Microsoft tweaks Windows Out of Box Experience for enterprises to adjust control freakery
- Reference: 1756226228
- News link: https://www.theregister.co.uk/2025/08/26/microsoft_adds_updates_to_the/
Users without managed devices have long faced an interminable wait during the first setup of Windows while updates are downloaded and installed. Microsoft's "much awaited improvement" means that the ability to get the latest Windows quality updates during OOBE is coming to eligible Microsoft Entra-joined or Entra hybrid-joined devices running Windows 11 22H2 or later.
The [1]change means that on the last page of OOBE, the device will check Windows Update and install any applicable updates. This means that when a user first signs in, the device will (in theory) be up to date.
The action is controlled by administrators via a policy setting, and the updates during OOBE respect pause and deferral settings if so configured. Microsoft said, "You can maintain seamless control over quality update behavior during provisioning, while ensuring alignment with organizational security and compliance requirements."
Administrators need to exercise some caution. The new setting in the Windows Autopilot Enrollment Status Page (ESP) to install quality updates is enabled by default for new ESP profiles, if available, and it's not possible to turn off Windows updates during OOBE if you're not using device ESP.
[5]Microsoft keeps adding stuff into Windows we don't want – here's what we actually need
[6]Make Redmond angry by setting up Windows 11 with a local account
[7]Windows 11 is a minefield of micro-aggressions in the shipping lane of progress
[8]Tested: Microsoft Recall can still capture credit cards and passwords, a treasure trove for crooks
It was already possible for administrators to get updates installed during OOBE before the first user sign-in, but this required [9]familiarity with PowerShell. Although, to be fair, familiarity with PowerShell and the internals of Windows is almost a prerequisite for managing a fleet of Windows devices.
To get the new setting, a device needs to have been imaged with the June 2025 Windows non-security update (or later) or received the August 2025 update. A Windows Autopilot ESP is also needed and, unsurprisingly, Microsoft is very keen that administrators should use Intune (although it noted that "some non-Microsoft mobile device management (MDM) solutions are also capable of using the ESP functionality.")
Administrators who want to use this new functionality do not have long to wait. Microsoft said, "It will be available starting with the September 2025 Windows security update."
Which, we fervently hope, will be a good deal more stable than [11]what happened in August. ®
[1] https://techcommunity.microsoft.com/blog/windows-itpro-blog/get-ready-for-windows-quality-updates-out-of-the-box/4434498
[5] https://www.theregister.com/2025/08/16/microsoft_windows_features_help_productivity/
[6] https://www.theregister.com/2025/08/05/set_up_windows11_local_account/
[7] https://www.theregister.com/2025/07/28/windows_11_is_a_minefield/
[8] https://www.theregister.com/2025/08/01/microsoft_recall_captures_credit_card_info/
[9] https://www.reddit.com/r/Intune/comments/1ktefud/is_it_safe_to_perform_windows_updates_during_oobe/
[11] https://www.theregister.com/2025/08/20/microsoft_oob_reset_patch/
I'll just...
Leave it in the box...
Re: I'll just...
Yes, and six feet underground with heavy rocks on top.
A stake through its heart may also be prudent.
Re: I'll just...
I was thinking wrapped in welded chains and buried somewhere obscure in deep dark woods, never to be spoken of again.
Then I thought no, just shove the box in the cremator and be done with it.
By next month I will have migrated my Thinkpad to Linux, so no, no they won't.
Just about sums up Microshaft
<< administrators will be able to INFLICT Microsoft's quality updates >>
The first line just about sums up the output of Microshaft these days. The (w)hole of Windows is an infliction best avoided if at all possible. YMMV.
Clearly labeled configuration options in a unified, consistent interface, with well thought out settings hierarchies that don't get shuffled every six months or so, actually doing what they're labeled for, with documentation that manages to avoid lying to the system administrator ... all of these are anathema to Microsoft. Why build something that *works* when you can build something that is "beautifully complicated" and provides differentiation from your predecessors' work (entirely for internal organizational political reasons having absofuckinglutely nothing to do with functionality) while guaranteeing "Jorb Securimty"?
Out of Box Experience
more like
Out of Body Experience