Windows 11 OOBE Quality Updates for Entra-joined Devices (Sept 2025)

Microsoft is changing the Windows 11 out-of-box experience (OOBE) for managed devices so that, starting in September 2025, eligible Entra-joined and Entra hybrid machines can automatically download and install Microsoft quality updates during setup — a move that will make initial device provisioning noticeably longer but aims to deliver a more secure, up-to-date endpoint before the first user sign-in.

Background​

Microsoft has been iterating on the Windows 11 setup experience for several years, balancing security, manageability, and convenience for both consumers and IT organizations. One persistent request from enterprise customers has been the ability to bring new devices fully up to date during provisioning so users receive patched systems on day one rather than facing multiple restarts and updates after first sign-in.
In 2024 and 2025 Microsoft announced phased changes to the enrollment and OOBE experience, including the capability for certain managed devices to apply updates during OOBE and new management controls surfaced in Intune to let administrators opt devices in or out of that behavior. Those announcements, technical guidance, and the documentation describing the runtime behavior form the factual basis for the upcoming September 2025 behavior change. (techcommunity.microsoft.com, learn.microsoft.com)

---

What’s changing for OOBE and which devices are affected​

The core change, in plain terms​

The Windows setup flow (OOBE) on qualifying managed devices will display the new update stage near the end of OOBE. If a relevant quality update is available, the device will download, install, potentially restart, and then continue through the setup so that the first user to sign in receives a system that already has the latest approved security fixes. Microsoft frames this as applying quality updates only — not feature updates or driver mass-rollouts — and intends to honor existing organizational update policies to avoid overriding an IT team's update deferral strategy. (techcommunity.microsoft.com, learn.microsoft.com)

Eligibility: who will see this behavior​

Devices are eligible for the OOBE quality-update experience only when all of the following are true:

• The device runs Windows 11, version 22H2 or later and is one of these SKUs: Pro, Enterprise, Education, or Windows 11 SE.
• The device is managed via Microsoft Intune (or an MDM that supports Enrollment Status Page controls) and is Entra-joined or Entra hybrid-joined, including Autopilot scenarios where an Enrollment Status Page (ESP) profile is assigned. (techcommunity.microsoft.com, learn.microsoft.com)
• The tenant has the relevant Windows update-control setting enabled (see configuration section below). Devices receiving the August 2025 OOBE zero-day patch (ZDP) or imaged with the June 2025 non-security setup package will already include the capability.

It’s important to emphasize that consumer PCs not managed by Intune/MDM and not Entra-joined are outside this enterprise-centric change. Home devices still follow the consumer OOBE behavior and are not impacted by the Intune-controlled setting.

---

Why Microsoft is doing this — intended benefits​

Microsoft’s stated rationale is straightforward: reduce the “first-week update” problem where freshly delivered enterprise laptops require multiple security patches and restarts immediately after the user gets the device. By applying the latest quality update during provisioning, organizations can:

• Deliver devices that are secure and compliant from first sign-in.
• Reduce help-desk churn from users encountering immediate update prompts or unexpected restarts in their first days.
• Maintain consistent security baselines across a fleet by syncing an organization’s update approvals and deferrals into OOBE.

For IT operations, this means fewer surprise patch cycles and a cleaner handoff of new hardware to employees. The feature is also intended to respect existing Windows Update for Business (WUfB) deferral settings so that IT control is preserved rather than overwritten.

---

How administrators will control the behavior​

Intune / Autopilot Enrollment Status Page (ESP) setting​

Administrators will control whether quality updates install during OOBE by editing an Enrollment Status Page (ESP) profile in the Microsoft Intune admin center. The new setting appears under Devices > Enrollment > Enrollment Status Page. In the ESP profile Settings tab there’s a toggle labeled Install Windows quality updates (might restart the device) that administrators can set to Yes or No. Microsoft notes that existing ESP profiles will default to No, while newly created ESP profiles will default to Yes. (techcommunity.microsoft.com, learn.microsoft.com)
Steps (high level):

• Sign into Microsoft Intune admin center.
• Navigate to Devices > Enrollment > Enrollment Status Page.
• Select the ESP profile assigned to the target devices.
• Under Settings, set Install Windows quality updates (might restart the device) to Yes to enable updates during OOBE. (techcommunity.microsoft.com, learn.microsoft.com)

Other management scenarios​

• Microsoft has stated the setting is available as an MDM policy and will be mirrored with Group Policy counterparts for environments that don’t use Intune. The behavior should respect Windows Update for Business policies already configured for the device. (techcommunity.microsoft.com, learn.microsoft.com)
• Non-Intune MDM vendors that support Autopilot/ESP might be able to surface an equivalent control; administrators should confirm vendor support before depending on it.

---

Expected impact on setup time — and why estimates vary​

Microsoft documentation and guidance warn that applying updates during OOBE will add time to the provisioning flow. The Windows documentation states that updates applied during OOBE “may take 30 minutes or more” depending on package size, network bandwidth, and device performance; Microsoft’s Intune communications have used similar language (with some public commentary estimating an average around 20–30 minutes). This means admins should plan for extra provisioning time and factor it into deployment scheduling. (learn.microsoft.com, techcommunity.microsoft.com)
Caveats about timing:

• The OOBE download/install duration depends heavily on network speed, the size and type of the update being installed, the hardware (SSD vs HDD, CPU), and whether additional post-install tasks require a restart. Microsoft’s guidance errs on the conservative side with “30 minutes or more” for certain cases; some third‑party writeups and previews reported shorter averages, but these are environment-dependent and not guaranteed. (learn.microsoft.com, neowin.net)

Flag: A specific “average of 20 minutes” claim that appears in some coverage is not a Microsoft-provided guaranteed figure; published Microsoft docs explicitly allow for longer times and recommend planning for potentially longer provisioning windows. Treat optimistic averages as situational and verify with pilot testing in your environment.

---

Operational benefits and concrete scenarios​

Day-one security and compliance​

By applying the latest quality update during OOBE, organizations reduce exposure windows for vulnerabilities discovered between an image capture date and device deployment. The result is fewer forced restarts during an employee’s first day and a lower chance of help-desk tickets for immediate security prompts.

Cleaner imaging and deployment pipelines​

Imaging strategies that use older images can leave a backlog of updates to apply during provisioning. Using OOBE updates reduces the need to continuously maintain images that include the latest cumulative updates; instead, images can be prepared with baseline software and updates applied as the final OOBE step. This lowers image churn for ISVs and OEM provisioning teams. (techcommunity.microsoft.com, learn.microsoft.com)

Improved end-user experience​

New hires or field workers who receive a device will sign in to an endpoint that is, in theory, already patched and stable — minimizing the risk that their first experience is interrupted by multiple updates and restarts in the first week on the job.

---

Risks and potential downsides administrators must weigh​

While the idea of pre-patching during OOBE is compelling, it’s not risk‑free. IT teams should evaluate the following before enabling the setting broadly.

• Network bandwidth and metered connections: Provisioning many devices simultaneously in a staging area or corporate network can saturate WAN links and lead to failed downloads or long delays. Consider scheduling or staged deployments, plus content caching solutions (Windows Server Update Services, Delivery Optimization, or Microsoft Endpoint Configuration Manager).
• Temporary Access Pass (TAP) expiry: Microsoft warns that longer OOBE times can cause one-time or temporary credentials used for enrollment to expire before sign-in completes. Admins should extend TAP validity or choose alternative enrollment flows for high-latency environments.
• Unexpected restarts: The OOBE update stage may require device restarts. In scenarios where OEM-provided driver updates or pre-provisioning software are present, updates could create interactions that break the expected flow. Test for such interactions on representative hardware.
• Image-driver mismatches: If an image already includes drivers or OEM software that expects a different Windows build state, adding patches during OOBE could expose compatibility issues. Pilot widely across the hardware families you manage.
• Long provisioning windows in bulk deployments: In high-volume device staging scenarios (for example, large classroom rollouts or mass corporate refreshes), the cumulative added minutes per device can meaningfully increase total deployment time. Plan logistics accordingly.

---

Testing and rollout recommendations (practical playbook)​

• Pilot first: Choose representative device models, network segments, and Autopilot ESP profiles. Enable the ESP update toggle only on these test groups and measure real-world download/install times and failure modes.
• Extend TAP validity in your tenant prior to enabling the setting widely to avoid enrollment-time expiration. Confirm this change with HR/Identity teams so onboarding credentials remain valid long enough.
• Use Delivery Optimization and local content caching where possible to reduce bandwidth consumption and speed up update delivery. For on-premises staging labs, consider WSUS or Configuration Manager distribution points to seed updates.
• Confirm expected behavior for ESP profiles: update the ESP profile in Intune and verify whether existing profiles remain at default No while newly created profiles default to Yes — adjust any automation that creates ESP profiles to explicitly set the Install Windows quality updates toggle.
• Monitor logs: Collect Windows Setup, WindowsUpdate, and MDM logs from test devices to spot problems early. Document any imaging interactions or driver regressions and engage OEM partners where needed.

---

Where the public coverage and the vendor messaging align — and where they diverge​

Multiple outlets — including the XDA article summarized by the user and other tech news outlets — have covered the change and its practical implications for extended setup times and improved day-one security. The technical details in Microsoft’s docs match the coverage: the change is targeted at managed, Entra-joined devices and will be controllable via Intune and ESP settings.
Where third-party coverage sometimes diverges is in the specifics of timing. Some news writeups cited shorter “average” setup extensions (for example, roughly 20 minutes), while Microsoft’s own guidance explicitly warns that provisioning “may take 30 minutes or more” depending on update size and environment. Administrators should therefore treat optimistic timing claims as situational and validate with real‑world pilot data.

---

Security and compliance implications​

From a security standpoint, deploying quality updates before a user ever signs in reduces the window of exposure for new vulnerabilities in freshly imaged devices. This is especially relevant for high-security environments — government, finance, healthcare — where baseline patch levels are a compliance requirement before user data access is permitted.
However, security teams must also ensure that the updates delivered in OOBE match the organization’s approved patch level. Microsoft’s implementation claims to respect existing update approvals, deferrals, and pause policies and to synchronize these settings to the device during OOBE — but this synchronization is only as trustworthy as the organization’s update policies and test coverage. Confirm that your Windows Update for Business configuration produces the expected OOBE behavior. (techcommunity.microsoft.com, learn.microsoft.com)

---

Bottom line for IT decision-makers​

• Enabling quality updates during OOBE can materially improve security posture and reduce day‑one update churn for end users, provided you plan for the additional provisioning time and test for edge cases.
• This feature is not for unmanaged home PCs; it’s an enterprise/education/managed-device capability controlled through Intune/ESP and related policies.
• Don’t rely on optimistic “average” time claims — assume longer provisioning windows, pilot widely, and use bandwidth controls & caching to avoid staging bottlenecks. (learn.microsoft.com, techcommunity.microsoft.com)

---

Final assessment — strengths, weaknesses, and recommended next steps​

Strengths​

• Day‑one security: Applying the latest quality update before first sign-in meaningfully reduces exposure to known vulnerabilities and can prevent early disruptions.
• Admin control: The Intune ESP toggle gives IT organizations a central knob to enable/disable the behavior per profile, which reduces the risk of forced behavior changes in large environments.
• Policy alignment: Microsoft’s claim to respect existing update deferrals and WUfB policies reduces the chance that OOBE updates will undermine carefully staged update cadences.

Weaknesses and risks​

• Longer provisioning windows: The added time per device can become significant cost/time when provisioning at scale; network and logistics planning is essential.
• Dependency on reliable network: Sites with constrained internet or metered connectivity will see the worst impact — consider local caching strategies.
• Unverified timing claims in coverage: Third‑party averages (e.g., 20 minutes) vary widely; Microsoft’s documentation suggests planning for 30+ minutes in many cases. Treat optimistic numbers with caution and verify with pilots.

Recommended next steps for IT teams​

• Schedule a pilot that mirrors your fleet and network topology.
• Update ESP profiles in Intune for test groups, measure real-world times and failure modes.
• Implement Delivery Optimization/WSUS/ConfigMgr caching strategies where available.
• Extend temporary credential lifetimes used in onboarding to allow for longer provisioning.
• Communicate expected provisioning windows to procurement and onboarding teams so device handoffs factor in the extra minutes.

---

Microsoft’s OOBE quality-update capability brings a pragmatic tradeoff: a longer setup time in exchange for a more reliable, secure device on day one. For IT organizations managing large fleets, the feature can reduce post‑deployment headaches — but only if it’s adopted with planning, piloting, and the network and image-management safeguards required for large-scale provisioning success. (techcommunity.microsoft.com, learn.microsoft.com)

---

Source: xda-developers.com Windows 11 setup is about to get longer on some devices