Starting with the September 2025 security update, new Windows 11 devices in enterprise and education environments will no longer reach the desktop without first downloading and installing the latest cumulative quality update. Microsoft is embedding update checks directly into the Out-of-Box Experience (OOBE), a move designed to erase the familiar post-deployment patching scramble. The change, controlled through Microsoft Intune’s Enrollment Status Page (ESP), applies to Entra-joined or hybrid-joined devices running Windows 11 version 22H2 or later.
For over a decade, IT teams have endured the same ritual: unbox a fleet of fresh laptops, image them, hand them to users, and then watch as Windows Update delivers multiple rounds of security fixes and reliability improvements. That gap—between first boot and full compliance—has been a breeding ground for vulnerabilities and help desk tickets. Microsoft’s new approach forces quality updates onto the device during the final OOBE screen, ensuring every managed PC arrives at the login prompt fully patched.
The New OOBE Update Mechanism
At the last step of Windows 11 setup, before a user ever signs in, the OS will now check Windows Update. If a quality update—the monthly cumulative security and reliability rollup—is available, it will be downloaded and installed. The process is visible: a progress indicator shows download and installation status, and the device may reboot one or more times before reaching the desktop. Crucially, only quality updates are forced; feature updates and driver packages are excluded from this OOBE injection.
Microsoft is not launching this as an opt-in experiment. On new ESP profiles created after the change takes effect, the toggle labeled “Install Windows quality updates (might restart the device)” defaults to Yes. Existing profiles keep their previous setting—meaning they default to No until an admin flips the switch. The catch is that many organizations rely on the default ESP profile when no explicit profile is assigned, and that profile will now permit updates during OOBE unless deliberately turned off. Admins must audit their configs immediately.
Admin Control via Intune ESP
The sole gatekeeper for this behavior is the Enrollment Status Page policy in Intune. Inside any ESP profile, under Devices > Enrollment > Enrollment Status Page, the new toggle sits plainly. Flipping it to “No” restores the old behavior: OOBE skips update checks and hands off the device to the user, who will then need to install patches separately. The setting can be assigned per Autopilot device group, letting organizations turn it on for mainstream fleets and off for kiosks, shared devices, or imaging labs.
That granularity is critical because the OOBE update process adds measurable time. Microsoft and early testers report an average provisioning extension of 20 minutes, though the real delay depends on update size, hardware speed, and network throughput. For a branch office with 200 new laptops booting simultaneously, the bandwidth drag can be significant.
Device Eligibility and Requirements
This capability is tightly scoped to managed commercial SKUs:
- Windows 11 Pro, Enterprise, Education, or SE, version 22H2 or later.
- Devices must be Microsoft Entra-joined (formerly Azure AD) or Entra hybrid-joined, and enrolled in an MDM that supports Autopilot/ESP—Intune is the primary control plane.
- The system image must carry the OOBE update orchestration logic. That means OEMs must ship units with the June 2025 servicing package or a later vendor OOBE zero-day patch. Without it, the update UI won’t appear, and the device will fall back to legacy behavior.
Consumer devices and Windows 10 systems are untouched by this policy. With Windows 10 mainstream support ending in October 2025, the pressure to migrate to Windows 11 only intensifies.
Why Microsoft Is Forcing This Change
The justification is layered in security and operational pragmatism. Devices that hit the desktop already patched shrink the window of exposure for zero-day and recently disclosed vulnerabilities. Help desks field fewer “my new laptop is updating again” calls. Compliance auditors see a fleet that meets baseline requirements from minute one. Combined with Windows Update for Business deferral policies, an organization can ensure new arrivals land on an approved, known-good cumulative update.
For large seasonal rollouts, new-hire waves, or device refresh cycles, reducing post-deployment patching friction is a genuine win. Microsoft frames it as closing a long-standing gap that forced IT to choose between immediate security and streamlined provisioning.
Operational Headaches IT Must Address
No infrastructure change comes free. The immediate pain points are:
- Longer provisioning time: That extra 20 minutes—more on slow hardware or congested networks—delays user productivity and can disrupt tightly scheduled deployment windows.
- Temporary Access Pass (TAP) expiry: Organizations that rely on short-lived enrollment tokens face a real risk of the pass expiring while updates install. Microsoft recommends extending TAP validity during enrollment windows.
- Network saturation: Hundreds of devices simultaneously pulling cumulative updates from Windows Update can crush WAN links in branch offices. Delivery Optimization and peer caching become mandatory.
- Forced updates via default profiles: If no ESP profile is assigned, or the default ESP profile hasn’t been reviewed, devices will silently pull updates during OOBE. Audit your Intune environment now.
- Policy misalignment: The OOBE update check respects Update Rings and pause policies—but only if those policies are synced to the device before the final OOBE page. If the groups don’t match, deferrals may be ignored.
- Loss of control perception: Some admins see this as Microsoft tightening its grip on update delivery, chipping away at the flexibility needed for specialized workflows or offline deployment labs.
Mitigation Strategies and Best Practices
IT teams can turn this change into an advantage with deliberate preparation:
- Lab testing: Create representative ESP profiles with the toggle on and off, and measure OOBE duration across common device models. Include images with the June 2025 servicing package applied.
- Audit ESP assignments: Map every Autopilot device group to an ESP profile. Pay special attention to the Intune default ESP profile—it’s the silent enabler.
- Align update policy groups: Ensure Windows Update Rings and ESP profiles target the same device groups so policy syncs before the OOBE update check.
- Extend token lifetimes: If using TAP for enrollment, bump validity to accommodate the additional provisioning time.
- Network preparation: Configure Delivery Optimization, branch cache, or peer-to-peer caching, especially for branch offices or staging centers. Stage images with the servicing updates baked in to reduce first-boot download size.
- Exclusion groups: For devices that cannot tolerate extra OOBE time—kiosks, dedicated lab machines, field units—create a separate ESP profile with the toggle set to No and assign it to those Autopilot groups.
- Vendor coordination: Confirm with OEMs and system integrators that shipped images include the required OOBE patch. A missing patch means the feature doesn’t work, leading to inconsistent behavior across the fleet.
Step-by-Step Configuration Guide
To enable or disable the feature in Intune:
- Sign into the Microsoft Intune admin center.
- Go to Devices > Enrollment > Enrollment Status Page.
- Open an existing ESP profile or create a new one.
- In the Settings tab, locate “Install Windows quality updates (might restart the device).”
- Set to Yes to activate OOBE updates, or No to preserve the legacy flow.
- Assign the profile to the correct Autopilot device groups, respecting priority order when multiple profiles apply.
- Verify that Update Rings profiles are linked to those same groups.
This same toggle can be mirrored via Group Policy or other MDMs that support ESP configuration, but Intune remains the primary management surface.
Supply Chain and OEM Considerations
The hardware pipeline must adapt. Devices shipped from the factory or imaged by a reseller need the June 2025 servicing package or the later August OOBE zero-day package. Without it, the OOBE update UI won’t trigger, and the device behaves as if the feature doesn’t exist. Enterprises relying on third-party provisioning services should mandate this baseline in their purchase agreements. Staging centers that unbox and configure devices at scale must account for the extra time and bandwidth; resellers may need to pre-stage updates before shipping units to end users.
The Broader Enterprise Impact
Microsoft’s move is as much cultural as technical. It accelerates the shift toward cloud-managed, Intune-driven administration and forces a discussion about who controls the first moments of a device’s life. For many IT pros, the reduction in “first-day” tickets and improved security posture are worth the trade. For others running highly regulated or offline environments, the new default can feel like a breach of administrative autonomy. The reality is that Microsoft has provided the off switch, but it demands proactive governance. The most common mistake will be assuming old configs persist and ignoring the new toggle until a mass provisioning event goes sideways.
Final Recommendations
For the majority of corporate fleets—knowledge-worker laptops and desktops enrolling via Autopilot with Intune—enabling quality updates during OOBE is a net positive. It reduces the attack surface, cuts help desk noise, and aligns with compliance goals. The exceptions—branch offices on congested WANs, time-sensitive enrollment scenarios, or non-Intune MDM environments—should block the feature via ESP exclusion profiles until they can test and mitigate the side effects.
The September 2025 security update marks a turning point: Windows setup will no longer be a vulnerable waiting period. Administrators who treat this as a catalyst to audit their provisioning stack, align update policies, and educate their support teams will find the post-deployment patching marathon dramatically shortened. Those who don’t will discover it at scale, when 500 new devices all try to download the same 700 MB cumulative update on a Monday morning.