Microsoft did something subtle on June 23, 2026, that changes how your next PC—or your next clean install—will behave: it started pushing cumulative patches during the out-of-box experience (OOBE), long before you ever see the Windows desktop. The update, tagged KB5095189, applies to both Windows 11 version 24H2 and the newer 25H2, and it represents the first time Microsoft has delivered a full cumulative update at the earliest possible moment in a device’s lifecycle.

This is not your typical Patch Tuesday delivery. Instead of waiting for Windows Update to fetch fixes after you’ve already logged in, KB5095189 integrates directly into the final steps of setup. If your device is connected to the internet during initial configuration, the update downloads and installs right then, behind the “Hi, we’re getting things ready for you” screen. When you land on the desktop, you’re already running the most recent bits.

What actually changed

KB5095189 is a cumulative Out of Box Experience update. That term—“OOBE update”—has been part of Windows servicing lingo since Windows 10, but it typically referred to small, targeted packages that fixed showstopper bugs in the setup process itself, like a driver that prevented the keyboard from working or a licensing screen that failed to render. KB5095189 is different. It’s a broad cumulative update that bundles security patches, reliability fixes, and possibly even driver updates, all delivered before the first user account finishes being created.

Microsoft’s advisory pins the release date as June 23, 2026, and lists compatibility with Windows 11 versions 24H2 and 25H2. The update applies to all editions—Home, Pro, Enterprise, Education—and doesn’t distinguish between consumer and commercial devices. Once the OOBE sequence reaches the point where it checks for updates (a step many users blindly click through), KB5095189 downloads, installs, and triggers a reboot if necessary, all within the setup flow. You won’t see a separate progress bar labeled with the KB number; it simply becomes part of the “installing updates” phase of the final configuration.

The package is cumulative, meaning it contains all previously released fixes up to that point. For a user unboxing a device manufactured months earlier, this can mean a significant jump—from the factory image, possibly several patch cycles behind, to the very latest build in one motion. The update is also self-contained; once installed, Windows Update won’t re-download those same fixes when you first check for updates manually.

What it means for you

The impact splits neatly along two audience profiles: everyday users and IT professionals.

For the home user or new PC buyer

If you buy a new laptop or desktop that ships with Windows 11 24H2 or 25H2, or you perform a clean install using installation media created after mid-2026, you’ll likely never know KB5095189 exists—and that’s the point. The first time you see the desktop, your machine will already have the latest security patches. No more spending the first 30 minutes with a new PC watching Windows Update churn through a dozen patches. No more wondering if that fresh-out-of-the-box machine is vulnerable to exploits fixed months ago. You can start working, gaming, or browsing immediately, with fewer post-setup interruptions.

There’s a practical wrinkle: because the update may force an extra reboot during OOBE, the setup time can appear slightly longer. Microsoft’s on-screen messaging—generally a version of “This might take a few minutes”—will stretch a bit further, but the overall experience should feel smoother because you skip the post-desktop patching dance. For users with slow internet connections, the OOBE will simply take more time as it downloads the update.

For IT administrators and deployment professionals

KB5095189 alters the rhythm of image management. Traditionally, admins would slipstream updates into deployment images using tools like DISM or the Windows ADK. An OOBE-delivered cumulative update supplements that process: even if your image is slightly stale, the device catches up before a user ever touches it. This can reduce the window of vulnerability during provisioning and lighten the load on distribution points if you have many devices hitting the network at once.

However, there are new considerations:

  • Timing and bandwidth: If dozens or hundreds of devices run OOBE simultaneously—say, after a hardware refresh—they will all attempt to download KB5095189 from Microsoft’s servers. For environments with limited internet, this can create a bottleneck. IT teams may want to pre-stage updates in local caches using solutions like Delivery Optimization or third-party tools.
  • Customization and scripting: Some deployment workflows use unattended answer files or autopilot profiles that perform additional setup after OOBE. Because KB5095189 may trigger a reboot during OOBE, scripts that rely on specific timing after the desktop appears should be tested. The sequence of events might shift if a reboot occurs right at the end of OOBE.
  • Testing fresh images: When building a new reference image, you’ll want to mount the image and apply KB5095189 offline, or at least verify that the OOBE patching doesn’t interfere with domain join or policy application. Microsoft’s documentation notes that the update is compatible with all standard deployment methods, but as with any change in the setup flow, a test pass is wise.
  • Version awareness: KB5095189 only applies to 24H2 and 25H2. Organizations still deploying earlier Windows 11 releases (like 23H2) won’t see this behavior. If you’re planning to move to 24H2 or 25H2, this update becomes one more reason to finalize that migration.

How we got here

Microsoft’s push toward “pre-desktop patching” didn’t start with KB5095189. The concept of OOBE updates dates to Windows 10, when the company introduced the ability to download critical fixes during initial setup. Those early packages were narrowly scoped—fixing a crash in the wireless network adapter selection screen, for instance—and were rarely cumulative. They kept the setup process from failing, but they didn’t intend to bring the entire OS to a fully patched state.

Over the years, the cadence of post-desktop updates became a pain point. A user would unbox a new PC, sign in, and immediately be bombarded with a lengthy update process. Microsoft addressed part of this with “feature update” style servicing, but the gap between a fresh image and the current state of security fixes remained. IT pros resorted to monthly image maintenance, rebuilding .wim files with the latest patches. Home users simply waited.

In 2024, Microsoft began experimenting with “setup updates” that fetched a broader set of fixes during OOBE for Windows 11 23H2. Those were limited to specific hardware configurations and weren’t advertised as cumulative. KB5095189 represents the maturation of that idea into a general-purpose, cumulative-update-sized package. Its release alongside the 25H2 rollout suggests that Microsoft now expects every new Windows version to ship with a baseline OOBE update capability.

A key driver is security. The first moments of a device’s life are its most exposed: the firewall might not be fully configured, real-time protection might not be active, and a user might immediately launch a browser or connect to a network before patches are applied. By ensuring the most critical fixes are in place before the desktop loads, Microsoft hardens the very first boot. This aligns with the broader industry trend toward “secure by default” provisioning.

Another factor is the Windows 11 servicing model itself. With cumulative updates now the norm, the delta between a fresh installation and a fully patched system can be enormous. Shipping a large, all-in-one OOBE update simplifies the post-setup experience and reduces the risk that a user will ignore or delay updates because the initial batch seems overwhelming.

What to do now

KB5095189 is already live. There’s no toggle to turn it off, no group policy to bypass it, and no need to “install” it manually—it happens automatically when OOBE checks for updates on a supported system.

If you’re an individual user, you don’t need to do anything. The next time you reset your PC or unbox a new one, this update will take effect. You can confirm it worked by checking your update history after setup: look for KB5095189 listed as “Successfully installed on [date]” under Update History > Quality Updates. If you’re performing a clean install and prefer to skip network connectivity during OOBE, you can still do that (the classic “I don’t have internet” workaround), but you’ll then have to run Windows Update manually after reaching the desktop and you’ll miss out on the pre-desktop convenience.

For IT administrators, immediate action items are limited but important:

  1. Validate your deployment media. If you’re pushing out 24H2 or 25H2 to new devices or refreshing existing ones, run a pilot deployment with internet connectivity during OOBE. Observe the timing and ensure any post-OOBE automation still runs correctly.
  2. Check offline servicing options. If you want to embed KB5095189 directly into your image to avoid the OOBE download entirely (for air-gapped networks or large-scale deployments), you can download the update from the Microsoft Update Catalog and use dism /add-package to integrate it. The update is classified as “Critical” and can be applied offline to a mounted .wim file.
  3. Update documentation and helpdesk scripts. The extra reboot may trigger calls from users who think setup is stuck. Provide guidance that a longer-than-usual “getting ready” screen is normal for factory-fresh devices.
  4. Monitor bandwidth. If you have many devices going through OOBE simultaneously, especially at remote sites, consider enabling Delivery Optimization for peer-to-peer sharing or using a local update server. The update size hasn’t been published officially, but cumulative packages for Windows 11 typically range from 500 MB to over 1 GB. Plan accordingly.
  5. Stay alert for future OOBE updates. Microsoft’s support lifecycle page will list any replacement or follow-up OOBE packages. Bookmark the KB article (KB5095189) and check back before major deployment waves.

For developers and advanced users who maintain custom installation workflows (such as unattended scripts using autounattend.xml), note that KB5095189 may alter the exact timing of the OOBE reboot sequence. If your script assumes a specific order of processes after the final “Setting up your desktop” screen, test with the update present. You can simulate the behavior by creating installation media, connecting to a network, and letting OOBE download the update during a test run.

Outlook

Microsoft hasn’t said whether it will issue new OOBE cumulative updates on a regular cadence—monthly, quarterly, or only when a particularly severe zero-day makes them urgent—but the existence of KB5095189 suggests a pattern. With Windows 11 25H2 arriving fresh, it’s plausible that subsequent Patch Tuesday releases will also come with OOBE equivalents, eventually making the “patch before desktop” flow the norm for all new installs. That would fundamentally change the first-run experience: instead of a shiny but outdated desktop, you’d always land on a fully secured system.

The next logical step is integrating this into Microsoft’s Autopilot and Intune provisioning. While KB5095189 already runs during OOBE, toggling it on or off via policy could give admins finer control over when large updates download. Microsoft’s servicing team tends to move cautiously with such changes, but if telemetry shows a reduction in post-setup vulnerability windows, expect the feature to become a permanent fixture.

One unresolved question is how third-party drivers and firmware play into this. Traditional OOBE packages often included critical driver updates, but KB5095189’s advisory doesn’t specify whether it carries anything beyond the usual cumulative fix blend. As more devices ship with 24H2 or 25H2, we’ll learn whether pre-desktop patching eventually covers the full driver stack or remains a security-only channel.

For now, the takeaway is simple: Windows 11 just got a little more secure before you even say hello. It’s a quiet change that most people will never notice, and that’s exactly the point.