Skip to main content
This Library Item is available for Windows devices
Managed OS Library Items let you define which major Windows 11 feature version devices must be on and set deadlines for installation and restart. Iru Endpoint provides one Library Item per supported Windows 11 release (for example, Windows 11, Version 24H2 or Windows 11, Version 25H2). Assigning a Managed OS Library Item pins devices to that version. Devices will not advance beyond it while the Library Item is assigned, and monthly quality updates within that version continue normally. Managed OS controls version destination and enforcement timing. For settings that affect the Windows Update end-user experience (notifications, active hours, and optional content), use the Configure the Windows Update Library Item.
For detailed technical background on each setting, refer to Microsoft’s official Update Policy CSP documentation.

Create a Managed OS Library Item

To add this Library Item to your Iru Endpoint Library, follow the steps in the Library Overview article.
1

Navigate to Library

Navigate to the Library and select Add Library Item.
2

Select the Windows 11 version

Search for and select the Windows 11 version you want to enforce, such as Windows 11, Version 25H2.
3

Name the Library Item

Give the Library Item a Name that identifies its purpose in your environment.
4

Assign to Blueprints

Assign the Library Item to one or more Blueprints. Only Windows devices in those Blueprints receive the Managed OS settings. You can use Assignment Maps within Blueprints for conditional logic if needed.
5

Configure settings

Set your deferral, deadline, grace period, and pause settings for both feature and quality updates. See Settings below.
6

Save the configuration

Click Save in the bottom right corner.
Only one Managed OS Library Item can be assigned to a device at a time. If a device already has one assigned, Iru Endpoint prompts you to confirm before replacing it.

Settings

Managed OS settings are organized into two sections on the Settings tab: Feature updates and Quality updates.
Feature updates are major Windows 11 version upgrades (for example, moving from 24H2 to 25H2). These settings control when that version becomes available to devices, when installation is required, and how restarts are handled.Branch readiness levelControls which Windows Update channel devices receive feature updates from.
  • Semi-Annual Enterprise Channel (Preview) (default): an early preview of the next semi-annual release. Recommended for most environments.
  • Release Preview: feature-complete builds ahead of public release.
  • Windows Insider (Slow) and Windows Insider (Fast): preview builds for testing; not recommended for production fleets.
  • Canary Channel: earliest preview builds; not recommended for managed environments.
Defer feature updates forDelays how many days after Microsoft releases a feature update before devices are offered the update. Range: 0 to 365 days (for the Semi-Annual Enterprise Channel (Preview)) or 0 to 14 days (for all other channels). Default: 30 days.Deadline for feature update installNumber of days after the end of the deferral period before the feature update must be installed and the device can be forced to restart. Range: 0 to 14 days. Default: 7 days.Grace period for restartMinimum number of days after the feature update is installed before an automatic restart is forced. Range: 0 to 3 days. Default: 2 days.Pause start dateSets a specific date to begin pausing feature updates. While a pause is active, the feature update is not offered to devices. Leave empty if you do not need to pause updates.
Quality updates are the monthly cumulative updates released within a feature version. These settings mirror the feature update controls and apply independently based on each device’s current feature version.Defer quality updates forDelays how many days after Microsoft releases a quality update before devices are offered it. Range: 0 to 30 days. Default: 7 days.Deadline for quality update installNumber of days after the end of the deferral period before the quality update must be installed and the device can be forced to restart. Range: 0 to 30 days. Default: 7 days.Grace period for restartMinimum number of days after the quality update is installed before an automatic restart is forced. Range: 0 to 7 days. Default: 2 days.Pause start dateSets a specific date to begin pausing quality updates. While a pause is active, quality updates are not offered to devices for up to 35 days from the pause start date. Leave empty if you do not need to pause updates.

Status

The Status tab shows the standard Library Item statuses for each assigned device.
StatusMeaning
PassThe Managed OS settings were successfully applied to the device.
PendingThe Managed OS settings have been assigned but the device has not yet received or applied them.
ErrorAn error occurred while applying the Managed OS settings to the device.
These statuses reflect whether the Managed OS settings were successfully delivered to the device, not whether the device has finished installing the required update. A device can show Pass on the Status tab while still in the process of downloading or installing an update.

Considerations

Only one Managed OS Library Item can be assigned to a Blueprint at a time. If you assign a new version to a Blueprint that already has a Managed OS Library Item assigned, Iru Endpoint prompts you to confirm the replacement. The previous Library Item is removed from the Blueprint when you confirm.
A Managed OS Library Item acts as a ceiling on the feature version. Devices will not advance beyond the targeted version while the Library Item is assigned. Monthly quality updates within that version continue unaffected.
Deferral and pause control when an update becomes available to devices. Deadline and grace period control how soon installation and restart are enforced once the update is available. Pausing an update stops it from being offered, but does not reset the deferral timeline once the pause ends.
If you set the grace period to a value greater than 0, the device will not force a restart at the deadline until the grace period ends. Setting the grace period to 0 allows the device to restart at the deadline without waiting.

Best Practices

Use multiple Library Items to create rings

Create multiple Library Items with different deferral periods to allow the update to roll out over time, reducing risk and enabling patching issues to be caught before rolling out to additional devices. Set a deferral to 0 days for the initial ring so those devices get updates immediately when released.

Start with a deferral period

A deferral of 7 to 30 days gives you time to validate updates on a small group of devices before they roll out to the full fleet.

Set a deadline for compliance

Configuring a deadline ensures devices install required updates within a predictable window, reducing exposure to unpatched vulnerabilities.

Use pause for planned freezes

Use the pause start date during major business events or when a release has known issues. Pausing stops the update from being offered without changing your deferral configuration.

Pair with the Windows Update Library Item

Managed OS controls version enforcement. Assign a Windows Update Library Item to the same Blueprint to also manage active hours, notifications, and end-user update experience settings.

Troubleshooting

Possible causes:
  • The device encountered an issue receiving the Managed OS settings via MDM.
  • A conflicting policy from another source is preventing the settings from applying.
Solutions:
  • Check the device record for recent activity and error details.
  • Confirm no other MDM profiles or policies are setting conflicting Windows Update CSP values on the device.
Possible causes:
  • The pause start date is set in the future and has not taken effect yet.
  • The device has not checked in since the pause was configured.
Solutions:
  • Confirm the pause start date is set to today’s date or earlier.
  • Trigger a device check-in or wait for the next scheduled check-in.

Library Overview

Learn how Library Items work and how to assign them to Blueprints

Configure the Windows Update Library Item

Configure end-user update experience settings, active hours, and optional content for Windows devices

Configure Managed OS for macOS

Configure managed OS updates for Mac computers

Using Conditional Logic in Blueprints

Use Assignment Maps to target Library Items to specific groups of devices within a Blueprint