As Rudy Ooms discovered on the Microsoft 365 Message Center, bulletin MC1134168 announced a change coming with the September 2025 cumulative update: You’ll be able to install updates at the end of OOBE again, and you’ll get a new control that enables you to turn that on or off. Weirdly, I don’t see that same bulletin on my own tenants (was it pulled?), but there is enough proof of it on the internet that it must be true. The bulletin text includes this blurb:

Beginning with the September 2025 Windows security update, quality updates will get installed by default during the out-of-box experience (OOBE) for devices that are on Windows 11, version 22H2 or later.

Expected in Intune’s August (2508) service release, we will introduce a new setting “Install Windows updates” in the Enrollment Status Page (ESP) to allow you to manage the installation of quality updates during OOBE. Stay tuned to What’s new in Intune for the release.

You can read Rudy’s blog for more details here:

https://patchtuesday.com/blog/quality-updates-during-oobe-how-deferral-works/

Great if you are using Autopilot v1. But if you are using Autopilot v2, it won’t be available. I guess that’s a reasonable tradeoff as it’s rare to actually find customers who are using Autopilot v2 in a production environment. I would imagine that will be added eventually. But there’s one more piece:

So you can only block updates if you are using ESP. If you aren’t using Autopilot, you’re out of luck. Well, technically you can enable ESP without using Autopilot v1 (it will track policies and apps regardless), so I guess that’s a workaround.

At least this should respect your deferral and ring policies.

I don’t see anything that confirms the default value — will it be on or off by default? At least you’ll have from late August (when the Intune UI changes are available) to September 9th (Patch Tuesday) to explicitly choose so you aren’t surprised by the default. [Update: It will be off for existing ESP profiles and on by default when you create new ESP profiles. So most people will be safe — opt in at your leisure.]



2 responses to “Get ready to manage updates in OOBE, but only with Autopilot v1?”

  1. I’m not part of a managed domain, but plan to block sdx.microsoft.com from the HOSTS file. Thanks MS.


    1. Charles McDonald

      This is one reason why I love running Pi-Hole on a separate system. Thanks for mentioning that domain, I have it blocked now. 🙂
