Beginning with the September 2025 Windows security update, eligible Windows 11 devices will automatically check for and install quality updates during the Out of Box Experience (OOBE). This long-awaited capability ensures that new or reset devices arrive at the desktop fully patched and compliant, eliminating the post-deployment patching gap that has long plagued IT teams and frustrated end users.
Background
For years, one of the most tedious and risky aspects of Windows deployment was the lag between unboxing a new device and applying the latest security and quality updates. Vendors ship devices with months-old OS images, and by the time a user logs in, dozens of cumulative updates, security fixes, and drivers may be missing. This window of vulnerability exposes organizations to security risks, generates helpdesk tickets, and extends onboarding times. Microsoft has been working toward a managed OOBE update experience for over a year, seeking to close that gap and make zero-touch provisioning truly zero-touch from a patching perspective.
The concept first surfaced in early 2024 with a Microsoft 365 Message Center post (MC891223) that announced plans to enable quality updates during OOBE for all managed Windows 11 devices. That plan was postponed for refinement, and after community feedback, Microsoft solidified a new timeline: September 2025. In February 2025, the company signaled its intent to allow organizations to enable the feature via Autopilot and MDM/GPO controls. The September 2025 security update now marks the official delivery of the capability, with administrative controls centered on the Enrollment Status Page (ESP) in Microsoft Intune.
What Microsoft Is Delivering
The Essential Technical Change
During OOBE, after the user has selected region, keyboard, and network settings, Windows will now check for and install applicable quality updates on the final page before reaching the desktop. This applies to quality updates only—monthly cumulative security and reliability patches—not feature updates, driver packages, or other servicing types. The device will download and install the updates, potentially restart, and then proceed to the sign-in screen, now with the latest security fixes in place.
Eligible Devices and Management Scenarios
Devices must meet specific criteria to receive quality updates during OOBE:
- Running Windows 11, version 22H2 or later, with Pro, Enterprise, Education, or SE SKU.
- Microsoft Entra joined (formerly Azure AD) or Entra hybrid-joined and enrolled with an MDM solution that supports Autopilot ESP (typically Microsoft Intune).
- Must be imaged with the June 2025 Windows non-security update or later, or receive the August 2025 OOBE Zero Day Patch (ZDP) to include the necessary update orchestration logic. Devices lacking these images will still function but will download the ZDP during OOBE, slightly extending setup time.
These boundaries ensure the OOBE can display update progress and handle restarts gracefully. Microsoft also confirmed that the feature will not be limited to Autopilot-pre-registered devices; any Entra-joined device enrolled via a supported MDM can benefit, though the most seamless experience is with Autopilot and Intune.
Administrative Controls
The Enrollment Status Page Toggle
The primary control for IT is a new toggle in the Intune Enrollment Status Page profile: "Install Windows quality updates (might restart the device)." Administrators can:
- Turn the toggle on to allow updates during OOBE (the default for newly created ESP profiles after the feature becomes available).
- Turn it off to block updates during OOBE, retaining the traditional behavior.
- Assign ESP profiles to Autopilot device groups or "All devices" to enforce consistent behavior.
Existing ESP profiles will preserve their prior settings, meaning organizations that have not explicitly configured this toggle will not see a change unless they create new profiles or update existing ones. However, because the default is enabled for new profiles, IT teams who rely on programmatic or template-based profile creation must audit their setup to avoid unintended activation.
Group Policy and MDM Policy Alternatives
For organizations not using Autopilot/ESP, Microsoft provides a corresponding Group Policy and MDM policy to control the feature. However, some enrollment paths that skip the device ESP phase may not allow turning off OOBE updates, effectively forcing the default behavior. Non-Microsoft MDM vendors that implement Autopilot/ESP may expose a similar toggle, but feature parity and timing vary, so checking with your provider is essential.
Why This Matters
Day-One Security
The most immediate benefit is that devices handed to employees are in the organization’s approved patch state from the moment they log in. This shrinks the window of exposure between device handoff and the first completed update cycle, a critical improvement for vulnerability management and compliance audits. A new hire opening a freshly unboxed laptop now gets a device that already has the latest cumulative security fixes applied, reducing the attack surface from the first sign-in.
Fewer Helpdesk Calls and Smoother Onboarding
End users no longer need to run a lengthy Windows Update session on first sign-in. Fewer “my new laptop is installing updates” tickets reduce helpdesk strain, and new hires can get to work faster without interruption. This translates to measurable productivity gains and lower IT support costs.
Alignment with Windows Update for Business Policies
Microsoft designed the OOBE update path to respect existing quality update deferrals, pause policies, and Windows Update for Business (WUfB) settings. Only approved quality updates are installed during provisioning, ensuring consistent, policy-aligned behavior across the fleet. Administrators retain control over which updates are allowed, just as they do for post-login updates.
Risks and Caveats
Despite the clear advantages, several operational tradeoffs demand attention.
Longer Provisioning Time
Installing quality updates during OOBE adds an average of roughly 20 minutes to setup, though the actual time depends on update size, device hardware, and network speed. For bulk deployments or on-the-spot device activations, this extra time must be factored into rollout schedules. Microsoft itself warns in the original message center post that “device setup may require additional time due to quality update installation during OOBE.”
Temporary Access Pass Expiry
Because OOBE now takes longer, Temporary Access Passes (TAPs) used during enrollment can expire before the user reaches sign-in. IT teams must extend TAP validity during provisioning or adjust enrollment procedures accordingly. As one community member noted, a TAP that worked fine under the old flow may now run out before the device is ready, leaving users stranded.
Scope Limitations
The feature covers only quality updates. Feature updates, firmware, and driver packages remain outside its scope. Organizations still need separate processes to manage these. Don’t assume an OOBE-patched device is fully up to date in every respect—drivers and feature versions may still lag, and critical firmware updates will require post-deployment attention.
Default Behavior May Surprise
As noted, new ESP profiles default to enabled. Organizations that relied on manual first-boot updating may inadvertently apply updates during OOBE unless they explicitly disable the toggle. A proactive audit of all ESP profiles is essential before the September rollout. The WindowsForum.com discussion highlighted that even experienced admins could be caught off guard by this default.
Network Bandwidth and Vendor Logistics
If many devices are provisioned simultaneously—common in office refreshes—downloads can saturate WAN links. Use Delivery Optimization or local WSUS/Distribution points to manage bandwidth. Coordinating with OEMs to pre-image devices with the June 2025 non-security update reduces download volume and speeds OOBE. Failure to do so could lead to hours-long provisioning for a large batch.
Failed Update States During OOBE
An update failure during OOBE could leave a device in an unusable state, requiring recovery or reimaging before first login. Thorough testing of images and deployment scenarios is critical to catch such failures early. The shift moves the failure domain from a user-controlled update session to a headless provisioning phase, demanding robust error-handling and support documentation.
Pre-Deployment Checklist for IT Teams
To prepare for this change, IT administrators should follow a clear checklist:
1. Verify device eligibility: Target devices must run Windows 11 22H2 or later on Pro, Enterprise, Education, or SE, and be Entra-joined or hybrid-joined with Intune (or a compatible MDM).
2. Audit ESP profiles: Review existing and new ESP profiles to explicitly set the “Install Windows quality updates” toggle to your desired state. Remember, new profiles default to enabled.
3. Update imaging processes: Ensure device images include the June 2025 non-security update, or coordinate with vendors to apply the August 2025 ZDP. This reduces OOBE update download size and time.
4. Pilot thoroughly: Run test deployments on representative hardware, networks, and user locations. Measure OOBE duration and identify any failure modes.
5. Extend TAP lifetimes: Adjust Temporary Access Pass validity to cover the extended OOBE time. Consider alternative authentication flows during provisioning.
6. Configure monitoring: Enable ESP telemetry, Intune diagnostic logs, Windows Update for Business reporting, and Autopilot diagnostics. Set up alerts for OOBE update failures.
7. Train support staff: Ensure helpdesk teams know the new flow and can troubleshoot issues like update failures or TAP expiry.
Testing and Validation Guidance
A successful rollout hinges on rigorous validation:
- Diverse device matrix: Test on low-end CPUs, high storage load devices, and various network segments. OOBE update time can vary dramatically.
- Vendor alignment: Confirm that OEM images meet the June 2025 baseline. If not, expect each device to download the ZDP, adding time.
- Network stress-testing: For mass deployments, verify that Peer-to-Peer Delivery Optimization or local caching prevents internet link saturation.
- Failure simulations: Simulate interrupted downloads, expired TAPs, and ESP interruptions. Create clear runbooks for technicians.
Real-World Deployment Patterns
Zero-Touch Corporate Provisioning (Autopilot + Intune)
Organizations using Autopilot with ESP profiles assigned to device groups will see the most seamless experience. The feature automates what was a manual post-login task, giving users an immediately secure device. This aligns perfectly with zero-touch visions, where a new hire simply unboxes and signs in.
Vendor-Imaged Large Dispatch
When OEMs pre-image devices, ask them to include the June 2025 update. This reduces OOBE downloads and keeps provisioning within expected timeframes. Without this, deployments may exceed time budgets, especially for batches of hundreds of laptops.
Hybrid Operations with Manual Enrollment
Autopilot devices are governed by ESP; manually enrolled devices may fall back to Group Policy or require manual updates after login. Verify which enrollment paths your organization uses and whether they expose the policy as expected. This is crucial for mixed environments where some devices are not pre-registered.
Security and Compliance Analysis
From a security standpoint, applying quality updates during OOBE is a meaningful improvement. It shortens the window of known vulnerability exposure, helping organizations meet strict compliance requirements and vulnerability management SLAs. Regulators and auditors will appreciate that new endpoints are patched from the start, though documentation should clarify that OOBE updates cover only quality fixes, not all potential patches. Compliance programs should update their procedural language to note the scope and ensure evidence collection reflects the new provisioning flow.
However, risks remain: firmware vulnerabilities or critical driver updates will still need separate remediation. The OOBE update path must be viewed as one piece of a holistic patching strategy, not a complete solution. Security teams should continue to monitor for hardware-level vulnerabilities and plan firmware updates outside the OOBE workflow.
What IT Admins Are Saying
Community discussions echo cautious optimism. On forums like WindowsForum.com, IT professionals applaud the shift but warn peers not to assume the device is fully updated after OOBE. They emphasize that feature updates and drivers still require separate management, and they stress the importance of testing ESP defaults. One contributor noted, “This is a huge win for day-one security, but don’t let it lull you into thinking your driver and firmware update cycles are obsolete.”
Independent outlets such as The Register and Windows Latest have covered the change, noting its potential to reduce zero-day exposure while cautioning about longer setup times and the need for administrative vigilance. The consensus: the feature is a net positive, but only if IT does its homework.
Conclusion
Microsoft’s decision to bake quality updates into Windows 11 OOBE for Entra-joined devices is a significant step toward fully automated, secure device provisioning. It removes a manual burden from IT, strengthens day-one security, and aligns with modern zero-touch deployment practices. But it also introduces new operational considerations: longer setup times, TAP expiry, default settings surprises, and the ongoing need to manage updates outside the quality path. With careful planning, pilot testing, and configuration, IT teams can turn this change into a net positive—delivering devices that are ready to use and secure out of the box. As the September 2025 security update rolls out, the onus shifts to administrators to embrace the new default or consciously opt out, ensuring their provisioning workflows match their security goals.