Last week, Microsoft released its usual monthly Dynamic updates, although this time, only those for Windows 10 were published under KB5065918, KB5065307, and KB5065845. The company released the most recent Windows 11 dynamic updates as well as OOBE updates last month. The latter, under KB5065848 and KB5065847, were the OOBE (out of box experience) updates that Microsoft releases from time to time.
Alongside the OOBE updates, Microsoft also published a separate support article regarding an MDM-related issue on older devices. By "older devices", the company appears to mean PCs that are running older versions of Windows 11. Neowin noticed this new document while browsing, and it happens to be the second such piece Microsoft posted on that day.
In the guidance article, the company explains how the application version in the enrollment request is affected after the aforementioned OOBE updates. Microsoft notes that when older devices are enrolled via a mobile device management (MDM) provider, the application version in the enrollment request is increased by 1.
"If the device is running Windows version 26100.4770, the build version sent during enrollment will be 26100.4770, but after the out-of-box experience (OOBE) update is installed, the application version will become 26100.4771," Microsoft says.
Microsoft has also provided more details on why that is, and on how a known issue related to the KB5065848 and KB5065813 OOBE updates led to the creation of this workaround.
The company says that when the OOBE updates fail to install, the necessary CSP (configuration service provider) policies that are included in the OOBE are not installed either. This creates a mismatch with potentially breaking consequences, including policy application and enrollment failures, which leave users stuck at OOBE or the initial setup screen.
It explains:
Currently, MDM controllers, such as third-party MDM providers, do not have a way to determine if a device is capable (has the restore policy code present) of showing the restore experience during OOBE. Devices that can have restore enabled through OOBE packages are not supported to show the restore experience.
To enable the restore experience for older devices during device enrollment, the enrollment request now increments the application version by 1. This indicates that the older device is restore-capable, and the MDM providers should use this as a detection mechanism to send the restore CSP.
You can find more details in the support article under KB5065083 on Microsoft's official website.