check before: 2026-01-01
Product:
Entra, Intune, SharePoint, Windows, Windows Server
Platform:
Online, Windows Desktop, World tenant
Status:
Change type:
Admin impact
Links:
Details:
Starting with the January 2026 security update, the AllowOOBEUpdates CSP policy will be available and disabled by default. It shows up as a new setting on the Windows Autopilot Enrollment Status Page (ESP). This policy allows you to install the latest Windows quality updates during the out-of-box experience (OOBE) on eligible devices. Devices must be Microsoft Entra joined or Microsoft Entra hybrid joined and running Windows 11, version 22H2 or later. The original announcement and documentation are updated to reflect this change and to clarify device targeting.
When will this happen:
January 2026: The AllowOOBEUpdates CSP policy will be available and disabled by default.
August 2025: The original announcement introduced this new capability.
Release Phase:
Created:
2025-12-11
Updated:
2025-12-11
Direct effects for Operations**
Quality Updates Installation
Without preparation, devices may not receive the latest quality updates during the out-of-box experience, leading to potential security vulnerabilities and performance issues.
- roles: IT Administrators, End Users
- references: https://learn.microsoft.com/autopilot/enrollment-status, https://techcommunity.microsoft.com/blog/windows-itpro-blog/get-ready-for-windows-quality-updates-out-of-the-box/4434498
Device Compliance and Security
Disabling the AllowOOBEUpdates policy by default may result in non-compliance with organizational security standards, affecting the overall security posture of the organization.
- roles: Compliance Officers, IT Security Managers
- references: https://learn.microsoft.com/windows/client-management/mdm/policy-csp-system#allowoobeupdates, https://support.microsoft.com/topic/kb5071430-out-of-box-experience-update-for-windows-11-version-24h2-and-25h2-and-windows-server-2025-november-21-2025-9510f154-a605-47d2-ae1c-f0d18260c5e6
explanation for non-techies**
Starting in January 2026, a new policy called AllowOOBEUpdates will be introduced for Windows devices. This policy is designed to manage how Windows quality updates are handled during the initial setup process, known as the out-of-box experience (OOBE). Think of OOBE as the welcome tour you get when you first start using a new device. This policy will be disabled by default, meaning that unless you actively choose to enable it, the latest updates won't automatically install during this setup phase.
Imagine buying a new car. When you drive it off the lot, you might have the option to install the latest navigation software or system updates right away. However, with this new policy, it's like the car comes with the option turned off, and you need to decide if you want to enable it to get those updates immediately.
For organizations using Windows Autopilot and Microsoft Intune, this change means they can better control when and how updates are applied to new devices, ensuring that everything aligns with their security and compliance standards. It's like having a valet service that checks your car's software before you start driving, making sure everything is up to the company's standards.
To take advantage of this policy, devices need to be connected to Microsoft Entra, which is a bit like having a membership card that gives you access to certain services and features. Devices also need to be running a specific version of Windows 11 or later, similar to needing a certain model year for your car to be compatible with new features.
Organizations should ensure their devices are updated with the latest non-security updates or patches to make sure everything runs smoothly. It's like making sure your car has the latest safety features installed before hitting the road.
In summary, this change provides more control over how updates are handled during the initial setup of Windows devices, helping organizations maintain security and compliance without unnecessary interruptions.
** AI generated content. This information must be reviewed before use.
Last updated 3 months ago