In this blog, we’ll explore the new quality updates during the out-of-box experience (OOBE), driven by what Microsoft calls the New Devices Update Promotion (NDUP) experience, in the latest Windows Insider build. With this enhancement, once a device finishes Windows Autopilot Device Preparation enrollment, it automatically installs the latest quality update, including the current security fixes, before the user reaches the desktop.
Windows Update Introduction
Ensuring your devices are up to date is pretty important, particularly during device enrollment. Windows Autopilot’s original concept was to ship the device directly from the supplier to the end user, and that can present significant challenges when the device ships with an older Windows build.
One of the major issues is that those devices usually aren’t up to date and lack the latest security updates; sometimes they are almost a year behind. Microsoft’s monthly update cycle is what keeps devices patched, and getting a new device onto that cycle quickly is crucial for both security and compliance.
A device that is not up to date is exposed to known, already-patched vulnerabilities, and I guess we don’t want those. From the compliance side, we can also define a compliance policy that requires a minimum OS build, so that only up-to-date devices can access corporate data.
If a device runs an older build than the minimum in your compliance policy, it is marked non-compliant and a Conditional Access policy that requires compliance will block it until it is updated, so you need to update those devices as soon as possible. Luckily, Microsoft seems to be working on something. I noticed something new after discovering the local administrator Windows Autopilot Device Preparation bug. Let me tell you what I saw!
Once the device was successfully enrolled and all the applications published by Patch My PC were installed, I clicked on Next, expecting to be prompted for Windows Hello for Business (WHfB). Something else happened!
Quality Updates During out-of-box experience (NDUP)
Once the device finished installing all the third-party apps provided by Patch My PC, I was expecting to be prompted for WHfB, but that prompt never came. Instead of the WHfB screen, it showed me this brand-new Quality Updates During out-of-box experience.
The first screen told me that “an update was in progress. We’ll take it from here”. Users receive a notification that an update is in progress. After that initial new Windows Update screen, it switched to another brand-new update screen.
This new screen showed the download progress of the Windows update it was installing. Just as Patch My PC keeps applications up to date, Microsoft now makes sure Windows devices receive the current quality update, and with it the latest security fixes, straight after Windows Autopilot Device Preparation enrollment.
In addition to this new update window, it also showed an option to cancel feature and security updates. Let’s look at how it looks when we combine those screens I showed you!
As shown above, this flow looks pretty good and could fix the problem of devices missing security updates right after enrollment.
Of course, we could ask the user to download the updates themselves, but wouldn’t it be nicer to have the option to deploy them during OOBE after the Windows Autopilot Device Preparation enrollment?
Let’s explore and investigate how Microsoft appears to be experimenting with a new update feature called OobeOngoingSoftwareUpdateStatus, and how they implemented this feature to be executed after the Autopilot Device Preparation enrollment.
Oobe Ongoing Software Update Status
To find out how this new OobeOngoingSoftwareUpdateStatus feature works from the inside, we first need to take a brief tour through the Microsoft Cloud Experience Host and the corresponding Oobe code. Let’s start with zooming into this new Quality Updates During out-of-box experience.
Once your Windows Autopilot Device Preparation flow is finished, press next to accept the privacy settings.
Once you agree to the terms, in the background, we will notice that the CloudExperienceHost will try to discover (discovery.js) which features are enabled on the device and which capabilities are supported.
ExpediteUpdatePILess feature
The CloudExperienceHost will check if the ExpediteUpdatePILess feature is enabled. If so, it will add the osRevision to the headers.
From there on, it will navigate to sdx.microsoft.com (which is a weird url if you ask me). I assume it serves its purpose.
If this URL is reachable, the Cloud Experience host will initialize the configuration and switch to a regular “Checking For Updates” window.
Behind this existing screen, a lot of magic is happening, because with the latest Windows Insider build (26100, 24H2) Microsoft added a nice new feature called OobeNdupOngoingUpdateStatus.
With some other features added in a previous build (26040.1000), those new Update and Oobe features will enable something unique.
With these OOBE NDUP features enabled, if an update is found, it will switch to the NDUP ongoing update status experience. And now you are pretty much wondering what NDUP is, right?
NDUP stands for New Devices Update Promotion: the Windows 11 rollout and update promotion for new devices. Using NDUP should result in a smoother customer experience and speed up the adoption of Windows 11 upgrades. Sounds like a great update experience, right? Let’s move on to what happens when this feature is enabled.
To enable the NDUP expedited update, a registry value (EnableExpeditedUpdate) is written just before the new Windows Update promotion/experience screen is shown.
Once the expedited update is enabled, you will receive the much-anticipated new Update window.
Your Update is in Progress
This new Update flow provides a streamlined and efficient way to manage and install critical updates, ensuring your system remains secure and up-to-date.
Please note: it will only switch to this screen if updates are available. If no updates are available, you are taken straight to the WHfB setup screen.
I learned this the hard way, because it stopped working after I had captured all the traces and information. Somehow, this new Windows Update OOBE screen stopped showing on 06-06-2024. Microsoft decided to withdraw a specific update, KB5037850, on 07-06-2024. With this update revoked, no updates were detected, and with that, the new update screen didn’t show up.
It is also good to know that .NET security updates will not trigger these new quality updates during the out-of-box experience.
While the updates are downloaded and installed, you can monitor their status in the progress bar below. It will guide you through each step of the update process.
Once finished, your device is up to date, secure, and ready to use!!
The Quality Updates During out-of-box Experience Flow
What would one of my first blog posts on the Patch My PC website be without my weird mspaint flow? In the flow below, I will explain how the latest Windows Security Updates are installed after Windows Autopilot device Preparation.
Quality updates during the out-of-box experience Explained
Let’s explain the flow from above a bit better so everyone can make sense of it (and not only me)
By browsing the event logs, particularly the Shell-Core operational log, we can observe that the Cloud Experience Host drives this UI change for quality updates. The same host manages several other OOBE features, including authentication and Windows Hello.
There we see the Out-of-box-experience New Device Update Page (OOBENDUP) kick in.
The new Windows Update experience process begins by checking whether the feature is enabled on the device.
If the feature is enabled, it checks whether the device can reach https://sdx.microsoft.com/frx/cloud-ndup. While it might seem unusual for the device to be offline, since Autopilot requires an internet connection, the check confirms the service is reachable before the flow commits to updating; if it isn’t, the flow exits (the serveroffline:true case described below).
The Cloud Experience Host gathers local data from the client and then reaches out to several endpoints to retrieve JSON files used for different purposes:
sdx.microsoft.com/areas/frx/resources/json/NDUP_error_lottie.json
sdx.microsoft.com/areas/frx/resources/json/cloudndup/expeditedUpdatelottie.json
sdx.microsoft.com/areas/frx/resources/json/cloudndup/mercurylossAversionLottie.json
sdx.microsoft.com/areas/frx/resources/json/cloudndup/windowsLogoLottie.json
Judging by their names, these are Lottie animation definitions for the new screens (the error screen, the expedited update screen, the “loss aversion” prompt and the Windows logo). They influence what the Cloud Experience Host shows, but they don’t provide much insight when accessed directly. The downloaded files are stored in the default user’s local app data folder.
Next, the device identifies the updates (KBs) it needs to download and install. At this stage in OOBE, the registry value EnableExpeditedUpdate is created and set to 1. This triggers the Windows Update engine, which starts downloading the required patches. As the download progresses, you see the progress in the UI, and the new update experience then installs the latest quality updates during OOBE!
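To see the pieces of that flow on a live device, here is an added example (my own script, not code from the original post and not Microsoft’s) that mirrors the steps above as a read-only check: it tests reachability of the cloud-ndup endpoint and the JSON resources, looks for the EnableExpeditedUpdate value, and pulls the related Shell-Core events. The registry keys it searches and the event-message filter are assumptions, because the post names the value and the log but not the key path or any event IDs.

```powershell
# Added example: read-only NDUP state check. Not from the original post or Microsoft.
# Assumptions: the registry roots below are guesses (the post gives the value name
# only), and Shell-Core events are filtered by message text because no event IDs
# are given. Run from an elevated prompt on a 24H2 device.

$EndpointBase  = 'https://sdx.microsoft.com'
$DiscoveryUri  = "$EndpointBase/frx/cloud-ndup"
$ResourcePaths = @(
    '/areas/frx/resources/json/NDUP_error_lottie.json',
    '/areas/frx/resources/json/cloudndup/expeditedUpdatelottie.json',
    '/areas/frx/resources/json/cloudndup/mercurylossAversionLottie.json',
    '/areas/frx/resources/json/cloudndup/windowsLogoLottie.json'
)

# Step 1: the reachability check CloudExperienceHost performs. A hosts-file
# block or a proxy deny makes this fail, which is the serveroffline:true case.
function Test-NdupEndpoint {
    param([Parameter(Mandatory)][string]$Uri)
    try {
        $r = Invoke-WebRequest -Uri $Uri -UseBasicParsing -TimeoutSec 10
        [pscustomobject]@{ Uri = $Uri; Reachable = $true;  Detail = "HTTP $($r.StatusCode), $($r.RawContentLength) bytes" }
    } catch {
        [pscustomobject]@{ Uri = $Uri; Reachable = $false; Detail = $_.Exception.Message }
    }
}

# Step 2: look for the EnableExpeditedUpdate value. The real key is not known
# from the post, so search a few plausible Windows Update keys recursively.
function Find-ExpeditedUpdateValue {
    $roots = @(
        'HKLM:\SOFTWARE\Microsoft\WindowsUpdate',
        'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate',
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\OOBE'
    )
    foreach ($root in $roots) {
        if (-not (Test-Path -Path $root)) { continue }
        $keys = @(Get-Item -Path $root) + @(Get-ChildItem -Path $root -Recurse -ErrorAction SilentlyContinue)
        foreach ($key in $keys) {
            $value = $key.GetValue('EnableExpeditedUpdate', $null)
            if ($null -ne $value) {
                [pscustomobject]@{ Key = $key.Name; EnableExpeditedUpdate = $value }
            }
        }
    }
}

# Step 3: CloudExperienceHost drives the UI change; its traces land in the
# Shell-Core operational log.
function Get-NdupShellCoreEvents {
    param([int]$MaxEvents = 500)
    Get-WinEvent -LogName 'Microsoft-Windows-Shell-Core/Operational' -MaxEvents $MaxEvents -ErrorAction SilentlyContinue |
        Where-Object { $_.Message -match 'CloudExperienceHost|NDUP|Expedite' } |
        Select-Object TimeCreated, Id, Message
}

# Run all three checks and print a summary.
$results  = @(Test-NdupEndpoint -Uri $DiscoveryUri)
$results += $ResourcePaths | ForEach-Object { Test-NdupEndpoint -Uri ($EndpointBase + $_) }
$results | Format-Table -AutoSize

$expedited = Find-ExpeditedUpdateValue
if ($expedited) { $expedited | Format-Table -AutoSize } else { 'EnableExpeditedUpdate not found under the searched keys' }

Get-NdupShellCoreEvents | Format-Table -AutoSize -Wrap
```

If the first check reports Reachable = False, the device would follow the same exit path the hosts-file workaround in the next section relies on; if it reports True but no EnableExpeditedUpdate value turns up, either no update was offered (the KB5037850 situation above) or the value lives under a key this script does not search, in which case extend $roots.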
Community Solutions to Prevent it!
During Workplace Ninjas 2024, Mattias Melkerson shared a clever way to stop OOBE updates for those who don’t want their Windows devices updated right after setup.
His solution is straightforward: modify the hosts file so that sdx.microsoft.com resolves to a null address.
Why this approach? It’s simple. One of the first things the NDUP process does is check whether the device can reach sdx.microsoft.com, which hosts the JSON files the update experience needs.
If the CloudExperienceHost process can’t reach it (serveroffline:true), the JSON files shown above can’t be downloaded, and the process exits. Go check out the Proactive Remediation he built! It’s pretty awesome and very simple to implement.
OOBE will force you to quality update during onboarding – MSEndpointMgr
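Below is an added example of the same technique, written by me as an Intune Remediations detection/remediation pair; it is not Mattias Melkerson’s script, so check his post for the version he uses. It assumes 0.0.0.0 as the null address (the post does not say which address is used) and tags the entry with a marker so it can be removed again.

```powershell
# Added example: my own implementation of the hosts-file block described above,
# shaped as an Intune Remediations detection/remediation pair. Not Mattias
# Melkerson's script. Assumption: 0.0.0.0 is used as the null address.

$HostsPath   = Join-Path $env:SystemRoot 'System32\drivers\etc\hosts'
$BlockedHost = 'sdx.microsoft.com'
$NullAddress = '0.0.0.0'
$Marker      = '# NDUP-block'   # tag so the entry can be found and removed later

# Is there an active (non-commented) line mapping the host to the null address?
function Test-HostsBlock {
    param([string]$Path = $HostsPath)
    if (-not (Test-Path -Path $Path)) { return $false }
    $pattern = '^\s*' + [regex]::Escape($NullAddress) + '\s+' + [regex]::Escape($BlockedHost) + '(\s|$)'
    $hits = @(Get-Content -Path $Path | Where-Object { $_ -notmatch '^\s*#' -and $_ -match $pattern })
    return ($hits.Count -gt 0)
}

# Append the block entry; cope with a hosts file that lacks a trailing newline.
function Add-HostsBlock {
    param([string]$Path = $HostsPath)
    if (Test-HostsBlock -Path $Path) { return }
    $raw = Get-Content -Path $Path -Raw -ErrorAction SilentlyContinue
    if ($raw -and -not $raw.EndsWith("`n")) { Add-Content -Path $Path -Value '' -Encoding Ascii }
    Add-Content -Path $Path -Value "$NullAddress`t$BlockedHost`t$Marker" -Encoding Ascii
    ipconfig.exe /flushdns | Out-Null
}

# Remove only the lines this script added, so other entries stay untouched.
function Remove-HostsBlock {
    param([string]$Path = $HostsPath)
    $kept = Get-Content -Path $Path | Where-Object { $_ -notmatch [regex]::Escape($Marker) }
    Set-Content -Path $Path -Value $kept -Encoding Ascii
    ipconfig.exe /flushdns | Out-Null
}

# Intune Remediations contract: detection exits 1 when the fix is needed and 0
# when compliant; remediation applies the fix and exits 0. Split into two scripts:
#   detection.ps1   -> if (Test-HostsBlock) { exit 0 } else { "$BlockedHost not blocked"; exit 1 }
#   remediation.ps1 -> Add-HostsBlock; exit 0
# When testing by hand from an elevated prompt, call the functions directly:
if (-not (Test-HostsBlock)) { Add-HostsBlock }
"Blocked: $(Test-HostsBlock)"
```

Two practical caveats. The entry has to exist before CloudExperienceHost runs its reachability check, so it must be delivered by whatever runs ahead of that step in your flow, not by a remediation that only fires after the user reaches the desktop. And a hosts entry is permanent and blanket: every request to sdx.microsoft.com fails, not just the NDUP check, and it stays that way after OOBE, so pair it with Remove-HostsBlock once the device is past enrollment.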
Microsoft’s announcement and response
Almost six months ago, I wrote this blog about the new Windows Update experience during OOBE. At that time, MDM-enrolled devices would ALWAYS automatically receive quality updates right after Autopilot enrollment, ensuring they were fully patched before users even reached the desktop.
However, after rolling it out, Microsoft received significant feedback, and ultimately decided to pull it back.
Now, it looks like they’re working on a new approach, introducing an option to defer these updates instead of forcing them immediately during OOBE.
Upcoming Changes to Expedited Updates in OOBE
A new feature will introduce an option to defer quality updates during OOBE. This will give organizations greater flexibility in managing updates during initial device setup. Rather than forcing an immediate update, it appears Microsoft is adding a mechanism to delay the process when necessary.
This setting plays a major role in how updates are managed during OOBE. It allows IT administrators to postpone updates instead of applying them immediately. Since this is a big change in how quality updates are deployed during OOBE, I’ve written a new blog post that dives deeper into how deferral is handled and how policies interact with it.
👉 Read more about the new deferred update mechanism here
Conclusion
While I appreciate the new quality updates during the out-of-box experience, I have some questions regarding their implementation. It seems more like an OOBE addition than an Autopilot Device Preparation enhancement.
Is it possible that Microsoft was unaware that this new screen also appears during Device Preparation? Let me tell you why. I have observed this OOBE update flow occurring on non-Autopilot enrolled 24H2 devices and even on Windows Home devices.
I hope Microsoft ensures that this new OOBE update feature will continue to be displayed after Autopilot Device Preparation. Patch My PC enhances security by keeping all applications up to date. Microsoft should strive to achieve the same level of update management for Windows.