Microsoft has begun rolling out a significant change to Windows 11 provisioning: eligible devices can now receive the latest quality and security updates during the out-of-box experience (OOBE), before the user ever signs in. This capability, delivered through Windows Autopilot and the Enrollment Status Page (ESP), ensures that new PCs are patched and compliant from the very first login. While it slashes the post-deployment patch gap, it also introduces new operational considerations for IT teams—longer setup times, network planning, and the risk of a bad update derailing an entire deployment. The shift moves routine patching directly into the initial setup flow, tightening security but demanding a disciplined rollout.
Background and Scope
Microsoft has been testing and progressively exposing the ability to apply quality updates during device setup for more than a year. The feature specifically targets monthly quality updates—those cumulative security and reliability releases—not feature updates or driver packs. It is scoped to managed, domain-joined scenarios where corporate enrollment and policy controls are in place before the device reaches the end user. The capability requires Windows 11 version 22H2 or later, with the device being Microsoft Entra joined (formerly Azure AD joined) or Entra hybrid joined, enrolled through Windows Autopilot, and managed by Microsoft Intune or a compatible MDM that supports ESP.
Administrators will find a new ESP setting labeled “Install Windows quality updates (might restart the device).” New ESP profiles created after the change default to enabling this behavior; existing profiles may need to be manually edited to opt in. This deliberate segmentation ensures that only organizations ready to absorb the operational impact will see the new flow.
How the OOBE Update Flow Works
When quality updates are enabled during OOBE, the process follows a precise sequence:
- The device completes initial provisioning—Autopilot registration, Entra join or hybrid join, and MDM enrollment.
- Before handing control to the user, the ESP triggers a Windows Update check.
- If applicable quality updates are found, the device downloads and installs them while still in OOBE.
- The device may reboot one or more times to finish installation.
- Once updates are installed, OOBE completes and the user is presented with a freshly patched OS at first sign-in.
Microsoft cautions that download and install time depends on update size, network conditions, and hardware. Typical quality updates add 20–30 minutes or more to the OOBE flow. Devices must remain plugged in and connected throughout.
Crucially, the OOBE update path is limited to quality updates. Feature updates and driver updates are excluded, as is the critical zero-day package (ZDP) flow—ZDP updates will still download automatically when needed, but the new capability does not replace that mechanism. This separation prevents larger, riskier changes from interfering with the first-login experience.
Benefits for Organizations and End Users
Integrating quality updates into OOBE reshapes the device provisioning lifecycle in several positive ways:
- Faster compliance: Devices leave the factory or distribution center and, once enrolled, receive the latest monthly patches before any user interaction. This cuts the window of vulnerability significantly.
- Reduced helpdesk load: Fewer immediate post-deployment update events mean fewer surprise reboots and support calls on day one.
- Cleaner deployment metrics: Inventory and compliance tools report accurate, up-to-date information right from the start.
- Aligned policies: When paired with Windows Update rings and ESP policy sync, pause and deferral policies apply before the device checks for updates, ensuring predictable behavior.
For security-conscious organizations, the benefit is clear: a device that has been sitting in a warehouse for months won’t wait until after first use to be patched against the latest vulnerabilities.
Risks and Operational Pitfalls
The new behavior also carries tradeoffs that IT teams must address:
- Longer OOBE times: Adding 20–30+ minutes can frustrate end users and slow high-volume deployment lines in retail, education, or seasonal refresh scenarios.
- Update reliability becomes part of the provisioning SLA: If a quality update fails, the device may become stuck in OOBE, requiring remediation before the user can sign in. This creates a new failure mode that support teams must be prepared for.
- Network capacity and bandwidth spikes: Pulling updates simultaneously on hundreds or thousands of devices can strain corporate internet links, demanding careful Delivery Optimization design.
- Risk of problematic updates: Monthly quality patches, while intended to be stable, can sometimes introduce severe regressions—storage driver issues, recovery failures, or boot problems. Applying such an update during OOBE could cripple a deployment at scale.
- Power resilience and physical constraints: A device that loses power or network mid-update may require recovery steps, potentially forcing a re-provision.
Recent high-profile incidents demonstrate that even routine patches can cause disruptions. IT teams must balance the immediate security payoff against the potential for a bad patch to grind provisioning to a halt.
Admin Controls: Managing the Experience
Microsoft provides several levers to control or opt out of the OOBE update behavior:
Intune / Enrollment Status Page (ESP)
The primary control lives in the Autopilot ESP profile:
- Microsoft Intune admin center > Devices > Enrollment > Enrollment Status Page > Choose ESP profile > Settings > “Install Windows quality updates (might restart the device)”
New ESP profiles default to Yes (enabled). Existing profiles default to No and must be edited. Admins can toggle per profile to suit different scenarios—kiosk devices versus corporate laptops.
Windows Update Rings and Policy Sync
To ensure pause and deferral policies are honored, link Windows Update rings to the same Autopilot/ESP device group. When properly assigned, the update ring settings synchronize before the final update check, so the OOBE update respects deferral periods or pauses.
Group Policy and MDM Controls
For environments not using Intune or Autopilot, Microsoft exposes the behavior via MDM policy (for supported third-party MDMs) and Group Policy. Third-party MDMs that implement ESP support may offer an equivalent toggle, but compatibility must be tested.
Pause and Deferral Strategy
Admins retain the ability to pause updates, defer them for a set number of days, and use Update Rings for phased piloting. Linking update rings to the same device groups as the ESP profile ensures consistent behavior.
IT Preparation Checklist
To adopt OOBE quality updates with minimal disruption, follow this discipline:
1. Audit current Autopilot and ESP profiles to determine which ones default to installing updates.
2. Create a pilot ESP profile and enable the setting for a small test group (IT devices or a lab).
3. Align Windows Update rings with the ESP assignment so deferral/pauses sync properly.
4. Validate network capacity and configure Delivery Optimization—peer caching, local caching servers, or CDN—to avoid saturating the internet link.
5. Extend temporary access token lifetimes (if using Temporary Access Passes) since multiple reboots may exceed default TOTP/TAP validity.
6. Test power and physical workflows: confirm devices stay plugged in and consider UPS protection in labs.
7. Prepare rollback and recovery instructions—document how to recover a stuck device, manually remove problematic updates, or re-provision.
8. Communicate expected OOBE times to end users and support staff, setting clear expectations.
9. Execute a phased rollout using pilot, canary, and broad rings, and monitor metrics closely.
Technical Considerations and Edge Cases
Delivery Optimization and Caching
When thousands of devices come online in a short burst—a school district refresh or enterprise branch deployment—Delivery Optimization is critical. Configure peer-to-peer caching, Microsoft Connected Cache, or a content distribution network to reduce external bandwidth consumption.
Intermittent Connectivity
If a device loses network mid-update, ESP behavior depends on the installation stage. Devices may need a provisioning re-run, manual recovery via Windows RE, or full redeployment. Instruct technicians to keep devices plugged in and consider pre-provisioning for sites with unreliable connectivity.
Diagnostics and Telemetry
Monitor update install success rates, ESP time-to-complete, failure codes (Shell-Core and Windows Update logs), and user-reported issues. These telemetry points enable rapid detection of broad failures caused by a specific update.
Non-Intune MDMs and Custom Environments
Third-party MDM vendors must support ESP integration and expose the OOBE update control. Without that support, the new behavior will not automatically apply. Always confirm in your management console.
Real-World Risks: Lessons from Problematic Updates
The strategy of patching during OOBE is not risk-free. Even monthly quality updates have caused storage driver regressions, recovery partition failures, and boot loops. Administrators must weigh the immediate security benefits against the possibility that a flawed patch could halt provisioning at scale. The key is not to shy away from the feature but to pilot rigorously and maintain the ability to pause or roll back problematic updates through Windows Update rings.
User Experience: What End Users Will See
When the new behavior is active, the final OOBE screen will display a message indicating that Windows is checking for and installing updates. Progress indicators and restart prompts appear without requiring user sign-in. Once all installs and reboots finish, the user encounters the standard first-sign-in experience on an updated OS. Clear internal communication prevents confusion when OOBE takes longer than the old normal.
Policy and Security Implications
Applying security updates during OOBE accelerates compliance, which is especially valuable for regulated industries. New devices become discoverable as compliant sooner by endpoint security tools, and Conditional Access policies based on device posture can be enforced from the first sign-in. However, since updates occur before user sign-in, any pre-sign-in network access, certificate provisioning, or driver policy must be compatible with the update process.
Troubleshooting and Remediation Playbook
If devices fail to update during OOBE or become stuck:
- Capture failure codes using Autopilot diagnostics and Windows Update logs.
- Reboot into Windows Recovery Environment for offline troubleshooting.
- Re-enroll via pre-provisioning if necessary.
- If a specific quality update is problematic across many devices, block or pause it via Windows Update rings and roll back using catalog-based methods.
- Maintain a documented runbook that includes steps for manual update installation and creating bootable recovery media.
Quick, documented remediation reduces mean time to resolution when provisioning pipelines hit snags.
Recommendations: Balancing Speed, Safety, and Control
- Start with a small pilot group and measure real OOBE times, failure rates, and user impact.
- Align Windows Update ring policies and ESP assignments before broad enablement.
- Configure Delivery Optimization and local caching to reduce network strain.
- Maintain central pause/deferral capabilities rather than forcing an “always-on” configuration across the entire estate on day one.
- Use telemetry to detect regressions early and have rollback plans ready.
- Educate frontline IT and helpdesk staff about the behavioral change so they can diagnose and assist efficiently.
What to Watch Next
This OOBE update capability is part of a broader evolution in Windows provisioning and device lifecycle management. Watch for:
- Management-console updates that expose finer-grained control.
- Changes to which update types are included in OOBE flows.
- Third-party MDM vendor support for ESP features.
- Tenant-specific guidance and Message Center notifications that may adjust timing or defaults.
Given the evolving nature of Microsoft’s rollout communications, treat announced default dates as guidance and confirm timing in your own tenant’s admin center.
Conclusion
Enabling quality updates during OOBE is a pragmatic evolution in Windows provisioning—it closes the post-deployment patch gap and accelerates time to compliance, delivering real security and operational gains. That upside, however, comes with added responsibility: longer setup times, network planning, rigorous piloting, and solid rollback procedures. For IT teams, this is not an automatic “flip the switch” benefit; it’s a powerful tool that must be integrated into change control, testing, and provisioning workflows. With careful preparation—aligned ESP profiles, linked Windows Update rings, Delivery Optimization planning, and phased rollouts—organizations can reap the security advantages while avoiding the deployment headaches that any update-driven process can bring.