Skip to main content
This Library Item is available for Windows devices
The Windows Update Library Item lets you manage Windows Update settings and the end-user update experience on Windows devices. You can control how and when updates are offered, configure active hours to avoid disruptive restarts, and control what users can do from the Windows Update UI.
For detailed technical background on each setting, refer to Microsoft’s official Update Policy CSP documentation.

Create a Windows Update Library Item

To add this Library Item to your Iru Endpoint Library, follow the steps outlined in the Library Overview article.
1

Navigate to Library

Navigate to the Library and select Add Library Item.
2

Select Windows Update

Search for and select Windows Update.
3

Name the Library Item

Give the Library Item a Name.
4

Assign to Blueprints

Assign the profile to one or more Blueprints. You can use Assignment Maps within Blueprints for conditional logic if needed.

Settings

The following settings are available for Windows Update.

Manage updates offered from Windows Update

Allow optional content

Controls whether devices receive optional updates and gradual rollouts (controlled feature rollouts, or CFRs) in addition to required updates. Options:
  • Don’t receive optional updates
  • Automatically receive optional updates (including CFRs)
  • Automatically receive optional updates only
  • Users can select optional updates

Manage end-user experience

Allow auto update

Controls how updates are installed: notify only, auto install, or auto install and restart. Options:
  • Notify the user before downloading the update
  • Auto install and then notify the user to schedule a restart
  • Auto install and restart (default)
  • Auto install and restart at a scheduled time
  • Allow the local administrator to choose the setting
  • Turn off automatic updates

Active hours start

Start of the active hours window (hour 0–23). Windows avoids restarting the device for updates during this time.

Active hours end

End of the active hours window (hour 0–23). Restarts can occur after this hour.

Set disable pause UX access

Controls whether users can pause updates from the Windows Update UI. Options: Users can pause updates, or Remove the pause option from the device UI. Choose the latter to prevent users from stalling updates.

Manage preview builds

Controls whether the device can receive Windows Insider Preview builds. Options:
  • Disable Preview builds
  • Disable Preview builds once the next release is public
  • Enable Preview builds
  • Preview builds is left to user selection

Update notification level

Controls which update notifications users see: default, hide all except restart warnings, or hide all including restart warnings. Options:
  • Use the default Windows Update notifications
  • Disable restart notifications for updates (excludes restart warnings)
  • Disable all notifications for updates (includes restart warnings)

Advanced settings

These settings appear in an expandable section of the Library Item. They are not configured by default and are for admins who need more control over update behavior.
  • Allow non-Microsoft signed update Allows the device to accept updates signed by someone other than Microsoft when using an intranet update service such as Windows Server Update Services (WSUS) for third-party patches.
  • Automatic maintenance wake up Allows Automatic Maintenance to wake the device for its daily scheduled maintenance if needed.
  • Disable Windows Update for Business (WUfB) safeguards When enabled, devices skip Microsoft safeguard holds that block upgrades when known compatibility issues exist. Use only for validation purposes; disabling safeguards can lead to poor upgrade experiences.
  • Exclude WU drivers in quality update Excludes driver updates from Windows quality updates. Use if you manage drivers separately.
  • Active hours max range Maximum number of hours (8 to 18) that users can set for their active hours window, starting from the active hours start time.
  • Allow auto Windows Update download over metered network Allows Windows Update to download updates over metered connections (such as cellular). This may incur data charges.
  • Allow MU update service Controls whether the device scans for app and other Microsoft product updates via Microsoft Update.
  • Allow temporary enterprise feature control When allowed, features delivered in monthly quality updates (servicing) are turned on before the next feature update. When disabled, those features stay off until the feature update that includes them.
  • Configure feature update uninstall period Number of days (2 to 60) that users can uninstall a feature update after it is installed.
  • No update notifications during active hours Reduces or turns off Windows Update notifications during active hours (optionally excluding restart warnings). Notifications can still appear after the deadline if configured.
  • Scheduled install day Day of the week (or every day) when updates are installed. Only applies when Allow auto update is set to Auto install and restart at a scheduled time or Allow the local administrator to choose the setting. Options: Every day, Sunday, Monday, Tuesday, Wednesday, Thursday, Friday, Saturday.
  • Scheduled install every week When enabled, updates are scheduled every week. Only applies when Allow auto update is set to Auto install and restart at a scheduled time or Allow the local administrator to choose the setting.
  • Scheduled install first week Schedule install during the first week of the month (days 1 to 7). Use with Scheduled install day for a specific weekday (for example, the first Tuesday of the month).
  • Scheduled install second week Schedule install during the second week of the month (days 8 to 14). Use with Scheduled install day for a specific weekday.
  • Scheduled install third week Schedule install during the third week of the month (days 15 to 21). Use with Scheduled install day for a specific weekday.
  • Scheduled install fourth week Schedule install during the fourth week of the month (days 22 to 31). Use with Scheduled install day for a specific weekday.
  • Scheduled install time Hour of the day (0 to 23) when scheduled updates install. Only applies when Allow auto update is set to Auto install and restart at a scheduled time or Allow the local administrator to choose the setting. Updates install within approximately 30 minutes of the configured time.
  • Set disable UX WU access When enabled, users cannot scan, download, or install updates from the Windows Update settings UI.
  • Set EDU restart Allows the device to automatically restart outside active hours to finish updates. Intended for Education scenarios.

Considerations

  • Settings left as “Not configured” do not override the local device configuration.
  • Disabling access to the Windows Update UI (Set disable UX WU access) prevents users from manually checking for updates. Ensure your update policies apply to all relevant devices before you enable this.
  • Set active hours to match your organization’s work schedule so restarts do not disrupt users during the day.

Best Practices

Start with the defaults

The main settings have Iru-recommended defaults. Start with those, then adjust for your organization.

Define active hours for your fleet

Set Active hours start and Active hours end to match your users’ workday so restarts do not occur during work hours.

Disable pause access for managed fleets

Set the Set disable pause UX access setting to Remove the pause option from the device UI so users cannot stall updates indefinitely from the Windows Update UI.

Test before deploying broadly

Test your configuration on a small group of devices before rolling out to your entire fleet. A pilot group makes it easier to catch unexpected restart behavior.

Troubleshooting

Possible causes:
  • Allow auto update not set to the intended option
  • Scheduled install time or day misconfigured
  • Active hours configured too broadly (for example, close to the maximum allowed range)
Solutions:
  • Verify that Allow auto update is set to your intended option
  • Check that the scheduled install time and day are configured correctly
  • Ensure active hours are configured to a realistic workday window and respect the Active hours max range setting
Possible causes:
  • Set disable pause UX access is not enabled or is set to allow pausing
Solutions:
  • Set the Set disable pause UX access setting to Remove the pause option from the device UI
Possible causes:
  • Active hours start and end do not cover the full workday
  • Incorrect time zone or configuration
Solutions:
  • Review your Active hours start and Active hours end settings
  • Make sure the range covers the full workday for your users
Possible causes:
  • Manage preview builds is set to allow preview builds or left to user selection
Solutions:
  • Set Manage preview builds to Disable Preview builds to prevent devices from receiving Windows Insider builds

Library Overview

Curate, create, and manage Library Items and add them to Blueprints

Configure the Microsoft Defender Library Item

Configure Microsoft Defender antivirus and threat protection on Windows

Configure the Windows Firewall Library Item

Configure and enforce firewall settings for Windows devices

Configure the BitLocker Library Item

Configure BitLocker encryption on Windows devices

Configuring Windows Enrollment

Set up Windows device enrollment

Configure Managed OS for macOS

Configure managed OS updates for Mac computers