MC1191345: Plan for Change: Windows quality updates during the out-of-box experience

Beginning with the January 2026 Windows security update, quality updates can be installed during the out-of-box experience (OOBE) for devices that are on Windows 11, version 22H2 or later. You can enable and manage these updates through Intune’s Install Windows updates setting in the Enrollment Status Page (ESP).

How this will affect your organization:

If you are using Windows Autopilot and ESP and have configured the Install Windows updates setting to “Yes”, updates will be delivered during OOBE. When configured to “No”, updates will be prevented during OOBE. Additionally, update rings settings (if assigned, as defined below) will be delivered during the ESP and the quality updates page will be shown while the update is applied after ESP completes. Refer to Set up the Enrollment Status Page for more details, requirements, and limitations.

Note: Devices enrolled with Windows Autopilot device preparation or ESP disabled cannot get Windows updates during OOBE, so they do not receive the latest security updates at that stage. Normal Windows update checks resume after OOBE is finished.

What you need to do to prepare:

Review your ESP profile and ensure Install Windows updates setting is configured based on your organization’s requirements. To manage quality updates installed during OOBE for devices using ESP:

1. In the ESP profile, set Install Windows updates to “Yes” to allow updates or “No” to prevent updates.
2. (Recommended) Use or create an update rings policy to manage pause and deferral settings for quality updates. Quality updates installed during OOBE will follow this policy.
3. Assign the ESP profile and the update rings policy to “All devices” or device groups with devices registered for Windows Autopilot.

Update your documentation and user guidance as needed.

Related information:

Get ready for Windows quality updates out of the box