W11 deployment - Anyway to skip the "checking for update"?
Posted by nodiaque@reddit | sysadmin | 34 comments
Hello everyone,
There is a step we can't find how to disable. When we image a computer and it finishes, on the first boot before getting to the login screen, there's a screen on a white background (and a wallpaper) saying "checking for update" and then various other quotes. Is there a way to skip that screen so it goes straight to the login screen like in Windows 10?
I've tried various things in OOBE and can't find it. The only place I found something about this was someone who created a script that disables the network during sysprep, which would skip this. But since I'm using SCCM to deploy, this is not an option.
Thank you
Ill-Detective-7454@reddit
With PowerShell, create a firewall rule to block outgoing packets before OOBE, then delete the rule after OOBE. No internet = no checking for updates during OOBE.
loosebolts@reddit
You’re using SCCM to deploy? Check your task sequence, that’s what controls your auto login.
Also, this screen only comes up as far as I’m aware if you’re a major version behind - is your OS install image up to date or are you using an older base image that’s being updated to 25H2 on first boot?
nodiaque@reddit (OP)
No, it always appears. I'm using the latest 25H2 ISO available on the MS website.
No, the auto login isn't part of SCCM nor unattended, it's built in. The checking for update screen is run as part of the OOBE process with the defaultuser0 account. It is set as admin before login and removed + disabled at logout.
Bogart30@reddit
How are y'all imaging the computers?
Using MDT, I never get this problem. We need to upgrade to Intune but…….ya know.
nodiaque@reddit (OP)
SCCM. MDT isn't supported for W11 and I'm pretty sure you just don't see the screen. Depending on the computer, it can go really fast (like a blink) and others take 1-2 minutes.
Bogart30@reddit
Hey I got windows 11 to work haha.
I’ve been wanting to convert us to SCCM but we’ll see.
nodiaque@reddit (OP)
Watch out, VBS is deprecated, so unless you converted to the custom PowerShell MDT, you will run into a wall sooner or later where scripts won't run.
Unable-Entrance3110@reddit
Check to see what sites it's using, using Sysmon or DNS query capture, and block those sites.
That would be my approach anyway.
nodiaque@reddit (OP)
It's already blocked, but it's still going into that process. The problem is that when this page happens, the computer is actually logging in with user defaultuser0 (or something like that, my memory is not good right now). This user is temporarily added as an admin user. If you are using any GPO that removes everyone from the admin group and then adds other users/groups, there's a chance you break that step and the computer runs into a boot loop.
Another thing is if you set up Embedded Shell Launcher during OSD, it will break this step and render the computer broken.
BlackV@reddit
Er...
defaultuser0 is only during OOBE (same for the update checks), so you are not even on the domain yet for the domain to "break that user". It also won't lose its admin rights till it logs out (or reboots or whatever).
What is your logic behind disabling the update during OOBE?
nodiaque@reddit (OP)
The checking for updates screen is run with that user. GPOs are already applied because it's first boot. Since the admin GPOs are computer GPOs, they do touch this user. I know this because I've had, more than once, that step crash to desktop! I was logged in as defaultuser0 and was part of the admin group. Also, if you connect to the computer remotely to see members of the admin group, you can see that defaultuser0 is admin until it logs out and sends you to the login screen.
I've had trouble with computers having random boot loops or crashes to desktop after OSD. Found out that the GPO that removes all users from the admin group was affecting this step.
Also, if you configure Embedded Shell Launcher during OSD, this will also affect that user and prevent that step from running properly, either making it crash and/or boot loop.
My logic is skipping this step, which is not required since I already manage updates during OSD and afterward. This will prevent all the problems that are happening right now.
The fix we applied now is not even 100%. What we do is, for the admin GPO, we check if a specific reg key is set to a specific value. That value is set in the post-action task, which is a task that runs 5 min after first boot. Normally, the update check is done after 5 minutes, but it's not always the case. Even so, since the GPO step was already done, admins aren't cleared yet.
As for the embedded shell, we changed the script so now it doesn't set it during OSD; instead it's a script triggered at computer startup that checks for the same custom var. If that var is present, it enables the shell.
All workarounds for stuff that works perfectly in all other Windows OSes, but that OOBE checking for updates running after OSD in the full OS and a full session where GPOs get activated, even SCCM gets enabled (check the event log and you'll see), just breaks everything.
It's also a security risk since you have an auto login as an admin account on the device, and I did run into a case one time where the account wasn't removed from the admin group (without the GPO) nor disabled.
littleneutrino@reddit
If you do Shift+F10 and in the CMD type "oobe\bypassnro", then reboot (unplug the network cable), then click "I don't have internet", you can set up the PC without doing any internet-connected Microsoft nonsense, including the forced update.
BlackV@reddit
bypassnro, that is going away (or has already in 25H2?)
and was ALWAYS 100% unnecessary in the first place
nodiaque@reddit (OP)
It's a corporate device deployed en masse, I won't do that manually on each computer
sryan2k1@reddit
Please don't? You want it to be as updated as possible.
nodiaque@reddit (OP)
It's a corporate computer. I don't need the computer to ping MS for updates, it's already managed during OSD.
sryan2k1@reddit
Just ignore it. It's doing the right thing. It's trying to update the OOBE experience.
nodiaque@reddit (OP)
No, it's breaking stuff. It's also a security risk in a sense. Why?
When that update screen shows, you are actually logged in as defaultuser0 as admin. Yes, as admin. You can run explorer.exe and have a shell (it actually happened once or twice that the process crashed and I was sent to the desktop).
Because this process adds defaultuser0 as admin before login and then removes it, and GPOs do get applied, you run into issues if you have a GPO removing every admin from the computer. Sometimes, defaultuser0 will log in after the GPO and not be admin, which breaks the process (even if nothing is getting applied) and creates a boot loop.
Another thing is, since it's running a user session, if you're using Embedded Shell Launcher to modify the default shell, it will again break this account's shell and create a boot loop.
OtterCodeWorkAcct@reddit
Can you join it to a different OU until the image is complete then move the system out of the "New Computer" OU to the one it needs to be in?
Stonewalled9999@reddit
It adds 1-3 hours to the setup getting all the cumulative updates. Those can trickle in when it is sitting at a desk, not in my deployment room.
nodiaque@reddit (OP)
1-3 hours? This is nonsense unless you have very bad internet. But the step itself for me does nothing since updates are managed by SCCM, so it's not that I don't want to update, it's that this step is breaking stuff.
sryan2k1@reddit
Update your base then? It adds 1-5 minutes on our machines.
LaDev@reddit
While in WinPE, after applying the image, load the offline hive and enable "DoNotConnectToWindowsUpdateInternetLocations". Clear this value at the end of provisioning.
nodiaque@reddit (OP)
Does it really skip the whole process? Cause I'm reading online it didn't change for most people. For me, I want to skip the whole autologin as defaultuser0 and running that update process, since it's broken when you manage admin accounts or use Embedded Shell Launcher.
Onoitsu2@reddit
I did almost what they did in WinPE, but also added another reg key for
"NoAutoUpdate"=dword:00000001
Then I have a script loaded on first login that turns both back to defaults.
So much faster to get to a desktop, apps provisioned, then update the OS. Takes a process from 40 minutes to reach a desktop to 20, perform OS updates and walk away.
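The two registry settings mentioned above by LaDev (DoNotConnectToWindowsUpdateInternetLocations, set in the offline hive from WinPE) and by Onoitsu2 (NoAutoUpdate, cleared again by a first-login script) put together as one added example script, not either poster's own code. It assumes the applied image lives on W: and that the same script is later run with -Cleanup from a first-boot task in the full OS; the temporary hive name OfflineSW is also an assumption.

```powershell
# Added example (not the posters' scripts). Assumes the applied OS image is on W:
# in WinPE and that a first-boot task later runs this script with -Cleanup.
param([switch]$Cleanup, [string]$OsDrive = 'W:')

# Both values live under the Windows Update policy key; the AU subkey holds NoAutoUpdate.
$PolicyRel = 'Policies\Microsoft\Windows\WindowsUpdate'
$Values = @{
    "$PolicyRel"    = 'DoNotConnectToWindowsUpdateInternetLocations'  # LaDev's value
    "$PolicyRel\AU" = 'NoAutoUpdate'                                   # Onoitsu2's value
}

if (-not $Cleanup) {
    # WinPE phase: mount the offline SOFTWARE hive under a temporary key (name assumed).
    $hivePath = Join-Path $OsDrive 'Windows\System32\config\SOFTWARE'
    & reg.exe load 'HKLM\OfflineSW' $hivePath | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "reg load failed for $hivePath" }
    try {
        foreach ($rel in $Values.Keys) {
            $key = "HKLM:\OfflineSW\$rel"
            New-Item -Path $key -Force | Out-Null
            Set-ItemProperty -Path $key -Name $Values[$rel] -Value 1 -Type DWord
        }
    } finally {
        # Drop PowerShell's open handles to the hive, otherwise reg unload fails.
        [gc]::Collect(); [gc]::WaitForPendingFinalizers()
        & reg.exe unload 'HKLM\OfflineSW' | Out-Null
    }
} else {
    # Full-OS phase, end of provisioning: remove both values so Windows Update
    # is managed normally again and the device does not stay offline from WU.
    foreach ($rel in $Values.Keys) {
        $key = "HKLM:\SOFTWARE\$rel"
        if (Test-Path $key) {
            Remove-ItemProperty -Path $key -Name $Values[$rel] -ErrorAction SilentlyContinue
        }
    }
}
```

Run without switches from the WinPE task after the image is applied, and with -Cleanup as the last provisioning step; if the cleanup step is skipped, the device stays cut off from Windows Update, which is the failure mode to check for in the task sequence.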
nodiaque@reddit (OP)
Your autologin also speeds up any other login after. The first ever true login on a freshly imaged computer is the slowest.
For me, what I need is to skip the step totally. No defaultuser0 account logging in as admin that launches the process. This is what's breaking.
Onoitsu2@reddit
My imaging process from a WinPE, as booted via any PXE capable hosting platform (WDS even) https://onoitsu2.com/Windows_Install_Video.mp4
LaDev@reddit
Depends what you mean by "whole process".
Does it skip updates? Yes.
Does it skip OOBE? No, that needs to be done through the unattend file.
nodiaque@reddit (OP)
What I mean is, does it still log in as defaultuser0 and try to run stuff? If it does, it's not fixing the problem this causes.
sublimeinator@reddit
Are you using Autopilot? If so, your ESP may be inserting an update check.
nodiaque@reddit (OP)
Nope, SCCM hybrid-join at best (which occurs after imaging)
foreverinane@reddit
Are you talking about the Autopilot Enrollment Status Page?
nodiaque@reddit (OP)
No, it's a page that says "checking for updates" and then sends me to the login screen. Unless it's the same, we aren't using Autopilot. But it's a new page in W11 that didn't exist in W10.
Due_Programmer_1258@reddit
I know MS is planning on enabling this feature (to skip initial update checks) via Intune; perhaps SCCM will have a way after this is in?