MC1194065: Latest on Windows quality updates out of the box – now disabled by default

Starting with the January 2026 security update, the AllowOOBEUpdates CSP policy will be available and disabled by default. It shows up as a new setting on the Windows Autopilot Enrollment Status Page (ESP). This policy allows you to install the latest Windows quality updates during the out-of-box experience (OOBE) on eligible devices. Devices must be Microsoft Entra joined or Microsoft Entra hybrid joined and running Windows 11, version 22H2 or later. The original announcement and documentation are updated to reflect this change and to clarify device targeting.  When will this happen: January 2026: The AllowOOBEUpdates CSP policy will be available and disabled by default. August 2025: The original announcement introduced this new capability.  How this will affect your organization: With Windows Autopilot and Microsoft Intune (or alternative management solutions), you can maintain seamless control over quality update behavior during provisioning, while ensuring alignment with organizational security and compliance requirements.  What you need to do to prepare: Review the prerequisite criteria in additional information. Make sure that your devices are imaged with the November 2025 Windows non-security update or later or are automatically updated with the November 2025 OOBE zero-day patch (ZDP) update. Learn more about these updates and the capability under additional information.   Additional information: 

• Get ready for Windows quality updates out of the box 
• AllowOOBEUpdates System Policy CSP 
• KB5071430: Out of Box Experience update for Windows 11, version 24H2 and 25H2, and Windows Server 2025: November 21, 2025 
• KB5071892: Out of Box Experience update for Windows 11, version 22H2 and 23H2: November 20, 2025 
• Windows Autopilot Enrollment Status Page