Important: While writing this post the news came that this capability got delayed again to help ensure delivery of the best possible experience. As the configuration is still available in Microsoft Intune, this post can still provide value.
This week is all about the new functionality to install Windows security updates during the Windows out-of-box-experience (OOBE). That functionality is focused on making sure that Windows devices are secure and up-to-date at the moment that the user actually starts using the device. At this moment, one of the main challenges is that organizations have to rely on the preinstalled Windows version on the device. That might not – and often does not – include the latest Windows security updates. This new functionality can help with addressing that challenge by directly installing the latest Windows security updates during OOBE. A minor catch is that it adds 20-40 minutes to the provisioning process. Luckily, this functionality comes with a configuration option for the Enrollment Status Page (ESP). It will be important to find the right balance between installing the latest Windows security updates and getting the user up-and-running as fast as possible. This post starts with a brief introduction of this functionality, followed by the configuration steps, and the user experience.
Introducing Windows security updates during out-of-box-experience
When looking at controlling the installation of the latest Windows security updates during OOBE, it is important to keep in mind that the functionality was added via the 2025-06 D updates (KB5060829 and KB5060826). For supported versions of Windows 11 that don’t have those updates (or later) installed, the functionality is automatically added via a zero-day package (ZDP). That will be done before the ESP is displayed. The first Windows security update that should be handled during OOBE is 2025-09 B.
It is also really good to understand that this new behavior can be managed by using the Install Windows quality updates (might restart the device) setting of the ESP profile. For any existing profile that setting will default to No, to make sure that it has no unexpected impact on existing deployments and deployment processes. On the other hand, for any new profile that setting will default to Yes, which makes a lot of sense from a security-first principle. It is, however, important to keep in mind that this configuration does add about 20-40 minutes to the whole provisioning process of a Windows device. On top of that, it might restart the Windows device during the installation of the latest Windows security update, and in that case the user must sign in again. To support this functionality, devices must be running a supported version of Windows 11.
Important: Keep in mind that even though this capability is delayed, the default value for any new profile is still Yes.
The best part is that this functionality honors existing Update ring configurations, such as deferrals and pauses, and those configurations are synced before the ESP exits. That makes sure that the configurations are in place and can be used during the Windows Update scan. The last action will be the actual installation of the latest Windows security updates.
For new devices that are not registered with the different services, an All Devices assignment will be required.
Note: Windows Autopilot device preparation does not use ESP, which is why Windows security updates will always be installed during OOBE when using Windows Autopilot device preparation.
Enabling Windows security updates during out-of-box-experience
After being familiar with the ability to install Windows security updates during OOBE, it is good to get familiar with the configuration steps. Luckily, the configuration is pretty straightforward and is directly available within the ESP profile. And even better, with newly created profiles the Install Windows quality updates (might restart the device) setting already defaults to Yes. That makes it less interesting to look at the configuration of a new ESP profile. Existing profiles, however, default to No. For those profiles it is more interesting to look at the adjustments. The following steps walk through editing the default profile.
- Open the Microsoft Intune admin center portal and navigate to Devices > Windows > Enrollment > Enrollment Status Page
- On the Enrollment Status Page page, select the All users and all devices profile with the default priority
- On the All users and all devices page, navigate to Properties and select Edit in the Settings section
- On the Settings page, as shown in Figure 1, set Install Windows quality updates (might restart the device) to Yes and click Review + save

- On the Review + save page, review the configuration and click Save
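Because existing ESP profiles default to No while new ones default to Yes, it helps to audit all profiles at once rather than clicking through each. The following script is an added example and not part of the original post; it assumes the Microsoft.Graph PowerShell SDK is installed and that the beta Graph property backing this setting is named installQualityUpdates (an assumption to verify in Graph Explorer before relying on it).

```powershell
# Added example: list every Enrollment Status Page profile in the tenant and
# report whether "Install Windows quality updates (might restart the device)"
# is set to Yes, so profiles still on the default No stand out.
# Assumption: the beta property for the setting is `installQualityUpdates`.

Connect-MgGraph -Scopes 'DeviceManagementServiceConfig.Read.All' -NoWelcome

$uri = 'https://graph.microsoft.com/beta/deviceManagement/deviceEnrollmentConfigurations'
$configs = @()
# Page through the collection; Graph returns @odata.nextLink while more pages exist.
do {
    $page = Invoke-MgGraphRequest -Method GET -Uri $uri
    $configs += $page.value
    $uri = $page.'@odata.nextLink'
} while ($uri)

# Keep only ESP profiles; other enrollment configuration types share this endpoint.
$esp = $configs | Where-Object {
    $_.'@odata.type' -eq '#microsoft.graph.windows10EnrollmentCompletionPageConfiguration'
}

$report = foreach ($p in $esp) {
    [pscustomobject]@{
        DisplayName           = $p.displayName
        Priority              = $p.priority   # the default "All users and all devices" profile is 0
        InstallQualityUpdates = [bool]$p.installQualityUpdates
        LastModified          = $p.lastModifiedDateTime
    }
}

$report | Sort-Object Priority | Format-Table -AutoSize

# Flag profiles that will still skip Windows security updates during OOBE.
$report | Where-Object { -not $_.InstallQualityUpdates } | ForEach-Object {
    Write-Warning "ESP profile '$($_.DisplayName)' has Install Windows quality updates set to No"
}
```

Running this before changing anything shows which profiles, by priority, are affected and which remain on No after the edit above.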
Important: At this moment the provided configuration has no effect, as the capability got delayed.
Experiencing Windows security updates during out-of-box-experience
When the configuration is in place, experiencing the behavior with Windows security updates during OOBE is pretty straightforward. At least, that is what it eventually should be. As the functionality got delayed, for now the user experience is only available via the Microsoft blog about Get ready for Windows quality updates out of the box – Windows IT Pro Blog.
More information
For more information about Windows security updates during OOBE, refer to the following docs.
Very useful setting, thanks Peter.