Mandatory OOBE Updates coming to W11 22H2+ in the September 2025 CU

garlin

Beginning with the September 2025 Windows security update, quality updates will get installed by default during the out-of-box experience (OOBE) for devices that are on Windows 11, version 22H2 or later.

Expected in Intune’s August (2508) service release, we will introduce a new setting “Install Windows updates” in the Enrollment Status Page (ESP) to allow you to manage the installation of quality updates during OOBE. Stay tuned to What’s new in Intune for the release.

Previously, cris2k47 suggested this reg tweak to prevent OOBE from performing a forced Update:
Code:
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CloudContent]
"DisableCloudOptimizedContent"=dword:00000001

While this reg file continues to work, it does interfere with Content Delivery Manager. If you only wanted to block OOBE Updates without affecting other Windows features, another workaround is to block sdx.microsoft.com in the HOSTS file:
Code:
127.0.0.1 sdx.microsoft.com

Get ready to manage updates in OOBE, but only with Autopilot v1?
Windows Quality Updates during the out-of-box experience

This won't affect users who add the Setup Dynamic Update to their install images, because you're already asking WU to download any pending Monthly Updates in the middle of the install process. Basically MS is making a second attempt to force updates if Setup DU wasn't added.
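An added example, not part of the original post: a read-only PowerShell check that reports which of the two workarounds above is present on a machine, for auditing images where OOBE quality updates are being suppressed. The function names are hypothetical and the sample lines are constructed; the registry value and hosts entry are the ones quoted in the post, and the hosts path is the standard Windows location.

```powershell
# Added example (not from the thread). Read-only: reports state, changes nothing.

function Test-HostsBlock {
    # $true if an active (non-comment) hosts line maps $HostName to a
    # loopback or null address. $Lines is the content of a hosts file.
    param(
        [string[]]$Lines,
        [string]$HostName = 'sdx.microsoft.com'
    )
    foreach ($line in $Lines) {
        $active = ($line -split '#', 2)[0].Trim()   # drop trailing comment
        if (-not $active) { continue }
        $fields = $active -split '\s+'
        if ($fields.Count -lt 2) { continue }
        $addr  = $fields[0]
        $names = $fields[1..($fields.Count - 1)]    # one address, many names
        # -contains is case-insensitive, which matches hostname semantics
        if (($addr -in '127.0.0.1', '0.0.0.0', '::1') -and ($names -contains $HostName)) {
            return $true
        }
    }
    return $false
}

function Test-CloudContentPolicy {
    # $true if the policy value from the .reg file in the post is set to 1.
    $key = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\CloudContent'
    $p = Get-ItemProperty -Path $key -Name 'DisableCloudOptimizedContent' `
                          -ErrorAction SilentlyContinue
    return (($null -ne $p) -and ($p.DisableCloudOptimizedContent -eq 1))
}

# Constructed sample: a commented-out entry must not count as a block,
# while a mixed-case name sharing a line with other names must.
$sample = @(
    '# 127.0.0.1 sdx.microsoft.com',
    '127.0.0.1   localhost SDX.Microsoft.com   # constructed entry'
)
$sampleResult = Test-HostsBlock -Lines $sample

# Live check against this machine.
$hostsPath  = Join-Path $env:SystemRoot 'System32\drivers\etc\hosts'
$hostsLines = if (Test-Path $hostsPath) { @(Get-Content $hostsPath) } else { @() }

[pscustomobject]@{
    Computer           = $env:COMPUTERNAME
    CloudContentPolicy = Test-CloudContentPolicy
    SdxHostsBlock      = Test-HostsBlock -Lines $hostsLines
    ParserSampleResult = $sampleResult
}
```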
 
Maybe they're changing the server responses, and 22H2/23H2 machines are no longer exempted.
 
I thought 24H2 did that since the beginning
That's the case. I installed 24H2 from a .1742 image, and the update was done during OOBE
And with the option in the unattended, no update

More for 22h2/23h2 maybe
 
NTLite runs a command to block all TCP/UDP outbound on the firewall on my image, and that block isn't removed until the end of my post-install script, by which time a group policy is imported that sets WU to notify only.
 