Date: 2025-08-28

Microsoft is changing how businesses set up new Windows 11 devices. Starting in September 2025, eligible enterprise and education customers will get the latest quality updates during the Windows out-of-box experience (OOBE) before the first login.

The company says the move is meant to improve security and stability from the very beginning, cutting down on the number of updates required after deployment.

How it will work

On the final page of OOBE, the device will now check Windows Update and install any available quality updates. That means the system should already be patched with the latest bug fixes and improvements when the user signs in for the first time.

“You can maintain seamless control over quality update behavior during provisioning, while ensuring alignment with organizational security and compliance requirements,” Microsoft wrote in its official announcement.

This new default will not affect unmanaged consumer devices. It applies only to Microsoft Entra-joined or hybrid-joined PCs running Windows 11 version 22H2 or later and managed through Intune or supported mobile device management (MDM) solutions with an Autopilot Enrollment Status Page (ESP) profile.

IT administrators can manage the process from the Intune admin center by going to Devices | Enrollment | Enrollment Status Page and then adjusting the new setting “Install Windows Quality Updates (Might Restart The Device).”

New ESP profiles will have the option turned on by default, while existing profiles will remain set to No until changed.

A trade-off: Longer setup for better security

Although the new system gives administrators more flexibility, it comes with conditions. If a device is not assigned an ESP profile, the updates will install automatically and cannot be disabled. This means organizations relying on Autopilot device preparation policies may find the updates enforced by default.

The updates also respect pause and deferral rules if those settings are properly configured in Update Rings and assigned to the same group as the ESP profile. Without this alignment, Microsoft warns that settings may not always apply consistently.

For IT teams, the change reduces the burden of patching devices immediately after rollout, ensuring that systems are compliant and secure from day one. Users may notice a longer setup time, with some reports suggesting OOBE could now take up to 20 minutes before reaching the desktop.

Industry observers point out that, while the feature strengthens security, it also tightens Microsoft’s control over how updates are delivered, which has been a long-standing concern among enterprise administrators.
