Microsoft is rolling the ability to install Windows quality updates during the Out‑Of‑Box Experience (OOBE) into enterprise provisioning flows, making it possible for eligible Entra‑joined and Entra hybrid‑joined Windows 11 devices to arrive at first sign‑in already patched — but only when administrators meet specific prerequisites and accept some operational trade‑offs. (techcommunity.microsoft.com)
Microsoft has been evolving the Windows setup experience for years, trying to close the “day‑one patching” gap that forces new devices into a post‑provisioning scramble for security fixes and reboots. The company’s plan — announced in stages across 2024 and 2025 — is to give administrators a policy control that tells an Entra‑joined device to check Windows Update at the last page of OOBE and apply any applicable quality updates before handing the device to the first user. That behavior is being surfaced through Windows Autopilot’s Enrollment Status Page (ESP) and related MDM/Group Policy controls. (techcommunity.microsoft.com)
This change is explicitly scoped: Microsoft intends to apply monthly cumulative quality updates (security and reliability fixes) and critical zero‑day patches where necessary. Microsoft is not applying feature upgrades or broad driver mass‑rollouts during the OOBE step. That design keeps the OOBE patch window focused on reducing exposure without introducing the larger risk that comes with feature or driver changes. (techcommunity.microsoft.com)
But the practical reality is nuanced. The feature transfers some risk from the post‑provisioning phase into the provisioning phase: administrators must now manage extra provisioning time, network load, TAP lifetimes, and the potential for applying an update that later proves unstable. The August 2025 update cycle — which produced known issues and emergency fixes — is a concrete demonstration that being first to apply a cumulative update is not always the safest operational stance. For many organizations the right strategy will be measured adoption: pilot, stage images with required servicing patches, and enable the ESP toggle where the benefits outweigh operational costs. (bleepingcomputer.com)
Source: theregister.com Microsoft adds updates to the Windows OOBE for enterprises
Background
Microsoft has been evolving the Windows setup experience for years, trying to close the “day‑one patching” gap that forces new devices into a post‑provisioning scramble for security fixes and reboots. The company’s plan — announced in stages across 2024 and 2025 — is to give administrators a policy control that tells an Entra‑joined device to check Windows Update at the last page of OOBE and apply any applicable quality updates before handing the device to the first user. That behavior is being surfaced through Windows Autopilot’s Enrollment Status Page (ESP) and related MDM/Group Policy controls. (techcommunity.microsoft.com)This change is explicitly scoped: Microsoft intends to apply monthly cumulative quality updates (security and reliability fixes) and critical zero‑day patches where necessary. Microsoft is not applying feature upgrades or broad driver mass‑rollouts during the OOBE step. That design keeps the OOBE patch window focused on reducing exposure without introducing the larger risk that comes with feature or driver changes. (techcommunity.microsoft.com)
What Microsoft announced (the essentials)
- The capability to install Windows quality updates during OOBE is coming to eligible enterprise devices and will be available starting with the September 2025 Windows security update. Administrators can control the behavior via an ESP setting in Microsoft Intune. (techcommunity.microsoft.com)
- Eligible devices: Windows 11, version 22H2 or later, on SKUs Pro, Enterprise, Education, or SE, that are Microsoft Entra‑joined or Entra hybrid‑joined and managed by Microsoft Intune (or an MDM that supports Enrollment Status Page controls). (techcommunity.microsoft.com)
- Administrative control: the new ESP profile toggle reads Install Windows quality updates (might restart the device) and appears under Devices > Enrollment > Enrollment Status Page in the Intune admin center. New ESP profiles will default to Yes, while preexisting profiles default to No (so admins must edit existing profiles if they want the behavior). (techcommunity.microsoft.com)
- Prerequisites: devices must include specific servicing payloads — for example, machines imaged with the June 2025 Windows non‑security update will already carry the new setting, and devices receiving the August 2025 OOBE zero‑day patch (ZDP) will also expose the capability. If those platform updates aren’t present the ESP option will not appear. (techcommunity.microsoft.com)
- Policy behavior: the OOBE update flow honors Windows Update for Business deferrals and pause settings configured for the tenant, so existing update‑ring decisions are respected during provisioning. (techcommunity.microsoft.com)
How the OOBE update flow works — a step‑by‑step
- Device boots and progresses through OOBE until the final screen where the new update check runs.
- The device connects to Windows Update (using the network established during OOBE), queries for applicable quality updates, and downloads any approved packages. (techcommunity.microsoft.com)
- If updates are found, the device installs them while still in OOBE and may restart one or more times to finish installation.
- When installation completes, the setup resumes and the first user signs in to a device that, in theory, is current with the tenant’s approved quality updates.
- Feature updates and broad driver updates are excluded from this step.
- The process can be controlled (enabled/disabled) via ESP profiles in Intune, or via MDM/Group Policy equivalents where available. (techcommunity.microsoft.com)
Why IT teams should care: benefits
- Day‑one security — New endpoints enter the environment with the latest security fixes applied, reducing exposure windows and improving initial compliance posture.
- Fewer first‑day helpdesk incidents — By reducing the post‑provisioning patch and reboot cycle, there are fewer surprise restarts and fewer immediate support tickets from employees.
- Policy alignment from the start — The ESP behavior syncs Windows Update for Business deferral/pause configurations so devices behave consistently with organizational update rings during provisioning. (techcommunity.microsoft.com)
What administrators must verify before enabling the behavior
- Confirm devices run Windows 11 22H2 or later and are in one of the supported SKUs (Pro, Enterprise, Education, SE). (techcommunity.microsoft.com)
- Ensure devices are Microsoft Entra‑joined (or hybrid‑joined) and enrolled in Intune (or an MDM that supports ESP). If your environment uses Autopilot device preparation flows instead of device ESP, you may not be able to disable OOBE updates. (techcommunity.microsoft.com)
- Confirm imaging and servicing: images must include the June 2025 non‑security update or the device must receive the August 2025 OOBE ZDP so the ESP setting is present. (techcommunity.microsoft.com)
- Plan network and power: devices need reliable internet access during OOBE and should remain plugged into power to avoid disruptions during downloads and restarts.
Operational trade‑offs and risks
This capability is powerful but not free of trade‑offs. Administrators need to weigh the security benefits against the operational impacts.- Longer provisioning time
Microsoft explicitly warns that applying updates during OOBE may take 30 minutes or more in some cases, with estimates varying by update size, network bandwidth, and hardware performance. In practice, many environments will see averages of 20–30 minutes for routine cumulative updates, but plan on worst‑case scenarios when scheduling mass deployments. Pilot testing in your environment is essential. (mc.merill.net) - Temporary password expiry (TAP) issues
Organizations using Temporary Access Passes or other time‑limited credentials should extend validity windows during provisioning to avoid expired credentials mid‑provisioning. Microsoft and customer advisories have already highlighted TAP expiration as a practical gotcha. (techcommunity.microsoft.com) - Network and bandwidth constraints
In high‑volume scenarios (classrooms, retail desks, large deployments at procurement hubs) mass downloads during OOBE can saturate networks. Consider pre‑staging images with the June 2025 non‑security update or using local distribution strategies to avoid throttling. - Update instability and the danger of “day‑one breakage”
Applying updates immediately during OOBE does not remove the risk that a given cumulative update is buggy. The August 2025 cumulative updates demonstrated real‑world issues — Microsoft acknowledged problems that affected streaming app performance, Reset/recovery functionality, and in some reports interactions with certain SSDs — and subsequently issued mitigations and out‑of‑band fixes. That history shows the danger of automatically applying every security update at OOBE without protective guardrails or a staged rollout policy. (bleepingcomputer.com, support.microsoft.com) - Limited opt‑out scenarios
If your enrollment path relies on Autopilot device preparation without device ESP, devices may apply updates by default and admins may lack an easy way to opt them out. This can be unwelcome when an organization’s change control demands stricter update sequencing. (techcommunity.microsoft.com)
Technical and compliance caveats
- The OOBE update mechanism respects existing Windows Update for Business deferral and pause policies, but only if those policies are enforced before the OOBE update window begins. If app installations or other provisioning tasks significantly delay ESP, timing mismatches can allow unexpected updates to apply. Admins should verify timing sequences in Autopilot flows. (techcommunity.microsoft.com)
- The ESP setting appears as an MDM policy and Microsoft provides Group Policy counterparts; however, third‑party MDM vendors vary in support. Verify your MDM vendor’s ESP support before relying on non‑Intune tooling. (techcommunity.microsoft.com)
- Not all monthly quality updates will necessarily be offered during OOBE: Microsoft retains discretion to determine which updates make sense for an OOBE context. Critical ZDPs may be treated differently and can still apply outside ESP controls when required for device operability. (techcommunity.microsoft.com)
Recommendations — a practical admin checklist
- Pilot first, then scale
- Select a small, representative device set (different OEMs, SSD types, chipsets).
- Create a dedicated ESP profile in Intune and test the ESP toggle both enabled and disabled.
- Measure OOBE time, TAP behavior, and post‑provisioning compliance reporting. (techcommunity.microsoft.com)
- Image wisely
- If feasible, deliver devices imaged with the June 2025 non‑security update (or a later servicing image) so the ESP setting is present without forcing a fresh download during OOBE. This reduces network load and time-in‑OOBE variability. (techcommunity.microsoft.com)
- Extend temporary credential windows
- Increase Temporary Access Pass or TAP validity during enrollment when ESP installs are enabled to avoid premature expiry during lengthy update installs. (mc.merill.net)
- Staged or targeted rollout plan
- Start with IT and pilot groups, then expand by business unit. Consider setting new ESP profiles to No for large, sensitive rollouts until confidence is built. Remember: new ESP profiles default to Yes, so don’t assume safe defaults. (techcommunity.microsoft.com)
- Monitor update health and known issues closely
- August 2025 demonstrated that even security updates can introduce regressions. Maintain telemetry and a rapid rollback plan (or KIR/known issue rollbacks where Microsoft provides them) and coordinate with Windows release health notices. (bleepingcomputer.com, support.microsoft.com)
- Validate non‑Intune MDM support
- If you use a third‑party MDM, confirm it supports ESP profile behavior parity; otherwise you may lack the ability to toggle OOBE updates or honor tenant policies correctly. (techcommunity.microsoft.com)
Tactical scenarios and examples
- Education labs and kiosks
These environments typically require rapid provisioning en masse. Enabling OOBE updates could dramatically increase setup time per device, so a better approach is pre‑imaging with the June 2025 payload or using an internal distribution point to throttle bandwidth and reduce OOBE time. - Retail or frontline device deployment (high volume, low tolerance for downtime)
Avoid enabling OOBE updates by default for large retail pushes until images include the required servicing payloads. When OOBE updates are unavoidable, schedule provisioning windows outside business hours and ensure robust local caching or Delivery Optimization is configured. - Highly regulated environments (finance, healthcare)
The security case for applying the latest quality updates at OOBE is strong, but these orgs also require deterministic change control. Pilot, approve the specific update set for OOBE, and use test channels aligned with compliance processes before enabling ESP installs for production groups. (techcommunity.microsoft.com)
Cross‑checking the claims (what we verified)
- Microsoft’s own Windows IT Pro blog announces the capability, the Intune ESP setting, eligibility, and the September 2025 availability window. (techcommunity.microsoft.com)
- Message center / admin notifications and Intune community posts explain the admin controls, deployment timeline, and the need to plan for extended OOBE durations. (mc.merill.net, techcommunity.microsoft.com)
- Independent reporting and community commentary (Neowin, Windows community forums, news outlets) corroborate that the new ESP setting exists, that prerequisite servicing updates are needed, and that the feature is being rolled out in late summer/early fall 2025. (neowin.net)
- Recent August 2025 update incidents (reset failure, streaming regressions, WSUS/SCCM install errors, SSD reports) illustrate why admins should be cautious about forced day‑one installs and should maintain rollback and mitigation strategies. These incidents were acknowledged by Microsoft and covered across mainstream tech press. (bleepingcomputer.com, windowslatest.com)
Final analysis — is this a net win?
The OOBE quality‑update capability is a meaningful step toward reducing the long‑standing problem of unpatched, newly delivered endpoints. For security teams and compliance owners, the value proposition is clear: narrower exposure windows, fewer surprise updates, and cleaner enrollment baselines.But the practical reality is nuanced. The feature transfers some risk from the post‑provisioning phase into the provisioning phase: administrators must now manage extra provisioning time, network load, TAP lifetimes, and the potential for applying an update that later proves unstable. The August 2025 update cycle — which produced known issues and emergency fixes — is a concrete demonstration that being first to apply a cumulative update is not always the safest operational stance. For many organizations the right strategy will be measured adoption: pilot, stage images with required servicing patches, and enable the ESP toggle where the benefits outweigh operational costs. (bleepingcomputer.com)
Conclusion
Microsoft’s decision to add quality update installs into OOBE under Intune/ESP control is a long‑requested improvement for enterprise provisioning: devices can now, in eligible scenarios, arrive at first sign‑in with the latest security fixes applied. That reduces the post‑deployment patch churn and raises the baseline security posture for new endpoints. Administrators, however, must treat the capability as a tool that requires careful planning — validate prerequisites, test images, adjust temporary credential lifetimes, and stage rollouts — because immediate update application increases provisioning duration and inherits all the risks of any newly released cumulative update. Use pilot projects to measure real OOBE timings and build rollback plans before enabling wide production rollouts. (techcommunity.microsoft.com, support.microsoft.com)Source: theregister.com Microsoft adds updates to the Windows OOBE for enterprises
