The New Windows Update Experience during OOBE (NDUP)

by | Jun 26, 2024 | Blog

This blog will examine the new OOBE Windows Update Experience (NDUP) in the latest Windows Build. With this new Windows Update experience, the device will automatically be updated to the latest version and security build after finishing the Windows Autopilot Device Preparation Enrollment (OOBE).

Windows Update Introduction

Ensuring your systems are up to date is vital, particularly during device enrollment. Windows Autopilot’s initial concept was to ship the device directly from the supplier to the end user, a process that can present significant challenges with older Windows Builds.

One of the major issues here was that most of the time, those devices weren’t up to date and lacked the latest security updates. Sometimes, those devices were almost one year behind on updates. Microsoft’s support cycle ensures that devices receive timely security updates, which is crucial for maintaining compliance and security.

Having a device that is not up to date could potentially expose it to security issues and vulnerabilities, and I guess we don’t want those.

From the compliance side, we could also define a compliance policy to ensure that only up-to-date devices can access our corporate data.

Device Restrictions to block devices lower than a certain windows build

If a device has an older build than what’s inside your compliance policy, you need to update those devices as soon as possible; otherwise, you will lose access.

Luckily, Microsoft seems to be working on something. I noticed something new after discovering the local administrator Windows Autopilot Device Preparation bug. Let me tell you what I saw!

Once the device was successfully enrolled and all the applications published by Patch My Pc were installed, I clicked on next, expecting to get prompted for Windows Hello for Business (Wh4B). Something else happened!

The New Windows Update Experience Screen (NDUP)

Once the device finished installing all the third-party apps provided by PMPC, I was expecting to be prompted for WHfB, but somehow, it didn’t. Instead of the WH4B screen, it showed me this brand-new screen.

New Windows Update Feature, mentioning your update is in progess

The first screen told me that “an update was in progress. We’ll take it from here”. Users receive a notification prompting them an update is in progress. After that initial new Windows Update screen, it also switched to another brand-new Update screen.

Your Windows update is in progress

This new screen showed the download progress of the Windows Update it was trying to install. Just as Patch My PC ensures that Applications are kept up to date, Microsoft now ensures that Windows devices receive timely updates to protect against security vulnerabilities after the Windows Autopilot device Preparation enrollment.

In addition to this new Update window, it also showed us an option to cancel features and security updates. Let’s look at how it looks when we combine those screens I showed you!

As shown above, this flow looks pretty good and could fix our device’s lack of security vulnerability updates after enrollment.

Of course, we could ask the user to download the updates themselves, but wouldn’t it be nicer to have the option to deploy them during Oobe after the Windows Autopilot Device Preparation Enrollment?

Let’s explore and investigate how Microsoft appears to be experimenting with a new update feature called OobeOngoingSoftwareUpdateStatus, and how they implemented this feature to be executed after the Autopilot Device Preparation enrollment.

Oobe Ongoing Software Update Status

To find out how this new OobeOngoingSoftwareUpdateStatus feature works from the inside, we first need to take a brief tour through the Microsoft Cloud Experience Host and the corresponding Oobe code. Let’s start with zooming into the Out of box Experience (oobe)

Once your Windows Autopilot Device Preparation flow is finished, press next to accept the privacy settings.

After clicking next on the privacy screen, Windows will check for updates.

Once you agree to the terms, in the background, we will notice that the CloudExperienceHost will try to discover (discovery.js) which features are enabled on the device and which capabilities are supported.

ExpediteUpdatePILess feature

The CloudExperienceHost will check if the ExpediteUpdatePILess feature is enabled. If so, it will add the osRevision to the headers.

The CloudExperienceHost will check if the ExpediteUpdatePILess feature is enabled. If so, it will add the osRevision to the headers.

From there on, it will navigate to sdx.microsoft.com (which is a weird url if you ask me). I assume it serves its purpose.

It will navigate to sdx.microsoft.com

If this URL is reachable, the Cloud Experience host will initialize the configuration and switch to a regular “Checking For Updates” window.

the Cloud Experience host will initialize the configuration and switch to a regular “Checking For Updates” window.

Behind this existing screen, a lot of magic is happening because, with the latest Windows Insider build (26100) 24h2, Microsoft added a nice new feature called OobeNdupOngoingUpdateStatus.

OobeNdupOngoingUpdateStatus.

OobeNdupOngoingUpdateStatus. feature added

With some other features added in a previous build (26040.1000), those new Update and Oobe features will enable something unique.

other NDUP features and updates features were also added

With these Oobe NDUP features enabled, If an update is found, it will switch to the NDUP ongoing updates status experience. And now you are pretty much wondering what NDUP is, right?

NDUP is the Windows 11 rollout and update promotion for new devices (NDUP/New Devices Update Promotion). Using NDUP will result in a smooth customer experience and speed up the adoption of Windows 11 upgrades. Sounds like a great update experience, right? Let’s move on to what will happen when this feature is enabled.

To enable the NDUP expedited update, a registry key will be created just before the new Windows Update promotion/experience screen is shown.

Registry showing the oobe NDUP keys

Once the expedited update is enabled, you will receive the much-anticipated new Update window.

Your Update is in progress

This new Update flow provides a streamlined and efficient way to manage and install critical updates, ensuring your system remains secure and up-to-date.

Your update is in progress

Please Note: It will only switch to this screen if updates are available. You will be redirected to the WH4B setup screen if no updates are available.

I learned this the hard way because it stopped working after I had captured all the traces and information. Somehow, this new Windows Update Oobe screen stopped showing on 06-06-2024. Microsoft decided to withdraw a specific update on 07-06-2024, Kb5037850. With this update being revoked, no updates were detected, and with it, the new update screen didn’t show up.

It is also good to know that .net security updates will not trigger this new Windows update experience.

While the updates are downloaded and installed, you can monitor their status in the progress bar below. It will guide you through each step of the update process.

Once finished, your device is up to date, secure, and ready to use!!

The Windows Update Experience Flow

What would one of my first blog posts on the Patch My PC website be without my weird mspaint flow? In the flow below, I will explain how the latest Windows Security Updates are installed after Windows Autopilot device Preparation.

The New Windows Update Experience Explained

Let’s explain the flow from above a bit better so everyone can make sense of it (and not only me)

By browsing the event logs, particularly in the Shell-core section, we can observe that the Cloud Experience Host is responsible for driving this UI change for quality updates. This same host manages several other features, including authentication and Windows Hello.

We’ll see the Out-of-box-experience New Device Update Page (OOBENDUP) kick in.

The new Windows Update Experience process begins by checking if the feature is enabled on the device

If the feature is enabled, it will check if the device is able to contact https://sdx.microsoft.com/frx/cloud-ndup. While it might seem unusual for the device to be offline, since Autopilot requires an internet connection, the check ensures the device is ready for updates in case of any unexpected connection issues.

The Cloud Experience Host gathers local data from the client and then reaches out to various endpoints to retrieve JSON files used for different purposes:

  • sdx.microsoft.com/areas/frx/resources/json/NDUP_error_lottie.json
  • sdx.microsoft.com/areas/frx/resources/json/cloudndup/expeditedUpdatelottie.json
  • sdx.microsoft.com/areas/frx/resources/json/cloudndup/mercurylossAversionLottie.json
  • sdx.microsoft.com/areas/frx/resources/json/cloudndup/windowsLogoLottie.json
expeditedUpdatelottie.json

These JSON files influence the behavior of the Cloud Experience Host, but they don’t provide much insight when accessed directly.

This JSON file will be stored in the defaultuser’s local appdata folder.

the json file that contains the instruction to enable the Windows Update Experience is saved in defaultuser appdata folder

Next, the device identifies the necessary updates (KBs) to download and install. At this stage in OOBE, a registry key is created: EnableExpeditedUpdate is set to 1.

the enableexpediteupdate key is set to 1 which will trigger the new Windows Update Experience

This triggers the Windows Update engine,

Windows Update Experience screen showing it is started downloading the windows updates

Which starts downloading the required patches. As the download progresses, you will see the progress in the UI and with it the New Update Experience will start installing the the latest Quality updates during OOBE!

Community Solutions!

During Workplace Ninjas 2024 Mattias Melkerson shared a clever way to stop OOBE updates for those who don’t want their Windows devices updated right after setup.

His solution is straightforward: modify the host file to block the sdx.microsoft.com URL by routing it to null.

Why this approach? It’s simple. One of the first things the NDUP process does is check if the device can access sdx.microsoft.com, which hosts the necessary JSON files for the update.

If the cloudexperiencehost process can’t access it (serveroffline:true) the JSON as shown above can’t be downloaded, and with it, exiting the process. Go check out the Pro-active remediation he build! It’s pretty awesome and very simple to implement

OOBE will force you to quality update during onboarding – MSEndpointMgr

Microsoft’s announcement and response

Almost three months ago, I wrote about the new Windows Update experience during OOBE. MDM-enrolled devices would automatically receive quality updates after Autopilot enrollment. This was aimed at ensuring devices were fully patched before users even reached the desktop.

Microsoft officially announced this new update process just last week. However, after immediate feedback from the community, including concerns about IT admins’ lack of control, they’ve decided to postpone the feature.

On September 20, 2024, Microsoft confirmed that updates will not be automatically applied during OOBE for Autopilot devices until better mechanisms are in place to give admins more control over managing these updates.

This “postpone” closely mirrors what Mattias Melkerson and I advocated for with the host file workaround. This gives IT admins the flexibility to manage updates according to their own needs. Microsoft is now working on officially implementing those controls, so stay tuned for more updates.

How the New OOBE Update Experience Works with Intune and Patch My PC

The new OOBE Windows Update Experience (NDUP) activates after device enrollment, ensuring that devices are updated to the latest OS build before users reach the desktop. While this helps maintain a secure baseline, it’s important to consider how NDUP impacts Intune compliance and Patch My PC workflows during and after Autopilot.

Interaction with Intune Compliance Policies

When NDUP kicks in at the end of OOBE, it serves as a proactive update mechanism, applying critical OS patches before Intune’s compliance policies start evaluating the device. This timing ensures that devices start from a secure baseline, minimizing the risk of devices being flagged as non-compliant due to missing updates. However, this also means NDUP could add time to the initial setup, especially if large OS patches or multiple updates are required.

For environments using Intune compliance policies to enforce specific OS versions or patch levels, it’s essential to consider how NDUP’s timing affects the compliance evaluation process. Intune policies will still apply post-enrollment, but if NDUP is not completed, devices could temporarily be out of compliance until the OS updates are finished.

Role of Patch My PC in the Workflow

Patch My PC plays a different but complementary role in this setup. If Patch My PC publishes third-party apps as required during Autopilot, those applications are installed before NDUP starts applying the OS updates. This sequence ensures that all necessary applications are in place before the OS gets patched, creating a streamlined deployment process.

If Apps are installed post-enrollment, NDUP finishes its OS updates first, and Patch My PC steps in afterward to complete the app deployment. This setup guarantees that the OS is fully patched and secured before third-party applications are updated, reducing the risk of vulnerability exposure.

Putting It All Together

Understanding how NDUP fits into your update workflow is vital to optimizing the overall Autopilot experience. The best results come from coordinating the order and timing of updates between Patch My PC and Intune, ensuring that devices are fully patched and compliant before the user even signs in.

Conclusion

While I appreciate the new Windows update feature added to the OOBE, I have some questions regarding its implementation. It seems more like an OOBE addition than an Autopilot Device Preparation enhancement.

Is it possible that Microsoft was unaware that this new screen also appears during Device Preparation? Let me tell you why. I have observed this OOBE update flow occurring on non-Autopilot enrolled 24H2 devices and even on Windows Home devices.

I hope Microsoft ensures that this new OOBE update feature will continue to be displayed after Autopilot Device Preparation. Patch My PC enhances security by keeping all applications up to date. Microsoft should strive to achieve the same level of update management for Windows.