Microsoft will begin installing Windows quality updates during the out‑of‑box experience (OOBE) by default for eligible Microsoft Entra‑joined and Entra‑hybrid‑joined devices running Windows 11, version 22H2 and later, and administrators can control the behavior through an Enrollment Status Page (ESP) setting in Microsoft Intune that ships with the August/September 2025 servicing timeline. (techcommunity.microsoft.com)

Background

Microsoft has been iterating on the device provisioning and OOBE experience for months, driven by two related goals: reduce the “day‑one” patching burden and improve security posture at first sign‑in. The company first signaled the shift earlier in 2025 and followed with details that quality updates — not feature or driver updates — will be applied during the final OOBE page when a device checks Windows Update. This capability arrives as a policy‑controlled behavior surfaced in the Intune Enrollment Status Page (ESP). (techcommunity.microsoft.com)
Why this matters now
  • Devices that are shipped directly to end users or imaged by IT typically require immediate post‑deployment updates; applying quality updates during OOBE trims the restart/patch storm that traditionally greets first sign‑in. (techcommunity.microsoft.com)
  • Microsoft plans to enable this by default with the September 2025 Windows security update, while Intune and Autopilot control surfaces are being updated in August 2025 to give admins manageable guardrails. (app.cloudscout.one, techcommunity.microsoft.com)

What Microsoft announced — the essentials

Which updates will be applied during OOBE?

  • Quality updates (monthly security and reliability quality releases) only. Feature updates and driver updates are excluded from the OOBE install path. This is an important distinction: OOBE installs will aim to ensure the device has the latest security and quality fixes without attempting large feature upgrades or hardware driver changes that can add complexity. (techcommunity.microsoft.com, app.cloudscout.one)

Which devices are eligible?

  • Devices must be on Windows 11, version 22H2 or later, and the supported SKUs include Pro, Enterprise, Education, and SE. Devices must be Microsoft Entra joined or Entra hybrid joined and managed by Intune (or a compatible MDM that leverages ESP). (techcommunity.microsoft.com, learn.microsoft.com)

When and how the default takes effect

  • Starting with the September 2025 Windows security update, Microsoft will make the OOBE quality‑update behavior default for eligible devices. Intune’s ESP will include a new setting to allow admins to change or confirm this behavior; new ESP profiles will default to “Yes” (install quality updates during OOBE), while pre‑existing ESP profiles may default to “No” and require an edit to enable. (techcommunity.microsoft.com, app.cloudscout.one)

Intune Enrollment Status Page (ESP) control

  • The new ESP option appears in the Microsoft Intune admin center at Devices > Enrollment > Enrollment Status Page under the ESP profile settings: Install Windows quality updates (might restart the device). Use this setting to confirm or control whether quality updates install during provisioning. Preexisting ESP profiles default to “No”; newly created profiles default to “Yes.” (techcommunity.microsoft.com, learn.microsoft.com)

How this behaves in real deployments

Typical workflow during OOBE

  • Device boots into OOBE and connects to the internet.
  • On the final OOBE page, the device checks Windows Update for applicable quality updates.
  • If eligible quality updates are found, the device downloads and installs them and may restart before handing control to the user for first sign‑in. The OOBE progress screen will show the update in progress. (techcommunity.microsoft.com)

Requirements administrators must meet

  • Devices must be managed by Microsoft Intune (or an MDM that supports ESP profile application).
  • Devices must be Entra joined or Entra hybrid joined; workplace join scenarios are not supported for this OOBE behavior. (learn.microsoft.com)
  • Devices must have the prerequisite servicing payloads that include the new ESP setting — this may be delivered via the August 2025 OOBE zero‑day patch (ZDP) or via imaging with the June 2025 non‑security update or later. If those platform updates are missing, the ESP setting will not be present.
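The eligibility and requirement bullets above can be checked on a pilot device before you rely on the new ESP behavior. The following PowerShell script is an added example (not from the Microsoft announcement or Intune documentation): it reads the OS build and edition from the registry, classifies the join state from dsregcmd output, and compares the installed servicing revision (UBR) against a minimum you supply. The EditionID mapping to the announced SKUs and the `-MinimumUbr` placeholder are assumptions; take the UBR for your build from the KB article of the June 2025 non‑security update or the August 2025 OOBE ZDP.

```powershell
<#
  Added example, not Microsoft's code. Run as an administrator on a pilot
  device to confirm the stated OOBE quality-update prerequisites:
  Windows 11 22H2 or later, a supported SKU, the servicing baseline that
  carries the ESP setting, and Entra joined or Entra hybrid joined state.
#>
function Test-OobeQualityUpdateReadiness {
    param(
        # Placeholder: UBR of the June 2025 non-security update (or August
        # 2025 OOBE ZDP) for this build, taken from the KB article. 0 skips it.
        [int]$MinimumUbr = 0
    )

    $ver   = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'
    $build = [int]$ver.CurrentBuild
    $ubr   = [int]$ver.UBR

    # Windows 11 22H2 is build 22621; 23H2 and 24H2 carry higher build numbers.
    $osOk = $build -ge 22621

    # Assumed EditionID values for the SKUs named in the announcement
    # (Pro, Enterprise, Education, SE). Validate against your own images.
    $supported = 'Professional', 'ProfessionalEducation', 'Enterprise', 'Education', 'CloudEdition'
    $skuOk = $supported -contains $ver.EditionID

    # Servicing baseline required for the ESP setting to be present.
    $servicingOk = ($MinimumUbr -eq 0) -or ($ubr -ge $MinimumUbr)

    # Join state from dsregcmd. Entra joined and Entra hybrid joined qualify;
    # workplace-joined (registered only) devices do not.
    $ds     = & dsregcmd.exe /status
    $entra  = [bool]($ds | Select-String -Pattern '^\s*AzureAdJoined\s*:\s*YES')
    $domain = [bool]($ds | Select-String -Pattern '^\s*DomainJoined\s*:\s*YES')
    $joinState = 'NotEligible'
    if ($entra -and $domain) { $joinState = 'EntraHybridJoined' } elseif ($entra) { $joinState = 'EntraJoined' }
    $joinOk = $joinState -ne 'NotEligible'

    [pscustomobject]@{
        ComputerName   = $env:COMPUTERNAME
        Build          = '{0}.{1}' -f $build, $ubr
        DisplayVersion = $ver.DisplayVersion
        EditionID      = $ver.EditionID
        JoinState      = $joinState
        OsVersionOk    = $osOk
        SkuOk          = $skuOk
        ServicingOk    = $servicingOk
        JoinStateOk    = $joinOk
        Eligible       = ($osOk -and $skuOk -and $servicingOk -and $joinOk)
    }
}

# Usage: replace 0 with the UBR from the relevant KB for your build.
Test-OobeQualityUpdateReadiness -MinimumUbr 0 | Format-List
```

The object it returns can be exported from each pilot device (for example with Export-Csv) so that the devices reporting Eligible = False are excluded from the pilot ESP group until their image or join state is corrected.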

Important current limitation

  • If a device is enrolled using Autopilot device preparation policies rather than a device ESP, admins may not be able to turn off OOBE updates — those device flows will apply updates by default. Plan for that difference when designing enrollment paths.

Operational recommendations for IT teams

Control deferrals and pause windows during OOBE

To ensure that the organization’s Windows Update deferral and pause policies are respected during OOBE, assign the same Windows Update rings profile to the preregistered Autopilot device group (or All devices) as the ESP profile. During provisioning, ESP synchronizes update ring settings before the final OOBE check occurs so the device adheres to your organization’s deferrals. If you do not synchronize assignments, pause and deferral settings might be inconsistently applied. (techcommunity.microsoft.com)

Pilot and validate — 6 practical steps

  • Create a pilot ESP profile in Intune with the new setting toggled on, and restrict it to a small, representative group of devices (hardware mix, image types). (learn.microsoft.com)
  • Assign Windows Update rings to the same group to validate deferral behavior during OOBE. (techcommunity.microsoft.com)
  • Measure provisioning time and update download sizes; include these metrics in helpdesk triage and SLA planning. Expect longer provisioning for devices that must download cumulative packages over slower WAN links.
  • Use local caching (Connected Cache, delivery optimization, or local WSUS/Windows Update for Business deployment service) for mass deployment events to limit WAN impact. (learn.microsoft.com)
  • Verify required platform updates (June 2025 non‑security image or August 2025 OOBE ZDP) are applied to images used for provisioning so the ESP setting is present.
  • Staged rollout — expand from pilot to broad deployment only after validating app compatibility, update success rates, and restart behavior. (app.cloudscout.one)

Bandwidth and provisioning-time implications

Applying updates during OOBE will increase per‑device provisioning time and network load when large batches are imaged or autoprovisioned. For large labs or school deployments, schedule staging windows, validate caching, or pre‑stage images refreshed after June 2025 to reduce per‑device downloads. For remote users or low‑bandwidth scenarios provide guidance (or alternate enrollment flows) that avoid blocking productivity.

Security and compliance advantages

  • Day‑one security: Devices arrive to users already patched to the latest approved quality update, reducing exposure from zero‑day vulnerabilities during the initial login period. This is particularly valuable for high‑risk environments or segmented networks. (techcommunity.microsoft.com, app.cloudscout.one)
  • Consistent baselines: Organizations gain more predictable, repeatable baselines for audits and compliance checks when OOBE enforces the approved quality update state. This simplifies documentation and reduces remediation work in the days after an image is deployed. (techcommunity.microsoft.com, learn.microsoft.com)

Risks, edge cases, and things to watch

Increased provisioning time creates user friction

Applying quality updates during OOBE will often add minutes to the setup flow. For end users receiving new devices in retail or kiosk settings, this extra time must be communicated; for enterprise imaging workflows, schedule enrollment windows to account for longer provisioning windows.

Offline or constrained networks

Devices that cannot access Microsoft Update endpoints — or are on highly metered connections — may fail to complete OOBE updates. Provide alternate enrollment paths for such deployments or ensure local caching infrastructures (Connected Cache, Delivery Optimization) are in place for large‑scale rollouts. (learn.microsoft.com)

Hotpatches, feature parity, and scope limits

  • Not every fix is delivered during OOBE. Microsoft explicitly excludes feature updates and many driver updates from the OOBE quality update path. For high‑availability choices like hotpatching, different eligibility and prerequisites apply (hotpatch requires specific SKUs and configuration), and those are managed separately via Intune quality update policies. Don’t conflate OOBE quality updates with hotpatch capabilities. (learn.microsoft.com)

Devices not using ESP or non‑compatible MDMs

If your MDM does not use the Enrollment Status Page or if devices are enrolled in a flow that bypasses ESP, administrators may not be able to disable OOBE updates; design your enrollment architecture accordingly. Some third‑party MDMs offer ESP‑compatible implementations — confirm with your provider and ensure the ESP profile is designated as a tracked policy so OOBE policies apply.

How to prepare step‑by‑step (for Intune administrators)

  • In the Microsoft Intune admin center, go to Devices > Enrollment > Enrollment Status Page. (learn.microsoft.com)
  • Create or edit the ESP profile you deploy to Autopilot preregistered groups (or to All devices). New ESP profiles default to installing quality updates during OOBE; preexisting ones may default to “No.” Toggle Install Windows quality updates (might restart the device) to “Yes” or “No” according to your policy. (techcommunity.microsoft.com, learn.microsoft.com)
  • If you want OOBE to respect deferrals and pause windows, assign your Windows Update rings policy to the same Autopilot preregistered device group (or All devices). ESP synchronizes update ring settings during provisioning. (techcommunity.microsoft.com)
  • Validate that your provisioning images contain the June 2025 non‑security updates (or that devices receive the August 2025 OOBE ZDP) to ensure the ESP setting is present. If not, update your images or plan a pre‑enrollment remediation path.
  • Pilot on a small scale, evaluate provisioning telemetry, and monitor update success/fallout before broad rollout. (app.cloudscout.one)
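Two of the steps above (confirming the ESP setting on each profile, and assigning Windows Update rings to the same groups so deferrals and pauses apply during OOBE, as also described under "Control deferrals and pause windows") can be audited from a tenant rather than clicked through in the admin center. The following PowerShell script is an added example, not Microsoft's or Intune's code. It uses the Microsoft.Graph.Authentication module (Connect-MgGraph and Invoke-MgGraphRequest) against the beta Graph endpoint, lists each ESP profile's quality‑update setting, and reports whether every group the ESP profile targets is also targeted by an update ring. The property name `installQualityUpdates` on the windows10EnrollmentCompletionPageConfiguration resource is an assumption; confirm it in Graph Explorer for your tenant before trusting the column.

```powershell
<#
  Added example, not Microsoft's code. Read-only audit of Intune ESP
  profiles and Windows Update ring assignments via Microsoft Graph (beta).
  Requires: Install-Module Microsoft.Graph.Authentication
#>
Connect-MgGraph -Scopes 'DeviceManagementServiceConfig.Read.All', 'DeviceManagementConfiguration.Read.All' -NoWelcome

$beta = 'https://graph.microsoft.com/beta'

function Get-GraphCollection {
    # Fetches a collection and follows @odata.nextLink paging.
    param([string]$Uri)
    $items = @()
    do {
        $page = Invoke-MgGraphRequest -Method GET -Uri $Uri
        if ($page.value) { $items += $page.value }
        $Uri = $page.'@odata.nextLink'
    } while ($Uri)
    return $items
}

function Get-TargetGroups {
    # Returns the group ids a policy is assigned to; 'AllDevices' stands in
    # for the built-in all-devices target. Exclusions are ignored here.
    param([string]$AssignmentsUri)
    foreach ($a in Get-GraphCollection -Uri $AssignmentsUri) {
        switch ($a.target.'@odata.type') {
            '#microsoft.graph.groupAssignmentTarget'      { $a.target.groupId }
            '#microsoft.graph.allDevicesAssignmentTarget' { 'AllDevices' }
        }
    }
}

# Enrollment Status Page profiles.
$espProfiles = Get-GraphCollection -Uri "$beta/deviceManagement/deviceEnrollmentConfigurations" |
    Where-Object { $_.'@odata.type' -eq '#microsoft.graph.windows10EnrollmentCompletionPageConfiguration' }

# Windows Update rings (Update rings for Windows 10 and later).
$rings = Get-GraphCollection -Uri "$beta/deviceManagement/deviceConfigurations" |
    Where-Object { $_.'@odata.type' -eq '#microsoft.graph.windowsUpdateForBusinessConfiguration' }

# Map each targeted group (or AllDevices) to the ring that covers it.
$ringByGroup = @{}
foreach ($r in $rings) {
    foreach ($g in Get-TargetGroups -AssignmentsUri "$beta/deviceManagement/deviceConfigurations/$($r.id)/assignments") {
        $ringByGroup[$g] = $r.displayName
    }
}

# One row per ESP profile / target group pair.
$report = foreach ($p in $espProfiles) {
    $targets = @(Get-TargetGroups -AssignmentsUri "$beta/deviceManagement/deviceEnrollmentConfigurations/$($p.id)/assignments")
    foreach ($g in $targets) {
        $ring = $null
        if ($ringByGroup.ContainsKey($g))                { $ring = $ringByGroup[$g] }
        elseif ($ringByGroup.ContainsKey('AllDevices'))  { $ring = $ringByGroup['AllDevices'] }
        [pscustomobject]@{
            EspProfile            = $p.displayName
            InstallQualityUpdates = $p.installQualityUpdates   # assumed property name; verify in Graph Explorer
            TargetGroup           = $g
            UpdateRingAssigned    = [bool]$ring
            UpdateRing            = $ring
        }
    }
}

$report | Format-Table -AutoSize

# Rows to act on: OOBE updates enabled but no update ring covering the same group.
$report | Where-Object { $_.InstallQualityUpdates -and -not $_.UpdateRingAssigned }
```

The last pipeline is the actionable output: any ESP profile that installs quality updates during OOBE but targets a group no update ring covers is where deferral and pause settings may be applied inconsistently. The script matches on group id only, so a ring assigned to a different group that happens to contain the same devices will show as unassigned; treat the result as a prompt to review, not as a final verdict.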

Practical scenarios and examples

Small IT shop (50–200 devices)

  • Recommendation: enable ESP OOBE updates only for pre‑staged workstation groups where bandwidth is stable; leave retail or mixed‑user deliveries disabled until pilot results are confirmed. Use Delivery Optimization with peer caching to reduce WAN pull.

Enterprise imaging (1,000+ devices)

  • Recommendation: refresh your golden image media monthly (Microsoft’s guidance encourages updated install media after June 2025) to reduce the number of updates required during OOBE. Pair ESP settings with a staged Autopilot rollout and robust local caching. Expect to adjust helpdesk SLAs for the initial days of rollout. (techcommunity.microsoft.com)

Education / labs

  • Recommendation: use pre‑staged images refreshed after June 2025 where feasible; schedule device provisioning in overnight batches to avoid daytime network contention; pilot on a single lab before campus‑wide rollout.

Verification and sources checked

Key claims and configuration steps in this article are verified from Microsoft’s Windows IT Pro announcement about quality updates in OOBE and Intune documentation for enrollment and expedited quality updates, as well as recent change notices that place the default behavior in the September 2025 security update window. Administrative guidance and operational warnings were cross‑checked with Intune guidance on expedited quality updates and community/technical notes that document expected provisioning and network impacts. (techcommunity.microsoft.com, learn.microsoft.com, app.cloudscout.one)
Caveat: some KB and servicing identifiers referenced by community threads are operationally useful but evolve rapidly. Validate the exact KB numbers and SSU/LCU prerequisites in your tenant prior to mass rollout. If there is any uncertainty about specific KB applicability or hotpatch eligibility for a particular SKU or architecture, treat that item as environment‑specific and validate in a lab before production.

Final analysis — what this means for Windows IT

Microsoft’s move to install quality updates during OOBE by default — controlled through Intune’s Enrollment Status Page — is a practical evolution that reflects modern enterprise expectations for secure, ready‑to‑use devices. The strengths are clear: improved security posture from first sign‑in, fewer post‑deployment reboots, and more predictable baselines that ease compliance and reduce immediate helpdesk toil. (techcommunity.microsoft.com)
However, the change also forces IT organizations to treat provisioning as part of their patching and network planning. Expect longer provisioning times, additional WAN demand during mass enrollments, and the need to verify image and policy prerequisites before enabling the new default. With careful piloting, local caching, and policy synchronization between ESP and Update rings, organizations can reap the security benefits while limiting the operational cost. (learn.microsoft.com)

Quick checklist for rollout readiness

  • Ensure devices are Windows 11 22H2+ and enrolled in Intune (Entra joined/hybrid joined). (learn.microsoft.com)
  • Confirm images include the June 2025 non‑security update or apply the August 2025 OOBE ZDP to devices so the ESP setting exists.
  • Edit or create ESP profiles in Intune and set Install Windows quality updates as required for pilot groups. (learn.microsoft.com)
  • Assign Windows Update rings to the same groups to synchronize deferrals and pause windows. (techcommunity.microsoft.com)
  • Pilot with a small cohort, validate application compatibility and provisioning telemetry, then expand. (app.cloudscout.one)

With its August/September 2025 updates, Microsoft is moving provisioning toward a more secure, consistent, and modern operational model. IT teams that prepare images, align update policies with ESP profiles, and stage pilots carefully will get the benefits — fewer surprises for end users, fewer first‑day reboots, and a stronger day‑one security posture for every new Windows device. (techcommunity.microsoft.com, learn.microsoft.com)

Source: Microsoft - Message Center Get ready for Windows quality updates out of the box - Windows IT Pro Blog