Microsoft released KB5065848 on August 29, 2025 — a targeted Out‑of‑Box Experience (OOBE) update for Windows 11, version 24H2 and Windows Server 2025 — that changes how device provisioning and enrollment behave during first‑time setup and supplies updated management/enrollment components used during OOBE. The KB is installed only during the OOBE process (when a network connection exists), updates a set of device‑management and enrollment binaries, and is the 24H2 branch counterpart to the broader OOBE servicing work Microsoft has been rolling out across 2025. (support.microsoft.com)

Background / Overview

Microsoft has been actively reworking the Windows setup flow in 2024–2025 to close the “day‑one patch gap” and to make Autopilot/Intune provisioning less error‑prone. That broader initiative includes two related threads:
  • A new administrative capability to install Windows quality updates during the final OOBE page for eligible, managed devices, surfaced as a toggle in the Autopilot Enrollment Status Page (ESP). This capability intends to deliver devices to users already patched to the tenant’s approved quality update level. (techcommunity.microsoft.com)
  • A set of targeted Out‑of‑Band (OOB) SSU+LCU packages that repair regressions introduced by the August 2025 cumulative rollups (notably failures in Reset / Cloud Reinstall / RemoteWipe flows). Those OOB packages and the OOBE servicing payloads are the platform plumbing that enables the ESP behavior and fixes recovery regressions experienced earlier in August. (windowsforum.com, bleepingcomputer.com)
KB5065848 is the servicing package for the 24H2 branch that updates OOBE components (MDM/enrollment binaries, the enrollment diagnostics tool, the policy manager, and related files) so the OOBE state machine and enrollment flows behave correctly for the newest 24H2 images. The KB's file manifest lists updated device‑management components (for example, DeviceEnroller.exe, MdmDiagnosticsTool.exe, and related DLLs), confirming its enrollment/OOBE focus. (support.microsoft.com)

What KB5065848 actually does

One‑line summary

KB5065848 updates the Windows OOBE payload for Windows 11 24H2 and Windows Server 2025 so that enrollment and management‑related behaviors during initial setup are corrected and ready for the newer OOBE quality‑update orchestration Microsoft is enabling for managed fleets. (support.microsoft.com, techcommunity.microsoft.com)

Key technical points

  • The update is applied only during OOBE and requires an internet connection at setup time. It is not a normal cumulative update and will not appear in the regular Windows Update history once applied during OOBE. (support.microsoft.com)
  • The package updates a long list of management and enrollment files (DeviceEnroller.exe, MdmDiagnosticsTool.exe, policymanager.dll, and multiple MDM/diagnostic DLLs) — clear evidence the patch targets the enrollment stack and OOBE orchestration. Specific file versions in the KB manifest show a 10.0.26100.5058 build for many enrollment components dated August 8, 2025. (support.microsoft.com)
  • This KB is the 24H2 OOBE counterpart to earlier OOB packages that Microsoft published for 22H2/23H2; together they enable Intune/ESP‑controlled installation of quality updates during OOBE and repair known recovery regressions for affected servicing branches. (windowsforum.com)
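Because the KB is applied only during OOBE and does not show up in the regular update history, the practical way to confirm that an image or a provisioned device actually carries the updated enrollment stack is to inspect the file versions of the binaries the manifest lists. The following PowerShell check is an added example, not code from the KB or from Microsoft; the three file names and the 10.0.26100.5058 build come from the manifest as quoted above, and the minimum version is an assumption you should align with the manifest of the package you deploy (it is specific to the 24H2 build line, 26100).

```powershell
# Added example: verify that the OOBE enrollment payload is present by comparing
# file versions of the updated System32 binaries against a minimum version.
# Run from 64-bit PowerShell so System32 is not redirected to SysWOW64.

function Test-OobeEnrollmentPayload {
    [CmdletBinding()]
    param(
        # Minimum version expected after the OOBE update (assumption taken from the
        # manifest quoted on this page; adjust to the manifest you actually deploy).
        [version]$MinimumVersion = [version]'10.0.26100.5058',
        [string]$SystemRoot = $env:SystemRoot
    )

    # Subset of the files the KB manifest updates; extend with the full manifest if needed.
    $files = @('DeviceEnroller.exe', 'MdmDiagnosticsTool.exe', 'policymanager.dll')

    foreach ($name in $files) {
        $path = Join-Path (Join-Path $SystemRoot 'System32') $name
        if (-not (Test-Path -LiteralPath $path)) {
            [pscustomobject]@{ File = $name; Version = $null; Status = 'Missing' }
            continue
        }
        $vi = (Get-Item -LiteralPath $path).VersionInfo
        # Build the version from the numeric parts; the FileVersion string may carry suffixes.
        $ver = [version]('{0}.{1}.{2}.{3}' -f $vi.FileMajorPart, $vi.FileMinorPart,
                                                $vi.FileBuildPart, $vi.FilePrivatePart)
        $status = if ($ver -ge $MinimumVersion) { 'OK' } else { 'Outdated' }
        [pscustomobject]@{ File = $name; Version = $ver; Status = $status }
    }
}

# When used as a script in an imaging pipeline, exit non-zero so the pipeline can
# refuse to seal an image whose OOBE payload is incomplete or outdated.
$results = Test-OobeEnrollmentPayload
$results | Format-Table -AutoSize
if ($results.Status -contains 'Missing' -or $results.Status -contains 'Outdated') {
    Write-Warning 'OOBE enrollment payload is incomplete or outdated on this image.'
    exit 1
}
```

Run it against a mounted or booted reference image before capturing it; a 22H2/23H2 image will report "Outdated" against a 26100-based minimum, which is expected, so pass the corresponding 22621/22631 manifest version for those branches.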

What it does not do

  • It does not install feature updates or bulk driver packages during OOBE. Microsoft has explicitly scoped the OOBE update step to quality updates only (monthly cumulative security/reliability fixes and, when required, emergency zero‑day patches). This design reduces the risk of introducing large behavioral changes while the device is still being provisioned. (techcommunity.microsoft.com, petri.com)

Why this matters to enterprise IT

The OOBE update story for 2025 is fundamentally about reducing operational friction and improving security posture at first sign‑in. The key benefits and impacts are:
  • Day‑one patched devices. Devices that meet eligibility and have an ESP profile assigned can be delivered to users already at the tenant’s approved patch level, reducing immediate reboots and help‑desk tickets after handoff. (techcommunity.microsoft.com, petri.com)
  • Reduced first‑week update churn. For large fleets, reducing post‑provisioning patch cycles reduces lost productivity and lowers the risk window for newly delivered hardware.
  • Longer provisioning times. Expect OOBE to take longer: the final OOBE page may download and apply quality updates and possibly reboot one or more times before the first sign‑in. Microsoft’s blog warned of an average of ~20 minutes in many cases, with times varying by update size, network speed, and hardware. Plan for extended provisioning windows in deployment run books. (techcommunity.microsoft.com)
  • Policy alignment and controls. The behavior is controllable through Autopilot Enrollment Status Page (ESP) profiles in Microsoft Intune (and equivalent MDM/GPO counterparts). New ESP profiles created once the capability is available default to enabling the OOBE quality update step; existing ESP profiles preserve their prior state and default to off until edited. Administrators must verify ESP defaults before broad rollout. (techcommunity.microsoft.com)
  • Authentication timing issues. When OOBE runs longer, Temporary Access Pass (TAP) codes or other short‑lived enrollment credentials may expire before the user reaches the desktop. Extend TAP validity or adjust enrollment timing so users are not stranded; both Microsoft's guidance and community reports call this out as an operational risk. (techcommunity.microsoft.com)

Cross‑checked verification: What the official docs say (and independent confirmation)

  • Microsoft’s KB article for KB5065848 states the package “improves the Windows 11, version 24H2 and Windows Server 2025 out‑of‑box experience (OOBE)” and lists detailed file manifests for x64 and Arm64 builds (numerous updated MDM/enrollment artifacts). This is the authoritative source for the KB’s scope and file contents. (support.microsoft.com)
  • Microsoft’s Windows IT Pro Blog and the August 25, 2025 update confirm the broader plan: quality updates will be available during OOBE for eligible Entra‑joined / Entra hybrid‑joined devices and can be controlled from Intune’s ESP. That official blog post also documents the eligibility and default behavior changes. (techcommunity.microsoft.com)
  • Independent reporting from outlets that track enterprise Windows servicing (Petri, BleepingComputer, The Register) corroborates the timing, the intent (install quality updates during OOBE), and the operational caveats (longer OOBE times, TAP expiry, the need to include OOBE payloads in images). These independent sources provide on‑the‑ground commentary and post‑release reporting confirming Microsoft’s published guidance. (petri.com, bleepingcomputer.com)
Taken together, Microsoft's KB article and IT Pro blog are the primary sources for the claims above, and the BleepingComputer and Petri coverage provides independent corroboration. (support.microsoft.com, techcommunity.microsoft.com, bleepingcomputer.com)

Operational guidance: how to prepare and roll this out safely

The change shifts risk from post‑handoff patching into pre‑handoff provisioning. Follow a staged, conservative approach:
  • Validate prerequisites. Confirm devices run Windows 11, version 22H2 or later (this KB targets 24H2 and Windows Server 2025 specifically). Verify the device SKU (Pro, Enterprise, Education, SE) and that devices will be Entra‑joined or Entra hybrid‑joined and managed by Intune (or an MDM that supports ESP). (techcommunity.microsoft.com)
  • Ensure images include the required payloads. Devices should be imaged with the June 2025 non‑security setup payload or have received the August OOBE zero‑day package; otherwise, the ESP quality‑update toggle may not appear. Update golden images used for Autopilot or device preparation so the OOBE payloads are present. (techcommunity.microsoft.com)
  • Pilot with a narrow hardware matrix. Run a pilot across representative hardware models (light ultrabooks, heavier older machines, network‑constrained sites). Monitor update time, failures during OOBE, and whether authentication methods (TAP, Web Sign‑In) work end‑to‑end.
  • Tune Enrollment Status Page (ESP) profiles. Edit new or existing ESP profiles in Intune: the setting is under Devices → Enrollment → Enrollment Status Page and is labeled Install Windows quality updates (might restart the device). New ESPs default to enabled; existing profiles default to off. Check assignments and defaults before scaling. (techcommunity.microsoft.com)
  • Adjust authentication windows. If you rely on Temporary Access Pass (TAP) for first sign‑in, extend the TAP lifetime to accommodate longer OOBE times, or change the workflow so the user sign‑in happens after updates complete. Test Web Sign‑In behavior across builds before mass rollout. (techcommunity.microsoft.com, patchmypc.com)
  • Monitor telemetry and recovery paths. Collect DeviceManagement and ESP logs (the DeviceManagement‑Enterprise‑Diagnostics‑Provider event log and MdmDiagnosticsTool.exe output). Maintain tested recovery runbooks for devices that fail provisioning; ensure you can reimage quickly or trigger an out‑of‑band fix if a quality update causes hardware‑specific issues. August 2025 showed that recovery regressions can be operationally severe. (windowsforum.com, bleepingcomputer.com)
  • Plan bandwidth and scheduling. Use Delivery Optimization, peer caching, and scheduled provisioning windows to avoid WAN saturation when large numbers of devices download updates simultaneously. Consider local caching or staging to reduce peak load.
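The TAP adjustment described under "Adjust authentication windows" (and in the "Authentication timing issues" point earlier) has two parts: the tenant‑wide TAP policy caps how long any pass may live, and each pass issued for a provisioning user must fit inside that cap. The following Microsoft Graph PowerShell script is an added example, not Microsoft's guidance or code from this page. It assumes the Microsoft.Graph.Identity.SignIns module, an account permitted to edit authentication method policy, and a placeholder user; the 4‑hour default, 8‑hour maximum and the 6× safety factor applied to the ~20‑minute OOBE estimate are assumptions to tune for your own sites.

```powershell
# Added example: raise the tenant TAP lifetimes and issue a TAP sized for an
# extended OOBE, using the Microsoft Graph PowerShell SDK.
Import-Module Microsoft.Graph.Identity.SignIns

# Policy.ReadWrite.AuthenticationMethod edits the tenant TAP policy;
# UserAuthenticationMethod.ReadWrite.All creates a pass for a user.
Connect-MgGraph -Scopes 'Policy.ReadWrite.AuthenticationMethod',
                        'UserAuthenticationMethod.ReadWrite.All'

function Set-TapPolicyForLongOobe {
    param(
        [int]$DefaultLifetimeMinutes = 240,   # assumption: 4 h covers downloads, reboots and hand-off delays
        [int]$MaximumLifetimeMinutes = 480    # Graph accepts 10..43200 minutes; 8 h is the assumed cap here
    )
    $body = @{
        '@odata.type'            = '#microsoft.graph.temporaryAccessPassAuthenticationMethodConfiguration'
        state                    = 'enabled'
        defaultLifetimeInMinutes = $DefaultLifetimeMinutes
        maximumLifetimeInMinutes = $MaximumLifetimeMinutes
        isUsableOnce             = $false     # multi-use, so a pass survives an OOBE reboot that re-prompts
    }
    Update-MgPolicyAuthenticationMethodPolicyAuthenticationMethodConfiguration `
        -AuthenticationMethodConfigurationId 'TemporaryAccessPass' -BodyParameter $body
}

function New-ProvisioningTap {
    param(
        [Parameter(Mandatory)][string]$UserId,   # UPN or object id of the provisioning user
        [int]$ExpectedOobeMinutes = 20,          # the ~20 minute figure Microsoft cites
        [int]$SafetyFactor = 6                   # assumption: absorb slow links and multiple restarts
    )
    # Lifetime must stay within the policy maximum set above (120 min here, under the 480 cap).
    $lifetime = [math]::Max(10, $ExpectedOobeMinutes * $SafetyFactor)
    $tap = New-MgUserAuthenticationTemporaryAccessPassMethod -UserId $UserId -BodyParameter @{
        lifetimeInMinutes = $lifetime
        isUsableOnce      = $false
    }
    # Hand the pass to the technician out of band; do not write it to shared logs.
    [pscustomobject]@{
        User                = $UserId
        LifetimeMinutes     = $tap.LifetimeInMinutes
        StartDateTime       = $tap.StartDateTime
        TemporaryAccessPass = $tap.TemporaryAccessPass
    }
}

Set-TapPolicyForLongOobe
New-ProvisioningTap -UserId 'user@contoso.example'   # placeholder user
```

Raising the tenant maximum widens the window in which a leaked pass is usable for every user, so keep the policy cap as low as your slowest pilot site allows and prefer sizing individual passes over raising the default for everyone.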

Risks and caveats: what can go wrong

  • Longer OOBE times increase chance of failure. Any quality update that contains a regression could cause many devices to fail during setup, magnifying the blast radius because the failure happens before the device reaches the desktop. Microsoft and independent outlets warn that this front‑loaded failure surface means pilot testing and staged rollouts are crucial. (techcommunity.microsoft.com, windowsforum.com)
  • Authentication/TAP expiry and Web Sign‑In fragility. Short TAP lifetimes or Web Sign‑In mismatches can leave users unable to complete enrollment if OOBE lasts longer than expected; extend TAP windows or adapt enrollment workflows. Community reports show this is a common friction point when cumulative updates are applied during provisioning. (techcommunity.microsoft.com, patchmypc.com)
  • MDM/restore CSP mismatch risk. For older images, Microsoft introduced an ApplicationVersion +1 signal so MDMs can detect whether a device is “restore‑capable” after receiving the OOBE package. If MDMs push restore CSPs blindly to devices that lack the code, enrollment can fail and devices can become stuck in OOBE. Administrators must implement detection logic in their MDM servers before pushing restore flows. This nuance is important for Intune/third‑party MDM vendors.
  • Rollback complexity with SSU+LCU OOB packages. Combined Servicing Stack Update (SSU) plus LCU packages complicate uninstallation: the SSU itself cannot be removed at all, and wusa.exe /uninstall does not work on the combined package. Only the LCU portion can be removed, using DISM /Online /Remove-Package with the LCU package name, and the servicing stack stays at the new level afterwards. If an OOB package includes an SSU to fix a recovery regression, rollback plans must rely on imaging or snapshots, not an uninstall command. (windowsforum.com)
  • Image drift and missing payloads. Devices imaged from older gold images without OOBE payload updates may not expose the ESP toggle and will not participate in the quality‑update‑during‑OOBE flow — leading to inconsistent provisioning behavior across a fleet unless images are standardized. (techcommunity.microsoft.com)
Where Microsoft has not published deep technical postmortems about root causes (for example, the precise servicing metadata mismatch that led to the August recovery regression), treat community forensic analyses as plausible but not definitive. Administrators should rely on Microsoft guidance for remediation and consider community writeups as investigative input, not authoritative cause statements. (windowsforum.com, bleepingcomputer.com)
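To make the rollback caveat above concrete, the following PowerShell is an added example (not from the page or from Microsoft) that locates the LCU part of an installed combined package with the DISM module and removes it while leaving the servicing stack in place. It relies on the package family naming Windows uses for cumulative updates (Package_for_RollupFix) and for servicing stacks (Package_for_ServicingStack); nothing is hard‑coded to a specific KB, and the script only previews the removal unless you drop -WhatIf.

```powershell
# Added example: remove the LCU half of a combined SSU+LCU package with DISM.
# Requires an elevated session; Remove-WindowsPackage will not touch the SSU.
Import-Module Dism

function Get-InstalledLcu {
    # Cumulative updates use the RollupFix package family. ServicingStack packages are
    # deliberately excluded: they cannot be uninstalled, as the text above explains.
    Get-WindowsPackage -Online |
        Where-Object { $_.PackageName -like 'Package_for_RollupFix~*' -and
                       $_.PackageState -eq 'Installed' } |
        Sort-Object InstallTime -Descending
}

function Remove-LatestLcu {
    [CmdletBinding(SupportsShouldProcess)]
    param()
    $lcu = Get-InstalledLcu | Select-Object -First 1
    if (-not $lcu) {
        Write-Warning 'No removable LCU found on this device.'
        return
    }
    if ($PSCmdlet.ShouldProcess($lcu.PackageName, 'Remove-WindowsPackage')) {
        # -NoRestart lets the runbook schedule the reboot inside the maintenance window.
        Remove-WindowsPackage -Online -PackageName $lcu.PackageName -NoRestart
    }
}

# Show what is installed, then preview the removal without changing the device.
Get-InstalledLcu | Select-Object PackageName, InstallTime
Remove-LatestLcu -WhatIf
```

Even when this succeeds, the device is not back to its pre‑OOB state: the servicing stack remains updated, which is exactly why the section above recommends imaging or snapshots as the real rollback path.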

Practical checklist for IT teams (copyable)

  • Confirm Windows build and SKU eligibility (24H2 for KB5065848; 22H2+ for other OOBE updates). (support.microsoft.com, techcommunity.microsoft.com)
  • Update golden images to include June 2025 non‑security payload or apply the August OOBE ZDP so the ESP toggle appears. (techcommunity.microsoft.com)
  • Create a pilot group with 10–50 devices across major hardware models.
  • Edit or create ESP profiles in Intune and confirm default states (new profiles default to enable the OOBE quality update when capability is present). (techcommunity.microsoft.com)
  • Extend TAP validity windows or change enrollment workflows to avoid TAP expiry mid‑provisioning. (techcommunity.microsoft.com)
  • Stage updates with Delivery Optimization and confirm local caching where possible.
  • Monitor the DeviceManagement event logs and collect MdmDiagnosticsTool.exe output for failed enrollments. (support.microsoft.com)
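The log‑collection step in this checklist (and under "Monitor telemetry and recovery paths" above) is the one most often improvised on a stuck device. The following PowerShell triage routine is an added example, not code from the page or from Microsoft: it records the build and edition (to tell a 22H2/23H2 device from a 24H2 one), the join state from dsregcmd, recent errors and warnings from the DeviceManagement‑Enterprise‑Diagnostics‑Provider Admin log, and an MdmDiagnosticsTool.exe cab for the enrollment areas. The output folder and the 24‑hour lookback are assumptions; run it from an elevated session (Shift+F10 during OOBE gives you one).

```powershell
# Added example: gather enrollment diagnostics from a device that failed provisioning.
function Get-EnrollmentTriage {
    param(
        [string]$OutputDir = 'C:\Temp\OobeTriage',   # assumption
        [int]$LookbackHours = 24                     # assumption
    )
    New-Item -ItemType Directory -Path $OutputDir -Force | Out-Null

    # 1. Build/edition context: which OOBE payload (22H2/23H2 vs 24H2) should apply.
    $cv = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'
    $context = [pscustomobject]@{
        Build          = "$($cv.CurrentBuild).$($cv.UBR)"
        DisplayVersion = $cv.DisplayVersion
        Edition        = $cv.EditionID
    }

    # 2. Join state as reported by dsregcmd (AzureAdJoined / DomainJoined / DeviceId).
    $joinState = & dsregcmd.exe /status |
        Select-String 'AzureAdJoined|DomainJoined|DeviceId' |
        ForEach-Object { $_.Line.Trim() }

    # 3. Errors (level 2) and warnings (level 3) from the MDM Admin log.
    $events = Get-WinEvent -FilterHashtable @{
        LogName   = 'Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider/Admin'
        Level     = 2, 3
        StartTime = (Get-Date).AddHours(-$LookbackHours)
    } -ErrorAction SilentlyContinue
    $events | Select-Object TimeCreated, Id, LevelDisplayName, Message |
        Export-Csv -Path (Join-Path $OutputDir 'mdm-admin-events.csv') -NoTypeInformation

    # 4. Full diagnostics cab; the -area names are the ones the tool documents for
    #    Autopilot and enrollment troubleshooting.
    $cab = Join-Path $OutputDir 'mdm-diag.cab'
    & "$env:SystemRoot\System32\MdmDiagnosticsTool.exe" `
        -area 'Autopilot;DeviceEnrollment;DeviceProvisioning' -cab $cab

    [pscustomobject]@{
        Context      = $context
        JoinState    = $joinState
        ErrorCount   = @($events | Where-Object Level -eq 2).Count
        WarningCount = @($events | Where-Object Level -eq 3).Count
        Cab          = $cab
        ReportDir    = $OutputDir
    }
}

Get-EnrollmentTriage | Format-List
```

Copy the output folder off the device before reimaging it; the CSV gives the help desk a quick view of event IDs, and the cab is what Microsoft support and Intune escalations typically ask for.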

Final analysis: strengths, practical payoff, and residual risk

KB5065848 is a focused, necessary piece of a larger change: equipping Windows 11 24H2 and Windows Server 2025 images with the enrollment and OOBE plumbing required for a safer, more predictable provisioning experience. The strength of this approach is clear — aligning the moment a device first boots with an enterprise’s patch baseline materially reduces exposure and help‑desk churn.
However, the operational trade‑offs are real. The move pushes complexity and potential failure points earlier in provisioning. The August 2025 patching episodes — which required expedited OOB fixes because recovery flows were impacted — are a cautionary example of what can go wrong when large servicing changes are in play. In practice, the benefit of day‑one patched devices is best realized by organizations that:
  • Treat this as a policy‑governed capability (disable/enable via ESP in Intune),
  • Rigorously pilot across representative hardware and connectivity scenarios, and
  • Update imaging pipelines so the OOBE payloads are present before broad deployment.
If those steps are followed, the security and compliance gains are substantial; if skipped, the blast radius of a problematic quality update could be far larger because it occurs before user sign‑in and before many common troubleshooting tools are readily available.

Conclusion

KB5065848 is the 24H2 OOBE update that formalizes and stabilizes the enrollment and management surface Microsoft needs to deliver its long‑anticipated capability to install Windows quality updates during OOBE for managed devices. Administrators should treat this KB — and the broader OOBE change — as an operational turning point: it enables day‑one security posture improvements but also requires careful image management, ESP profile governance, TAP/time‑out planning, and staged testing to avoid provisioning disruptions. The authoritative KB and Microsoft IT Pro guidance outline the mechanics and controls; independent reporting and community telemetry confirm the approach and underscore the importance of measured rollouts. (support.microsoft.com, techcommunity.microsoft.com, bleepingcomputer.com)


Source: Microsoft Support KB5065848: Out of Box Experience update for Windows 11, version 24H2 and Windows Server 2025: August 29, 2025 - Microsoft Support