From f64a1bdafb9366d8405ceacd0cab93c09fc873b7 Mon Sep 17 00:00:00 2001
From: Gerardo Camacho <53233367+gerardoc-ms@users.noreply.github.com>
Date: Wed, 8 Mar 2023 11:16:25 -0800
Subject: [PATCH] Add documentation for ScanBeforeInitialLogon

Adding documentation for a registry value introduced being introduced in Win11 22H2 to support scanning for and installing updates before a first user logon.  This is meant to be used only for devices (such as CloudPCs based on Azure VM) where there is a significant delay between the completion of the first user experience and the initial logon.  Included a warning that using this value may have a negative effect when used in retail devices.
---
 windows/deployment/update/waas-wu-settings.md | 14 ++++++++++++++
 1 file changed, 14 insertions(+)

diff --git a/windows/deployment/update/waas-wu-settings.md b/windows/deployment/update/waas-wu-settings.md
index af807a712a..af78a7ba37 100644
--- a/windows/deployment/update/waas-wu-settings.md
+++ b/windows/deployment/update/waas-wu-settings.md
@@ -283,3 +283,17 @@ if (!(Test-Path $registryPath))
 
 New-ItemProperty -Path $registryPath -Name $name -Value $value -PropertyType DWORD -Force | Out-Null
 ```
+
+## <a name="bkmk_display-name"> </a> Allow Windows Updates to install before initial user logon
+
+This value is supported on devices running Windows 11, version 22H2 or newer.
+
+On new devices Windows Update does not begin to install background updates until a user has completed the Out of Box Experience and logs on for the first time.  The initial logon typically happens immediately after completing that first user experience.  Some VM-based solutions provision a device and automate the first user experience but are not immediately assigned to a user and don't see an initial logon until several days later.  
+
+In those scenarios, setting the following registry value allows those devices to begin background update work before a first user logon:
+
+- **Registry key**: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Orchestrator
+- **DWORD value name**: ScanBeforeInitialLogonAllowed
+- **Value data**: 1
+
+> [!NOTE] This value is designed to be used only for scenarios with a deferred initial user logon.  Setting this value on normal consumer retail devices could have a detrimental effect on performance as it may allow update work to occur as the user is logging in for the first time.