Microsoft will begin installing Windows quality updates during the out-of-box experience (OOBE) by default for eligible Microsoft Entra-joined and Entra-hybrid-joined devices running Windows 11, version 22H2 and later, starting with the September 2025 security update. The change, signaled earlier this year and formalized in recent communications, aims to close the security gap that exists between the moment a device lands on a desk and the first user sign-in, while giving IT administrators a new toggle in Microsoft Intune’s Enrollment Status Page (ESP) to control the behavior.

Why OOBE patching matters now

For years, IT pros have wrestled with the “day-one patch storm” — the flurry of security and reliability updates that hit a freshly imaged or unboxed Windows device immediately after setup. Each reboot saps productivity and erodes the out-of-box experience for employees. By moving critical quality updates into the provisioning flow itself, Microsoft eliminates many of those post-enrollment reboots and ensures that devices are in a known-secure state before any user credentials are ever entered.

The COVID-era shift to remote work and the rising cost of zero-day exploits have only sharpened the need for a device that arrives patched and compliant from the first tap on the keyboard. This policy-controlled OOBE update capability delivers that, while keeping admins firmly in the driver’s seat through Intune policies.

What exactly changes, and when

The new behavior hinges on a simple rule: on devices that are eligible and managed by Intune (or a compatible MDM), the final page of OOBE will check Windows Update for applicable quality updates — monthly security and reliability packages — and install them automatically. Feature updates, driver updates, and optional content are excluded, keeping the footprint small and the risk of mid-provisioning failures low.

Timeline
- August 2025: The new ESP setting appears in the Intune admin center. New Enrollment Status Page profiles default to “Yes” (install updates during OOBE); existing profiles default to “No” unless changed.
- September 2025: The September Windows security update makes the OOBE update behavior the default for all eligible devices, regardless of ESP profile state. Devices that do not have the prerequisite platform updates (June 2025 non-security release or the August 2025 OOBE zero-day patch) may not display the setting, but they will still attempt to install quality updates during OOBE if the underlying components are present.

Eligibility
- Windows 11, version 22H2 or later (Pro, Enterprise, Education, SE)
- Microsoft Entra joined or Entra hybrid joined
- Managed by Microsoft Intune (or a third-party MDM that supports ESP)
- Workplace join scenarios are not supported for this feature.

Inside the Enrollment Status Page toggle

In the Intune admin center, under Devices > Enrollment > Enrollment Status Page, administrators will find a new checkbox: Install Windows quality updates (might restart the device). This single toggle governs whether OOBE pauses to download and apply the latest cumulative update before handing control to the user. New ESP profiles created after the August update have the box checked by default; profiles created earlier will have it unchecked until an admin edits them.

Critically, if a device is enrolled using Autopilot device preparation policies — which bypass the traditional device ESP — admins currently have no way to disable OOBE updates. Those devices will always apply quality updates during provisioning. Organizations mixing enrollment paths must account for this asymmetry in their rollout plans.

Prerequisites and platform dependencies

The ESP setting itself requires that the device’s provisioning image includes the necessary servicing stack updates. Microsoft points to two deliverables:

  • The June 2025 non-security preview update (or later cumulative update) injected into custom images, or
  • The August 2025 out-of-box zero-day patch (ZDP), which gets delivered automatically to devices that boot to OOBE after that date.

If a device lacks these platform updates, the ESP setting won’t appear in an applied profile, but the device may still attempt to pull quality updates during OOBE if the underlying servicing components are present. The only surefire way to gain full policy control is to refresh golden images with at least the June 2025 cumulative update or to allow the device to receive the ZDP during the very first OOBE boot.

How the workflow plays out

  1. Device boots to OOBE and connects to a network.
  2. During the final OOBE screen, Windows Update is queried for quality updates.
  3. If applicable updates are found, they are downloaded and installed. A restart may occur.
  4. The OOBE progress indicator shows “Installing updates” so the user knows the device is still provisioning.
  5. After the update completes (and any reboot finishes), the sign-in screen appears.

Admins who have assigned a Windows Update rings policy to the same Autopilot device group or to “All devices” can also enforce deferral and pause windows during OOBE. ESP synchronizes those policies before the final update check, so the device respects organizational patch timing — critical for teams that perform validation cycles before broad deployment.

Operational impact: longer provisionings, higher bandwidth

Applying a cumulative update during OOBE adds anywhere from a few minutes to over half an hour, depending on update size, network speed, and device hardware. For a single remote employee, the delay is an acceptable trade‑off for immediate security. For a school imaging 300 laptops in a single afternoon or an enterprise staging thousands of devices for a merger, the bandwidth and time implications demand planning.

Microsoft’s own guidance, echoed in community experience, recommends several mitigations:

  • Use Delivery Optimization or Microsoft Connected Cache to reduce WAN egress during mass enrollments.
  • Keep golden images current — refreshing master images after the June 2025 update dramatically reduces the size of the OOBE-captured delta.
  • Stage deployments to avoid saturating low-bandwidth links, especially in retail or remote-office scenarios.
  • Align helpdesk SLAs with the new, longer provisioning windows so that first-call resolution metrics don’t tank unexpectedly.

For networks that cannot reach Windows Update endpoints (air-gapped environments or restricted firewalls), OOBE updates will fail, and provisioning may stall. In those cases, local update caching apparatus becomes essential, or admins must revert to legacy offline imaging workflows that pre‑inject the latest cumulative update.

Real‑world deployment scenarios

Small IT shop (50–200 devices)
The simplest path is to pilot on a handful of workstations where the network is fast and stable. Enable the ESP toggle for those devices, monitor provisioning telemetry for two weeks, then expand to the rest of the fleet. If bandwidth is limited, leave the toggle off for retail or remote‑worker machines until Delivery Optimization or Connected Cache can be configured.

Enterprise imaging (1,000+ devices)
Refresh golden images monthly, starting with the June 2025 non‑security update. Pair the ESP setting with a staged Autopilot rollout: first a ring of ten devices, then one hundred, then all new enrollments. Measure not just update success rates but also the real‑world time added per device, and adjust helpdesk staffing for the initial flood of “why is my new laptop taking so long?” tickets.

Education labs
Pre‑stage images refreshed after June 2025; schedule OOBE provisioning during off‑hours (overnight or over a weekend) to avoid saturating the building’s internet link during class time. Pilot in a single computer lab before campus‑wide rollout.

Staying in control: policy synchronization checklist

To keep the default behavior from overrunning your patching cadence, follow these steps:

  1. In the Intune admin center, go to Devices > Enrollment > Enrollment Status Page.
  2. Create or edit your ESP profile. For pilot groups, set Install Windows quality updates to “Yes”; for groups you want to exempt during initial testing, leave it “No.”
  3. Assign a Windows Update rings profile to the same Autopilot device group (or to “All devices”) so that deferral and pause settings are synced before the OOBE update check.
  4. Verify that your provisioning images contain the June 2025 non‑security update or that devices will receive the August 2025 ZDP. If not, update your imaging pipeline immediately.
  5. Pilot with a representative mix of hardware and monitor the Enrollment Status Page for failures or unexpected restarts.
  6. Expand gradually, using phased Autopilot groups, until all new devices are receiving OOBE updates under your policy umbrella.

Caveats, edge cases, and what admins are already saying

Community discussions highlight a few friction points. The biggest is the sheer variability of update size: a device that sits in a warehouse for three months may need a bulky cumulative update, while a freshly rebuilt image may need nothing at all. That unpredictability makes it tough to give end users an accurate time estimate.

Another pain point: third‑party MDM platforms that mimic ESP behavior but don’t fully align with Microsoft’s policy synchronization model. If your MDM doesn’t submit the ESP profile as a “tracked policy,” OOBE may bypass your intended settings. Confirm with your vendor and test extensively in a lab.

Finally, Microsoft is not bringing hotpatch capabilities into OOBE at this stage. Hotpatch remains a separate, SKU‑restricted feature for post‑enrollment maintenance, managed through Intune quality update policies. Don’t expect OOBE to deliver hotpatch-enhanced binaries.

What this signals for Windows management

The default-on OOBE quality update is part of a broader shift toward a “trust but verify” posture for device provisioning. Enterprises have been asking for years to reduce the window of vulnerability between imaging and user sign‑in. By making the change default and providing a simple off‑switch in ESP, Microsoft is nudging the entire ecosystem toward a more secure baseline while respecting the reality that some environments can’t tolerate longer setup times.

For IT, the message is clear: provisioning must now be treated as an extension of your patch management strategy. The days of handing a user a pristine-but-vulnerable device and telling them to “run Windows Update” are numbered. With careful piloting, policy alignment, and network planning, organizations stand to gain a dramatic improvement in day‑one security posture without sacrificing user experience.

If your images are stale and your ESP profiles untouched, now is the time to act. The September 2025 security update will turn on OOBE quality updates whether you’ve planned for them or not — and the only way to guarantee a smooth rollout is to test, tweak, and scale before the switch flips.