Blog Post

Windows IT Pro Blog
4 MIN READ

Get ready for Windows quality updates out of the box

VictoriaWang's avatar
VictoriaWang
Icon for Microsoft rankMicrosoft
Aug 25, 2025

Editor's note 12.9.2025: This policy will be available starting with the January 2026 security update and will no longer be enabled by default. We have reflected this change in the post below and added clarification about device targeting.

Editor's note 9.8.2025: This capability has been delayed by a couple of months to help ensure delivery of the best possible experience. You can start configuring the new setting on the Enrollment Status Page (ESP), but you won't see the new user interface yet. We'll update this post with a revised timeline as soon as it's available.

Get the latest Windows quality updates during the out-of-box experience (OOBE). This much awaited improvement is coming to your eligible Microsoft Entra joined or Microsoft Entra hybrid joined devices running Windows 11, version 22H2 and later. It will be available starting with the January 2026 Windows security update.

You can enable this new capability with a policy setting. With Windows Autopilot and Microsoft Intune (or alternative management solutions), you can maintain seamless control over quality update behavior during provisioning, while ensuring alignment with organizational security and compliance requirements.

Manage your OOBE update experience in Microsoft Intune

When Windows quality update support is available in the Windows Autopilot Enrollment Status Page (ESP) at the end of August 2025, you'll see the new quality update setting. This setting is now disabled by default.

You'll be able to control whether updates are installed during OOBE if you meet these criteria:

  • Your devices are on Windows 11, version 22H2 or later and on any of the following SKUs: Pro, Enterprise, Education, or SE.
  • You use Microsoft Intune to manage Windows quality updates.
  • You've assigned a Windows Autopilot Enrollment Status Page (ESP) profile to devices using either Windows Autopilot preregistered device group or using the "All devices" assignment. We call this device targeting.
  • Your devices are imaged with the November 2025 Windows non-security update or later or are automatically updated with the November 2025 OOBE zero-day patch (ZDP) update. Learn more about these updates for Windows 11, versions 24H2 and 25H2, also available for Windows 11, versions 22H2 and 23H2.

Note: At this time, if you're not using device-targeting ESP, you won't be able to enable Windows quality updates during OOBE. For more information about Intune prerequisites, as well as supported and unsupported scenarios, visit Set up the Enrollment Status Page in the admin center.

The new setting

To confirm or control this experience on the devices you manage:

  1. Go to the Microsoft Intune admin center.
  2. Navigate to Devices > Enrollment > Enrollment Status Page.
  3. Select the ESP profile you wish to check or create a new one and go to its Settings tab. Note the ESP profile must use device targeting.
  4. Locate the new setting called Install Windows quality updates (might restart the device). If its value is set to "Yes," you're set to install quality updates during provisioning!

Note: Preexisting ESP profiles will have Install Windows quality updates set to "No." You can edit this setting to enable the updates. New ESP profiles will default to "Yes."

As we've preannounced, the device will check Windows Update at the last page of OOBE and install any applicable quality updates. That way, the user will start out with the latest security and quality updates at first sign-in.

Recommendation for pause and deferral settings

Want to ensure that quality updates during OOBE respect pause and deferral settings? Assign your Windows Update rings profile to the same Windows Autopilot preregistered device group as your ESP profile or using the "All devices" assignment.

During the device phase of provisioning, the ESP will ensure that the settings from the Windows Update rings policy are synchronized prior to exiting the page. That way, settings are in place before the final Windows Update page checks for updates. Note: If these requirements aren't met, the pause and deferral settings might be inconsistently applied during OOBE.

Note: Devices will receive feature updates separately after OOBE as per their configured feature update policies.

Alternative management solutions for OOBE updates

Some non-Microsoft mobile device management (MDM) solutions are also capable of using the ESP functionality. How can you determine if that's the case for you? Check if your MDM provider has developed its own functionality to track configuration using features or protocols offered by Microsoft to reliably deliver certain policies during OOBE. If they have selected the ESP profile as eligible to be applied, designate the ESP profile as a tracked policy when creating it. You must use an ESP profile with device targeting to ensure that the latest Windows quality updates indeed get installed during OOBE.

Ready for an improved OOBE?

With this new default experience, you can:

  • Complete the devices' OOBE with the latest approved quality updates already applied.
  • Enhance security from day one.
  • Reduce post-deployment update overhead.

Thank you again for your feedback and helping us make Windows better!

Continue the conversation. Find best practices. Bookmark the Windows Tech Community, then follow us @MSWindowsITPro on X and on LinkedIn. Looking for support? Visit Windows on Microsoft Q&A.

Updated Dec 09, 2025
Version 4.0
device management
security
servicing and updates
windows 11
windows autopilot

35 Comments

Show More
    • David_Guyer's avatar
      David_Guyer
      Icon for Microsoft rankMicrosoft
      Sep 03, 2025

      We have begun the release process and you should see it by Thursday or Friday, depending on your timezone.  You'll need to refresh the browser.

      As a reminder, existing ESP policies will be set to "No", do not install updates, and Newly created ESP policies after your tenant gets the release will default to "Yes".

    • David_Guyer's avatar
      David_Guyer
      Icon for Microsoft rankMicrosoft
      Aug 28, 2025

      Our engineers are putting the final touches on the new setting and I'll provide an update here when we start the rollout in Intune.  Should be soon, we want it to be right.
      -David Guyer
      Intune Product Manager

  • NickE's avatar
    NickE
    Copper Contributor
    Aug 26, 2025

    VictoriaWang​ What does the flow look like for preprovsioned devices. Does this then happen in the tech phase, the user phase or both?

    • David_Guyer's avatar
      David_Guyer
      Icon for Microsoft rankMicrosoft
      Aug 28, 2025

      For pre-provisioned devices the updates are available during the user phase in the device ESP.   We are looking into adding support for the technician phase so that you can update the device before giving it to the end user.

      -David

      • LABleoel's avatar
        LABleoel
        Copper Contributor
        Jan 12, 2026

        Hello David,
        Do you know if this has changed ? Can we install Updates if we have skipped the 'user' phase in ESP ?

        Thanks,

        L

  • Marc_Laf's avatar
    Marc_Laf
    Iron Contributor
    Aug 25, 2025

    This is pretty awesome news, thanks.

    Question regarding the requirements - will the downloadable ISO for Windows 11 be updated to include the required patches? Or will we need to use an older one, then patch, then reset it to bring the device to the appropriate patch level?