Source: www.techrepublic.com – Author: Aminu Abdullahi
Published
We may earn from vendors via affiliate links or sponsorships. This might affect product placement on our site, but not the content of our reviews. See our Terms of Use for details.
Microsoft says these Windows 11 out-of-box experience quality updates should help improve security and stability. This new system does come with a trade-off.
Microsoft is changing how businesses set up new Windows 11 devices. Starting in September 2025, eligible enterprise and education customers will get the latest quality updates during the Windows out-of-box experience (OOBE) before the first login.
The company says the move is meant to improve security and stability from the very beginning, cutting down on the number of updates required after deployment.
How it will work
On the final page of OOBE, the device will now check Windows Update and install any available quality updates. That means the system should already be patched with the latest bug fixes and improvements when the user signs in for the first time.
“You can maintain seamless control over quality update behavior during provisioning, while ensuring alignment with organizational security and compliance requirements,” Microsoft wIf rote in its official announcement.
This new default will not affect unmanaged consumer devices. It applies only to Microsoft Entra-joined or hybrid-joined PCs running Windows 11 version 22H2 or later and managed through Intune or supported mobile device management (MDM) solutions with an Autopilot Enrollment Status Page (ESP) profile.
IT administrators can manage the process from the Intune admin center by going to Devices | Enrollment | Enrollment Status Page and then adjusting the new setting Install Windows Quality Updates (Might Restart The Device).”
New ESP profiles will have the option turned on by default, while existing profiles will remain set to No until changed.
A trade-off: Longer setup for better security
Although the new system gives administrators more flexibility, it comes with conditions. If a device is not assigned an ESP profile, the updates will install automatically and cannot be disabled. This means organizations relying on Autopilot device preparation policies may find the updates enforced by default.
The updates also respect pause and deferral rules if those settings are properly configured in Update Rings and assigned to the same group as the ESP profile. Without this alignment, Microsoft warns that settings may not always apply consistently.
For IT teams, the change reduces the burden of patching devices immediately after rollout, ensuring that systems are compliant and secure from day one. Users may notice a longer setup time, with some reports suggesting OOBE could now take up to 20 minutes before reaching the desktop.
Industry observers point out that, while the feature strengthens security, it also tightens Microsoft’s control over how updates are delivered, which has been a long-standing concern among enterprise administrators.
At Black Hat 2025, Microsoft revealed how its security teams work in real time to outpace hackers and stop attacks before they escalate.
Aminu Abdullahi
Aminu Abdullahi is an experienced B2B technology and finance writer. He has written for various publications, including TechRepublic, eWEEK, Enterprise Networking Planet, eSecurity Planet, CIO Insight, Enterprise Storage Forum, IT Business Edge, Webopedia, Software Pundit, Geekflare and more.
Original Post URL: https://www.techrepublic.com/article/news-windows-quality-updates-out-of-the-box/
Category & Tags: Microsoft,News,Security,Software – Microsoft,News,Security,Software
Views: 6
