Microsoft Delays Mandatory OOBE Updates on MDM Devices After IT Admin Feedback on Lack of Control
Microsoft had long planned to enforce automatic updates during the Windows 10/11 Out-Of-Box Experience (OOBE), specifically targeting systems detected as outdated, e.g., those not running the latest cumulative updates. This update process would automatically download and install the latest patches during the OOBE.
This approach has already been implemented on consumer devices. Last week, Microsoft extended this update mechanism to enterprise devices managed by Microsoft Intune through Mobile Device Management (MDM).
When an MDM-managed device running Windows 11 version 22H2, 23H2, or 24H2 is identified as outdated during the OOBE, it will automatically download and install the updates. Microsoft claimed this feature was highly requested by customers.
The advantage of updating during the OOBE is that users can start with a system that's fully updated, ensuring security isn't compromised and eliminating the need for post-setup updates.
However, what Microsoft considers a highly requested feature might not reflect the broader sentiment, as numerous IT administrators have voiced concerns over the lack of control with this update mechanism, specifically the inability to select which updates are installed.
Following significant feedback, Microsoft announced a pause on advancing this update approach. The company stated it would halt automatic updates during the OOBE on Autopilot devices until a proper mechanism is established for IT administrators to manage and adhere to update policies accurately.
It's crucial to note that this pause only applies to enterprise MDM-managed devices. Non-MDM devices/systems used by general consumers will still undergo mandatory updates during the OOBE.
The only way to bypass these updates is through offline operations using the oobe\bypassnro command, which allows for a network-free OOBE, local account creation, and skipping updates.