Enhancements in Windows OOBE for Administrators
Beginning next month, Windows administrators will gain the ability to seamlessly integrate Microsoft’s quality updates into the Out of Box Experience (OOBE) by default. This enhancement addresses a longstanding issue faced by users without managed devices, who have often endured lengthy delays during the initial setup of Windows as updates are downloaded and installed.
The much-anticipated improvement allows eligible Microsoft Entra-joined or Entra hybrid-joined devices running Windows 11 22H2 or later to receive the latest quality updates during OOBE. Specifically, on the final page of the OOBE process, the device will automatically check for Windows Updates and install any relevant updates. Consequently, users can expect their devices to be up to date upon their first sign-in.
Control over this action remains firmly in the hands of administrators through a designated policy setting. Notably, updates during OOBE will adhere to any pause and deferral settings that have been configured. Microsoft emphasizes, “You can maintain seamless control over quality update behavior during provisioning, while ensuring alignment with organizational security and compliance requirements.”
However, administrators are advised to proceed with caution. The new Windows Autopilot Enrollment Status Page (ESP) setting that installs quality updates is enabled by default for new ESP profiles, where it is available. Note that Windows updates during OOBE cannot be disabled unless a device ESP is in use.
Previously, administrators could install updates during OOBE before the first user sign-in, but this required a certain level of expertise with PowerShell. Indeed, a familiarity with PowerShell and the intricacies of Windows management has often been a prerequisite for overseeing a fleet of Windows devices.
To access the new setting, devices must have been imaged with the June 2025 Windows non-security update (or later) or have received the August 2025 update. Additionally, a Windows Autopilot ESP is required, and Microsoft strongly encourages administrators to utilize Intune, although it acknowledges that some non-Microsoft mobile device management (MDM) solutions can also leverage the ESP functionality.
For those eager to implement this new capability, the wait will not be long. Microsoft has announced that it will be available starting with the September 2025 Windows security update. One can only hope that this update proves to be significantly more stable than its predecessor from August.