A while back, I noticed that updates were installing at the end of the Autopilot process, after device ESP had completed and before the user signed in. Per Microsoft’s post, this is now going to happen on all Windows 11 devices starting soon:

The summary:

  • Affects Windows 11 22H2 and above.
  • All MDM-enrolled devices, Autopilot or not.
  • Updates install at the end of OOBE.
  • Devices will reboot after installing updates.
  • Autologon will not happen after the reboot because credentials are not saved; the user will have to sign in again.

At the moment, there are no controls available for this. Depending on how long the OOBE process (e.g. device ESP) takes, WUfB deferral policies may or may not have applied by the time the updates are installed. Autopatch device configuration may or may not be complete either. So which update will be installed? Assume it will be the latest available, but it is possible, through deferrals and Autopatch rings, that an earlier update is installed.
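Because the post leaves it open whether the deferral was in place when the OOBE-time update ran, the practical check is to look after the fact. The PowerShell below is an added example, not code from the post or from Microsoft: it reads the MDM-delivered quality-update deferral (assuming it lands under the `PolicyManager` registry path, as Update CSP policies normally do) and lists the cumulative updates recorded in Windows Update history with how many minutes after the OS install time each one landed, so an admin can tell whether the update installed at the end of OOBE matched the intended ring. Run it elevated on an enrolled Windows 11 device.

```powershell
# Added example (not from the original post). Reports the WUfB quality-update
# deferral delivered by MDM and the cumulative updates installed on this device,
# so the OOBE-time install can be checked against the intended deferral.
# Assumption: MDM Update CSP values are stored under the PolicyManager key below.
$policyPath = 'HKLM:\SOFTWARE\Microsoft\PolicyManager\current\device\Update'
$deferDays  = (Get-ItemProperty -Path $policyPath -Name 'DeferQualityUpdatesPeriodInDays' `
                -ErrorAction SilentlyContinue).DeferQualityUpdatesPeriodInDays

if ($null -eq $deferDays) {
    Write-Output 'No MDM quality-update deferral present (policy not assigned, or it had not applied yet).'
} else {
    Write-Output "MDM quality-update deferral: $deferDays day(s)"
}

# Windows Update history via the Windows Update Agent COM API.
$session  = New-Object -ComObject 'Microsoft.Update.Session'
$searcher = $session.CreateUpdateSearcher()
$count    = $searcher.GetTotalHistoryCount()
$history  = if ($count -gt 0) { $searcher.QueryHistory(0, $count) } else { @() }

# The OS install time approximates when OOBE began on this Windows instance;
# an update a few minutes after it was installed during OOBE, not by the user.
$installTime = (Get-CimInstance -ClassName Win32_OperatingSystem).InstallDate

$history |
    Where-Object { $_.ResultCode -eq 2 -and $_.Title -match 'Cumulative Update' } |  # ResultCode 2 = Succeeded
    Sort-Object Date |
    ForEach-Object {
        [pscustomobject]@{
            Installed           = $_.Date
            MinutesAfterInstall = [math]::Round(($_.Date - $installTime).TotalMinutes)
            Title               = $_.Title
        }
    } | Format-Table -AutoSize
```

If the deferral line reports no value while a cumulative update shows up minutes after the install time, the update was installed before the WUfB policy reached the device, which is exactly the case the post describes.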

Here’s what this will look like:

This starts on Patch Tuesday in October, so it’s less than a month away.


7 responses to “Cumulative updates will be installed during OOBE, like it or not”

  1. Hi Michael,

    Would this mean the updater script will be rendered useless, or that with it the reboot can be suppressed and the user won’t have the bad experience?

    1. In a perfect world, yes, this would eliminate the need for the UpdateOS script.

  2. I noticed this behaviour during MDT deployment of W11 23H2. No MDM management.

    Updates and even drivers are installed at the end of the Windows installation process. I was unable to block this by applying the usual tricks like the ProtectMyPC value.

    Is this the same process?

    1. Same process, yes. They have said it would be MDM only, but time will tell if that is actually true.

  3. I’ve seen this OOBE update feature on my 24H2 test installs, three times so far. The strange part is it’s on a personal VM, which is definitely not part of Autopilot or any enrollment.

    My suspicion is it was random A/B testing from OOBE. Another person told me they’ve seen it too in their environment, again outside of Autopilot. Which means the safeguards can be removed on MS’s server end.

    1. That’s definitely true — MS did test it on 24H2, they do control it on their end, and that control does allow them to differentiate between home and org devices. So the “rules” could change any time.

  4. Just saw they postponed this due to feedback. Thanks for the info!
