← Back
Latest on Windows quality updates out of the box – now disabled by default
MC1194065 · build prod-20251231-200323
Category
stayInformed
Severity
normal
Major change
False
Last modified
2025-12-10 23:29:17
Summary source
Azure OpenAI (gpt-4.1)
Action by (Graph)
Action by (AI)
2026-01-01 00:00:00
Services
Windows
Tags
Admin impact
Master tags
Admin, Security
Roadmap IDs

One-line summary

The AllowOOBEUpdates CSP policy will be available and disabled by default starting January 2026, letting admins control Windows quality updates during OOBE on eligible Entra-joined Windows 11 devices.

Similar updates

More like this

Details

Body (from Message Center)

Starting with the January 2026 security update, the AllowOOBEUpdates CSP policy will be available and disabled by default. It shows up as a new setting on the Windows Autopilot Enrollment Status Page (ESP). This policy allows you to install the latest Windows quality updates during the out-of-box experience (OOBE) on eligible devices. Devices must be Microsoft Entra joined or Microsoft Entra hybrid joined and running Windows 11, version 22H2 or later. The original announcement and documentation are updated to reflect this change and to clarify device targeting. 
 
When will this happen: 
January 2026: The AllowOOBEUpdates CSP policy will be available and disabled by default. 
August 2025: The original announcement introduced this new capability. 
 
How this will affect your organization: 
With Windows Autopilot and Microsoft Intune (or alternative management solutions), you can maintain seamless control over quality update behavior during provisioning, while ensuring alignment with organizational security and compliance requirements. 
 
What you need to do to prepare: 
Review the prerequisite criteria in additional information. Make sure that your devices are imaged with the November 2025 Windows non-security update or later or are automatically updated with the November 2025 OOBE zero-day patch (ZDP) update. Learn more about these updates and the capability under additional information.  
 
Additional information: 

Raw JSON (for debugging)

Expand/collapse the full payload below.
Show/hide raw
{
  "snapshot_item": {
    "action_required_by": null,
    "ai_action_required_by": "2026-01-01T00:00:00Z",
    "ai_actions": [
      "Review device prerequisites",
      "Ensure devices have November 2025 Windows update or OOBE ZDP",
      "Update Autopilot/Intune provisioning processes"
    ],
    "ai_master_tags": [
      "Admin",
      "Security"
    ],
    "ai_model": "gpt-4.1",
    "ai_summary": "The AllowOOBEUpdates CSP policy will be available and disabled by default starting January 2026, letting admins control Windows quality updates during OOBE on eligible Entra-joined Windows 11 devices.",
    "ai_topics": [
      "Windows",
      "Entra",
      "Intune"
    ],
    "category": "stayInformed",
    "details_map": {},
    "id": "MC1194065",
    "importance": 3,
    "is_major_change": false,
    "last_modified": "2025-12-10T23:29:17Z",
    "ms_products": [
      "Windows"
    ],
    "platforms": null,
    "roadmap_ids": [],
    "services": [
      "Windows"
    ],
    "severity": "normal",
    "tags": [
      "Admin impact"
    ],
    "title": "Latest on Windows quality updates out of the box \u2013 now disabled by default"
  }
}