Guide: Preventing the Windows OOBE Update Loop Caused by ESP and Update Rings in Microsoft Intune

-

Guide: Preventing the Windows OOBE Update Loop Caused by ESP and Update Rings in Microsoft Intune

Overview

Microsoft recently enabled a new behavior in Windows Autopilot where devices may attempt to install Windows Updates during OOBE (Out-of-Box Experience). This is controlled by the ESP (Enrollment Status Page) setting:

Install Windows updates (might restart the device)

If this setting is enabled, and the device is also targeted by a Windows Update Ring, the two systems may conflict.
This often results in an OOBE update loop, where the device repeatedly restarts during setup and displays messages like the screen below:


Why was my PC restarted?


This loop continues indefinitely unless configuration is corrected.

Symptoms

Devices show the following behavior during Autopilot enrollment:

  • Windows attempts to install updates during OOBE (triggered by ESP).
  • The Update Ring simultaneously enforces updates.
  • The device restarts unexpectedly.
  • OOBE fails to continue because updates are pending.
  • The device becomes stuck in a restart → update → OOBE → restart cycle.

This creates a blocking condition that prevents successful device provisioning.

Cause

The issue is caused by overlapping update policies:

1. ESP setting "Install Windows updates" = Yes

This forces devices to check for and install Windows Updates during OOBE.


2. Update Rings assigned via dynamic device groups
If you have created dynamic Update Rings groups that automatically include devices, the Update Rings will be applied immediately during Autopilot enrollment unless they are explicitly delayed or excluded.

3. Device joins both policies too early

Because Autopilot assigns device group memberships before ESP completes, the Update Ring can take over and enforce updates at the same time ESP tries to do the same.

Solution Summary

To stop the update loop, you must:

1. Disable “Install Windows updates” in ESP

Set ESP → Install Windows updates = NO

2. Exclude Autopilot devices from Update Rings during OOBE

Exclude your Autopilot security group from all Update Rings.

3.  Create a dedicated "Post‑Enrollment Update Ring"

Assign it only after ESP is completed.

Step-by-Step Guide

Step 1: Disable Windows Update installation in ESP

  1. Go to Microsoft Intune admin center
    Devices → Windows → Enrollment → Enrollment Status Page (ESP)

  2. Edit your main ESP profile used for Autopilot.

  3. Locate the setting:
    Install Windows updates (might restart the device)

  4. Set it to:
    ❌ NO

  5. Save & assign the updated ESP.


Result:
Devices will no longer try to install updates during OOBE, preventing conflict with Update Rings.

Step 2: Exclude Autopilot Devices from Existing Update Rings

If your Update Rings target “All Devices” or similar broad scopes, you need to exclude your Autopilot device group.

  1. Go to:
    Devices → Windows → Update Rings

  2. Open the Update Ring profile(s) currently in use.

  3. Go to Assignments.

  4. Under Exclusions, add:
    Autopilot Devices
    (your dynamic group used for Autopilot provisioning)

This prevents Windows Update Rings from applying updates during OOBE.

Step 3 (Optional, Recommended): Create a Post‑Enrollment Update Ring

To ensure updates apply after ESP, you can create a new Update Ring that only targets completed devices.

Steps:

  1. Create a new Update Ring.
  2. Assign it to security grupp that you have created

This staged approach prevents OOBE interruptions while keeping devices fully updated afterward.

Best Practices

✔ Always exclude Autopilot devices from Update Rings

During OOBE, devices should only receive:

  • ESP
  • Required configuration profiles
  • Required apps

✔ Keep “Install Windows updates” disabled in ESP

This removes unnecessary reboots and significantly speeds Autopilot deployment.

✔ Use Dedicated Assignment Groups

Example setup:

  • Autopilot-Devices → ESP + baseline configuration only
  • Production-Devices → Update Rings, Feature Updates, Q\&A updates

✔ Monitor devices in the Autopilot Deployment Report

Check for devices stuck in:

  • Device Preparation: Updates
  • Device Setup: Updates

Keywords for Search & Documentation

  • Autopilot Update Loop
  • ESP Windows Updates setting
  • Intune OOBE forced update
  • Update Ring conflict Autopilot
  • Windows Autopilot restart loop
  • Enrollment Status Page configuration
  • OOBE update failure
  • Intune device provisioning troubleshooting
  • Disable updates during OOBE

Conclusion

This issue is caused by Microsoft enabling a new ESP update behavior that conflicts with Update Rings.
By disabling updates in ESP and excluding Autopilot devices from Update Rings, the OOBE loop is completely resolved.

If you want, I can also create:

✅ a PDF version of this guide
✅ a PowerPoint you can share with your team
✅ a shorter quick‑guide version for technicians

Would you like any of those?

Kommentarer

Skicka en kommentar

Populära inlägg i den här bloggen

🚀 Force Reinstallation of an Intune App

-
Bild
  – When Intune refuses to reinstall a program you’ve already removed Sometimes an application deployed through Microsoft Intune won’t reinstall even after you’ve manually uninstalled it. That’s because Intune tracks installation status using both registry entries and detection rules to decide whether an app is already present. Here’s how to fully reset that state and force a reinstallation — step by step. 💡 Why Intune won’t reinstall the app When a Win32 app is deployed via Intune, the Intune Management Extension stores app metadata in the Windows registry under: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\IntuneManagementExtension\Win32Apps This registry data tells Intune which apps are installed, when, and by which user. On every policy sync, Intune checks the detection rule defined for the app. If the detection rule still reports the app as “installed” — even though you removed it — Intune will skip reinstallation . 🔧 Step-by-Step Guide 1️⃣ Uninstall the App F...
Read more »

🔵Troubleshooting Intune Device Enrollments: Understanding GUIDs, Registry Paths, and EnterpriseMgmt Tasks

-
Bild
This guide explains how to diagnose Intune MDM issues on a Windows device by using two key locations: Task Scheduler → EnterpriseMgmt Registry → HKLM\SOFTWARE\Microsoft\Enrollments These two locations always contain matching GUID folders , and together they show the full state of the device’s MDM enrollment. 📌 Introduction: Why do these GUID folders exist? When a Windows device enrolls into Intune (MDM) , Windows generates a unique GUID folder for that enrollment. That GUID is used in two places: 🔹 1. Task Scheduler Task Scheduler → Microsoft → Windows → EnterpriseMgmt → {GUID} This folder contains scheduled jobs that handle: MDM sync certificate renewal policy retrieval push notification handling 🔹 2. Registry HKLM\SOFTWARE\Microsoft\Enrollments\{GUID} This folder contains detailed information: tenant ID enrollment type certificate thumbprints renewal status MDM server URLs device identity 👉 Both folders describe the same en...
Read more »

🚀 Windows Autopilot Self-Deploying Mode — Zero-Touch Setup That Feels Like Magic

-
Bild
Just imagine this: You unwrap a brand-new PC or reinstall Windows 11 from scratch… and before you even touch the keyboard, the device automatically: ✅ Joins Microsoft Entra ID (Azure AD) ✅ Syncs all Intune apps, settings, and policies ✅ Lands straight on the sign-in screen — ready for the user No technician. No clicks. No wasted time. That’s Windows Autopilot Self-Deploying Mode — effortless, hands-free provisioning that just works. The only prerequisite? Register the device’s Hardware Hash (HWID) in Intune first. Here’s the cleanest 10-minute setup guide to make it happen — perfect for brand-new or freshly reinstalled devices. ⚡ Step-by-Step: Configure Windows Autopilot Self-Deploying Mode in Under 10 Minutes 1️⃣ Start Fresh Use a new PC or perform a clean Windows 11 installation (OOBE stage). 2️⃣ Insert a USB Drive 3️⃣ Identify the Drive Letter Press Shift + F10 , open PowerShell, and run: Get-Volume Find your USB drive letter (e.g., E:). 4️⃣ Run the Script Execute: .\auto...
Read more »