Microsoft will offer Windows quality updates during the setup process
Microsoft is changing how enterprises set up new Windows 11 devices. Starting in September 2025, eligible business and education customers will receive the latest quality updates during the Windows Out-of-Box Experience (OOBE), before the first login.
The company stated that this move aims to enhance security and stability from the outset, reducing the number of updates needed after deployment.
How It Will Work
On the final page of OOBE, devices will now check for Windows updates and install any available quality updates. This means the latest bug fixes and improvements will already be applied when users log in for the first time.
“You can seamlessly control quality update behavior during setup while ensuring alignment with your organization’s security and compliance requirements,” Microsoft wrote in its official announcement.
This new default setting will not affect unmanaged consumer devices. It applies only to PCs running Windows 11 version 22H2 or later that are either Microsoft Entra-joined or hybrid-joined, and managed via Intune or a supported mobile device management (MDM) solution, with an Autopilot Enrollment Status Page (ESP) profile.
IT administrators can manage this process by navigating to Devices | Enrollment | Enrollment Status Page in the Intune admin center and adjusting the new setting “Install Windows quality updates (may restart the device).”
New ESP profiles will have this option enabled by default, while existing profiles will remain set to “No” until changed.
Trade-off: Longer Setup Time for Enhanced Security
While the new system offers more flexibility for administrators, there are conditions. If a device does not have an assigned ESP profile, updates will be installed automatically and cannot be disabled. This means organizations relying on Autopilot device preparation policies may find updates enforced by default.
If pause and deferral settings are correctly configured in update rings and those rings are assigned to the same group as the ESP profile, updates installed during OOBE will also follow the pause and defer rules. Without such alignment, Microsoft warns, the settings may not be applied consistently.
For IT teams, this change reduces the burden of patching devices immediately after rollout, ensuring systems are compliant and secure from day one. Users may notice longer setup times, with some reports suggesting OOBE could now take up to 20 minutes before reaching the desktop.
Industry observers have noted that while the feature enhances security, it also increases Microsoft’s control over update delivery—an ongoing concern for enterprise administrators.