Windows IT Pro Blog

Get ready for Windows quality updates out of the box

VictoriaWang (Microsoft)
Aug 25, 2025

Editor’s note 9.8.2025: This capability has been delayed by a couple of months to help ensure delivery of the best possible experience. You can start configuring the new setting on the Enrollment Status Page (ESP), but you won’t see the new user interface yet. We’ll update this post with a revised timeline as soon as it’s available.


Get the latest Windows quality updates during the out-of-box experience (OOBE) by default. This much-awaited improvement is coming to eligible Microsoft Entra joined or Microsoft Entra hybrid joined devices running Windows 11, version 22H2 and later. It will be available starting with the September 2025 Windows security update.

You can manage this new capability with a policy setting. With Windows Autopilot and Microsoft Intune (or alternative management solutions), you can maintain seamless control over quality update behavior during provisioning, while ensuring alignment with organizational security and compliance requirements.

Manage your OOBE update experience in Microsoft Intune

When Windows quality update support is available in the Windows Autopilot Enrollment Status Page (ESP) at the end of August 2025, you’ll see the new quality update setting enabled by default.

You’ll be able to control whether updates are installed during OOBE if you meet these criteria:

  • Your devices are on Windows 11, version 22H2 or later and on any of the following SKUs: Pro, Enterprise, Education, or SE.
  • You use Microsoft Intune to manage Windows quality updates.
  • You’ve assigned a Windows Autopilot Enrollment Status Page (ESP) profile to devices using either Windows Autopilot preregistered device group or using the “All devices” assignment.
  • Your devices have one of the following required updates that include the new setting:
    ◦ Devices that get the August 2025 OOBE zero-day patch (ZDP) update will have this capability.
    ◦ Devices imaged with the June 2025 Windows non-security update or later already include the new setting.

Note: At this time, if you’re not using device ESP, you won’t be able to turn off Windows updates during OOBE. This might be the case if you enroll devices using Windows Autopilot device preparation policies. These devices will have updates applied by default.

The new setting

Use the new setting to confirm or control this experience:

  1. Go to the Microsoft Intune admin center.
  2. Navigate to Devices > Enrollment > Enrollment Status Page.
  3. Select the ESP profile you wish to check or create a new one and go to its Settings tab.
  4. Locate the new setting called Install Windows quality updates (might restart the device). If its value is set to “Yes,” you’re set to install quality updates during provisioning!

Note: Preexisting ESP profiles will have Install Windows quality updates set to “No.” You can edit this setting to enable the updates. New ESP profiles will default to “Yes.”


The Enrollment Status Page (ESP) profile settings in the Microsoft Intune admin center, with a new setting to Install Windows quality updates set to “Yes.”

As we’ve preannounced, the device will check Windows Update on the last page of OOBE and install any applicable quality updates. That way, the user starts out with the latest security and quality updates at first sign-in.

The final OOBE screen shows the message for an in-progress Windows update.

Recommendation for pause and deferral settings

Want to ensure that quality updates during OOBE respect pause and deferral settings? Assign your Windows Update rings profile to the same Windows Autopilot preregistered device group as your ESP profile or using the “All devices” assignment.

During the device phase of provisioning, the ESP will ensure that the settings from the Windows Update rings policy are synchronized prior to exiting the page. That way, settings are in place before the final Windows Update page checks for updates. Note: If these requirements aren’t met, the pause and deferral settings might be inconsistently applied during OOBE.
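The two configuration checks above (the Install Windows quality updates value on each ESP profile, and whether a Windows Update ring is assigned to the same Autopilot group or "All devices" target as that profile) can be audited from the tenant side. The following PowerShell script is an added example, not code from this post or from Microsoft; it uses the Microsoft Graph PowerShell SDK's Connect-MgGraph and Invoke-MgGraphRequest against the beta endpoint. The ESP and update-ring resource types, assignment target types and Graph paths are documented Intune objects; the property name `installQualityUpdates` on the ESP profile is an assumption about the beta schema and should be confirmed against a raw Graph response from your tenant.

```powershell
# Added example, not code from the blog post or from Microsoft: audit Intune ESP
# profiles and Windows Update ring assignments through Microsoft Graph (beta).
# ASSUMPTION: the ESP profile exposes the quality-update switch as a boolean named
# 'installQualityUpdates'; confirm the property name against a raw Graph response.
# Requires the Microsoft.Graph.Authentication module (Connect-MgGraph, Invoke-MgGraphRequest).

Connect-MgGraph -Scopes 'DeviceManagementServiceConfig.Read.All', 'DeviceManagementConfiguration.Read.All' | Out-Null
$beta = 'https://graph.microsoft.com/beta'

# Follow @odata.nextLink so large tenants are paged through completely.
function Get-GraphCollection {
    param([Parameter(Mandatory)][string]$Uri)
    $items = @()
    while ($Uri) {
        $page  = Invoke-MgGraphRequest -Method GET -Uri $Uri
        $items += @($page.value)
        $Uri   = $page.'@odata.nextLink'
    }
    return $items
}

# Reduce an assignment target to a comparable key: 'ALL_DEVICES' or the group id.
# Other target types (all users, exclusions) return $null and are ignored here.
function Get-TargetKey {
    param($Target)
    switch ($Target.'@odata.type') {
        '#microsoft.graph.allDevicesAssignmentTarget' { return 'ALL_DEVICES' }
        '#microsoft.graph.groupAssignmentTarget'      { return $Target.groupId }
        default                                       { return $null }
    }
}

# 1. Map every target that has a Windows Update ring assigned to the ring's name.
$ringByTarget = @{}
$rings = Get-GraphCollection "$beta/deviceManagement/deviceConfigurations" |
    Where-Object { $_.'@odata.type' -eq '#microsoft.graph.windowsUpdateForBusinessConfiguration' }
foreach ($ring in $rings) {
    $assignments = Get-GraphCollection "$beta/deviceManagement/deviceConfigurations/$($ring.id)/assignments"
    foreach ($a in $assignments) {
        $key = Get-TargetKey $a.target
        if ($key) { $ringByTarget[$key] = $ring.displayName }
    }
}

# 2. For each ESP profile assignment, report the quality-update setting and whether
#    a ring reaches the same target (the condition the post gives for pause and
#    deferral settings to be honored during OOBE).
$espProfiles = Get-GraphCollection "$beta/deviceManagement/deviceEnrollmentConfigurations" |
    Where-Object { $_.'@odata.type' -eq '#microsoft.graph.windows10EnrollmentCompletionPageConfiguration' }
$report = foreach ($esp in $espProfiles) {
    $assignments = Get-GraphCollection "$beta/deviceManagement/deviceEnrollmentConfigurations/$($esp.id)/assignments"
    foreach ($a in $assignments) {
        $key = Get-TargetKey $a.target
        if (-not $key) { continue }
        [pscustomobject]@{
            EspProfile            = $esp.displayName
            InstallQualityUpdates = $esp.installQualityUpdates      # assumed property name
            Target                = $key
            UpdateRingOnTarget    = $(if ($ringByTarget.ContainsKey($key)) { $ringByTarget[$key] } else { '(none)' })
        }
    }
}
$report | Sort-Object EspProfile | Format-Table -AutoSize
```

A row whose InstallQualityUpdates is false identifies a preexisting profile still set to "No"; a row whose UpdateRingOnTarget is "(none)" identifies an ESP assignment with no update ring on the same target, which is the case the post warns may apply pause and deferral settings inconsistently during OOBE. The built-in default ESP profile carries no assignment rows and therefore does not appear in the table; check it separately in the admin center.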

Alternative management solutions for OOBE updates

Some non-Microsoft mobile device management (MDM) solutions can also use the ESP functionality. To find out whether yours can, check whether your MDM provider has built its own ESP functionality on the features or protocols Microsoft offers for reliably delivering certain policies during OOBE. If the provider supports applying the ESP profile, designate the ESP profile as a tracked policy when you create it. ESP must be enabled for the latest Windows quality updates to be installed during OOBE.

Ready for an improved OOBE?

With this new default experience, you can:

  • Complete the devices’ OOBE with the latest approved quality updates already applied.
  • Enhance security from day 1.
  • Reduce post-deployment update overhead.

Thank you again for your feedback and helping us make Windows better!



Updated Sep 09, 2025
Version 3.0

19 Comments

  • aterani (Copper Contributor)

    Looks like this was pulled back, again!
    https://call4cloud.nl/windows-autopilot-windows-quality-updates-oobe/#h-pulled-back

  • jbr9 (Copper Contributor)

    Only for user-driven enrollment? What is even the point of this feature? Please implement it for pre-provisioning, what large enterprises are actually using, or do you really think we get our users to wait for an hour or 2 when onboarding them by using the user-driven enrollment? Of course not.

    • David_Guyer (Microsoft)

      This option provides a few benefits. While the end user may need to wait 20-40 minutes (based on our private preview testing, and dependent on many variables) extra, they are much less likely to have the device download and install an update after first login, and a reboot on the first day or two... so less background processing unless they go through OOBE on the Monday before Patch Tuesday, of course. This also means admins can count on the devices being up to a minimum level when first accessing the devices, potentially tightening up grace periods and compliance rules, protecting corporate resources.

      You are right, there are some advantages to applying the updates during pre-provisioning and we are hoping to add that capability as well.

      -David

      • aterani (Copper Contributor)

        Hi David, as I mentioned in another post, pre-provisioned devices have a key limitation: the user only gets one chance to complete their flow when the computer powers on for the first time after being resealed. Microsoft warns about this behavior https://learn.microsoft.com/en-us/autopilot/tutorial/pre-provisioning/azure-ad-join-technician-flow:

        The enforced OOBE update and its reboot during the user flow can break the process and leave the device stuck at the DefaultUser0 login screen. Ideally, OOBE CU updates would either be applied before pre-provisioning begins, automatically reset the autologin count for DefaultUser0 so the user can continue after the update, or simply be skipped when a device has been pre-provisioned.

        Unfortunately, none of these safeguards were in place when this was enabled in our tenant, before Intune’s ESP settings UI added controls for managing it.

  • PhillipHiggins (Copper Contributor)

    Pointless: Not sure how this improves the situation. Like others have said, the whole point of the white glove build is to make the process fast when a user gets the device. They don't want to wait 20 minutes for all the updates to install, then have to wait whilst OneDrive syncs, user-specific apps install, and then, if using Outlook classic, the time it takes to sync your Outlook.

  • MScommTime (Brass Contributor)

    I'll upvote the idea of this being completed during the technician phase. Someone below mentioned the limited time for onboarding. I'll also add that we pre-provision to address the possibility that a remote worker's home internet isn't as fast as our office internet. If one of the goals is to "Reduce post-deployment update overhead," then doing this in the technician phase of device ESP is important. Thanks for considering.


  • wroot (Silver Contributor)

    Had almost a year to rework it. Still cannot disable it without ESP, doesn't work for pre-provisioning, will not work if third-party is the source for patches.

    • David_Guyer (Microsoft)

      We have begun the release process and you should see it by Thursday or Friday, depending on your time zone. You'll need to refresh the browser.

      As a reminder, existing ESP policies will be set to "No", do not install updates, and Newly created ESP policies after your tenant gets the release will default to "Yes".

    • David_Guyer (Microsoft)

      Our engineers are putting the final touches on the new setting and I'll provide an update here when we start the rollout in Intune. Should be soon; we want it to be right.
      -David Guyer
      Intune Product Manager

  • NickE (Copper Contributor)

    VictoriaWang What does the flow look like for pre-provisioned devices? Does this then happen in the tech phase, the user phase or both?

    • David_Guyer (Microsoft)

      For pre-provisioned devices the updates are available during the user phase in the device ESP. We are looking into adding support for the technician phase so that you can update the device before giving it to the end user.

      -David

      • NickE (Copper Contributor)

        What if the user ESP is skipped using the OMA-URI ./Vendor/MSFT/DMClient/Provider/MS DM Server/FirstSyncStatus/SkipUserStatusPage; does it still run? You said user phase in the device ESP, so I assume it will.
        We have groups of users that are scheduled 20-30 in a class at a time, with multiple classes on Mondays of the week, and they all onboard and enroll together so the trainer can assist less skilled users with computer setup and day 1 tasks, so I don't envision this being enabled for those groups as it could cause some users to get behind by 20 or more minutes if their device happens to come from a stock with an older build, but the tech phase would be nice to have. Will we be able to make configurations that could support one or the other?

  • Marc_Laf (Iron Contributor)

    This is pretty awesome news, thanks.

    Question regarding the requirements: will the downloadable ISO for Windows 11 be updated to include the required patches? Or will we need to use an older one, then patch, then reset it to bring the device to the appropriate patch level?