MC1134168: Plan for Change: Windows quality updates during the out-of-box experience

Beginning with the September 2025 Windows security update, quality updates will get installed by default during the out-of-box experience (OOBE) for devices that are on Windows 11, version 22H2 or later.

Expected in Intune’s August (2508) service release, we will introduce a new setting "Install Windows updates" in the Enrollment Status Page (ESP) to allow you to manage the installation of quality updates during OOBE. Stay tuned to What’s new in Intune for the release.

How this will affect your organization:

If you are using Windows Autopilot and ESP, the Install Windows updates setting will be automatically set to “Yes” for new ESP profiles and “No” for existing profiles. If the ESP setting is set to “Yes”, updates will be delivered during OOBE. When configured to “No”, updates will be prevented during OOBE. Additionally, update rings settings (if assigned, as defined below) will be delivered during the ESP and the quality updates page will be shown while the update is applied after ESP completes.

Important: Devices enrolling with Windows Autopilot device preparation or with ESP disabled, cannot prevent Windows updates during OOBE and will receive the latest published security updates.

What you need to do to prepare:

Update your documentation and user guidance as needed. To manage quality updates installed during OOBE for devices using ESP:

1. In the ESP profile, set Install Windows updates to “Yes” to allow updates or “No” to prevent updates.
2. (Recommended) Use or create an update rings policy to manage pause and deferral settings for quality updates. Quality updates installed during OOBE will follow this policy.
3. Assign the ESP profile and the update rings policy to “All devices” or device groups with devices registered for Windows Autopilot.

Related information:

• Coming soon: Quality updates during the out-of-box experience
• Set up the Enrollment Status Page