Latest on Windows quality updates out of the box – now disabled by default
MC1194065 · build prod-20251231-200323
Category: stayInformed
Severity: normal
Major change: False
Last modified: 2025-12-10 23:29:17
Summary source: Azure OpenAI (gpt-4.1)
Action by (Graph):
Action by (AI): 2026-01-01 00:00:00
Services: Windows
Tags: Admin impact
Master tags: Security
Roadmap IDs:

One-line summary

The AllowOOBEUpdates CSP policy will be available and disabled by default starting January 2026, letting admins control Windows quality updates during OOBE on eligible Entra-joined Windows 11 devices.


Details

Body (from Message Center)

Starting with the January 2026 security update, the AllowOOBEUpdates CSP policy will be available and disabled by default. It shows up as a new setting on the Windows Autopilot Enrollment Status Page (ESP). This policy allows you to install the latest Windows quality updates during the out-of-box experience (OOBE) on eligible devices. Devices must be Microsoft Entra joined or Microsoft Entra hybrid joined and running Windows 11, version 22H2 or later. The original announcement and documentation are updated to reflect this change and to clarify device targeting. 
 
When will this happen: 
January 2026: The AllowOOBEUpdates CSP policy will be available and disabled by default. 
August 2025: The original announcement introduced this new capability. 
 
How this will affect your organization: 
With Windows Autopilot and Microsoft Intune (or alternative management solutions), you can maintain seamless control over quality update behavior during provisioning, while ensuring alignment with organizational security and compliance requirements. 
 
What you need to do to prepare: 
Review the prerequisite criteria in additional information. Make sure that your devices are imaged with the November 2025 Windows non-security update or later or are automatically updated with the November 2025 OOBE zero-day patch (ZDP) update. Learn more about these updates and the capability under additional information.  
 
Additional information: 

Raw JSON (for debugging)

{
  "snapshot_item": {
    "action_required_by": null,
    "ai_action_required_by": "2026-01-01T00:00:00Z",
    "ai_actions": [
      "Review device prerequisites",
      "Ensure devices have November 2025 Windows update or OOBE ZDP",
      "Update Autopilot/Intune provisioning processes"
    ],
    "ai_master_tags": [
      "Security"
    ],
    "ai_model": "gpt-4.1",
    "ai_summary": "The AllowOOBEUpdates CSP policy will be available and disabled by default starting January 2026, letting admins control Windows quality updates during OOBE on eligible Entra-joined Windows 11 devices.",
    "ai_topics": [
      "Windows",
      "Entra",
      "Intune"
    ],
    "category": "stayInformed",
    "details_map": {},
    "id": "MC1194065",
    "importance": 3,
    "is_major_change": false,
    "last_modified": "2025-12-10T23:29:17Z",
    "ms_products": [
      "Windows"
    ],
    "platforms": null,
    "roadmap_ids": [],
    "services": [
      "Windows"
    ],
    "severity": "normal",
    "tags": [
      "Admin impact"
    ],
    "title": "Latest on Windows quality updates out of the box \u2013 now disabled by default"
  }
}