Here’s how you can enable or control the installation of quality (critical/security) Windows updates during the Out-of-Box Experience (OOBE) when using Windows Autopilot with Microsoft Intune:
What’s Changing (Mid-2025 Onward)
- Starting mid-2025, Microsoft is rolling out a new policy that activates Quality Updates during OOBE for Windows 11 devices (version 22H2 or later). This ensures devices are up-to-date with security patches before users first sign in. (TECHCOMMUNITY.MICROSOFT.COM, Petri IT Knowledgebase)
- With this change, Intune will introduce a new setting — likely named “Install Windows updates” — on the Enrollment Status Page (ESP), granting you direct control over whether OOBE applies these updates. (Out of Office Hours)
What You Can Do Now (as of Late August 2025)
According to recent updates:
- Beginning with the September 2025 Security Updates (expected Patch Tuesday after this release), Quality Updates during OOBE will be installed by default for eligible devices (Windows 11, 22H2 or higher). (Out of Office Hours)
- Intune’s August 2025 (2508) service release will include the new “Install Windows updates” toggle on the ESP — allowing you to opt in or out of OOBE updates. (Out of Office Hours)
- The default behavior appears to be:
- Off for existing ESP profiles (i.e., you’re opted out by default if you’re already configured).
- On for any new ESP profiles created after the update. (Out of Office Hours)
Summary: Enabling or Disabling OOBE Updates
| Scenario | Action Required |
|---|---|
| Already using ESP profiles | Expect Quality Updates off by default — you can manually enable via the new ESP setting once available. |
| Creating new ESP profiles (post-2508) | Quality Updates during OOBE will be On by default — you can disable if desired. |
| Not using Autopilot/ESP | OOBE updates aren’t enforced; Group Policy (MDM or GPO) can still disable updates if needed. (TECHCOMMUNITY.MICROSOFT.COM, Petri IT Knowledgebase, Windows 11 Forum) |
Action Plan for Your IT Team
- Watch for the Intune “Install Windows updates” setting in the ESP when the 2508 update rolls out (expected August 2025).
- Review your existing ESP profiles — if you want updates during OOBE, enable the new setting; if not, leave it disabled.
- Monitor new ESP profiles — understand OOBE updates will be enabled by default, so proactively disable if that doesn’t align with your rollout strategy.
- Leverage your existing quality update policies (deferrals, pauses, etc.) — these will automatically sync and apply during OOBE. (TECHCOMMUNITY.MICROSOFT.COM, Petri IT Knowledgebase)
- If not using Autopilot, you still have control via Group Policy or MDM to disable quality updates during OOBE. (TECHCOMMUNITY.MICROSOFT.COM, anoopcnair.com)
In a Nutshell
- Yes, you can enable Windows Autopilot to patch devices during setup.
- The feature will be available starting late August 2025 via Intune ESP.
- Defaults: Off for old ESP, On for new ESP — giving you flexibility.
- Quality updates will respect your existing deferral policies and can be controlled via the ESP toggle.
- Group Policy remains an option if you’re not using Autopilot/ESP.
