Enable and control optional updates for your organization
Published Aug 22 2023 05:00 PM 66.9K Views
Microsoft

Editor's note 11.27.2023: Starting with the November 2023 non-security update, this policy is also available for Windows 10 devices. Read about it at Enable optional updates for Windows 10 devices.

You can now have greater control over how users of devices in your organization receive optional Windows updates. We care deeply and work hard to develop optional updates that support productivity. Now you have greater timing flexibility to preview and implement improvements on Windows 11, version 22H2 and later.

Let’s review what’s special about optional updates before jumping into practical ways for you to control them.

 

Editor's note 8.23.2023: We have corrected the location of the policy for devices managed with Windows Update for Business or Windows Server Update Services (WSUS) inline below.

About optional Windows updates

Optional non-security preview releases are part of regular device maintenance. You’re probably most familiar with the optional latest cumulative updates (LCUs), which are typically released every fourth week of the month. These optional updates include non-security updates, fixes, features, and improvements. By getting these updates, you can get new productivity features and some fixes early, such as important time zone changes. To see how optional updates fit in the monthly update cadence, consult Windows monthly updates explained.

One form of optional updates are gradual feature rollouts. These are also known as controlled feature rollouts (CFR) or continuous innovation. This is the unique Windows 11 commitment to bring you the best experiences year-round through proven and controllable mechanisms. You can review how these updates work in Delivering continuous innovation in Windows 11.

So how can you ensure that your organization gets these valuable improvements with the right level of control?

A new policy to control optional updates in Windows 11

So far, you’ve had access to Commercial control for continuous innovation (Windows 11) for select features that might significantly affect organizational productivity. These features are intentionally introduced in an “off” state, but you’ve been able to turn them on with the policy “Enable features introduced via servicing that are off by default [1]."

Today, you can go even further to enable optional non-security updates, including gradual feature rollouts (also known as CFRs). This new policy is called “Enable optional updates.” If you enable this policy, you can further select how users receive these updates:

  • Automatically receive optional updates (including CFRs). Select this option for devices to get the latest optional non-security updates, including gradual feature rollouts. There is no change to feature update offering.
  • Automatically receive optional updates. Select this option for devices to only get the latest optional non-security updates. They won’t automatically receive gradual feature rollouts. There is no change to feature update offering.
  • Users can select what optional updates to receive. Select this option to allow users to set their own preferences with respect to optional non-security updates. There is no change to feature update offering.

Note: All options respect all of your configured quality update deferral settings.

Devices should see no changes unless this policy is set. 

Screenshot of the policy for “Enable optional updates”Screenshot of the policy for “Enable optional updates”

Here’s where you can find this policy for devices managed with Windows Update for Business or Windows Server Update Services (WSUS):

  • Group Policy: Computer Configuration\Administrative Templates\Windows Components\Windows Update\Enable optional updates
  • Configuration Service Provider (CSP) Policy: /Policy/Config/Update/AllowOptionalContent

Learn more about this policy at Configure Windows Update for Business: Enable optional updates.

What your users should do

Until you configure or disable this policy, there’s nothing for your users to do. However, if you decide to configure this policy and enable your users to choose what updates to receive, please remind them that they have two ways to do so:

  • Select which optional non-security updates to get from Settings > Windows Update > Advanced options > Optional updates.
  • Enable the toggle “Get the latest updates as soon as they’re available” under Settings > Windows Update. Note: This will require a restart of the device.

Of course, some users might opt for doing nothing until these optional updates make their way to the device as usual. No matter which option they choose, be assured that your user devices will still get the regular security updates just the way you have them configured.

Use the following support article to help get your users ready to experience the new improvements as early as possible: Get Windows updates as soon as they're available for your device.

Please refer to official documentation for this policy at Configure Windows Update for Business and Configure Windows Update for Business via Group Policy.


Continue the conversation. Find best practices. Bookmark the Windows Tech Community and follow us @MSWindowsITPro on Twitter. Looking for support? Visit Windows on Microsoft Q&A.


[1] There is no change to the commercial control for continuous innovation that we announced in February. Innovations behind this control will only be delivered in the next feature update.

23 Comments
Copper Contributor

@anton_fontanov what about the optional "driver" updates. Will these updates also install automatically when this policy is enabled? 

You just forgot to inform that this change arrives with the KB5029351 update. :suprised:

GabrielLuiz_0-1692739578523.png

 

https://support.microsoft.com/en-us/topic/august-22-2023-kb5029351-os-build-22621-2215-preview-9af25...

@anton_fontanov The GPO path is not correct. The correct way would be Computer Configuration\Administrative Templates\Windows Components\Windows Update\Manage update offered from Windows Update.

After KB5029351 update.

As shown in the image below.

 

GabrielLuiz_0-1692744337160.png

 

Hello
at the start of this post you mentioned this applies to Windows 11 22H2 or later, however this applies only for Windows Insider builds
This can be confirmed by checking the CSP page https://learn.microsoft.com/en-us/windows/client-management/mdm/policy-csp-update/?WT.mc_id=M365-MVP...

BenoitHAMET_0-1692750539259.png

 

@Martin Zonderland drivers update can be managed with Intune using the new "Driver updates for Windows 10 or later" functionality (Intune – You can now manage Windows drivers update with Intune (hametbenoit.info)

@Benoit_Hamet I believe this information is out of date.

@gabriielluizbh which information? The CSP one? If the CSP one I can confirm this is NOT out of date as I deployed the corresponding CSP and it failed; nor I have the corresponding GPO neither.

After deploying the KB5029351 update (which is for Insider) the CSP deployment was successful

@Benoit_Hamet The information found in the link that information must be out of date.

https://learn.microsoft.com/en-us/windows/client-management/mdm/policy-csp-update/?WT.mc_id=M365-MVP...

 

@anton_fontanov 

For anyone using central repository-based administrative templates?
Is there any update on Windows Server that will update?
Or should I manually copy the updated ADMX templates?

GabrielLuiz_0-1692802451590.png

 

@anton_fontanov 

Check that Windows Update ADMX and ADML files was updated on date 08/22/2023, there is also a 1k size difference of the old and new updated ADMX and ADML files.

GabrielLuiz_0-1692809840687.png

 

Copper Contributor

Intune guide?

Copper Contributor

Issue with the latest preview update? 

https://www.bleepingcomputer.com/news/microsoft/new-windows-updates-cause-unsupported-processor-blue...

 

Given that issue above, under win 11 Settings\Windows Update  - how can I disable the ability of users to turn on "Get the latest updates as soon as they are available"? Its off by default but we don't want users turning it on. Preferably through Intune "Configuration profiles"?

 

 

Copper Contributor

@amartinez yes this is a known issue: Windows 11, version 22H2 known issues and notifications | Microsoft Learn

 

But I cannot find in the Setting Catalog or Administrative Templates this new policy, so maybe only possible with Custom policy with OMA-URI:
Update Policy CSP - Windows Client Management | Microsoft Learn

Copper Contributor

 

The latest official Group Policy Templates files available to download for Windows 11 (v3.0) are dated: 2023-07-21:

https://www.microsoft.com/en-us/download/details.aspx?id=105390

Where are the ones dated 2023-08-22 mentioned by @gabriielluizbh available from?

 

Brass Contributor

I have set this Enable optional updates on some devices, but cant seems to get any updates.

Would it work behind Configuration manager that mangaged updates ?

Copper Contributor

is there a way to control this with Intune or it requires using GPO?

@ccsjnw - you have to install a the preview update on a Windows 11 22H2 pro sku or higher and then dig them out of the Windows policies folder.  I've not seen them posted on a MS download page

Copper Contributor

Yes @SusanBradleyGeek has it right.  This is a bit more detail on how you do it:

 

Go to C:\Windows\PolicyDefinitions on a later build machine (such as install a preview of 23H2) and pull the asdm files out of there and put them on your domain controller.

The latest ASDM from a recent preview build has these ASDM updates.

Sorting by date the files newer than those on my DC are:

 

Reuben_Farrelly_0-1696760583382.png

If you copy those four files to the DC sysvol (C:\Windows\SYSVOL\domain\Policies\PolicyDefinitions) along with other policies then you should be good to go and be able to see the policy in GPO along with some slightly newer updates to the other ASDM files.  You also MUST copy the associated locale settings as well, in my case the files with the same name in en-US or else you will get warnings about missing variables.

The policy will then show up in Group Policy Management Editor and can be edited.

 

Copper Contributor

@anton_fontanov 

 

As IT Admin, how can they grey out this option so that end user cannot change it?

 

I tried policy: Remove access to use all Windows Update features. But it does not grey out the option 'get the latest updates as soon as they're available'.

 

Any comment is appreciated.

Copper Contributor

@KevinJMLiang 

Have you read the post and the comments? Disable the following option via policy:

 

"Enable optional updates" = Disabled

Computer Configuration\Administrative Templates\Windows Components\Windows Update\Manage updates offered from Windows Update

 

This will also disable the Option "get the latest updates as soon as they're available".

Microsoft

Hi Kevin,

yes, I did read it. I think your question is about the combination of the two policies, correct?

Copper Contributor

@CC_Engineer I tried "Enable optional updates" but it does not grey out the option, I suppose it is to turn off it, but not to grey out it.

Co-Authors
Version history
Last update:
‎Nov 27 2023 02:25 PM
Updated by: