Update

Enrollment Status Page support for installing Windows security updates during Windows OOBE

Week of September 1, 2025

Device management
Enrollment Status Page support for installing Windows security updates during Windows OOBE
Starting on September 9, 2025, by default, the Windows out-of-box experience (OOBE) installs the latest available security updates to help ensure devices are secure and up to date from day one. Windows OOBE is used by Intune and by Windows Autopilot scenarios through the Intune enrollment status page (ESP) configurations. Intune refers to these security updates as Windows quality updates.

To help you manage this behavior, we've updated the Intune enrollment status page with a new setting you can use to allow or block the automatic installation of these updates.

The new setting is Install Windows quality updates. These security updates, also known as Windows quality updates in Intune, are installed by default during the Windows out-of-box experience (OOBE) that's used by Intune and by Windows Autopilot.

By default, this setting is set to Yes in all new ESP profiles you create, which results in the most recent security updates being installed. In all your previously created ESP profiles, this setting is set to No until you choose to edit those profiles to change it. When set to No, OOBE doesn't install the updates, which can give your internal teams time to test the updates before allowing them to install on new devices you provision.

For more information about the Intune enrollment status page, see Set up Enrollment Status Page. For information about Windows quality updates, see Windows quality update policy.

Applies to:

  • Windows

Device security
Device configuration recommendations from the Security Copilot Vulnerability Remediation Intune agent
To help reduce your organization’s attack surface against vulnerabilities, the Security Copilot Vulnerability Remediation Intune agent now provides recommended configurations for settings related to a reported vulnerability.

You can find the recommended configurations after selecting Agent suggestions for a reported vulnerability, which opens the Suggested action pane. On the Suggested action pane, there is a new section of information titled Configurations.

If the Intune settings catalog contains relevant settings for the reported vulnerability, the Configurations section provides information to help you configure device policies. These policies can help minimize future risk from that vulnerability. This includes:

  • A list of the settings that are relevant to the current vulnerability, which can be deployed through an Intune settings catalog policy. Only the specific settings that are relevant to the vulnerability are listed.
  • Each setting is presented with a recommended configuration.
  • Selecting the citation icon next to a setting displays that setting's description. The description can also include a link to content for the Configuration Service Provider (CSP) that the setting represents.

If there are no recommended device configuration settings to deploy, the Configurations section will indicate that no recommended settings catalog policy configurations are available.

To learn more about Agent suggestions, remediation guidance, and the new recommended configurations, see Agent suggestions in Vulnerability Remediation Agent for Security Copilot in Microsoft Intune.

Version: Week of September 1, 2025