Windows Autopilot Device Preparation and the New Windows Update Experience

by | Jun 26, 2024 | Blog

This blog will examine the new Windows Update OOBE experience added to Windows Insider build 26100. With this new experience, the device is automatically updated to the latest version and security build after finishing the Windows Autopilot Device Preparation enrollment.

Introduction

Ensuring your systems are up to date is vital, particularly during device enrollment. Windows Autopilot’s initial concept was to ship the device directly from the supplier to the end user, which can present significant challenges when the device ships with an older Windows build.

One of the major issues was that, most of the time, those devices weren’t up to date and lacked the latest security updates; sometimes they were almost a year behind. Microsoft’s support cycle ensures that supported devices receive timely security updates, which is crucial for maintaining compliance and security.

A device that is not up to date is exposed to known, already patched vulnerabilities, and I guess we don’t want those.

From the compliance side, we can also define a compliance policy that ensures only up-to-date devices can access our corporate data.

Device Restrictions to block devices lower than a certain Windows build

If a device runs an older build than the minimum set in your compliance policy, it must be updated as soon as possible; otherwise, it is marked non-compliant and loses access.
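The following PowerShell is an added example, not code from the original post or from Patch My PC: it reads the device’s full four-part build from the registry, performs the same comparison a compliance policy makes against osMinimumVersion, and creates such a policy through Microsoft Graph. The minimum version 10.0.26100.863 and the policy name are assumed values for illustration; the function names are mine.

```powershell
# Added example (not from the original post). Assumes a Windows 10/11 device and, for the
# Graph part, a prior Connect-MgGraph -Scopes DeviceManagementConfiguration.ReadWrite.All.

function Get-LocalWindowsVersion {
    # CurrentMajorVersionNumber.CurrentMinorVersionNumber.CurrentBuild.UBR is the full
    # version (e.g. 10.0.26100.863) that Intune compares against osMinimumVersion.
    $key = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'
    $p = Get-ItemProperty -Path $key
    [version]::new($p.CurrentMajorVersionNumber, $p.CurrentMinorVersionNumber, $p.CurrentBuild, $p.UBR)
}

function Test-MinimumBuild {
    param(
        [Parameter(Mandatory)][version]$Current,
        [Parameter(Mandatory)][version]$Minimum
    )
    # [version] compares all four parts numerically, so 10.0.26100.10 is correctly
    # treated as lower than 10.0.26100.863 (a string comparison would get this wrong).
    return $Current -ge $Minimum
}

function New-MinimumBuildCompliancePolicy {
    param(
        [Parameter(Mandatory)][string]$DisplayName,
        [Parameter(Mandatory)][version]$Minimum,
        [int]$GracePeriodHours = 0
    )
    # A compliance policy must carry at least one scheduled action. 'block' with a
    # 0-hour grace period marks the device non-compliant immediately, which Conditional
    # Access then uses to deny access to corporate data. 'PasswordRequired' is the
    # conventional placeholder rule name used in Graph examples.
    $body = @{
        '@odata.type'           = '#microsoft.graph.windows10CompliancePolicy'
        displayName             = $DisplayName
        osMinimumVersion        = $Minimum.ToString()
        scheduledActionsForRule = @(
            @{
                ruleName                      = 'PasswordRequired'
                scheduledActionConfigurations = @(
                    @{ actionType = 'block'; gracePeriodHours = $GracePeriodHours; notificationTemplateId = '' }
                )
            }
        )
    }
    Invoke-MgGraphRequest -Method POST `
        -Uri 'https://graph.microsoft.com/v1.0/deviceManagement/deviceCompliancePolicies' `
        -Body $body -ContentType 'application/json'
}

# Usage (assumed minimum; adjust to your own baseline):
$minimum = [version]'10.0.26100.863'
$current = Get-LocalWindowsVersion
if (Test-MinimumBuild -Current $current -Minimum $minimum) {
    "Build $current meets the minimum $minimum"
} else {
    "Build $current is below $minimum; update before the compliance policy blocks access"
}
# New-MinimumBuildCompliancePolicy -DisplayName 'Windows minimum build' -Minimum $minimum
```

Run the local check on a freshly enrolled device to see exactly how far behind the build is; the UBR part is what the monthly cumulative update moves, so a device a year behind shows both an older CurrentBuild and a low UBR.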

Luckily, Microsoft seems to be working on something. I noticed something new after discovering the local administrator Windows Autopilot Device Preparation bug. Let me tell you what I saw!

Once the device was successfully enrolled and all the applications published by Patch My PC were installed, I clicked Next, expecting to be prompted for Windows Hello for Business (WHfB). Something else happened!

Your Windows Security Updates are in progress

Once the device finished installing all the third-party apps provided by PMPC, I expected to be prompted for WHfB, but that didn’t happen. Instead of the WHfB screen, it showed me this brand-new screen.

New Windows Update feature, mentioning your update is in progress

The first screen told me that “an update was in progress. We’ll take it from here”, so the user is notified that an update is running. After that initial Windows Update screen, it switched to another brand-new update screen.

Your Windows update is in progress

This new screen showed the download progress of the Windows update it was installing. Just as Patch My PC ensures that applications are kept up to date, Microsoft now ensures that Windows devices receive timely updates to protect against security vulnerabilities after the Windows Autopilot Device Preparation enrollment.

In addition to this new update window, it also offered an option to cancel the feature and security updates. Let’s look at how it looks when we combine those screens!

As shown above, this flow looks pretty good and could fix our devices’ lack of security updates right after enrollment.

Of course, we could ask the user to download the updates themselves, but wouldn’t it be nicer to have the option to deploy them during OOBE after the Windows Autopilot Device Preparation enrollment?

Let’s explore how Microsoft appears to be experimenting with a new update feature called OobeOngoingSoftwareUpdateStatus, and how it is executed after the Autopilot Device Preparation enrollment.

Oobe Ongoing Software Update Status

To find out how this new OobeOngoingSoftwareUpdateStatus feature works from the inside, we first need to take a brief tour through the Microsoft Cloud Experience Host and the corresponding OOBE code. Let’s start by zooming into the Out-of-Box Experience (OOBE).

Once your Windows Autopilot Device Preparation flow is finished, press Next to accept the privacy settings.

After clicking next on the privacy screen, Windows will check for updates.

Once you agree to the terms, in the background the CloudExperienceHost tries to discover (discovery.js) which features are enabled on the device and which capabilities are supported.

ExpediteUpdatePILess feature

The CloudExperienceHost checks whether the ExpediteUpdatePILess feature is enabled. If so, it adds the osRevision to the request headers.

From there on, it navigates to sdx.microsoft.com (which is a weird URL if you ask me). I assume it serves its purpose.

It will navigate to sdx.microsoft.com

If this URL is reachable, the Cloud Experience Host initializes the configuration and switches to the regular “Checking For Updates” window.

Behind this existing screen a lot is happening, because with the latest Windows Insider build (26100, 24H2) Microsoft added a nice new feature called OobeNdupOngoingUpdateStatus.

OobeNdupOngoingUpdateStatus feature added

Together with other features added in a previous build (26040.1000), these new update and OOBE features enable something unique.

Other NDUP and update features were also added

With these OOBE NDUP features enabled, if an update is found, it switches to the NDUP ongoing update status experience. And now you are probably wondering what NDUP is, right?

NDUP stands for New Devices Update Promotion: the Windows 11 rollout and update promotion for new devices. Using NDUP should result in a smooth customer experience and speed up the adoption of Windows 11 upgrades. Sounds like a great update experience, right? Let’s move on to what happens when this feature is enabled.

To enable the NDUP expedited update, a registry key is created just before the new Windows Update promotion screen is shown.

Registry showing the OOBE NDUP keys

Once the expedited update is enabled, you receive the much-anticipated new update window. This new update flow provides a streamlined way to install critical updates, ensuring your system remains secure and up to date.

Your update is in progress

Please note: it only switches to this screen if updates are available. If no updates are available, you are redirected to the WHfB setup screen.

I learned this the hard way because it stopped working after I had captured all the traces and information. Somehow, this new Windows Update OOBE screen stopped showing on 06-06-2024. Microsoft decided to withdraw a specific update, KB5037850, on 07-06-2024. With this update revoked, no updates were detected, and with it, the new update screen didn’t show up.

It is also good to know that .NET security updates do not trigger this new Windows Update experience.
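To reproduce the “no updates, no screen” behaviour described above, it helps to see exactly what Windows Update would offer a device at that moment. The following PowerShell is an added example, not code from the original post or from Patch My PC: it queries the Windows Update Agent COM API for pending updates, separates .NET updates from OS updates, and checks whether a given KB is already installed. The search criteria, the title-based .NET classification and the function names are my assumptions, not documented OOBE behaviour.

```powershell
# Added example (not from the original post). Runs on any Windows 10/11 device with access to
# its configured update source (Windows Update, WSUS or WUfB); elevation is not required to search.

function Get-PendingWindowsUpdates {
    $session  = New-Object -ComObject Microsoft.Update.Session
    $searcher = $session.CreateUpdateSearcher()
    # Applicable, not yet installed, not hidden software updates; drivers are excluded.
    $result = $searcher.Search("IsInstalled=0 and IsHidden=0 and Type='Software'")
    foreach ($u in $result.Updates) {
        [pscustomobject]@{
            Title      = $u.Title
            KB         = ($u.KBArticleIDs | ForEach-Object { "KB$_" }) -join ','
            Categories = ($u.Categories | ForEach-Object { $_.Name }) -join ';'
            # Assumption: .NET updates are recognised by their title, which is how they
            # are named in the Windows Update catalog.
            IsDotNet   = $u.Title -like '*.NET Framework*'
        }
    }
}

function Test-KBInstalled {
    param([Parameter(Mandatory)][string]$KB)
    # Get-HotFix reads the installed-updates list; a missing KB throws, which we treat as "not installed".
    try { [bool](Get-HotFix -Id $KB -ErrorAction Stop) } catch { $false }
}

# Usage:
$pending   = @(Get-PendingWindowsUpdates)
$osUpdates = @($pending | Where-Object { -not $_.IsDotNet })
$pending | Format-Table Title, KB, IsDotNet -AutoSize

if ($osUpdates.Count -eq 0) {
    "No OS updates pending; only .NET updates (if any) remain, so the OOBE update screen would be skipped."
} else {
    "$($osUpdates.Count) OS update(s) pending; the OOBE update screen would be shown."
}

# The cumulative update mentioned in the post, checked against the installed-updates list:
"KB5037850 installed: $(Test-KBInstalled -KB 'KB5037850')"
```

Running the search on a device that has just finished Device Preparation, before clicking through the privacy screen, shows whether anything is left for the new OOBE experience to install; an empty list matches the case where the screen never appears.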

While the updates are downloaded and installed, you can monitor their status in the progress bar. It guides you through each step of the update process.

Once finished, your device is up to date, secure, and ready to use!

The Flow

What would one of my first blog posts on the Patch My PC website be without my weird mspaint flow? In the flow below, I will explain how the latest Windows security updates are installed after Windows Autopilot Device Preparation.

Conclusion

While I appreciate the new Windows update feature added to the OOBE, I have some questions regarding its implementation. It seems more like an OOBE addition than an Autopilot Device Preparation enhancement.

Is it possible that Microsoft was unaware that this new screen also appears during Device Preparation? Let me tell you why. I have observed this OOBE update flow occurring on non-Autopilot enrolled 24H2 devices and even on Windows Home devices.

I hope Microsoft ensures that this new OOBE update feature will continue to be displayed after Autopilot Device Preparation. Patch My PC enhances security by keeping all applications up to date. Microsoft should strive to achieve the same level of update management for Windows.
