Microsoft brings new group policy for optional updates in Windows 11

Now that Windows 11 only receives one feature update per year, Microsoft is delivering many new features via optional non-security updates or CUs in the second week of each month. A new group policy causes the automatic installation of optional updates, either with or without new features.

By default, new features are downloaded with updates but remain disabled on managed devices. PCs that receive their updates either through Windows Update for Business (WUfB) or through WSUS are considered managed.

This behavior can be controlled through a group policy that was shipped with the February 2023 cumulative update for Windows 11 22H2. It is called "Enable features introduced through servicing that are disabled by default".

Subscribe to optional updates

The August 2023 update added another policy to control how optional updates are installed and how users can influence this process.

The setting is called Enable optional updates and is located under Computer Configuration => Policies => Administrative Templates => Windows Components => Windows Update => Manage updates offered by Windows Update.

Only relevant for WUfB and Intune

From the path for the setting you can see that it only applies to computers that are updated via Windows Update for Business (WUfB) or managed via Intune.

Microsoft’s announcement, however, locates the setting in the Manage End User Interface folder and therefore incorrectly concludes that it also applies to WSUS.

New group policy for installing optional updates

If you do not configure the policy or if you disable it, the PC's current behavior will not change, i.e. it will not receive optional updates. However, end users can then configure the receipt of optional updates as they see fit via the Settings app.

If you enable the policy, it offers three options:

  • Automatically receive optional updates (including CFRs): This ensures that devices receive the latest non-security updates including the new features (CFRs – Controlled Feature Rollouts);
  • Automatically receive optional updates: This ensures that devices receive the latest non-security updates, but without the new features;
  • Users can select what optional updates to receive: This option allows users to specify in the Settings app when optional updates are installed.

The first two options mean that the optional updates are installed automatically as soon as they are released, either with or without new features.

In both cases, the GPO then blocks the Get the latest updates as soon as they are available option in the Settings app.

The August update also brings a new update option in the Settings app.

If you choose the third option, users can decide for themselves in the Settings app whether they want to receive optional updates.

If a user decides against this, the optional updates will still be downloaded, but the user must first initiate the installation under Windows Update => Advanced Options => Optional Updates.

These optional updates also include new features, although Microsoft will not install them immediately after they become available, but only later.

However, if users enable the Get the latest updates as soon as they are available option in the Settings app, WUfB behaves in the same way as with the first option of the new group policy (automatic installation of optional updates including CFRs).

During installation, the August update asks users in advance which variant they would like to choose.

The August update asks users what setting they want for optional updates.

Regardless of which of the three options you choose, the new Group Policy will generally respect the deferral for optional updates if you have configured one.

The new policy sets deadlines for deferring optional updates.

Conclusion

The new policy lets admins have PCs running Windows 11 22H2 or later receive optional updates automatically when they are updated via Windows Update for Business. New features can be included at this time or left out.

Delegating the configuration of optional updates and their case distinctions to users is probably not an option in most environments. However, it should be noted that users have this option via the Settings app even if the new policy is not configured.

After phasing out numerous old group policies for managing updates, Microsoft has created unnecessary complexity with the new settings. This seems to be overwhelming the manufacturer itself, as it is unable to announce the new option correctly.
