From January 2026, devices going through Windows Autopilot now receive the latest monthly security update during the out-of-box experience (OOBE) — automatically, before the user reaches the desktop. This means every new device that lands on a user's desk is already patched to the latest security baseline, rather than sitting unpatched until its first Windows Update cycle after provisioning. For IT admins, this changes how you need to think about ESP timeouts, update ring assignments, and first-day device posture.
What Changed and When
Starting with the January 13, 2026 Windows security update (2026-01 B quality update), the Windows OOBE automatically installs the latest available monthly security update release for eligible devices. This applies to:
- Microsoft Entra joined devices on Windows 11 version 22H2 or later
- Microsoft Entra hybrid joined devices on Windows 11 version 22H2 or later
The device must also be imaged with the November 2025 Windows non-security update or later (or automatically updated via the November 2025 OOBE zero-day patch) for the setting to work.
Important: only monthly security updates are installed
This setting installs monthly security update releases only. Feature updates do not apply during Autopilot OOBE — they take effect at the first Windows Update scan after provisioning is complete. Do not confuse this with a full Windows upgrade happening during setup.
The New Enrollment Status Page Setting
Microsoft updated the Intune Enrollment Status Page (ESP) with a new setting to control this behaviour: "Install Windows quality updates (might restart the device)".
New ESP profiles (created after January 2026)
This setting defaults to Yes. Quality updates install during OOBE automatically. If you create a new ESP profile today, update installation is on by default.
Existing ESP profiles (created before January 2026)
This setting defaults to No until you open and edit the profile. Updates will not install during OOBE until you explicitly change this to Yes.
This means if your organisation has existing ESP profiles and has not reviewed them since January 2026, your new devices are likely not receiving updates during OOBE — even though the capability exists. Check your existing ESP profiles and decide deliberately whether to enable this, rather than leaving it at the default.
The Provisioning Time Impact
Adds 20–40 minutes to the provisioning process
Installing a monthly security update during OOBE normally adds 20–40 minutes to the total provisioning time, and may require one or more device restarts. Factor this into your ESP timeout settings. If your current ESP timeout is configured tightly, enabling this without adjusting the timeout could cause provisioning to appear to stall or fail.
Microsoft notes that delaying the install of monthly security update releases can give internal teams time to test the updates before allowing them to install on new devices during provisioning. If your organisation has a quality update testing process, you may intentionally want to leave this set to No on existing ESP profiles and control the timing through Windows Update rings instead.
Respecting Pause and Deferral Policies
If your organisation uses Windows Update rings to defer or pause quality updates, those settings can be applied during OOBE — but only if you configure them correctly. Here is what Microsoft requires:
To make deferral settings apply during OOBE:
Assign your Windows Update rings profile to the same Windows Autopilot pre-registered device group that your ESP profile is assigned to. During the device phase of provisioning, the ESP ensures the Windows Update rings policy is synchronised before the final Windows Update check. This means your deferral and pause settings are in place before OOBE installs updates.
If you do not do this, the update ring settings may not be applied in time, and the device could install an update your organisation has not yet cleared for deployment.
What to Do Now
- Review all existing ESP profiles in Intune — check whether "Install Windows quality updates" is set to Yes or No, and decide if that matches your intent
- Review your ESP timeout values — if you enable quality updates during OOBE, add at least 30 minutes to your current timeout to account for download, install, and restart
- Assign your Windows Update rings profile to the same device group as your ESP profile if you want deferral settings to apply during OOBE
- Test a new provisioning run end-to-end with the setting enabled before rolling out widely — measure the actual time impact in your environment with your specific apps and update size
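
The first three checks above can be run as one audit over exported profile data. This is an added example, not code from the original article or from Microsoft. It works on constructed sample objects, and the property names, group IDs, function name and the 45-minute baseline provisioning time are assumptions to replace with values from your own tenant and test runs.

```powershell
# Constructed sample data. Property names are assumptions about an export,
# not confirmed API fields; group IDs are placeholders.
$espProfiles = @(
    [pscustomobject]@{ displayName = 'ESP-Legacy'; installQualityUpdates = $false
                       installProgressTimeoutInMinutes = 60; groupIds = @('grp-autopilot-a') }
    [pscustomobject]@{ displayName = 'ESP-New-Tight'; installQualityUpdates = $true
                       installProgressTimeoutInMinutes = 60; groupIds = @('grp-autopilot-b') }
    [pscustomobject]@{ displayName = 'ESP-New-Ready'; installQualityUpdates = $true
                       installProgressTimeoutInMinutes = 120; groupIds = @('grp-autopilot-c') }
)
$updateRings = @(
    [pscustomobject]@{ displayName = 'Ring-Deferred'; groupIds = @('grp-autopilot-c', 'grp-users-all') }
)

function Test-EspOobeUpdateReadiness {
    param(
        [Parameter(Mandatory)] [object[]] $EspProfile,
        [object[]] $UpdateRing = @(),
        [int] $BaselineMinutes = 45,   # assumed: measured provisioning time without updates
        [int] $UpdateMinutes = 40      # upper end of the 20-40 minute range quoted above
    )
    # Every group that has at least one update ring assigned to it
    $ringGroups = @($UpdateRing | ForEach-Object { $_.groupIds } | Select-Object -Unique)
    foreach ($esp in $EspProfile) {
        $findings = [System.Collections.Generic.List[string]]::new()
        if (-not $esp.installQualityUpdates) {
            # Pre-January-2026 profiles stay at No until edited; make it a deliberate choice
            $findings.Add('Updates are not installed during OOBE; confirm this is intended')
        } else {
            $needed = $BaselineMinutes + $UpdateMinutes
            if ([int]$esp.installProgressTimeoutInMinutes -lt $needed) {
                $findings.Add("Timeout $($esp.installProgressTimeoutInMinutes) min is below $needed min")
            }
            # Deferral and pause settings only apply in OOBE if a ring targets the same group
            $uncovered = @($esp.groupIds | Where-Object { $_ -notin $ringGroups })
            if ($uncovered.Count -gt 0) {
                $findings.Add("No update ring assigned to: $($uncovered -join ', ')")
            }
        }
        [pscustomobject]@{
            Profile         = $esp.displayName
            InstallsUpdates = [bool]$esp.installQualityUpdates
            Findings        = if ($findings.Count) { $findings -join '; ' } else { 'OK' }
        }
    }
}

Test-EspOobeUpdateReadiness -EspProfile $espProfiles -UpdateRing $updateRings |
    Format-Table -AutoSize -Wrap
```

A missing update ring is only a finding if your organisation relies on deferral or pause policies; profiles in tenants that install updates as soon as they are released can ignore it.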
Official Microsoft References
- Microsoft Tech Community — Get Ready for Windows Quality Updates Out of the Box
- Microsoft Tech Community — Coming Soon: Quality Updates During the Out-of-Box Experience
- Microsoft Learn — Set Up the Enrollment Status Page in the Admin Center
- Microsoft Learn — What's New in Windows Autopilot
- Microsoft Learn — Windows Autopilot Known Issues