From mid-2025, Microsoft will let organizations determine whether fresh Windows 11 install will press on with cumulative updates out of the box. The adjustment comes in response to feedback from sysadmins who objected to an earlier iteration that would remove all control.
The new policy option will be available later this year for Windows 11 devices with version 22H2 or newer. It now gives administrators more control over the update process, in this case at the Out-of-the-Box Experience (OOBE) as Microsoft calls it.
Previously, Microsoft planned to always force the latest updates upon the first boot. However, certain fixes may not work after a Windows update or other critical features may not work. Validating a new version is now required for some applications. The large number of various problems that arise after a new update is (even outside of Windows) enough reason to be cautious. This was the cause of the widespread criticism, which Microsoft has now thankfully responded to.
Also read: Microsoft reassures users: bug in Windows 10 patch is not a problem
Implementation via Windows Autopilot
The new configuration can be enabled via Windows Autopilot. Existing settings for quality updates, such as deferral and pause policies, are synchronized with the device. This ensures that only the latest approved security update is offered.
These are only cumulative or quality updates, not the optional renewals delivered to Windows users each month from Microsoft. Since most devices ideally run on the latest Windows 11 version, this saves a lot of unnecessary friction during the preparation of an installation.
Options for organizations without Autopilot
Organizations not using Autopilot through Microsoft Intune can disable quality updates during OOBE via Group Policy. This option becomes available as a mobile device management (MDM) policy and Group Policy setting. The update process takes an average of 20 minutes, depending on the update size, network conditions and hardware capabilities.