Windows Autopilot Update: Controlling Security Updates During OOBE

Control Windows security updates during OOBE with new Intune ESP settings. Learn how to manage quality updates for secure, efficient device provisioning.

Ensuring that devices are secure from the very first moment a user logs in is a critical challenge in modern endpoint management. For IT administrators leveraging Microsoft Intune and Windows Autopilot, the Enrollment Status Page (ESP) serves as the gatekeeper, ensuring policies and applications are applied before the user reaches the desktop. A significant development in this process involves the handling of monthly security updates during the Windows out-of-box experience (OOBE).

Managing Windows Quality Updates During OOBE

The Windows out-of-box experience is designed to be streamlined, yet security cannot be compromised for speed. By default, Windows OOBE attempts to download and install the latest monthly security update releases, known in the Intune ecosystem as quality updates. This ensures that a device is patched against vulnerabilities immediately, rather than waiting for a maintenance window after deployment. This much-awaited improvement is coming to eligible Microsoft Entra joined or Microsoft Entra hybrid joined devices running Windows 11, version 22H2 and later.

To give administrators better control over this behavior, Microsoft has introduced a new setting within the Intune Enrollment Status Page. This setting, labeled Install Windows quality updates (might restart the device), allows organizations to explicitly allow or block these automatic installations during the provisioning phase. This functionality aims to make sure that Windows devices are secure and up-to-date at the moment the user starts using the device, addressing the challenge that preinstalled Windows versions often don't include the latest security updates according to Peter van der Woude.

Current Status and Availability

While the interface for this configuration has been rolled out, it is important to note a temporary delay in functionality as of September 2025. Although you can currently configure the setting on both new and existing ESP profiles, the underlying engine that triggers the automatic installation and displays the new user interface is currently paused to ensure the best possible user experience. Microsoft has stated this capability was delayed by a couple of months for this reason as of August 25, 2025. The policy is expected to be available starting with the January 2026 security update and will no longer be enabled by default.

At FlowDevs, we monitor these updates closely to ensure our clients' digital strategies remain aligned with the latest technical capabilities. We recommend configuring your profiles now in anticipation of the feature going live, ensuring your environment is ready the moment the capability is fully restored.

Configuration Defaults and Strategy

Understanding how this setting applies to your environment is crucial for maintaining a consistent deployment workflow. The defaults differ based on the age of your ESP profile:

  • New ESP Profiles: By default, this setting is now configured to No (per the editor's note of December 9, 2025). This means newly created profiles will not attempt to install the most recent monthly security updates during OOBE unless the setting is explicitly enabled, once the feature is fully active.

  • Existing ESP Profiles: For profiles created prior to this update, the setting defaults to No. This prevents unexpected changes to your current stable deployment flows.

There are strategic reasons to toggle this setting to No. While installing updates during OOBE can add 20-40 minutes to the provisioning process as noted by Peter van der Woude, it's important to balance security with user experience. If your internal teams require time to validate monthly security updates against your core business applications, delaying installation until after the device is provisioned gives you that necessary buffer. However, the ability to control updates during OOBE is seen as a significant improvement for IT administrators as discussed in sysadmin communities.
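Because both new and existing profiles now default to No, the practical check is to confirm that every ESP profile in the tenant carries the value your update-validation process expects, and to change only the ones that deviate. The script below is an added example, not code from the original post, from FlowDevs or from Microsoft. It assumes the Microsoft Graph PowerShell SDK is installed, that the ESP profiles are exposed through the beta endpoint deviceManagement/deviceEnrollmentConfigurations as the resource type windows10EnrollmentCompletionPageConfiguration, and that the portal toggle "Install Windows quality updates (might restart the device)" maps to a boolean property named installQualityUpdates on that resource; the property name and the required permission scopes are assumptions to verify against the Graph beta reference for your tenant before relying on them.

```powershell
# Added example (not from the original post, FlowDevs or Microsoft): audit and, optionally,
# set the ESP quality-update toggle across all Enrollment Status Page profiles via Microsoft Graph.
# ASSUMPTIONS: Microsoft.Graph PowerShell SDK installed; the toggle is the boolean property
# 'installQualityUpdates' on the beta resource windows10EnrollmentCompletionPageConfiguration.

function Connect-EspGraph {
    # Read-only scope is enough for the audit; the write scope is only needed for Set-*.
    param([switch]$Write)
    $scope = if ($Write) { 'DeviceManagementServiceConfig.ReadWrite.All' }
             else        { 'DeviceManagementServiceConfig.Read.All' }
    Connect-MgGraph -Scopes $scope -NoWelcome
}

function Get-EspQualityUpdateSetting {
    # Returns one object per ESP profile with the current toggle value, ordered by priority.
    [CmdletBinding()]
    param()
    $uri = 'https://graph.microsoft.com/beta/deviceManagement/deviceEnrollmentConfigurations'
    $all = @()
    do {
        # Follow @odata.nextLink so tenants with many enrollment configurations are fully covered.
        $page = Invoke-MgGraphRequest -Method GET -Uri $uri -OutputType PSObject
        $all += $page.value
        $uri  = $page.'@odata.nextLink'
    } while ($uri)

    $all |
        Where-Object { $_.'@odata.type' -eq '#microsoft.graph.windows10EnrollmentCompletionPageConfiguration' } |
        ForEach-Object {
            [pscustomobject]@{
                Id                    = $_.id
                DisplayName           = $_.displayName
                Priority              = $_.priority
                # A missing property (older profile never touched in the new UI) reads as $false, i.e. "No".
                InstallQualityUpdates = [bool]$_.installQualityUpdates
            }
        } | Sort-Object Priority
}

function Set-EspQualityUpdateSetting {
    # PATCHes a single ESP profile; supports -WhatIf so a change can be previewed first.
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)][string]$Id,
        [Parameter(Mandatory)][bool]$InstallQualityUpdates
    )
    $uri  = "https://graph.microsoft.com/beta/deviceManagement/deviceEnrollmentConfigurations/$Id"
    $body = @{
        '@odata.type'         = '#microsoft.graph.windows10EnrollmentCompletionPageConfiguration'
        installQualityUpdates = $InstallQualityUpdates
    } | ConvertTo-Json
    if ($PSCmdlet.ShouldProcess($Id, "Set installQualityUpdates=$InstallQualityUpdates")) {
        Invoke-MgGraphRequest -Method PATCH -Uri $uri -Body $body -ContentType 'application/json'
    }
}

# Usage: list every ESP profile whose toggle differs from the value your validation
# process expects (here $false, matching the current default of No).
Connect-EspGraph
$expected = $false
Get-EspQualityUpdateSetting |
    Where-Object { $_.InstallQualityUpdates -ne $expected } |
    Format-Table DisplayName, Priority, InstallQualityUpdates

# To align a deviating profile once you have validated the month's updates:
#   Connect-EspGraph -Write
#   Set-EspQualityUpdateSetting -Id '<profile id from the audit>' -InstallQualityUpdates $true -WhatIf
```

Running the audit on a schedule, rather than once, catches a profile that someone later flips in the portal; the write path is deliberately separate, requires the ReadWrite scope, and honours -WhatIf so the change is visible before it is applied.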

Streamlining Your Device Lifecycle

Effective device management is just one piece of the puzzle in building an integrated digital system. Whether you are managing complex Autopilot scenarios, implementing Enterprise App Catalog solutions, or looking to automate your entire IT service management workflow using the Power Platform, precision is key. With Windows Autopilot and Microsoft Intune, you can maintain seamless control over quality update behavior during provisioning, while ensuring alignment with organizational security and compliance requirements according to Microsoft.

At FlowDevs, we specialize in unlocking efficiency through intelligent automation and custom infrastructure. If you are navigating the complexities of Intune transitions, such as the move to the low-privileged Intune Connector for Active Directory or implementing self-deploying modes, our team is ready to assist.

We partner with you to turn technical updates into operational advantages. To discuss how we can streamline your complex workflows or to get help optimizing your Intune and Autopilot configurations, please visit our bookings page at https://bookings.flowdevs.io.
