Windows 11 OOBE Now Installs Quality Updates via Intune ESP

Microsoft is changing the first moments of life for many Windows 11 PCs: eligible devices can now check for and install the latest monthly quality updates during the final Out‑of‑Box Experience (OOBE) so users sign in to a patched, compliant system — and administrators control the behavior from the Enrollment Status Page (ESP) in Microsoft Intune.

Background

For years IT teams have faced the same predictable problem: brand‑new or freshly imaged devices arrive to users with an OS image that is months out of date, triggering a scramble of downloads, reboots, and help‑desk tickets on day one. Microsoft’s response is to move the installation of quality updates — monthly cumulative security and reliability fixes — into the final OOBE screen so the device can automatically update itself before the first user sign‑in. That capability was delivered as OOBE servicing packages in the August 2025 servicing window and surfaced as a controllable option in Intune’s ESP.
This change is explicitly scoped to quality updates (LCU + SSU where applicable) and emergency zero‑day fixes; it does not install feature updates or broad driver rollouts during OOBE. Microsoft’s KB support pages for the shipped OOBE packages list this behavior and the files that implement the capability for various Windows 11 builds.

Overview — what’s new and why it matters

  • The final OOBE page can now perform a Windows Update check and install applicable quality updates before the first login.
  • Administrators manage the behavior via the Enrollment Status Page (ESP) profile in Microsoft Intune — a toggle labeled Install Windows quality updates (might restart the device). New ESP profiles created after the servicing payload is present default this toggle to Yes; existing profiles retain their previous setting and default to No until changed.
  • Devices that meet Microsoft’s eligibility rules (Windows 11, version 22H2 or later; Microsoft Entra‑joined or Entra hybrid‑joined; enrolled via Intune/Autopilot or assigned to All Devices) honor the ESP setting. Devices that do not meet those conditions may still apply monthly security updates during OOBE by default.
This is a pragmatic security move: reduce the “day‑one patch gap” and lower immediate post‑deployment remediation. However, it introduces operational trade‑offs — longer provisioning times, possible bandwidth spikes, and recovery considerations — that administrators must plan for. Community and trade press coverage following the August/September 2025 rollout reflects both optimism and caution from IT pros.

How the OOBE update flow works (technical details)

Sequence during OOBE

  • The device completes enrollment and provisioning steps (Autopilot registration, Entra join or hybrid join, MDM enrollment).
  • Before the final OOBE screen exits, Windows queries Windows Update for applicable quality updates.
  • If applicable updates exist, the device downloads and installs them while still in OOBE. One or more automated restarts may occur before the first sign‑in.

What gets installed — and what does not

  • Installs during OOBE: Quality updates (monthly cumulative security/reliability releases, possible combined SSU+LCU).
  • Not installed during OOBE: Feature updates (major OS releases) and mass driver packages. This scoping minimizes OOBE risk.

Visibility and user experience

When updates run in OOBE the setup sequence displays progress and status to the end user. Administrators should still expect additional elapsed time — real‑world pilots commonly report an added 20–30+ minutes depending on update size, hardware performance, and network speed. Devices should remain plugged in and online for the duration.

Eligibility, prerequisites and activation

Supported OS and SKUs

  • Target platform: Windows 11, version 22H2 or later (applies across supported SKUs including Pro, Enterprise, Education, and Windows 11 SE, depending on the KB). The OOBE packages for specific builds were released in late August 2025 (for example, KB5065813 for 22H2/23H2 and KB5065847 for 24H2).

Enrollment and management prerequisites

To honor the ESP toggle and the controlled OOBE quality update behavior, devices must meet these conditions:
  • Assigned to an ESP profile that has Install Windows quality updates (might restart the device) set to Yes.
  • Using a Windows Autopilot deployment profile with ESP enabled, or assigned using the All Devices assignment when not registered to Autopilot.
  • Running a currently supported Windows 11 release.
  • Enrolled in Intune (or a compatible MDM that mirrors ESP behavior).
Important edge cases:
  • Windows Autopilot device preparation: this flow does not use ESP, so monthly security update releases are always installed during OOBE for that path — the ESP toggle is not applicable.
  • Technician Flow for pre‑provisioned deployment: monthly security updates aren’t installed during the Technician Flow, but the ESP setting is honored during the User Flow portion.

Servicing payload requirements

Devices must either include the vendor OOBE zero‑day package (ZDP) delivered in August 2025 or be imaged with the June 2025 non‑security servicing update (or any later servicing package) so the OOBE orchestration logic is present. The KB articles list the OOBE servicing packages required for each Windows 11 build.

Enabling and verifying the feature in Intune — a practical admin guide

Where to look in the Microsoft Intune admin center

  • Sign in to the Microsoft Intune admin center.
  • Navigate to Devices > Enrollment > Enrollment Status Page (ESP).
  • Open the ESP profile assigned to your target devices and find the toggle Install Windows quality updates (might restart the device).
  • Set it to Yes to enable OOBE quality updates for devices that receive that ESP profile. Note that new ESP profiles created after the servicing payload appears will default to Yes; existing profiles remain set to No unless edited.
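The same inspection and change can be scripted so the toggle state of every ESP profile is visible at once rather than opened one profile at a time. The following PowerShell is an added example, not code from the article or from Microsoft; it assumes the Microsoft.Graph PowerShell SDK is installed, that ESP profiles are returned from the beta deviceEnrollmentConfigurations endpoint as windows10EnrollmentCompletionPageConfiguration objects, and that the toggle is exposed as a boolean property named installQualityUpdates (an assumption to verify against the current Graph reference before relying on it). It also assumes the tenant's enrollment configurations fit in a single Graph page; larger tenants should follow @odata.nextLink.

```powershell
# Added example (not from the article or Microsoft): report the "Install Windows quality
# updates" toggle on every Intune ESP profile and, on request, set it to Yes on one profile.
# Assumptions: Microsoft.Graph SDK installed; ESP profiles are
# windows10EnrollmentCompletionPageConfiguration objects; the toggle is the boolean
# property 'installQualityUpdates' on the beta endpoint (verify the property name).
#Requires -Modules Microsoft.Graph.Authentication

param(
    [string]$ProfileName,          # display name of the ESP profile to change; omit to only report
    [switch]$EnableQualityUpdates  # when set, PATCH the toggle to Yes on that profile
)

$base    = 'https://graph.microsoft.com/beta/deviceManagement/deviceEnrollmentConfigurations'
$espType = '#microsoft.graph.windows10EnrollmentCompletionPageConfiguration'

# Least privilege: read-only scope for reporting, ReadWrite only when a change is requested.
$scope = if ($EnableQualityUpdates) { 'DeviceManagementServiceConfig.ReadWrite.All' }
         else                        { 'DeviceManagementServiceConfig.Read.All' }
Connect-MgGraph -Scopes $scope -NoWelcome

# Single page assumed here; follow $page.'@odata.nextLink' for very large tenants.
$page        = Invoke-MgGraphRequest -Method GET -Uri $base
$espProfiles = @($page.value | Where-Object { $_.'@odata.type' -eq $espType })

# Report every ESP profile so a profile still at No (existing profiles default to No) stands out.
$espProfiles | ForEach-Object {
    [pscustomobject]@{
        Profile               = $_.displayName
        Priority              = $_.priority
        InstallQualityUpdates = $_.installQualityUpdates   # assumed property name (see header)
    }
} | Format-Table -AutoSize

if ($EnableQualityUpdates) {
    $target = $espProfiles | Where-Object { $_.displayName -eq $ProfileName }
    if (-not $target) { throw "ESP profile '$ProfileName' not found." }

    # The PATCH body must carry @odata.type so Graph binds the derived ESP configuration type.
    $body = @{
        '@odata.type'         = $espType
        installQualityUpdates = $true
    } | ConvertTo-Json

    Invoke-MgGraphRequest -Method PATCH -Uri "$base/$($target.id)" -Body $body -ContentType 'application/json'
    Write-Host "Set 'Install Windows quality updates (might restart the device)' to Yes on '$ProfileName'."
}
```

Run it without parameters first to see the current state of all profiles; only pass -ProfileName and -EnableQualityUpdates once the pilot group's profile has been identified, since the change takes effect for every device that receives that ESP profile.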

Important synchronization step

The ESP OOBE update step honors Windows Update for Business deferrals and pause policies — but only if the device has already received those settings prior to the final Windows Update scan. To guarantee settings are synchronized, assign the Windows Update rings policy to the same device group as the ESP profile so ring settings apply before the OOBE scan occurs. The ESP screen will not exit until ring settings are synced.

Quick checklist before turning it on broadly

  • Confirm images include the required OOBE servicing package (June 2025 servicing or August 2025 ZDP).
  • Verify devices are Microsoft Entra‑joined or hybrid‑joined and will be enrolled in Intune.
  • Align ESP assignments and Windows Update Rings to the same group(s).
  • Pilot with a representative cohort (network, hardware types, region).
  • Ensure Delivery Optimization and peer caching are configured to reduce WAN load.
  • Document rollback/recovery playbooks (bootable media, offline images) for potential OOBE failures.
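The first checklist item, confirming that an image or device carries the OOBE servicing logic, can be checked from PowerShell. The following is an added example, not code from the article or from Microsoft; it checks either the running OS or an offline image mounted with DISM (Mount-WindowsImage), using the August 2025 KB numbers named in this article. It assumes the DISM PowerShell module is available for the offline path and that the session is elevated (loading an offline registry hive requires it). Because an image serviced at the June 2025 level or later also satisfies the requirement, a missing ZDP is reported as "confirm the servicing level" rather than as a hard failure.

```powershell
# Added example (not from the article or Microsoft): check whether a device or a mounted
# offline image carries the OOBE quality-update servicing payload described in the article.
# Assumptions: elevated session; DISM module available for -MountPath; KB numbers are the
# August 2025 OOBE packages the article lists (KB5065813 for 22H2/23H2, KB5065847 for 24H2).

function Test-OobeServicingPrereqs {
    param(
        [string]$MountPath   # root of an image mounted with Mount-WindowsImage; omit for the running OS
    )

    # OOBE zero-day package per Windows 11 release, as listed in the article.
    $oobeKb = @{ '22H2' = 'KB5065813'; '23H2' = 'KB5065813'; '24H2' = 'KB5065847' }

    if ($MountPath) {
        # Offline image: read the release/build from its SOFTWARE hive and packages via DISM.
        $hiveFile = Join-Path $MountPath 'Windows\System32\config\SOFTWARE'
        reg.exe load 'HKLM\OfflineSoftware' $hiveFile | Out-Null
        try {
            $cv = Get-ItemProperty 'HKLM:\OfflineSoftware\Microsoft\Windows NT\CurrentVersion'
        } finally {
            # Release handles before unloading, otherwise the unload can fail.
            [gc]::Collect()
            reg.exe unload 'HKLM\OfflineSoftware' | Out-Null
        }
        $packages = (Get-WindowsPackage -Path $MountPath).PackageName   # e.g. Package_for_KB5065813~...
    } else {
        $cv       = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'
        $packages = (Get-HotFix).HotFixID                                # e.g. KB5065813
    }

    $release = $cv.DisplayVersion        # 22H2, 23H2, 24H2 ...
    $build   = [int]$cv.CurrentBuild
    $kb      = $oobeKb[$release]
    $hasKb   = [bool]($kb -and ($packages -match [regex]::Escape($kb)))

    $note = if ($hasKb) { 'OOBE ZDP present' }
            elseif (-not $kb) { "No OOBE KB mapped for release '$release'; consult the KB list" }
            else { 'ZDP not found; confirm the image is at the June 2025 servicing level or later' }

    [pscustomobject]@{
        Release             = $release
        Build               = $build
        IsWin11_22H2OrLater = ($build -ge 22621)   # 22H2 is build 22621
        ExpectedOobeKb      = $kb
        OobeKbPresent       = $hasKb
        Note                = $note
    }
}

# Usage:
#   Test-OobeServicingPrereqs                       # the device this runs on
#   Test-OobeServicingPrereqs -MountPath 'C:\Mount' # an image mounted with Mount-WindowsImage
```

Run the offline form against each golden image before it is handed to Autopilot so that devices never reach OOBE with an image that lacks the orchestration logic; the online form is useful on a pilot device after first sign-in to confirm the package actually landed.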

Benefits — strong security and cleaner day‑one experiences

  • Day‑one security baseline: Devices can leave OOBE already patched to the latest monthly cumulative release, reducing exposure to known vulnerabilities between first boot and first login.
  • Fewer immediate help‑desk tickets: By shifting patch/reboot cycles into OOBE, users are less likely to encounter multiple post‑login updates that disrupt productivity.
  • Cleaner compliance reporting: Inventory and compliance solutions will report devices at a known baseline immediately after provisioning rather than reporting lagging patch levels.
These benefits are particularly valuable for large education and enterprise fleets where a significant fraction of devices historically required immediate servicing after enrollment.

Trade‑offs, risks and operational costs

While the security case is solid, there are real operational trade‑offs IT teams must weigh.

Longer provisioning time

Installing cumulative updates during OOBE can add tens of minutes to setup time. In high‑volume imaging scenarios or rapid staging environments, that time compounds into throughput bottlenecks and longer deployment cycles. Pilots typically report an added 20–30+ minutes depending on update size and network speed.

Network and bandwidth pressure

Simultaneous OOBE updates across many devices can saturate WAN links. Mitigations include Delivery Optimization, peer caching, Windows Update for Business (WUfB) rings, and staged rollouts, but these require planning and testing.

Servicing stack permanence and rollback constraints

Combined SSU+LCU packages applied during OOBE modify the servicing stack; some components are effectively permanent once installed, making rollback more challenging and increasing the need for pre‑deployment validation.

Assignment and policy mismatch pitfalls

If ESP assignments and Update Rings are not aligned, devices might receive different instructions during OOBE than intended. For example, Windows Autopilot device preparation does not honor ESP; devices enrolled via that flow will always install monthly security updates during OOBE. Administrators must audit ESP and ring assignments across groups carefully.

Failure modes during OOBE

Network outages, authentication timeouts, or incompatible image configurations can result in failed enrollments or extended OOBE timeouts. Recovery requires robust playbooks and possibly manual intervention — plan and practice these scenarios before broad rollout.

Common misstatements and a reality check

Some coverage and headlines have overstated the change — for example, suggesting Microsoft is mandating automatic updates at startup for every Windows 11 device with no choice. That’s not accurate.
  • The controllable behavior described above applies to managed environments where devices are Entra‑joined/hybrid and assigned ESP profiles or enrolled via Autopilot/Intune. The ESP toggle gives admins choice and new ESP profiles default to Yes only after the servicing payload is present; existing profiles remain unchanged. Devices outside those conditions may still run default OOBE updates, and certain Autopilot flows behave differently (e.g., device preparation). The Microsoft Intune documentation provides the authoritative supported configuration details and edge cases.
Any claim that this universally forces every Windows 11 PC — including unmanaged consumer machines — to install updates at startup without recourse is a mischaracterization and should be treated with caution. Community discussions have flagged similar clarifications following the August/September rollout.

Best practices for rollout and testing

  • Pilot with representative hardware and network segments to measure realistic provisioning time and failure modes.
  • Align ESP profiles and Windows Update Rings to the same device groups; verify ring deferrals and pause settings are applied before OOBE's final update check.
  • Enable Delivery Optimization and peer caching to limit WAN impact during mass enrollments.
  • Stagger Autopilot rollouts across sites and times to minimize simultaneous update load.
  • Prepare recovery media and offline images for quick rollback if an OOBE update introduces an unforeseen regression.
  • Document communications for help‑desk and end users describing expected provisioning time and automated restarts.
  • Monitor telemetry during pilot phases and maintain a tight feedback loop with imaging and networking teams.
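The alignment requirement stated in the synchronization step and repeated in the pitfalls and best-practice lists (every group that receives an ESP profile must also receive a Windows Update ring so deferrals and pauses are on the device before the final OOBE scan) is easy to audit from Graph. The following PowerShell is an added example, not code from the article or from Microsoft; it assumes the Microsoft.Graph SDK is installed, that ESP profiles are windows10EnrollmentCompletionPageConfiguration objects under deviceEnrollmentConfigurations, that update rings are windowsUpdateForBusinessConfiguration objects under deviceConfigurations, and that the ESP toggle is exposed as installQualityUpdates (verify the property name against the current Graph reference). It treats the virtual All Devices target as its own group id and ignores exclusion targets.

```powershell
# Added example (not from the article or Microsoft): find ESP profile assignments whose target
# group has no Windows Update ring assigned, i.e. devices that would run the OOBE update scan
# before their ring deferrals/pauses are synced. Assumptions: see the lead-in above.
#Requires -Modules Microsoft.Graph.Authentication

Connect-MgGraph -Scopes 'DeviceManagementServiceConfig.Read.All','DeviceManagementConfiguration.Read.All' -NoWelcome
$graph = 'https://graph.microsoft.com/beta/deviceManagement'

# Follow @odata.nextLink so large tenants are fully enumerated.
function Get-GraphCollection {
    param([string]$Uri)
    $items = @()
    while ($Uri) {
        $page  = Invoke-MgGraphRequest -Method GET -Uri $Uri
        $items += $page.value
        $Uri   = $page.'@odata.nextLink'
    }
    $items
}

# Group ids a policy is assigned to; 'ALL_DEVICES' stands in for the virtual All Devices target.
# Exclusion targets are deliberately not counted as an assignment.
function Get-AssignedGroupIds {
    param([string]$PolicyUri)
    foreach ($a in Get-GraphCollection "$PolicyUri/assignments") {
        switch ($a.target.'@odata.type') {
            '#microsoft.graph.groupAssignmentTarget'      { $a.target.groupId }
            '#microsoft.graph.allDevicesAssignmentTarget' { 'ALL_DEVICES' }
        }
    }
}

$esp   = Get-GraphCollection "$graph/deviceEnrollmentConfigurations" |
         Where-Object { $_.'@odata.type' -eq '#microsoft.graph.windows10EnrollmentCompletionPageConfiguration' }
$rings = Get-GraphCollection "$graph/deviceConfigurations" |
         Where-Object { $_.'@odata.type' -eq '#microsoft.graph.windowsUpdateForBusinessConfiguration' }

# Map group id -> names of the update rings assigned to it.
$ringsByGroup = @{}
foreach ($r in $rings) {
    foreach ($g in Get-AssignedGroupIds "$graph/deviceConfigurations/$($r.id)") {
        if (-not $ringsByGroup.ContainsKey($g)) { $ringsByGroup[$g] = @() }
        $ringsByGroup[$g] += $r.displayName
    }
}

# One row per ESP profile / target group; Aligned = $false is the misconfiguration to fix.
$report = foreach ($p in $esp) {
    foreach ($g in Get-AssignedGroupIds "$graph/deviceEnrollmentConfigurations/$($p.id)") {
        [pscustomobject]@{
            EspProfile            = $p.displayName
            InstallQualityUpdates = $p.installQualityUpdates            # assumed property name
            GroupId               = $g
            UpdateRings           = ($ringsByGroup[$g] -join ', ')
            Aligned               = $ringsByGroup.ContainsKey($g)
        }
    }
}

$report | Sort-Object Aligned, EspProfile | Format-Table -AutoSize
$report | Where-Object { $_.InstallQualityUpdates -and -not $_.Aligned } | ForEach-Object {
    Write-Warning "ESP '$($_.EspProfile)' (quality updates = Yes) targets group $($_.GroupId) with no Update ring assigned"
}
```

A group that appears with Aligned = $false while its ESP profile has the toggle set to Yes is exactly the case the synchronization step warns about; either assign the intended Update ring to that group or move the ESP assignment to a group the ring already covers, then re-run the audit. Rings assigned through a nested or dynamic group that differs from the ESP target group will not be matched by this id comparison and need a manual check.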

What this means for consumers and smaller organizations

The primary audience for the controlled ESP toggle is enterprises and educational institutions using Autopilot and Intune. For smaller organizations or home users, the OOBE servicing packages are present in Windows and some OOBE updates may run automatically if an internet connection is available; however, the Intune/ESP management surface is not in play unless the device is managed by an organization. The KB articles that shipped in August 2025 apply to the OOBE process itself for multiple Windows 11 builds; that broader availability explains why KB documentation lists many SKUs in the “Applies to” section even though the Intune control is targeted to managed deployments. Administrators and power users should therefore read the nuance carefully.

Final analysis — security versus control

This change is a sensible, pragmatic step: move routine, predictable security work into the provisioning flow so devices reach users already patched. For organizations that value day‑one compliance and can absorb the provisioning time and network cost, the benefits are clear: fewer immediate reboots, lower help‑desk churn, and a better first impression for users.
At the same time, the feature imposes new responsibilities on IT: image baselines must be current, ESP and Update Ring assignments must be audited, Delivery Optimization must be configured, and recovery playbooks must be ready. Treat the OOBE quality‑update capability as a configuration change that requires governance: pilot, measure, document, and stage. When applied deliberately, the move improves security posture without removing administrative choice; when applied by default without planning, it risks operational friction.

Conclusion

Microsoft’s OOBE quality‑update capability marks an important refinement in Windows lifecycle management: by surfacing a controlled update step at the end of OOBE, administrators can reduce the day‑one vulnerability window and cut down immediate post‑deployment work. The control lives in Intune’s Enrollment Status Page and depends on specific servicing packages and enrollment states. The change is powerful when integrated into deployment pipelines and tested thoroughly, but it is not a no‑brainer flip‑the‑switch setting for every environment. Careful piloting, ring alignment, Delivery Optimization configuration, and clear rollback plans are the prerequisites that make this improvement a net win for modern Windows fleets.

Source: myhostnews.com Windows 11 offers a new method for updates, and you're going to like it