Windows 11 will now—in certain scenarios—automatically download and install critical zero-day patches (ZDPs) while a device is still in the Out-of-Box Experience. A revised Microsoft Learn document confirms that users cannot opt out of these updates: they are applied after the first network connection, and the PC will reboot to complete installation. The change, which had been previewed and delayed since late 2024, is now rolling out to devices running Windows 11 version 22H2 and later. For enterprise-managed machines enrolled in Microsoft Intune and joined to Microsoft Entra (Azure AD), the Enrollment Status Page (ESP) will eventually surface a toggle that lets administrators decide whether monthly quality updates also install during OOBE. The default for new ESP profiles will be to apply all eligible updates.
Microsoft’s goal is to close the “day-one patching gap”—the risky window when a freshly unboxed device sits unprotected against known exploits until the user or IT staff manually runs Windows Update. By baking the patching process into OOBE, the company hopes to remove a long-standing friction point that generated help desk calls and vulnerable endpoints. But the move also reshapes provisioning workflows, forcing IT teams to re-plan imaging cadences, network capacity, and enrollment timelines.
What the Change Actually Entails
According to the official documentation, critical ZDP updates are now treated as mandatory for correct device operation. Once a user connects to a network during OOBE, Windows will check for and install any ZDPs, displaying a progress screen that warns the device may restart. Depending on OS build and device eligibility, Windows may also offer the latest quality updates—monthly cumulative security and reliability fixes. The process, Microsoft warns, can take 30 minutes or longer, driven by update size, network speed, and hardware performance.
Feature updates and most driver packages are excluded from automatic OOBE installation, reducing the risk of provisioning-time incompatibilities. For managed scenarios, the intended behavior is tied to Intune’s Enrollment Status Page. A new setting, “Install Windows quality updates,” will appear in ESP profiles once devices have the prerequisite servicing stack updates. When enabled, the device will respect the same update ring deferrals and pause policies assigned to its Autopilot group, ensuring consistency between enrollment-time and post-enrollment update enforcement.
Microsoft’s phased rollout means the change will not hit all tenants simultaneously. Message Center notices and Intune admin center updates will signal when the ESP toggle becomes available. The company had initially planned a broader rollout in September 2024 but paused after IT community feedback, revising the plan to add stronger admin controls before proceeding. Public guidance now points to a staged deployment through mid-2025 and into late 2025 servicing updates.
How the OOBE Update Flow Works
The technical sequence is straightforward:
- The device boots into OOBE, and the user connects to a network (or the device gains connectivity automatically via Ethernet).
- On the final OOBE pages, Windows Update performs a scan for applicable ZDPs and, if permitted, recent quality updates.
- If updates are found, they download and install in the background while a progress UI is shown. The PC may restart once or multiple times to complete installation.
- Only after all mandatory updates are applied does the user reach the first sign-in screen.
This flow is distinct from the legacy feature that simply checked for updates after OOBE; the updates now integrate deeply into the enrollment path, particularly for Autopilot devices where the ESP already blocks access to the desktop until certain stages succeed.
Enterprise vs. Consumer: Who Feels the Impact
Enterprise (Intune / Autopilot / Entra-joined)
For organizations using Windows 11 Pro, Enterprise, Education, or SE with Intune MDM and Entra join, the OOBE update behavior will be the most configurable. The ESP toggle gives administrators a binary choice: allow quality updates during OOBE or keep the previous behavior (critical ZDPs only). Without the toggle, default behavior will lean toward installing updates. IT teams must ensure their golden images include the June 2025 or later servicing payloads; otherwise, the ESP setting won’t appear, and behavior could be inconsistent.
Key requirements for managed devices include Windows 11 version 22H2 or later, images with the prerequisite updates, and Intune assignment aligned with Windows Update for Business rings. During Autopilot provisioning, the Enrollment Status Page will track the update installation as a distinct phase, so if an update fails, the enrollment can halt—this demands robust testing.
Consumers and Retail Devices
Retail Windows 11 devices have already been receiving some updates during OOBE. Microsoft’s documentation and community reports confirm that consumer SKUs may download and install quality updates and ZDPs if an internet connection is present. The end-user has no kill switch; they can only watch the progress bar. This has prompted frustration among users accustomed to bypassing online requirements via the classic OOBE\bypassnro command or similar registry edits. Microsoft has been steadily restricting these workarounds in Insider builds, making offline local account setup harder without internet connectivity.
For consumers with bandwidth concerns or privacy preferences, the only robust alternatives are enterprise-style offline imaging—which is impractical for most—or relying on increasingly fragile unofficial bypasses that may vanish in future updates.
The Tradeoffs: Security Wins, Operational Headaches
The security case is airtight. Devices leave factories with build images that can be months old. A zero-day that emerged two weeks after the image was locked could be used to compromise a machine on first boot, before the user even opens a browser. Applying ZDPs during OOBE eliminates that window entirely. Managed fleets also gain fewer post-enrollment reboot storms, because the largest cumulative updates are already in place by the time the user signs in.
But those wins come with measurable costs:
- Longer provisioning times: The 20–30-minute estimate is optimistic for large updates or slow links. An organization provisioning 500 laptops in a single day must now budget significant extra technician time or adjust enrollment SLAs.
- Bandwidth saturation: Without careful planning, dozens or hundreds of devices simultaneously pulling multi-gigabyte update packages can cripple WAN links. Microsoft explicitly recommends Delivery Optimization, Connected Cache, or a local WSUS/Windows Update for Business cache for mass rollouts.
- Inconsistent behavior between enrollment paths: Autopilot device preparation, Autopilot provisioning, and direct ESP flows may handle updates differently, particularly during the transitional period when the ESP toggle hasn’t arrived yet or images aren’t fully updated. IT admins must validate their specific path.
- User frustration and support calls: Retail users may believe the PC is broken if it sits at an “Installing updates” screen for half an hour. OEMs and retailers need to update packaging and on-screen messaging to set expectations. In enterprise settings, help desk staff must be briefed to handle calls from users stuck at the ESP.
Administrative Controls and Rollout Timeline
Microsoft has committed to delivering policy controls in the Intune admin center. The ESP setting will be available for new profiles; existing profiles may retain their current defaults until an admin edits them. The rollout is tied to specific servicing updates expected around mid-2025 and the September 2025 security update window. However, exact KB numbers and dates will vary by tenant, and administrators should watch their Message Center for final notices.
The Intune Customer Success team also underscored that critical ZDPs remain mandatory and cannot be bypassed. The administrative control covers only quality updates. This means that even if an admin disables the ESP toggle, a device will still download and apply any ZDP classified as critical during OOBE.
Consumer Workarounds: A Shrinking Window
Advanced users have long relied on OOBE\bypassnro to skip the Microsoft account requirement and stay offline during setup. In recent Insider builds, that script has been removed or neutered. Other methods—registry hacks, pre-staged unattend.xml files—may persist but are not guaranteed to survive future updates. Tom’s Hardware and The Verge have documented Microsoft’s hardening efforts, noting that the company is actively closing these loopholes to push users toward Microsoft Account sign-in and automated update compliance.
For IT professionals, this is a non-issue: they use Autopilot or offline provisioning tools. For the hobbyist who wants a local account and no online updates, the path is narrowing. The advice from community experts is blunt: if offline setup is critical, create a USB installation media with a custom answer file or pre-provision the image in audit mode before OOBE. These methods require more technical skill and are not officially endorsed for mainstream consumers.
Practical IT Guidance: Seven Steps to Prepare
Organizations that act now can turn the change into a security and productivity win:
1. Inventory and validate prerequisites: Confirm all devices are on Windows 11 22H2 or later and that golden images include the latest servicing stack updates. Without these, the ESP toggle may not appear.
2. Pilot with a small cohort: Create an Intune ESP profile with the update setting enabled and assign it to a representative test group covering different hardware models and enrollment types. Measure full provisioning time, update size, and reboot count.
3. Synchronize update rings: Ensure the Autopilot device group has a matching Windows Update for Business profile so that deferral and pause policies apply consistently during OOBE. An unassigned device might install updates without any deferral, defying the organization’s update rhythm.
4. Plan network capacity and caching: Deploy Delivery Optimization peer-to-peer or Microsoft Connected Cache on distribution points. For large rollouts, consider staging devices in batches or pre-caching update packages on a WSUS server.
5. Adjust help desk and temporary access passwords: Factor in longer enrollment windows. Extend the lifetime of Temporary Access Passwords used during Autopilot to avoid mid-provisioning expirations.
6. Test application compatibility: Even though OOBE installs are limited to quality updates, some cumulative packages can conflict with OEM drivers or third-party security software. Run a compatibility check in the pilot before expanding.
7. Communicate clearly: Inform all stakeholders—IT staff, procurement, help desk, and end users—that the initial setup will take longer and that the progress screen is normal. This reduces panic and unnecessary support tickets.
Risks and Failure Modes
The most common pitfalls stem from incomplete image preparation. If a device lacks the prerequisite servicing update, the Intune ESP setting won’t appear, and the device may either skip updates entirely or install them without respecting the tenant’s configured policy, leading to inconsistent behavior. Other risks include network congestion causing enrollment timeouts, ESP failures if an update installation hangs, and confusion when a legacy Autopilot profile without the new toggle behaves differently from a newly created one.
For consumers, the biggest risk is assuming old bypass tricks will keep working. A setup attempt that previously took 10 minutes could now take 45 minutes, and attempting to force-offline the device might leave the OS in an incomplete state.
A Balanced Verdict
Microsoft’s OOBE update initiative is a logical, security-first evolution of Windows provisioning. It solves a real problem: the “day-one vulnerability gap” that has plagued unpatched new PCs for years. By hardening the device before the first human interaction, the change meaningfully raises the security bar for millions of endpoints.
For enterprises, the inclusion of Intune controls and the transparent documentation turn a potentially disruptive change into a manageable shift. IT teams can choose to delay quality updates if they’re willing to accept a larger post-enrollment patching window, or they can embrace the new default and invest in the caching and imaging work necessary to support it.
For consumers, the tradeoffs are less forgiving. The lack of opt-out and the closure of popular bypasses will frustrate users who value offline setup or whose internet connections are slow or metered. Microsoft’s stance prioritizes platform security over setup flexibility, a direction consistent with Windows 11’s broader hardening but one that could alienate a vocal minority of power users.
The net outcome depends on preparation. Organizations that update images, pilot the ESP, and deploy local caching will likely see lower support costs and stronger security postures. Those that ignore the change will face longer provisioning times, erratic behavior, and help desk escalations. The window to prepare is now, while the rollout is still staged, and before the default behavior becomes universal.