Microsoft released KB5065813 on August 26, 2025, a two-pronged out-of-band update that reshapes how Windows 11 provisions itself in the enterprise. The patch does two things: it lets managed devices download and install monthly quality updates before a user ever signs in—closing a glaring security gap during initial setup—and it repairs a damaging regression from the August 2025 cumulative rollups that broke Reset this PC, cloud reinstall, and RemoteWipe across versions 22H2 and 23H2.
For IT teams still scrambling from the August recovery meltdown, this is both a relief and a call to action. The same update that restores those rescue paths also introduces a new, configurable step in the Out-of-Box Experience (OOBE) that can add 20 to 30 minutes to provisioning but promises devices that are patched and compliant from the moment they hit the desktop.
The Dual Mandate: OOBE Updates and Recovery Repair
KB5065813 is not an ordinary cumulative update. It ships as a combined Servicing Stack Update (SSU) and Latest Cumulative Update (LCU), a packaging choice that makes the servicing stack component permanent once applied. Microsoft designed this OOB (out-of-band) package for two tightly linked outcomes.
First, it introduces the plumbing that allows applicable Windows 11 devices to fetch and apply quality updates during the final phase of OOBE. This behavior is gated to Pro, Enterprise, Education, and SE SKUs that are Microsoft Entra-joined or Entra hybrid-joined and managed by Microsoft Intune (or another MDM supporting Enrollment Status Page). Feature updates and broad driver rollouts remain excluded; only monthly security and reliability fixes are candidates. The capability surfaces as a toggle in Intune’s Enrollment Status Page (ESP) profile, labeled “Install Windows quality updates (might restart the device).”
Second, it delivers an emergency fix for the recovery regressions that appeared after installing the August 2025 cumulative updates. Those rollups caused “Reset this PC,” “Fix problems using Windows Update” (the cloud reinstall feature), and RemoteWipe to fail on affected 22H2 and 23H2 builds. KB5065813’s SSU+LCU payload supersedes the problematic August rollup for those branches, restoring critical recovery workflows.
How OOBE Quality Updates Work
The OOBE update mechanism is straightforward in concept but nuanced in execution. During the final setup screen, after the user has configured region, keyboard, and network, Windows Update checks for applicable quality updates if the device meets the eligibility criteria. If updates are found and the ESP policy allows it, they are downloaded and installed. The device may reboot once or twice before reaching the login screen.
Eligibility hinges on several factors:
- Windows 11 version: 22H2 or 23H2.
- SKU: Pro, Enterprise, Education, or SE.
- Join type: Microsoft Entra-joined or Entra hybrid-joined.
- Management: Intune or a compatible MDM with ESP support.
- Servicing prerequisites: The device must have the June 2025 non-security setup payload or the August OOB/ZDP update applied; otherwise the ESP toggle will not appear.
The process respects Windows Update for Business deferral and pause policies, so organizations can still control when updates are received. Quality updates that are deferred or paused by policy simply won’t be offered during OOBE. Critical zero-day patches, however, remain a separate flow and can still arrive out-of-band.
The ESP Toggle and Administrator Control
The Enrollment Status Page toggle gives IT admins fine-grained control. New ESP profiles created after the update default to “Yes,” meaning they will attempt to install quality updates during OOBE. Existing profiles default to “No”—an important detail that prevents sudden, unexpected lengthening of provisioning times for established workflows.
Admins must deliberately edit existing profiles to opt in. This design decision puts the onus on IT to evaluate and pilot the feature before rolling it broadly. Those who manage large fleets can create separate ESP profiles for different device groups, enabling the OOBE update behavior only where the security benefit outweighs the time penalty.
The August 2025 Recovery Regression and Its Fix
The recovery failures caused by the August 2025 cumulative updates were severe. “Reset this PC” would fail outright, leaving a device stuck in an inoperable state. The cloud reinstall option for repairing Windows broke, and RemoteWipe—critical for managed device retirement—stopped working. For organizations that rely on these paths to recover kiosks, frontline devices, or improperly configured laptops, the impact was immediate.
KB5065813’s fix arrives as a combined SSU+LCU that replaces the problematic rollup. Because SSUs are permanent once installed, administrators should stage this deployment carefully. Microsoft made the package available through Windows Update as an optional update, the Microsoft Update Catalog, WSUS, and Windows Update for Business, enabling IT to choose the distribution channel that fits their environment.
Operational Tradeoffs and Real-World Impact
Enabling quality updates during OOBE is a security win, but it comes with predictable costs. The most immediate is provisioning time. Field reports and Microsoft’s own guidance suggest the update process during OOBE can add 20–30 minutes or more, depending on update size, hardware performance, and network speed. For a single device this may be acceptable, but for a batch of 500 laptops being unboxed in a conference room, the cumulative delay can derail a rollout schedule.
Network strain is another factor. Having multiple devices simultaneously pull cumulative updates can saturate WAN links if delivery optimization and peer caching aren’t configured. IT teams should layer in quality-of-service policies or stage provisioning windows to avoid congestion.
There’s also the permanence of the SSU. Because the servicing stack update can’t be uninstalled once applied, there’s less rollback flexibility. If a future issue emerges that requires a different SSU version, an in-place upgrade or full reimage might be the only path back.
Finally, user communication matters. Employees receiving a new device may be confused by a longer-than-expected setup screen. A simple “this device is installing essential security updates and may take up to 30 minutes” message can head off help desk calls.
How to Prepare and Deploy KB5065813
A structured rollout plan limits risk. Start with these steps:
- Verify device readiness: Confirm OS build, SKU, and join state. Devices must be on Pro or higher and already Entra-joined or hybrid-joined with Intune enrollment.
- Check image servicing: Ensure your golden image includes the June 2025 non-security payload or has received the August ZDP. If the ESP toggle isn’t visible, the device likely doesn’t have the required prerequisites.
- Review ESP profiles: In Intune, navigate to Devices > Enrollment > Enrollment Status Page. Open the relevant profile and note the new toggle. For existing profiles, it will be set to No; for new profiles, Yes. Decide which groups should get the OOBE update behavior.
- Pilot, pilot, pilot: Begin with a small, diverse set of hardware. Measure provisioning time, monitor for restart loops, and validate that RemoteWipe and reset functions work post-update. Include co-managed and hybrid scenarios if applicable.
- Distribute the recovery fix: For machines already affected by the August regression, deploy KB5065813 via your chosen update channel. Match the OOB package to the exact OS build (e.g., 22621.xxxx for 22H2, 22631.xxxx for 23H2).
- Monitor and report: Use telemetry from Intune or update compliance tools to confirm successful installation and to flag devices that remain unpatched.
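The eligibility factors and the readiness steps above can be checked from the device itself. The script below is an added example written for this article, not code from the article or from Microsoft: it reads the OS build (22621 for 22H2, 22631 for 23H2), the edition, the Entra join state from dsregcmd, a heuristic Intune enrollment marker in the registry, and whether KB5065813 is already installed. The function and parameter names are this example's own, and the EditionID value used for Windows 11 SE is an assumption to verify against your own images. Run it in an elevated PowerShell session.

```powershell
# Added example, not code from the article or from Microsoft.
# Checks the KB5065813 / OOBE-quality-update prerequisites on one Windows 11 device.
# Run in an elevated PowerShell session.

function Test-Kb5065813Readiness {
    [CmdletBinding()]
    param(
        # Build numbers for the two branches the article covers: 22H2 and 23H2.
        [int[]]$SupportedBuilds = @(22621, 22631),
        # EditionID values for Pro, Enterprise and Education. 'CloudEdition' for
        # Windows 11 SE is an assumption; confirm it against your own images.
        [string[]]$EligibleEditions = @('Professional', 'ProfessionalEducation',
                                        'Enterprise', 'Education', 'CloudEdition')
    )

    # Build, UBR (revision) and edition come from the CurrentVersion key.
    $cv      = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'
    $build   = [int]$cv.CurrentBuild
    $ubr     = [int]$cv.UBR
    $edition = [string]$cv.EditionID

    # dsregcmd /status prints "AzureAdJoined : YES/NO" and "DomainJoined : YES/NO".
    # Entra-joined = AzureAdJoined YES; hybrid = both YES.
    $dsreg        = dsregcmd /status
    $entraJoined  = [bool]($dsreg -match '^\s*AzureAdJoined\s*:\s*YES')
    $domainJoined = [bool]($dsreg -match '^\s*DomainJoined\s*:\s*YES')
    $joinType = if ($entraJoined -and $domainJoined) { 'Entra hybrid-joined' }
                elseif ($entraJoined)                { 'Entra-joined' }
                elseif ($domainJoined)               { 'Domain-joined only' }
                else                                 { 'Not joined' }

    # Heuristic: an MDM enrollment whose ProviderID is "MS DM Server" is Intune.
    $intuneEnrolled = [bool](
        Get-ChildItem 'HKLM:\SOFTWARE\Microsoft\Enrollments' -ErrorAction SilentlyContinue |
        ForEach-Object { Get-ItemProperty $_.PSPath -ErrorAction SilentlyContinue } |
        Where-Object { $_.ProviderID -eq 'MS DM Server' })

    # Is the OOB package itself already present?
    $kb = Get-HotFix -Id 'KB5065813' -ErrorAction SilentlyContinue

    $buildOk   = $build -in $SupportedBuilds
    $editionOk = $edition -in $EligibleEditions

    $result = [PSCustomObject]@{
        ComputerName        = $env:COMPUTERNAME
        OsBuild             = "$build.$ubr"
        BuildSupported      = $buildOk
        Edition             = $edition
        EditionEligible     = $editionOk
        JoinType            = $joinType
        IntuneEnrolled      = $intuneEnrolled
        Kb5065813Installed  = [bool]$kb
        Kb5065813InstalledOn = if ($kb) { $kb.InstalledOn } else { $null }
        # All four gates the article lists must hold for the ESP toggle to apply.
        OobeUpdateEligible  = ($buildOk -and $editionOk -and $entraJoined -and $intuneEnrolled)
    }

    if ($buildOk -and -not $result.Kb5065813Installed) {
        Write-Warning "Build $build is in scope for the August recovery regression and KB5065813 is not installed."
    }
    if (-not $result.OobeUpdateEligible) {
        Write-Warning "Device does not meet all OOBE quality-update prerequisites; the ESP toggle will not apply here."
    }
    return $result
}

# Usage: run on a pilot device, or wrap in Invoke-Command for a batch.
Test-Kb5065813Readiness | Format-List
```

The servicing prerequisite (June 2025 non-security payload or August ZDP) is not checked here because the article does not name those packages; if the ESP toggle is absent on a device that passes every other check, that prerequisite is the likely cause. Export the object with Export-Csv across a pilot group to get the "verify device readiness" and "monitor and report" steps in one pass.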
Known Issues and Troubleshooting
A few pitfalls have already surfaced in deployments:
- Missing ESP toggle: Usually indicates an older image without the June 2025 servicing payload. Apply the prerequisite update or reimage with current media.
- Reset/RemoteWipe still failing: If a device hasn’t received KB5065813, the August regression persists. Push the OOB package immediately to affected assets.
- Prolonged provisioning at scale: Use Delivery Optimization peer-to-peer caching and throttle downloads via group policy or Intune policy to avoid network saturation.
- Driver deployment gap: Drivers are not included in the OOBE quality update stage. Plan a follow-up driver installation cycle through Intune or your management tool.
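For the network-saturation pitfall, a pilot should confirm that Delivery Optimization is actually set to peer and is carrying update traffic before OOBE updates are enabled for a large batch. The script below is an added example for this article, not Microsoft's code: it reads the Delivery Optimization policy values that Intune or Group Policy write to the registry and sums the peer-versus-HTTP byte split reported by Get-DeliveryOptimizationStatus. The function name and the warning threshold are this example's own.

```powershell
# Added example, not code from the article or from Microsoft.
# Reports Delivery Optimization policy and the peer/HTTP byte split on one device.
# Run in an elevated PowerShell session after some updates have been downloaded.

function Get-DoPeeringReport {
    [CmdletBinding()]
    param(
        # Warn when fewer than this share of bytes came from peers (constructed threshold).
        [double]$MinPeerShare = 0.3
    )

    # Policy-managed DO settings (Intune / GPO) land under this key.
    $policyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\DeliveryOptimization'
    $policy    = Get-ItemProperty $policyKey -ErrorAction SilentlyContinue

    # DODownloadMode: 0 = HTTP only, 1 = LAN peers, 2 = group peers,
    # 3 = Internet peers, 99 = simple, 100 = bypass. 1 or 2 keep traffic on-site.
    $mode = if ($null -ne $policy.DODownloadMode) { [int]$policy.DODownloadMode } else { $null }
    $modeName = switch ($mode) {
        0       { 'HTTP only (no peering)' }
        1       { 'LAN' }
        2       { 'Group' }
        3       { 'Internet' }
        99      { 'Simple' }
        100     { 'Bypass' }
        default { 'Not set by policy (Windows default)' }
    }

    # Per-file DO jobs: sum bytes served by peers vs. direct HTTP.
    $jobs      = Get-DeliveryOptimizationStatus -ErrorAction SilentlyContinue
    $fromPeers = [int64]($jobs | Measure-Object -Property BytesFromPeers -Sum).Sum
    $fromHttp  = [int64]($jobs | Measure-Object -Property BytesFromHttp  -Sum).Sum
    $total     = $fromPeers + $fromHttp
    $peerShare = if ($total -gt 0) { [math]::Round($fromPeers / $total, 3) } else { $null }

    $report = [PSCustomObject]@{
        ComputerName                 = $env:COMPUTERNAME
        DownloadMode                 = $mode
        DownloadModeName             = $modeName
        # Background throttles as set by policy; $null means unthrottled by policy.
        MaxBackgroundKBps            = $policy.DOMaxBackgroundDownloadBandwidth
        MaxBackgroundPercent         = $policy.DOPercentageMaxBackgroundBandwidth
        JobCount                     = @($jobs).Count
        BytesFromPeers               = $fromPeers
        BytesFromHttp                = $fromHttp
        PeerShare                    = $peerShare
    }

    if ($mode -in @(0, 100)) {
        Write-Warning "Download mode $mode disables peering; every device will pull the LCU over the WAN."
    }
    if ($null -eq $report.MaxBackgroundKBps -and $null -eq $report.MaxBackgroundPercent) {
        Write-Warning 'No background bandwidth cap set by policy; consider one before a batch provisioning window.'
    }
    if ($null -ne $peerShare -and $peerShare -lt $MinPeerShare) {
        Write-Warning "Only $([int]($peerShare * 100))% of bytes came from peers; peer caching may not be effective on this subnet."
    }
    return $report
}

Get-DoPeeringReport | Format-List
```

Run it on a few devices from the same pilot batch: a download mode of 1 or 2 with a healthy peer share means the batch will mostly serve itself; mode 0 or 100, or a near-zero peer share, means the conference-room rollout in the article will hit the WAN link once per device.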
The Bigger Picture: A Day-One Security Baseline
The tension between security and user experience has plagued Windows provisioning for years. A brand-new laptop, straight from the factory, may ship with months of unpatched vulnerabilities. When the user first signs in, Windows Update immediately queues a reboot to install those patches—often during a critical first meeting or onboarding session. KB5065813 directly attacks that problem.
By moving the update step inside OOBE, Windows can lock down the device before any user data is loaded or any credentials are entered. For industries like healthcare, finance, and government, where compliance demands patching before first use, this is a significant operational improvement.
At the same time, the August 2025 debacle was a stark reminder of the fragility of recovery tooling. The same monthly update mechanism that delivers security can also break the escape hatches IT relies on when things go wrong. The fact that Microsoft released an OOB fix within weeks suggests a recognition of the severity, but it also underscores why comprehensive testing and staged rollouts remain non-negotiable.
Final Analysis
KB5065813 is more than a routine patch. It introduces a fundamental shift in Windows provisioning while simultaneously acting as an emergency hotfix. For organizations ready to embrace the new OOBE update capability, the payoff is a fleet of machines that are secure from the very first login. But that benefit demands deliberate planning: updated images, thoughtful ESP profile configuration, and honest communication about provisioning delays.
The recovery fix is a mandatory inclusion for any enterprise still running 22H2 or 23H2. Leaving devices without a working reset or wipe path is an unacceptable operational risk. IT teams should prioritize deploying KB5065813 to all managed endpoints and validate recovery scenarios immediately afterward.
In the end, this update encapsulates the modern Windows servicing reality: agility and risk go hand in hand. Test everything. Control the rollout. And never assume that this month’s cumulative update won’t break the tools you need to fix last month’s problem.