Starting September 2025, Microsoft will implement a change in how Windows 11 devices are set up for enterprise and education customers. Eligible users will receive the latest Windows quality updates during the out-of-box experience (OOBE), streamlining the initial setup process.
The primary objective of this adjustment is to enhance security and stability from the outset. The installation of quality updates during OOBE aims to reduce the number of updates needed post-deployment, ensuring devices are promptly secured with the latest bug fixes and improvements.
The process will unfold on the final page of the OOBE. The device will initiate a check for available Windows Updates and proceed to install any quality updates it finds. This ensures the system is patched before the user’s initial login. Microsoft stated that this allows for “seamless control over quality update behavior during provisioning, while ensuring alignment with organizational security and compliance requirements.”
This modification will not extend to unmanaged consumer devices. It will specifically affect Microsoft Entra-joined or hybrid-joined PCs operating on Windows 11 version 22H2 or later. These PCs must also be managed through Intune or other supported mobile device management (MDM) solutions with an Autopilot Enrollment Status Page (ESP) profile for the new update process to take effect.
IT administrators retain control over the update process through the Intune admin center. They can navigate to Devices | Enrollment | Enrollment Status Page and adjust the “Install Windows Quality Updates (Might Restart The Device)” setting to manage the installation of these updates during OOBE.
By default, new ESP profiles will have this option enabled. Conversely, existing profiles will retain their current setting of “No” until administrators manually adjust the configuration. This allows IT departments to control the rollout of the new feature and assess its impact on their existing workflows.
Devices lacking an assigned ESP profile will automatically install the updates, a process that cannot be disabled. This could affect organizations reliant on Autopilot device preparation policies, as the updates will be enforced by default in these scenarios.
The update process will also respect any configured pause and deferral rules, provided these settings are properly configured in Update Rings and assigned to the same group as the ESP profile. Microsoft has indicated that inconsistent application of settings may occur without this alignment.
For IT teams, this shift reduces the workload associated with patching devices immediately after deployment and helps ensure systems are compliant from the start. However, users may experience a longer setup time. Reports suggest the OOBE process could extend by up to 20 minutes.
At Black Hat 2025, Microsoft also discussed its security teams’ efforts to proactively address cyber threats and preempt attacks.
