Category
stayInformed
Severity
normal
Major change
False
Last modified
2025-12-10 23:29:17
Summary source
Azure OpenAI (gpt-4.1)
Action by (Graph)
—
Action by (AI)
2026-01-01 00:00:00
Services
Windows
Tags
Admin impact
Master tags
Admin, Security
Roadmap IDs
One-line summary
The AllowOOBEUpdates CSP policy will be available and disabled by default starting January 2026, letting admins control Windows quality updates during OOBE on eligible Entra-joined Windows 11 devices.
Similar updates
More like thisMC1188558 Take Action: Out-of-band update to address November 2025 hotpatch update being reoffered after Windows update scan
MC1193628 The December 2025 Windows security update is now available
MC1193371 How to use Microsoft Intune to update expiring Secure Boot certificates
MC1188557 The November 2025 Windows non-security preview update is now available for Windows 11, version 23H2
MC1191307 The November 2025 Windows non-security preview update is now available
MC1199746 Take Action: Out-of-band update to address MSMQ service issues leading to queue operations and resource-related errors
Details
Body (from Message Center)
Starting with the January 2026 security update, the AllowOOBEUpdates CSP policy will be available and disabled by default. It shows up as a new setting on the Windows Autopilot Enrollment Status Page (ESP). This policy allows you to install the latest Windows quality updates during the out-of-box experience (OOBE) on eligible devices. Devices must be Microsoft Entra joined or Microsoft Entra hybrid joined and running Windows 11, version 22H2 or later. The original announcement and documentation are updated to reflect this change and to clarify device targeting.
When will this happen:
January 2026: The AllowOOBEUpdates CSP policy will be available and disabled by default.
August 2025: The original announcement introduced this new capability.
How this will affect your organization:
With Windows Autopilot and Microsoft Intune (or alternative management solutions), you can maintain seamless control over quality update behavior during provisioning, while ensuring alignment with organizational security and compliance requirements.
What you need to do to prepare:
Review the prerequisite criteria in additional information. Make sure that your devices are imaged with the November 2025 Windows non-security update or later or are automatically updated with the November 2025 OOBE zero-day patch (ZDP) update. Learn more about these updates and the capability under additional information.
Additional information:
- Get ready for Windows quality updates out of the box
- AllowOOBEUpdates System Policy CSP
- KB5071430: Out of Box Experience update for Windows 11, version 24H2 and 25H2, and Windows Server 2025: November 21, 2025
- KB5071892: Out of Box Experience update for Windows 11, version 22H2 and 23H2: November 20, 2025
- Windows Autopilot Enrollment Status Page
Raw JSON (for debugging)
Expand/collapse the full payload below.
Show/hide raw
{
"snapshot_item": {
"action_required_by": null,
"ai_action_required_by": "2026-01-01T00:00:00Z",
"ai_actions": [
"Review device prerequisites",
"Ensure devices have November 2025 Windows update or OOBE ZDP",
"Update Autopilot/Intune provisioning processes"
],
"ai_master_tags": [
"Admin",
"Security"
],
"ai_model": "gpt-4.1",
"ai_summary": "The AllowOOBEUpdates CSP policy will be available and disabled by default starting January 2026, letting admins control Windows quality updates during OOBE on eligible Entra-joined Windows 11 devices.",
"ai_topics": [
"Windows",
"Entra",
"Intune"
],
"category": "stayInformed",
"details_map": {},
"id": "MC1194065",
"importance": 3,
"is_major_change": false,
"last_modified": "2025-12-10T23:29:17Z",
"ms_products": [
"Windows"
],
"platforms": null,
"roadmap_ids": [],
"services": [
"Windows"
],
"severity": "normal",
"tags": [
"Admin impact"
],
"title": "Latest on Windows quality updates out of the box \u2013 now disabled by default"
}
}