows the device to automatically restart outside active hours to finish updates. Intended for Education (EDU) scenarios.
  • Allow update service: When using an intranet update service, this controls whether the device can still use Microsoft Update, WSUS, or Microsoft Store. Disabling can break Store and other public services.
  • Detection frequency: How many hours Windows waits before checking for updates, plus a 0–4 hour random offset. Only applies when using a WSUS server. Range: 1–22 hours.
  • Do not enforce enterprise TLS cert pinning for update detection: When enabled, the Windows Update client does not enforce TLS certificate pinning for update detection. Microsoft recommends keeping TLS pinning enabled for WSUS environments.
  • Fill empty content URLs: Lets Windows Update Agent determine download URLs when metadata does not include them. Use when working with an alternate download server or ISV cache that does not populate all content URLs.
  • Set policy driven update source for driver updates: Chooses whether driver updates come from Windows Update or your WSUS server. Requires Update service URL to be set.
  • Set policy driven update source for feature updates: Chooses whether feature updates come from Windows Update or your WSUS server. Requires Update service URL to be set.
  • Set policy driven update source for other updates: Chooses whether other updates come from Windows Update or your WSUS server. Requires Update service URL to be set.
  • Set policy driven update source for quality updates: Chooses whether quality updates come from Windows Update or your WSUS server. Requires Update service URL to be set.
  • Set proxy behavior for update detection: Allows using the user proxy as a fallback when detecting updates with an HTTP WSUS server. Using the user proxy can reduce security; prefer system proxy when possible.
  • Update service URL: URL of your WSUS server so devices check for updates there instead of Microsoft Update (for example, https://server:8531 or http://server:8530). Per-type update source settings require this field to be configured before they take effect.
  • Update service URL alternate: Alternate intranet server for update detection, download, or statistics reporting. Use this to specify a secondary download server or redirect reporting traffic separately from the main WSUS server.

Considerations

  • When settings are left as “Not configured,” they do not override the local device configuration.
  • When you disable access to the Windows Update UI (Set disable UX WU access), users cannot manually check for updates. Ensure your update policies apply to all relevant devices before you enable this.
  • Set active hours to match your organization’s work schedule so restarts do not disrupt users during the day.
  • For per-type source settings (feature, quality, driver, other), Update service URL must be configured before they take effect.
  • Disabling Allow update service can break Microsoft Store and other public Microsoft services. Verify those services remain accessible before disabling.
  • Detection frequency only applies when a WSUS server is in use; it has no effect in cloud-only Windows Update configurations.
  • When using Set proxy behavior for update detection, enabling the user proxy fallback reduces security. Prefer system proxy unless your environment requires otherwise.
  • Enabling Do not enforce enterprise TLS cert pinning for update detection turns off TLS pinning and reduces the security of update scanning. Enable it only if required by your WSUS infrastructure.
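
A pre-deployment check for the dependencies and ranges listed above, as an added example (not Iru's code or export format). It lints a profile for out-of-range values, per-type sources without Update service URL, schedule settings that Allow auto update ignores, and the toggles flagged as reducing security. The dict shape keyed by this page's setting names, the boolean toggles and the name `lint_profile` are assumptions.

```python
# Added example: keys are this page's setting names; the dict shape is an
# assumption (not an Iru export format). Toggles are True when enabled.
SCHEDULED_MODES = {
    "Auto install and restart at a scheduled time",
    "Allow the local administrator to choose the setting",
}
SCHEDULE_KEYS = ("Scheduled install day", "Scheduled install every week",
                 "Scheduled install time")
PER_TYPE_SOURCES = [f"Set policy driven update source for {kind} updates"
                    for kind in ("driver", "feature", "other", "quality")]
RANGES = {  # setting -> (min, max) as documented on this page
    "Active hours start": (0, 23), "Active hours end": (0, 23),
    "Active hours max range": (8, 18), "Detection frequency": (1, 22),
    "Configure feature update uninstall period": (2, 60), "Scheduled install time": (0, 23),
}
RISKY_TOGGLES = (  # enabling these weakens update security or safeguards
    "Do not enforce enterprise TLS cert pinning for update detection",
    "Set proxy behavior for update detection",  # True = user proxy fallback
    "Disable WUfB safeguards",
)
# Constructed sample profile (not from a real tenant).
SAMPLE = {
    "Allow auto update": "Auto install and restart (default)", "Scheduled install time": 3,
    "Active hours start": 8, "Active hours end": 6, "Active hours max range": 18,
    "Set policy driven update source for quality updates": "WSUS",
    "Do not enforce enterprise TLS cert pinning for update detection": True,
}

def lint_profile(profile):
    """Return sorted (severity, message) findings; a missing key is Not configured."""
    out = []
    for name, (lo, hi) in RANGES.items():
        value = profile.get(name)
        if value is not None and not lo <= value <= hi:
            out.append(("error", f"{name}={value} is outside {lo}-{hi}"))
    url = profile.get("Update service URL")
    out += [("error", f"{n} needs Update service URL")
            for n in PER_TYPE_SOURCES if n in profile and not url]
    if "Detection frequency" in profile and not url:
        out.append(("warn", "Detection frequency only applies with a WSUS server"))
    mode = profile.get("Allow auto update")
    out += [("warn", f"{n} is ignored with Allow auto update={mode!r}")
            for n in SCHEDULE_KEYS if n in profile and mode not in SCHEDULED_MODES]
    out += [("warn", f"{n} is enabled") for n in RISKY_TOGGLES if profile.get(n) is True]
    start, end = profile.get("Active hours start"), profile.get("Active hours end")
    limit = profile.get("Active hours max range")
    if None not in (start, end, limit) and (end - start) % 24 > limit:
        out.append(("error", f"active hours span {(end - start) % 24}h exceeds {limit}h"))
    return sorted(out)
```

The active hours span is computed modulo 24, so a window that wraps past midnight (start 8, end 6) is measured as 22 hours rather than a negative number.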

Best Practices

Start with the defaults

The main settings have Iru-recommended defaults. Start with those, then adjust for your organization.

Define active hours for your fleet

Set Active hours start and Active hours end to match your users’ workday so restarts do not occur during work hours.

Disable pause access for managed fleets

Set Set disable pause UX access to Remove the pause option from the device UI so users cannot stall updates from the Windows Update UI.

Test before deploying broadly

Test your configuration on a small group of devices before rolling out to the full fleet. A pilot group helps you catch unexpected restart behavior.

Troubleshooting

When updates are not installing on schedule, check the schedule, active hours, and Allow auto update.
Possible causes:
  • Allow auto update is not set to the intended option
  • Scheduled install time or day misconfigured
  • Active hours configured too broadly (for example, close to the maximum allowed range)
Solutions:
  • Verify that Allow auto update is set to your intended option
  • Check that the scheduled install time and day are configured correctly
  • Ensure active hours are configured to a realistic workday window and respect the Active hours max range setting
Possible causes:
  • Set disable pause UX access is not enabled or is set to allow pausing
Solutions:
  • Set Set disable pause UX access to Remove the pause option from the device UI
Restarts during business hours often relate to active hours and time zone.
Possible causes:
  • Active hours start and end do not cover the full workday
  • Incorrect time zone or configuration
Solutions:
  • Review your Active hours start and Active hours end settings
  • Make sure the range covers the full workday for your users
Possible causes:
  • Manage preview builds is set to allow preview builds or left to user selection
Solutions:
  • Set Manage preview builds to Disable Preview builds to prevent devices from receiving Windows Insider builds
When devices do not receive updates from the WSUS server, verify the following. Common causes include Update service URL and reachability.
Possible causes:
  • Update service URL not configured or not reachable from devices
Solutions:
  • Verify that Update service URL is configured and reachable from your devices. Per-type source settings will not take effect without a valid Update service URL.
When Microsoft Store or other public Microsoft services are broken or inaccessible, check the following.
Possible causes:
  • Allow update service is disabled
Solutions:
  • Check whether Allow update service is disabled. Disabling it can block access to Microsoft Store and other public Microsoft services.
When updates are not detected on the expected schedule, review the following. This often involves Detection frequency and the random offset.
Possible causes:
  • Detection frequency misconfigured or not accounting for random offset
Solutions:
  • Review Detection frequency. Windows adds a 0–4 hour random offset to the configured interval. If detection frequency is not configured, the CSP default is 22 hours.
When update scanning fails with TLS errors (for example, with WSUS), check the following. Common causes include WSUS certificate and TLS pinning.
Possible causes:
  • WSUS server certificate conflicts with TLS pinning
Solutions:
  • If your WSUS server uses a certificate that conflicts with TLS pinning, enable Do not enforce enterprise TLS cert pinning for update detection after confirming the certificate configuration on the WSUS server.
When download URLs are missing or broken (for example, with an alternate download server or ISV cache), try the following.
Possible causes:
  • Alternate download server or ISV cache not populating content URLs in metadata
Solutions:
  • If you use an alternate download server or ISV cache, enable Fill empty content URLs so Windows Update Agent can resolve download paths when they are absent from update metadata.
