Update September 20, 2024: We’ve heard your feedback regarding the Windows update experience during the OOBE, and while we understand the importance of keeping devices updated from the start, we’re committed to implementing this change in the best way for IT admins to manage their environments.
This change has been postponed. Updates will continue to not be applied during OOBE for Autopilot devices until we’ve established the right mechanisms for IT admins to properly manage and adhere to update policies. We appreciate your patience and understanding as we strive to enhance the Windows enrollment experience. Stay tuned for more updates!
Windows updates are essential for keeping your devices secure and up to date with the latest security, performance, and reliability improvements. One of the top customer requests we receive is to enable Windows updates during provisioning in the out-of-box experience (OOBE), so that devices are fully patched and ready to use as soon as they are enrolled with mobile device management (MDM).
In the coming weeks, the Windows MDM enrollment experience will be updated to automatically enable quality updates during OOBE. Quality updates are monthly updates that provide security and reliability fixes, as well as enhancements to existing features. These updates are critical for the performance and security of your devices, and we want to make sure they’re delivered as soon as possible. Please note that not every monthly quality update will be made available through the OOBE. Microsoft will determine the availability of these updates based on the value of the update and how it relates to a device setup situation.
What's changing
With the upcoming October Windows update, all Windows 11, version 22H2 and higher, devices that are enrolled with an MDM, e.g. Microsoft Intune, will automatically download and install quality updates during OOBE. This will apply to all MDM-enrolled devices, regardless of whether they’re pre-registered with Windows Autopilot or not. The updates will be applied before the user reaches the desktop, ensuring that the device is fully patched before logging in.
The new experience will look like this:
- After the device connects to the internet and checks for updates, if there are available quality updates found, the device displays a message on the updates page stating that updates are available and being installed.
- The device then downloads and installs the quality updates in the background, while showing installation progress.
- Once the updates are installed, the device restarts and continues to the desktop. The user then signs in to the device and the device completes enrollment.
Please note that this change only applies to quality updates. Feature updates, which are major updates that introduce new functionality, and driver updates, which provide hardware-specific fixes or enhancements will not be applied during OOBE but will be managed by your MDM according to your policies.
Impacts and what this means for you
While we believe that this change will improve the Windows enrollment experience and provide more security and reliability for your devices, we also want to make you aware of some potential impacts and what you need to do to prepare.
Additional time in OOBE
Quality update installation during OOBE adds some additional time to the device setup process, depending on when the device was most recently updated, internet speed, and device performance. We recommend notifying your vendors and customers of this additional time, and plan accordingly for your device deployment scenarios.
Organizations using temporary passwords
With the additional time for setup, if using Temporary Access Pass (TAP), the passcode may expire before the user signs onto the desktop. To avoid this, we recommend that you extend the validity period of the temporary passwords during enrollment.
Summary
There may be instances where the update is not initiated if the Windows Update for Business (WUfB) policies that block or delay updates are applied to the device before reaching the New Device Update Page (NDUP). This is particularly possible if app installations significantly delay the Enrollment Status Page (ESP).
At this time, there’s no option to control or disable quality updates during OOBE. As mentioned earlier in this blog, we’re exploring when all monthly quality updates can be available and manageable during OOBE to provide the best overall experience.
We hope that this change will improve your Windows Autopilot experience and provide more security and reliability for your devices. If you have any feedback or questions, please let us know in the comments or reach out on X @IntuneSuppTeam.
Microsoft
