Date: 2025-08-26

The change will take effect starting with the September 2025 security update

Microsoft is changing the way new Windows 11 devices are set up. Starting with the September 2025 security update, eligible PCs will get the latest quality and security patches during the out-of-box experience (OOBE), so users sign in on day one with everything already up to date.

This rollout applies to Microsoft Entra joined or hybrid joined devices, covering editions like Pro, Enterprise, Education, and SE. The feature is enabled by default, though IT admins can manage it through Microsoft Intune or other supported solutions.

Here’s how it works: at the final stage of OOBE, Windows Update will check for any pending quality updates and install them before the device hands over control to the user. Microsoft says this cuts down post-deployment patching and ensures systems meet security requirements from the very first login.

If you’re using Windows Autopilot with the Enrollment Status Page (ESP), you’ll notice a new option called “Install Windows quality updates.” For new ESP profiles, it’s switched on by default, while older profiles will need to be updated manually.

Admin Controls Stay in Place

Organizations concerned about timing can still enforce pause or deferral policies. Microsoft notes that linking your Windows Update rings profile with your ESP device group ensures those rules apply even during OOBE.

For those managing devices outside Intune, some third-party MDM solutions may also support this functionality if they’ve integrated ESP properly.