Starting in September 2025, Windows 11’s out-of-box experience (OOBE) will gain a new step for managed devices: automatically downloading and installing the latest quality updates before the first user ever signs in. The change targets Entra-joined and Entra hybrid-joined machines managed through Microsoft Intune or compatible MDM platforms. While designed to deliver a fully patched endpoint on day one, the update stage will extend provisioning times by 30 minutes or more, forcing IT teams to rethink deployment workflows.
Microsoft has been layering security and manageability enhancements into the Windows setup experience for years. The new OOBE quality-update capability represents a direct response to enterprise requests for devices that are up-to-date the moment they reach an employee’s hands. At the same time, it introduces a practical trade-off: longer staging windows in exchange for eliminating the notorious “first-week patch storm.”
What’s Changing in OOBE
Near the end of the Windows 11 OOBE flow, qualifying devices will now encounter a new update stage. If a relevant quality update is available, the system will download, install, and potentially restart before proceeding to the final setup screens. Microsoft has explicitly stated that only quality updates—not feature updates or driver rollouts—will be applied. The mechanism is designed to honor existing Windows Update for Business (WUfB) deferral policies, ensuring that IT organizations don’t have their update cadences overridden.
This is distinct from the critical zero-day patch (ZDP) updates that Windows already forces during OOBE for all editions. Since mid-2024, any device reaching the network stage of OOBE could be required to install emergency security fixes, with no opt-out. The September 2025 enhancement extends that concept to routine quality updates but only for managed devices and with a clear administrative control toggle.
Which Devices Are Affected
Only a specific subset of Windows 11 devices will see the new behavior. To be eligible, a machine must:
- Run Windows 11 version 22H2 or later on a Pro, Enterprise, Education, or SE SKU.
- Be managed via Microsoft Intune (or another MDM that supports Enrollment Status Page controls) and be either Entra-joined or Entra hybrid-joined. Autopilot scenarios with an assigned Enrollment Status Page (ESP) profile qualify.
- Belong to a tenant where the admin has enabled the relevant control (see below).
Consumer PCs not managed by Intune or an equivalent MDM, and not Entra-joined, are excluded from this change. Home, Professional (consumer), and other unmanaged editions will continue to follow the standard OOBE flow, interrupted only by mandatory ZDP patches.
Administrator Controls: The ESP Toggle
Control over whether quality updates install during OOBE lives inside the Enrollment Status Page profile in Microsoft Intune. In the Intune admin center, under Devices > Enrollment > Enrollment Status Page, each ESP profile now includes a setting labeled Install Windows quality updates (might restart the device). Administrators can set this to Yes or No.
Microsoft has confirmed that existing ESP profiles will default to No, leaving current provisioning behavior unchanged. Newly created ESP profiles will default to Yes, encouraging organizations that already enable ESP to adopt the feature proactively. The setting can also be delivered via MDM policy, and Group Policy counterparts are planned for environments that don’t use Intune. Third-party MDM vendors supporting Autopilot and ESP may surface an equivalent control, but IT teams should verify vendor support before relying on it.
Simple steps to enable or disable the feature:
- Sign into the Microsoft Intune admin center.
- Navigate to Devices > Enrollment > Enrollment Status Page.
- Select the ESP profile assigned to target devices.
- Under Settings, toggle Install Windows quality updates (might restart the device).
This gives organizations a clean on/off switch, allowing gradual rollout through profile targeting.
The Setup Time Trade-Off
Microsoft’s documentation warns that applying updates during OOBE “may take 30 minutes or more,” depending on update size, network conditions, and hardware capabilities. Some early third-party reports suggested an average of 20–30 minutes, but these figures are environment-specific and should not be taken as guarantees. Real-world duration will vary widely: a small cumulative update on a high-speed wired connection and a fast NVMe SSD might complete in 15 minutes, while a large security rollup over a congested VPN or Wi-Fi link on an older machine could easily exceed 45 minutes.
The added time comes with a forced restart, which means device provisioning scripts that assume a linear OOBE timeline may break. For high-volume deployment scenarios—such as seasonal refreshes or school lab imaging—the cumulative extra minutes per device can significantly extend overall staging windows. IT teams must plan logistics accordingly, factoring in network capacity and possible queuing.
Why the Change Benefits IT and End Users
Microsoft’s primary stated goal is to eliminate the “first-week update problem.” Newly deployed laptops often require multiple security patches immediately after a user signs in, leading to unplanned restarts, help-desk calls, and a poor first impression. By installing the latest approved quality update during OOBE, organizations can:
- Deliver devices that are compliant with corporate patch baselines from the moment of first sign-in.
- Reduce the number of forced post-login updates and restarts during an employee’s first days.
- Simplify imaging strategies: images can be maintained with baseline software only, while the final update step applies the current cumulative patch, reducing image churn.
- Improve the end-user experience for new hires and field workers, who face fewer disruptions.
For IT operations, this means a cleaner handoff of new hardware and fewer surprise patch cycles. The feature respects organizational update approvals and deferrals, so a carefully staged update ring is not circumvented.
Potential Pitfalls and Mitigations
Despite its clear upsides, the OOBE update capability introduces several risks that demand careful planning.
- Network bandwidth and staging bottlenecks: Provisioning dozens or hundreds of devices simultaneously over a single corporate link can saturate WAN capacity, causing downloads to fail or slow to a crawl. Consider content caching via Delivery Optimization, Windows Server Update Services (WSUS), or Microsoft Endpoint Configuration Manager distribution points. Schedule deployments to avoid peak network traffic.
- Temporary Access Pass (TAP) expiry: Many organizations use time-limited credentials for Autopilot enrollment. The extended OOBE duration may cause TAPs to expire before sign-in completes, blocking enrollment. Extend TAP validity in Microsoft Entra ID before enabling the feature broadly, and coordinate with identity teams.
- Unexpected restarts and driver interactions: The update stage may trigger a restart that conflicts with OEM-provided drivers or pre-installed software. Test across your hardware fleet, particularly with models that have complex driver stacks or third-party security software.
- Image-driver mismatches: If a base image includes drivers expecting a specific Windows build state, applying a newer cumulative update could expose compatibility issues. Pilot on representative hardware before full rollout.
- Long provisioning in bulk deployments: In large-scale refreshes, the cumulative added time per device can be significant. Logistical planning should account for the extra minutes and possibly stagger imaging sessions.
Steps for a Smooth Rollout
A methodical rollout strategy will help avoid disruption:
- Pilot first: Choose a test group of representative device models, network segments, and Autopilot ESP profiles. Enable the update toggle only for these devices and measure actual download/install times, failure rates, and restart behavior.
- Extend TAP validity: In Microsoft Entra ID, increase the lifespan of temporary credentials used during provisioning to at least 60 minutes, or longer depending on your network latency.
- Implement caching: Configure Delivery Optimization for peer-to-peer sharing or use WSUS/Configuration Manager to seed updates locally. For on-premises staging labs, a local distribution point can dramatically reduce WAN traffic.
- Update ESP profiles carefully: Review all existing ESP profiles to decide which should receive the new toggle. For automation that creates new ESP profiles, explicitly set the toggle to the desired state to avoid surprises from the new default.
- Monitor and log: Collect Windows Setup, Windows Update, and MDM logs from pilot devices. Look for patterns such as update download failures, driver regressions, or prolonged restart loops. Engage OEM partners if hardware-specific issues surface.
- Communicate with stakeholders: Alert procurement, onboarding, and help-desk teams about the expected provisioning time increase so that device handoff schedules are adjusted.
The Bottom Line for IT Decision-Makers
Microsoft’s OOBE quality-update capability is a pragmatic response to the pain of deploying unpacthed devices. For managed, Entra-joined Windows 11 PCs, the ability to arrive at the user fully patched can significantly reduce post-deployment support tickets and improve security posture. Yet the extended setup time is not trivial. IT organizations that simply flip the switch without testing and network planning risk creating new bottlenecks.
The feature is not a forced, universal change—it’s a controlled, enterprise-oriented tool. By leveraging the Intune ESP toggle, conducting pilots, and putting the right caching infrastructure in place, teams can reap the day-one security benefits while keeping deployment timelines predictable. For environments running Windows 11 22H2 or later on Pro, Enterprise, Education, or SE SKUs with Intune management and Entra join, this update represents a clear net positive if adopted with care.