Starting with the September 2025 security update, Microsoft is flipping a switch that will automatically download and install Windows quality updates during the Out-of-Box Experience (OOBE) on eligible Windows 11 devices managed through Microsoft Intune. The change, delivered through Autopilot Enrollment Status Page (ESP) profiles, means that new devices can walk users straight into a freshly patched desktop—but it also raises fresh questions about deployment timing, update stability, and the careful balance between security and administrative control.

This is not a sudden, unannounced shift. Microsoft first teased the capability earlier in 2025, allowing organizations to opt in. Now, the behavior is being turned on by default for newly created ESP profiles in Intune, a move that promises to reduce post-deployment patching work and shrink the attack surface of new endpoints. Yet for admins who rely on meticulously tested, image-based provisioning or who operate in bandwidth-constrained environments, the change demands immediate attention and, in many cases, a deliberate opt-out.

What’s Changing Under the Hood

The new mechanism targets only quality updates—those monthly cumulative packages that bundle security and reliability fixes. Feature updates (major OS version jumps) and driver updates are explicitly excluded and continue to follow existing organizational policies. When an eligible device enters the Autopilot-driven OOBE, the final phase now includes a step where Windows Update fetches and installs the latest applicable cumulative update, reboots if necessary, and then presents the user with an up-to-date system at first sign-in.

This capability requires devices running Windows 11 version 22H2 or later, across Pro, Enterprise, Education, and SE SKUs. The device must be Microsoft Entra-joined or Entra hybrid-joined and enrolled through a mobile device management (MDM) service that supports the Autopilot ESP model—practically, this means Intune for most organizations. Underneath, the behavior lights up on machines that either received the vendor OOBE zero-day package (ZDP) from August 2025, or were imaged with the June 2025 non-security update or any later servicing release.

Where Administrators Find the Controls

The toggle that manages this feature lives inside the Autopilot Enrollment Status Page profile within the Microsoft Intune admin center. Navigate to Devices > Enrollment > Enrollment Status Page (ESP), and under Settings you will see “Install Windows quality updates (might restart the device)”. For all ESP profiles created after this change, that box is checked by default. Profiles that existed before this rollout remain untouched—their setting stays off unless manually edited. That means long-standing, mature profiles won’t suddenly spring a surprise; only new profiles or those an admin decides to alter will adopt the automatic update behavior.

Critically, administrators can still flip the switch off. The path is straightforward: edit the profile, uncheck the option, and save. The profile assignment then dictates which devices skip OOBE updates. For teams that push profiles programmatically or rely on templates, the default-on nature demands that they explicitly set the toggle to off if they wish to preserve prior behavior. Microsoft also notes that Windows Update deferral and pause policies are still honored during the OOBE update check—if those policies have already synced to the device before the update scan, the device will defer accordingly.

The Security Rationale Behind Microsoft’s Push

Microsoft is framing this as a straightforward security win. Devices that ship from OEMs or are re-imaged sit on months-old cumulative updates. Between the moment a user signs in and the time IT pushes the latest patches, the endpoint is exposed to known vulnerabilities. By shifting some of that patching into the provisioning pipeline, the attack window shrinks. For large fleets—think thousands of education devices or a financial services roll-out—the cumulative effect can be substantial.

There are other operational benefits: IT teams often burn cycles running one-off update tasks on freshly deployed machines. Letting OOBE handle the latest cumulative means fewer post-deployment chores. End users, in theory, also get a better first-day experience—no immediate reboot prompts or “updates pending” notifications. And because the device can sync an organization’s deferral policies before the OOBE update check, administrators can ensure that new devices land on the exact same update revision as the rest of the fleet, maintaining consistency.

Why Many Admins Are Wary

Despite the security upside, the change has triggered a predictable wave of caution among IT professionals—and the timing couldn’t be more delicate. The summer of 2025 was a bruising period for Windows updates, marred by problematic cumulative patches that caused crashes, interrupted recovery flows, and forced Microsoft to issue emergency out-of-band fixes. In that context, baking updates into the provisioning sequence feels like handing a flamethrower to a process that already has enough variables.

Provisioning time blow-up is the most immediate pain point. Monthly updates can be hundreds of megabytes or more. On a fast corporate network, the download and install might add only five to ten minutes. On a home Wi-Fi connection used by a remote hire, or in a satellite office with limited bandwidth, provisioning can balloon by thirty minutes or more. For scheduled mass deployments, those delays ripple through onboarding windows and can cause temporary passcode expiries that break enrollments altogether.

Update stability is a second concern. A quality update that causes a blue screen on a production desktop is bad enough; injecting that same update into OOBE means a device might never complete enrollment, leaving IT scrambling to recover it. Even without catastrophic failure, a regression introduced during setup can poison the first-run experience, turning the “fresher, more secure” promise into a help-desk nightmare.

Loss of control stings for organizations that build and validate golden images with specific, tested KB combinations. An automatic OOBE update can bump the build to a newer CU that hasn’t passed internal validation, potentially breaking line-of-business apps or custom configurations. The fact that new ESP profiles default to enabled means that an admin who quickly creates a profile without reviewing every toggle might accidentally push uncontrolled updates to a whole device group.

Intune/Autopilot dependency narrows the path for organizations that use third-party MDM solutions. While some vendors support ESP integration, feature parity and default behaviors vary. Shops that rely on on-premises management or alternative provisioning tools may not even see the toggle, or may find that updates apply by default in some flows without a clear opt-out.

Community Reaction and Early Feedback

The policy lands against a backdrop of simmering frustration over mandatory update behavior. Earlier in 2025, Microsoft made App Store updates mandatory, a move that drew sharp criticism from enthusiast and consumer communities. The OOBE update change, while enterprise-focused, touches the same nerve: a sense that Microsoft is incrementally removing choice in favor of a one-size-fits-all security posture.

IT forums and social channels lit up with a mix of cautious acceptance and loud complaints. Many administrators acknowledged the security rationale but demanded that Microsoft keep the default off, or at least provide a clear, unmissable prompt during profile creation. The fact that existing profiles are untouched suggests Microsoft listened to some of that feedback. Still, the broader sentiment is clear: test thoroughly before enabling, and be ready to flip the switch off if update instability rears its head again.

Practical Steps to Prepare Your Environment

No two organizations have the same risk tolerance or deployment pipeline. Here is how to navigate the change without getting burned:

  • Audit your ESP profiles immediately. Export a list from Intune. Note which were created after this change and which are long-standing. Understand which device groups they cover.
  • Set defaults deliberately. For any new profile that shouldn’t trigger OOBE updates, edit the toggle to off before saving. Where you do want updates, create a pilot profile and target only a test group.
  • Extend temporary passcode validity. If provisioning times lengthen, users may fail enrollment because their temporary password expires. Increase the validity window to head off this failure mode.
  • Optimize network paths. Ensure provisioning networks have enough headroom and that Windows Update endpoints are reachable. For large-scale rollouts, consider local update caching or offline media to trim OOBE update time.
  • Measure and document. Run side-by-side pilot enrollments with updates on and off. Record the time delta for different hardware classes and network conditions. That data will inform your rollout decisions and help set user expectations.
  • Have a rollback plan. If a problematic update breaks OOBE, you need a fast way to recover devices—whether that means a USB recovery drive, a network-based re-image, or a support script that bypasses the ESP step.
  • Update onboarding documentation. If users will see extra time during setup, tell them. Add a note to welcome materials: “Setup may take up to 30 minutes longer and will restart; keep the device plugged in.”

For regulated industries, the default-on nature of new profiles is a compliance trigger. Strict change-control environments must explicitly disable the toggle and document that decision. Internal SLAs between procurement, imaging teams, and IT operations may need revision to account for the altered provisioning timeline. While the updates themselves don’t raise privacy concerns, any behavioral change that affects the initial user experience should be reflected in acceptable-use policies and IT communication.

Zoom out, and this change is a microcosm of Microsoft’s broader trajectory. Cloud-based management (Entra + Intune) is the gravitational center for Windows fleet hygiene. The Autopilot/ESP pipeline is now the canonical provisioning path, and updates are just one more lever being pulled to enforce consistency. Expect more of these trade-offs as Microsoft chases a uniform, always-updated baseline. Community pressure will likely force the company to add more granular staging controls—perhaps server-side rollout flags or the ability to delay specific KB numbers—but for now, the burden sits squarely on IT administrators.

The Bottom Line for Windows IT Pros

The OOBE quality update feature is a sensible security improvement when deployed with eyes wide open. It genuinely cuts post-deployment work and can lock down devices faster. But the default-on setting for new ESP profiles makes it a booby trap for the unwary. Treat this as a configuration change that demands governance. Inventory your profiles, decide where the security gain outweighs the time and stability risks, and opt out where necessary. Pilot, measure, then roll out with policy guardrails that match your operational reality. As one veteran admin put it: “Great feature, terrible default.”