Microsoft has taken a decisive step to eliminate the notorious day-one patch gap on new Windows 11 devices with a trio of updates that apply quality fixes during the initial setup experience. The company shipped KB5065813 for versions 22H2 and 23H2, and KB5065847 and KB5065848 for version 24H2 in late August 2025, delivering critical servicing and enrollment improvements directly within the Out-of-Box Experience (OOBE).

This move marks a significant shift in how newly imaged or factory-fresh Windows 11 devices handle their earliest moments of life. By moving quality updates into the final OOBE screen, Microsoft aims to ensure that managed devices reach the user’s hands already at the organization’s approved patch baseline, reducing the window of vulnerability that has long plagued enterprise deployments.

What Microsoft shipped: the three KB articles unpacked

KB5065813 — 22H2 / 23H2 OOBE servicing
Published on August 26, 2025, this package serves two purposes. First, it enables the capability for eligible managed devices to download and apply quality updates during OOBE. Second, it bundles an emergency combined Servicing Stack Update (SSU) and Latest Cumulative Update (LCU) that corrects recovery and reset regressions introduced by August 2025 cumulative rollups. Administrators must match the OOB package to the exact OS build to avoid inconsistency.

  • Enables the OOBE quality-update step for Windows 11 22H2 and 23H2 managed SKUs.
  • Delivers an OOB SSU+LCU rescue for broken reset, cloud reinstall, and remote-wipe functions.

KB5065847 — 24H2 OOBE quality-update rollout
Released on August 29, 2025, this update surfaces the OOBE quality-update step in the final page of setup for eligible devices running Windows 11 24H2 and Windows Server 2025. It ties that behavior to Autopilot and Enrollment Status Page (ESP) controls within Microsoft Intune, so that devices are patched to the tenant’s baseline before the first user sign-in.

  • Runs during the last OOBE screen and may install combined SSU+LCU packages, potentially requiring one or more automated reboots.
  • Applies only to eligible, managed SKUs—consumer unmanaged devices are not the primary target, though some retail hardware may see limited update activity if an internet connection is present.

KB5065848 — 24H2 OOBE enrollment & enrollment stack update
Also published August 29, 2025, this update refreshes the enrollment and management components used during OOBE for Windows 11 24H2 and Windows Server 2025. It patches binaries such as DeviceEnroller.exe, MdmDiagnosticsTool.exe, and policy manager DLLs. The package is applied only during OOBE when a network connection is available and ensures enrollment flows and the OOBE state machine behave correctly on newer 24H2 images.

Together, these three updates are complementary: KB5065813 for the 22H2/23H2 branch, KB5065847 to activate the OOBE quality-update behavior on 24H2, and KB5065848 to reinforce the enrollment plumbing. They address the longstanding weakness of fresh devices arriving out of date while repairing known regressions that could break recovery.

Step-by-step: how the OOBE update flow works

The new update stage is tightly integrated into Windows 11’s setup process and respects existing management policies. Here’s what happens:

  1. The device boots into OOBE and proceeds through language, keyboard, and network setup.
  2. At the final OOBE screen, if the device is eligible—running Windows 11 22H2 or later, Entra-joined or hybrid-joined, and managed via MDM—and the tenant’s ESP profile permits it, Windows Update checks for applicable quality updates.
  3. The device downloads and installs any LCU and required SSU. Because these packages are often combined, the process may trigger one or more automatic reboots.
  4. Once installation finishes, OOBE resumes, and the first user signs in to a device that is now at the organization’s patched baseline.

An important operational note: the OOBE quality-update step intentionally excludes feature updates and broad driver rollouts. Microsoft’s scope is limited to quality updates and critical zero-day patches to minimize risk during the provisioning phase. Additionally, if a device lacks a network connection during setup, the update step is simply skipped.

Benefits and tradeoffs for IT administrators

Benefits
- Day-one security: Devices arrive patched, shrinking the exposure window for new hardware and improving compliance from the first sign-in.
- Reduced early-life support churn: Applying updates during OOBE cuts down on the typical flurry of post-enrollment reboots and help-desk tickets in the first days of ownership.

Tradeoffs and operational risks
- Longer provisioning times: Field reports and Microsoft guidance indicate that OOBE can add an average of about 20 minutes to setup, though actual time varies by update size, network speed, and device hardware. Deployment runbooks must account for this.
- Bandwidth and network load: Large batches of new devices triggering OOBE updates simultaneously can saturate distribution points and internet egress. Staged rollouts or local caching are effective mitigations.
- Authentication timing: Short-lived enrollment credentials, such as Temporary Access Pass (TAP) codes, may expire before the device reaches the desktop if OOBE runs long. Administrators should extend TAP validity or adjust enrollment timing.
- SSU permanence: Because SSUs are combined into OOB packages, they cannot be removed via the usual uninstall methods. Once applied, they are effectively permanent, so treat SSU deployment as an irreversible operation.

Immediate actions Microsoft suggests
- Validate that reference images include the June 2025 non-security servicing payload (or equivalent vendor OOBE packages) so that the ESP option appears. Test in a lab before production.
- Review Autopilot/ESP profiles: newly created profiles will default to enabling OOBE quality updates, while existing profiles remain off and must be explicitly edited to opt in.
- Extend TAP or enrollment token lifetimes where appropriate, and test the full enrollment flow to avoid timeouts.
- Plan bandwidth: use distribution points, pre-staging, or staged enrollment to prevent congestion.
- Update deployment runbooks with expected OOBE durations and reboot counts, and communicate these to help-desk and business owners.

Deep dive: technical details and noteworthy implementation quirks

Enrollment stack refresh
The manifest for KB5065848 explicitly lists updated enrollment and MDM binaries—DeviceEnroller.exe, MdmDiagnosticsTool.exe, policymanager.dll, and several diagnostic DLLs. This confirms that the update targets the enrollment machinery rather than the broader servicing pipeline, ensuring that the OOBE state machine works flawlessly with new 24H2 builds.

Windows Update for Business (WUfB) policies are honored
Microsoft documented that the OOBE quality-update step respects configured WUfB deferrals and pause periods. Organizations using ring-based deployment will not see the OOBE stage silently override their update rings—a critical design choice that prevents unintended patch rollouts.

Enrollment signaling for restore capability
On some older devices, the OOBE servicing path modifies how the enrollment request reports its version. The ApplicationVersion is incremented by one relative to the BuildVersion to signal that the device is restore-capable after the OOBE package is applied. MDM controllers can use this subtle change to differentiate device states. Administrators and MDM vendors must be aware of this, as it may affect custom enrollment validation logic.

Correct OOB package matching
The OOBE packages that fix the August 2025 recovery regressions are combined SSU+LCU payloads. It is essential to deploy the correct OOB package for the device’s exact build number; a mismatch can leave devices in an inconsistent state or prevent recovery functions altogether.

Consumer experience: a slight ripple in retail

While the OOBE quality-update behavior is squarely aimed at managed enterprise scenarios, some consumer devices may observe additional update activity during setup if they connect to the internet. Historically, advanced users have bypassed network setup to avoid such online behavior, but the enterprise-grade Autopilot and ESP controls have no bearing on unmanaged Home editions. For most consumers, the impact will be limited to a few extra minutes on new hardware that ships with updated OOBE payloads.

Risks that demand attention

  • Image hygiene: Organizations using older offline images without the required servicing payloads will not see the ESP toggle and cannot benefit from the OOBE quality-update path. Updating images before mass deployment is non-negotiable.
  • Enrollment failures and stuck OOBE: Misaligned MDM logic, expired enrollment tokens, or mismatched OOB package builds can strand devices in OOBE. Documented community reports and Microsoft guidance flag this as a real hazard. Thorough testing and recovery playbooks are mandatory.
  • SSU permanence and rollback complexity: Accidental or premature deployment of an SSU-containing OOB package complicates rollbacks. Apply change-control rigor to all OOB SSU+LCU deployments.
  • Network disruption: Large-scale enrollments that hit the internet concurrently may suffer slow downloads, failed installs, or prolonged provisioning—plan for staged rollouts and local caching.

Monitoring, telemetry, and a testing checklist

  • Validate images: Ensure reference images contain the June 2025 servicing payload or vendor OOBE zero-day package.
  • Lab test: Run Autopilot/ESP enrollments with TAP extension scenarios to verify token life and network behavior.
  • Enrollment logs: Monitor Intune enrollment logs, device diagnostics output (MdmDiagnosticsTool), and Windows Update telemetry for partial installs or reboot loops.
  • Network simulation: Model concurrent enrollments to gauge bandwidth impact and fine-tune staged provisioning or caching.

A balanced look: why this matters and what to watch

Strengths
The OOBE updates address a perennial operational weakness—freshly imaged or factory-fresh devices arriving out of date—and immediately improve the security posture of managed fleets. This will cut early-life support tickets and simplify compliance reporting from day one.

Weaknesses and risks
The operational overhead—image updates, SSU irreversibility, enrollment token timing, and bandwidth planning—means the change is far from trivial for large deployments. Without adequate lab testing, staging, and runbook updates, organizations risk user disruption and enrollment failures during rollout.

Watch points
Keep an eye on OEM guidance for zero-day OOBE packages, Intune’s default behavior on new ESP profiles, and Microsoft’s continued refinement of the OOBE stage in subsequent servicing windows.

Final recommendations

  • Test before you roll: Validate images, ESP profiles, and token lifetimes in a lab that mirrors production.
  • Stage your rollout: Avoid mass simultaneous provisioning; use caching and staging to reduce network load.
  • Update runbooks: Add OOBE timing, expected reboots, and TAP extension guidance to help-desk and deployment documentation.
  • Treat SSU deployments as irreversible: Apply change-control rigor to all OOB SSU+LCU packages.
  • Monitor closely: Use Intune and device telemetry to detect partial installs, enrollment timeouts, or stuck devices, and retain recovery procedures for those scenarios.

Beyond OOBE: broader September updates for Windows 11

While the OOBE updates form the backbone of this servicing wave, Microsoft also shipped several companion updates that further refine the Windows 11 experience. Two dynamic updates—KB5065378 and KB5064097—target the installation media itself. KB5065378 improves Windows setup binaries for version 24H2, making future feature updates more reliable. KB5064097 enhances the Windows Recovery Environment (WinRE) on 24H2 and Windows Server 2025, strengthening built-in recovery and troubleshooting tools.

For users already running Windows 11 24H2, the optional non-security update KB5064081 introduces a redesigned Windows Hello interface, a personalized Recall homepage on supported Copilot+ PCs, and a corrected CPU metrics display in Task Manager that aligns with industry standards. The update also brings back the larger clock with seconds in the notification area and formally retires the deprecated Windows PowerShell 2.0. On versions 22H2 and 23H2, KB5064080 marks the general availability of Windows Backup for Organizations, offering enterprise-grade backup and restore to smooth hardware refreshes and migrations to AI-powered PCs.

Together with the OOBE updates, these releases underscore Microsoft’s concerted push to tighten security, streamline deployment, and modernize the core user environment—a trend that IT administrators and Windows enthusiasts alike would do well to follow.