Microsoft has published KB5065813 — an out‑of‑box experience (OOBE) update for Windows 11, versions 22H2 and 23H2 — on August 26, 2025, delivering two tightly related outcomes: first, a platform change that enables Windows quality updates to be taken during OOBE for eligible managed devices; and second, an emergency servicing patchset that addresses reset/recovery failures introduced by the August 2025 cumulative rollups. The KB brings a combined Servicing Stack Update (SSU) + Latest Cumulative Update (LCU) payload for affected 22H2/23H2 branches and surfaces an Enrollment Status Page (ESP) control in Microsoft Intune so administrators can opt devices in or out of applying quality updates during initial provisioning. (techcommunity.microsoft.com)

Background / Overview

Windows setup’s Out‑of‑Box Experience (OOBE) has gradually evolved from a cosmetic first‑run wizard into a security‑aware provisioning flow. The core idea behind the latest servicing work is simple: let managed devices check for and install quality updates (monthly cumulative security and reliability fixes) before the first user sign‑in so endpoints arrive day‑one patched and compliant rather than requiring multiple immediate reboots and help‑desk calls. That capability is being gated to devices that meet specific criteria — Windows 11 (22H2 or later), Pro/Enterprise/Education/SE SKUs, Entra‑joined (Azure AD) or Entra hybrid‑joined, and managed by Intune (or an MDM that supports ESP). The OOBE update behavior explicitly excludes feature upgrades and broad driver rollouts; critical zero‑day packages (ZDPs) remain a separate, required flow. (techcommunity.microsoft.com, learn.microsoft.com)
At the same time, Microsoft pushed targeted out‑of‑band fixes after August 2025’s cumulative updates caused serious regressions in recovery flows — failures of “Reset this PC”, “Fix problems using Windows Update” (cloud reinstall), and RemoteWipe operations for managed fleets. The OOB packages that repair those regressions are combined SSU+LCU installers and are offered as optional updates in Windows Update, via the Microsoft Update Catalog and managed update channels. Administrators are advised to match the OOB package to the device’s exact OS build before deployment. (tomshardware.com)

What KB5065813 actually changes

The two headline effects

  • OOBE quality‑update capability: Eligible machines can download and apply Windows quality updates during the final stage of OOBE — controlled by an Enrollment Status Page (ESP) toggle in Intune. New ESP profiles created after the update default to enabling this behavior; existing profiles default to No and must be edited to opt in. (techcommunity.microsoft.com)
  • Repair of reset/recovery regression: The KB delivers an OOB SSU+LCU combination that corrects the August 2025 regression that caused Reset/Cloud Reinstall/RemoteWipe to fail on 22H2/23H2 builds. This addresses an operationally severe issue for admins relying on those recovery paths. The OOB package supersedes the problematic August rollup for affected branches. (tomshardware.com)

Scope and limitations

  • Applies to Windows 11 versions 22H2 and 23H2 on supported SKUs (Pro, Enterprise, Education, SE). Consumer Home devices and unmanaged PCs are not the primary targets for the ESP‑driven OOBE quality update behavior. (techcommunity.microsoft.com)
  • Only quality updates (monthly cumulative security/reliability fixes) are targeted for the OOBE install step. Feature updates and major driver packages are intentionally excluded to avoid introducing larger, higher‑risk changes during first sign‑in. Critical zero‑day patches remain possible and are treated separately.
  • Devices must have the relevant servicing payloads present (for example, June 2025 non‑security setup payloads or the August OOB/ZDP) for the ESP setting to appear; images that predate those servicing updates will not expose the toggle.

Why this matters: benefits for IT and users

  • Day‑one security baseline. Devices enrolled and configured for the OOBE quality‑update path will sign in for the first time already patched against the latest known vulnerabilities, shrinking the exposure window for new hardware. (techcommunity.microsoft.com)
  • Fewer first‑day help‑desk incidents. With updates applied before first sign‑in, there are fewer surprise reboots and fewer “my new laptop keeps updating” support tickets during the initial user session.
  • Policy fidelity from the start. The OOBE step respects tenant Windows Update for Business deferrals and pause settings, ensuring that the device’s first update check aligns with the organization’s chosen update rings.
  • Cleaner compliance reporting. Inventory and compliance tools report endpoints that are closer to a current baseline immediately after provisioning, simplifying reporting and auditing tasks for IT.

Operational tradeoffs and risks

Longer provisioning times

Installing quality updates during OOBE will increase setup time. Microsoft guidance and field reports indicate that it commonly adds 20–30 minutes or more, depending on update size, network speed, and device hardware, and longer still if multiple restarts are required. For distributed rollouts and end‑user expectations, that delay is the principal operational impact. Devices should be plugged in and on a reliable network during provisioning.

Recovery and rollback complexity

Because the OOB packages are combined SSU+LCU payloads, the servicing stack component is effectively permanent on systems that install it (SSUs are not removable via wusa once applied). This reduces rollback flexibility and means administrators should stage deployments carefully, test in pilot groups, and keep rollback/playbook steps for exceptional recovery scenarios.

Network and bandwidth considerations

Running Windows Update at OOBE puts extra load on provisioning networks, especially when many devices are imaged or Autopilot‑provisioned simultaneously. IT teams should ensure download throttling, delivery optimization (peer caching where appropriate), and staged provisioning to avoid saturating WAN links.

User friction and expectations

Longer OOBE times can create confusion for end users expecting a quick setup. Clear messaging and IT‑driven communications — “this company device will install security updates now and may take longer” — help set expectations. Consider a branded provisioning checklist or a short communication included with device‑onboarding instructions.

Potential for new regressions

As with any servicing change that touches the update stack or recovery subsystems, there is a risk of new issues surfacing after broad deployment. The August rollups themselves created a severe recovery regression that required an OOB fix, which is a reminder that even well‑tested packages can have wide operational impact. Monitor release health dashboards and vendor communications closely. (tomshardware.com)

How to verify eligibility and prepare your environment (practical steps)

  • Check the target device:
    • Open Settings → System → About and record the OS build and Windows 11 version (22H2 or 23H2).
    • Confirm the SKU is Pro, Enterprise, Education, or SE.
  • Confirm management and join state:
    • Verify the device is Microsoft Entra‑joined (Azure AD joined) or Entra hybrid‑joined and enrolled in Microsoft Intune (or a compatible MDM supporting ESP).
  • Ensure servicing prerequisites:
    • Confirm images include the June 2025 non‑security setup payload or that the device has received the August OOB/ZDP servicing update so the ESP setting will be present. Devices imaged from older media might not show the option until the servicing payload is applied.
  • Check the ESP setting in Intune:
    • Intune: Devices → Enrollment → Enrollment Status Page → open the ESP profile assigned to the Autopilot/target device.
    • Look for the toggle labeled Install Windows quality updates (might restart the device). New ESP profiles default to Yes; existing ones default to No. Edit as required. (techcommunity.microsoft.com)
  • Stage in pilot rings:
    • Start with a small pilot group representing hardware diversity and network conditions. Validate OOBE time, restart behavior, and downstream management tooling such as RemoteWipe and co‑managed configurations.
  • Deployment channels:
    • For the recovery fix: use Windows Update Optional updates, Microsoft Update Catalog, WSUS/SCCM, or Windows Update for Business as appropriate. Match the OOB package to the device build.

Recommended rollout checklist for IT teams

  • Validate imaging pipelines: ensure newer setup payloads are included in gold images to expose the ESP toggle.
  • Update documentation and onboarding emails to set expectations about longer OOBE times.
  • Configure delivery optimization and peer caching for large deployments to limit WAN impact.
  • Script checks to detect whether the SSU+LCU OOB package is present on devices (for reporting).
  • Run pilot deployments across three categories: light endpoints (e.g., SSD ultraportables), heavy endpoints (HDD or older hardware), and high‑latency sites.
  • Keep a tested recovery runbook for devices that fail provisioning or require manual reimaging — the August rollup regression highlighted the operational harm when recovery paths break.
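The eligibility checks in the practical steps above and the checklist item about scripting detection of the OOB package can be combined into one reporting script. The following PowerShell is an added example, not code from the KB article or from Microsoft; it assumes the post‑fix build revision (UBR) for your branch, which the page does not state, is supplied by you as a placeholder parameter, and that Windows 11 SE's EditionID is handled separately.

```powershell
# Added example (not from the KB article or Microsoft): gathers the eligibility
# facts the article lists for the OOBE quality-update path and reports whether
# the OOB SSU+LCU package is present, for fleet reporting.
function Get-OobeUpdateReadiness {
    param(
        [string]$KbId = 'KB5065813',   # KB discussed in the article
        [int]$MinimumUbr = 0           # placeholder: OOB package UBR for your branch (not on the page)
    )

    $cv    = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'
    $build = [int]$cv.CurrentBuild
    $ubr   = [int]$cv.UBR

    # Windows 11 22H2 is build 22621 and 23H2 is build 22631
    $branchOk = $build -in @(22621, 22631)

    # SKUs the article names; Windows 11 SE uses its own EditionID and is
    # assumed to be covered by a separate check in your environment
    $edition   = $cv.EditionID
    $editionOk = $edition -in @('Professional', 'Enterprise', 'Education')

    # Join and MDM enrollment state parsed from dsregcmd's text output
    $dsreg        = dsregcmd /status
    $entraJoined  = [bool]($dsreg | Select-String 'AzureAdJoined\s*:\s*YES')
    $domainJoined = [bool]($dsreg | Select-String 'DomainJoined\s*:\s*YES')
    $mdmEnrolled  = [bool]($dsreg | Select-String 'MdmUrl\s*:\s*https?://')
    $joinType = if ($entraJoined -and $domainJoined) { 'EntraHybridJoined' }
                elseif ($entraJoined) { 'EntraJoined' } else { 'NotEligible' }

    # Two signals for the OOB package: the KB id in the hotfix list and the
    # revision number reaching the expected post-fix UBR
    $kbInstalled = $null -ne (Get-HotFix -Id $KbId -ErrorAction SilentlyContinue)
    $ubrOk       = $ubr -ge $MinimumUbr

    [pscustomobject]@{
        ComputerName           = $env:COMPUTERNAME
        DisplayVersion         = $cv.DisplayVersion   # 22H2 / 23H2
        Build                  = "$build.$ubr"
        Edition                = $edition
        JoinType               = $joinType
        MdmEnrolled            = $mdmEnrolled
        KbInstalled            = $kbInstalled
        UbrMeetsTarget         = $ubrOk
        EligibleForOobeUpdates = $branchOk -and $editionOk -and $entraJoined -and $mdmEnrolled
    }
}

Get-OobeUpdateReadiness | Format-List
```

Run it under an elevated prompt (dsregcmd and Get-HotFix report more reliably that way) and export the object to CSV from a management tool for fleet‑wide reporting.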

Security analysis: benefits vs. operational exposure

Applying quality updates during OOBE is a defensible security improvement. It shrinks the window in which a brand‑new, freshly imaged device is exposed to actively exploited vulnerabilities — a meaningful gain in high‑risk environments such as healthcare, finance, or government. Delivering a patched image at first sign‑in also reduces the probability of users postponing updates or leaving devices offline and unpatched after initial deployment. (techcommunity.microsoft.com)
However, the operational exposure is non‑trivial. The combined SSU+LCU packages can complicate rollback and tie organizations to a servicing stack version. The August 2025 experience — where cumulative rollups introduced a recovery regression and required targeted OOB fixes — is a vivid case study: a widely distributed monthly update produced real recovery failures for admins and end users until Microsoft deployed emergency patches. That incident underscores three enduring lessons: test updates in representative environments, keep recovery options available and verified, and plan communication for expected provisioning delays. (tomshardware.com)

Known issues and troubleshooting guidance

  • If an ESP profile does not show the quality‑update toggle, confirm the device’s image contains the June 2025 non‑security payload or has received the August ZDP. Older images will not surface the control.
  • If Reset/Cloud Reinstall or RemoteWipe fails after installing August 2025 rollups, apply the corresponding OOB fix for your servicing branch (the combined SSU+LCU) rather than the original August rollup. Verify the update matches the device’s build number before installation.
  • Watch for network starvation at provisioning hubs; use Delivery Optimization and staged provisioning windows to avoid saturating corporate links during mass out‑of‑box provisioning.
  • If you rely on driver mass‑rollouts during provisioning, plan to apply them post‑OOBE because driver packages are excluded from the OOBE quality‑update step. This separation reduces risk but requires a follow‑up driver‑deployment run.

Cross‑checks and verification

Key technical claims in this article were cross‑checked against Microsoft’s official technical communications and independent reporting. The Windows IT Pro Blog and Enrollment Status Page documentation describe the Intune control and the intention to enable quality updates during OOBE for eligible Entra‑joined devices. Microsoft’s release‑health and known‑issues pages reflect servicing guidance for 23H2/22H2 branches and the phased nature of the rollout. Independent coverage and field reporting documented the August 2025 reset/recovery failures and the subsequent OOB SSU+LCU fixes that Microsoft published as out‑of‑band updates. Readers should treat any timing or default behavior change as contingent on servicing state and tenant configuration: verify OS builds, ESP profile defaults, and image payloads before assuming behavior in your environment. (techcommunity.microsoft.com, learn.microsoft.com)
Where claims could not be deterministically proven from public documents (for example, precise OOBE time penalties on every hardware class or undisclosed OEM customizations that might alter behavior), those items are flagged as environment‑dependent and require local validation. Administrators are urged to pilot broadly and report telemetry during initial rollouts.

Final analysis and guidance

KB5065813 and the surrounding August/OOBE servicing work represent a thoughtful attempt to reduce the perennial “first‑day patch storm” while simultaneously addressing an urgent recovery regression. The move to permit quality updates during OOBE — when paired with Intune ESP controls and Windows Update for Business policy respect — gives administrators a usable lever to balance security and user experience during provisioning. The OOB SSU+LCU packages that repair Reset/RemoteWipe failures are necessary operational fixes after the August rollups created a regression that impacted real‑world recovery flows. (techcommunity.microsoft.com)
Recommended posture for IT teams:
  • Treat the ESP quality‑update behavior as a configurable tool, not an automatic universal change — test, pilot, and measure.
  • Ensure your golden images include current servicing payloads so ESP controls appear consistently.
  • Stage OOB SSU+LCU deployment carefully and prioritize devices that must retain working recovery flows (e.g., kiosk fleets or frontline devices).
  • Communicate provisioning time expectations to end users and field teams.
  • Maintain a robust recovery runbook and sanity‑check remote wipe/reset workflows after any servicing change.
This KB marks an important step in making Windows provisioning safer by default, but it also reaffirms the perennial truth of enterprise servicing: the shortest path to security is always through disciplined testing, staged rollouts, and clear operational procedures. (techcommunity.microsoft.com)

Conclusion
KB5065813 combines a new OOBE quality‑update capability for eligible Windows 11 (22H2/23H2) managed devices with urgent repair tooling for reset and recovery regressions introduced by the August 2025 cumulative updates. The changes offer meaningful day‑one security improvements for managed fleets while introducing predictable operational tradeoffs — longer setup times, SSU permanence, and the need for careful pilot testing. Administrators should verify image servicing state, update ESP profiles deliberately, and stage deployments to reduce risk and ensure reliable recovery paths remain intact. (techcommunity.microsoft.com)

Source: Microsoft Support KB5065813: Out of Box Experience update for Windows 11, version 22H2 and 23H2: August 26, 2025 - Microsoft Support