Options
Thumbnail

The Hidden Features of the Windows OOBE

23:30 • March 1st, 20242 minutes to read

The Windows 11 OOBE is a mess...

The OOBE (Out-of-Box Experience) is the first thing a user sees when they boot up a new Windows device. It's the first impression of the operating system, and it's important to get it right. At first glance, it seems to be a thing Microsoft surprisingly has gotten right. However, once you take a look under the hood, you find a mess of legacy code, hidden features and undocumented APIs... and suddenly, you take it all back.

In this article, I aim to take a deep dive into that mess and explore some hidden features and customization options it offers.

Warning triangle

Unfinished article

This post is a work in progress, please check back later for more content!

The OOBE protocol

The OOBE is a web application, and the ms-cxh:// protocol is a custom handler that defines a couple of shortcuts to various pages, seemingly, for internal use.

The list of available protocol strings can be retrieved by scanning Windows binaries for the ms-cxh:// occurrences. Luckily, Hexacorn did all the heavy lifting for us and shared his findings in his blog post.

The protocol API is undocumented by Microsoft, so it's not guaranteed to work in the future. In fact, it has already been partially removed or deprecated in Windows 11 without any notice.

Microsoft used acronyms in protocol strings, and some of them are quite cryptic, but there's nothing we can't decode.

Out-of-Box Experience

FRX stands for «First Run eXperience»;
RDX stands for «Retail Demo eXperience».

  • ms-cxh://FRX/AAD
  • ms-cxh://FRX/INCLUSIVE
  • ms-cxh://FRX/INCLUSIVE?start=OobeProvisioningStatus
  • ms-cxh://FRX/TEAMEDITION
  • ms-cxh://FRXRDXINCLUSIVE

Microsoft Azure

The AAD acronym is commonly used and refers to «Azure Active Directory»;
SSPR stands for «Self-Service Password Reset».

  • ms-cxh://AADPINRESETAUTH
  • ms-cxh://AADSSPR
  • ms-cxh://AADWEBAUTH

Modern settings

The MOSET acronym most likely refers to «Modern settings»;
MAM stands for «Mobile Application Management». MSA stands for «Microsoft Account».

  • ms-cxh://MOSET/AADLOCAL
  • ms-cxh://MOSET/CONNECTTOWORK
  • ms-cxh://mosetmamconnecttowork?mode=mdm&username=%s&servername=%s
  • ms-cxh://mosetmdmconnecttowork
  • ms-cxh://MOSETMSA
  • ms-cxh://MOSETMSALOCAL

Microsoft account

CFL probably stands for «Change First Logon»?

  • ms-cxh://MSACFLPINRESET
  • ms-cxh://MSACFLPINRESETSIGNIN
  • ms-cxh://MSACXSIGNINAUTHONLY
  • ms-cxh://MSACXSIGNINPINADD
  • ms-cxh://MSACXSIGNINPINRESET
  • ms-cxh://MSAPINENROLL
  • ms-cxh://MSAPINRESET
  • ms-cxh://MSARDX
  • ms-cxh://MSASSPR

Windows Hello for Microsoft Intune

NTH stands for «iNTune Hello»;
NGC stands for «Next Generation Credential»;
ENT stands for «Enterprise»;
MDM stands for «Mobile Device Management».

  • ms-cxh://NTH
  • ms-cxh://NTH/AADRECOVERY
  • ms-cxh://NTHAADNGCFIXME
  • ms-cxh://NTHAADNGCONLY
  • ms-cxh://NTHAADNGCRESET
  • ms-cxh://NTHAADNGCRESETDESTRUCTIVE
  • ms-cxh://NTHAADNGCRESETNONDESTRUCTIVE
  • ms-cxh://NTHAADORMDM?ngc=enabled
  • ms-cxh://NTHENTNGCFIXME
  • ms-cxh://NTHENTNGCONLY
  • ms-cxh://NTHENTNGCRESET
  • ms-cxh://NTHENTNGCRESETDESTRUCTIVE
  • ms-cxh://NTHENTORMDM
  • ms-cxh://NTHENTORMDM?ngc=enabled
  • ms-cxh://NTHNGCUPSELL
  • ms-cxh://NTHPRIVACY
  • ms-cxh://RDXRACSKUINCLUSIVE

Second-chance OOBE

personalized-scoobe-test.png

  • ms-cxh://SCOOBE
  • ms-cxh://SCOOBE%ws
  • ms-cxh://SCOOBE/UPGRADE

Cloud settings

  • ms-cxh://SETADDLOCALONLY
  • ms-cxh://SETADDNEWUSER
  • ms-cxh://SETCHANGEPWD
  • ms-cxh://SETPHONEPAIRING
  • ms-cxh://SETPHONEPAIRING?scenarioId=SwiftKeyCloudClipboard
  • ms-cxh://setsqsalocalonly

Miscellaneous

  • ms-cxh://TSET/ADDFAMILY
  • ms-cxh://WLT
  • ms-cxh://WLTUC