Microsoft is set to change the way Windows 11 devices are initially set up for enterprise and education customers, starting September 2025, by installing the latest Windows quality updates during the out-of-box experience before the initial login.
The company’s rationale behind this shift is to enhance security and stability from the outset, thereby decreasing the number of updates required post-deployment. Functionally, on the final out-of-box experience page, devices will automatically check Windows Update and install any available quality updates. This ensures that systems are patched with the latest bug fixes and improvements when the user first logs in.
“You can maintain seamless control over quality update behavior during provisioning, while ensuring alignment with organizational security and compliance requirements,” Microsoft stated in its announcement. This update will be applied to Microsoft Entra-joined or hybrid-joined PCs running Windows 11 version 22H2 or later that are managed through Intune or supported mobile device management solutions with an Autopilot Enrollment Status Page profile.
IT administrators can manage this process through the Intune admin center by navigating to Devices | Enrollment | Enrollment Status Page and adjusting the setting labeled “Install Windows Quality Updates (Might Restart The Device).” New Enrollment Status Page profiles will have this option enabled by default, while existing profiles will remain set to “No” unless manually changed. There is one exception: if a device is not assigned an Enrollment Status Page profile, the updates will install automatically and cannot be disabled.
This could affect organizations that rely on Autopilot device preparation policies, as the updates will be enforced by default. The updates will also adhere to pause and deferral rules if these settings are correctly configured in Update Rings and assigned to the same group as the Enrollment Status Page profile. Microsoft warns that inconsistent application of settings may occur without this alignment.
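The rules in the two paragraphs above can be turned into a pre-rollout audit. The PowerShell below is an added example, not Microsoft's tooling: the inventory is constructed, the field names are hypothetical rather than the Intune or Microsoft Graph schema, and it assumes the first profile or ring targeting a group is the one that applies. It reports, per device group, what to expect during the out-of-box experience (OOBE).

```powershell
# Added example. The inventory is constructed and the field names are
# hypothetical, not the Intune or Microsoft Graph schema.
$espProfiles = @(
    [pscustomobject]@{ Name = 'ESP-Sales';   InstallQualityUpdates = $true;  Groups = @('Sales') }
    [pscustomobject]@{ Name = 'ESP-Kiosk';   InstallQualityUpdates = $false; Groups = @('Kiosk') }
    [pscustomobject]@{ Name = 'ESP-Finance'; InstallQualityUpdates = $true;  Groups = @('Finance') }
)
$updateRings = @(
    [pscustomobject]@{ Name = 'Ring-Broad'; Groups = @('Sales', 'Kiosk') }
)
$deviceGroups = @('Sales', 'Kiosk', 'Finance', 'Lab')

function Get-OobeUpdateOutcome {
    param(
        [Parameter(Mandatory)] [string]   $Group,
        [Parameter(Mandatory)] [object[]] $EspProfiles,
        [object[]] $UpdateRings = @()
    )
    # Assumption: the first profile or ring that targets the group applies.
    $esp  = $EspProfiles | Where-Object { $_.Groups -contains $Group } | Select-Object -First 1
    $ring = $UpdateRings | Where-Object { $_.Groups -contains $Group } | Select-Object -First 1

    if ($null -eq $esp) {
        # No ESP profile: updates install and there is no switch to turn them off.
        $outcome = 'Installs during OOBE; cannot be disabled (no ESP profile)'
    }
    elseif (-not $esp.InstallQualityUpdates) {
        $outcome = 'Not installed during OOBE (ESP setting is No)'
    }
    elseif ($null -ne $ring) {
        # ESP profile and update ring share the group, so pause/deferral is honored.
        $outcome = 'Installs during OOBE; ring pause/deferral rules apply'
    }
    else {
        $outcome = 'Installs during OOBE; no ring on this group, settings may apply inconsistently'
    }

    $espName = '(none)'
    if ($null -ne $esp) { $espName = $esp.Name }
    $ringName = '(none)'
    if ($null -ne $ring) { $ringName = $ring.Name }
    [pscustomobject]@{ Group = $Group; EspProfile = $espName; UpdateRing = $ringName; Outcome = $outcome }
}

$deviceGroups | ForEach-Object {
    Get-OobeUpdateOutcome -Group $_ -EspProfiles $espProfiles -UpdateRings $updateRings
} | Format-Table -AutoSize -Wrap
```

In the constructed data, "Finance" has the setting enabled but no update ring on the same group, and "Lab" has no ESP profile at all; those are the two cases to resolve before the change takes effect.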
While this change reduces the burden of patching devices immediately after deployment, it may result in a longer setup time. Some reports suggest that the out-of-box experience process could take up to 20 minutes before the desktop is accessible. Industry observers note that this feature enhances security but also increases Microsoft’s control over update delivery, which has previously been a concern for enterprise administrators.
Separately, at Black Hat 2025, Microsoft detailed how its security teams are working to proactively counteract hackers and prevent attacks from escalating.




