How to Configure Windows Security Updates During OOBE with Intune ESP

Before configuring ESP security updates, confirm your devices meet the minimum requirements. This feature only works on Windows 11 version 22H2 or later and requires specific knowledge base updates.

Check the Windows version on a test device:

Get-ComputerInfo | Select-Object WindowsProductName, WindowsVersion, WindowsBuildLabEx

Look for Windows 11 with build numbers:

• 24H2: Build 26100 or higher
• 23H2: Build 22631 or higher
• 22H2: Build 22621 or higher

Verify the required KB updates are installed:

Get-HotFix | Where-Object {$_.HotFixID -eq "KB5060829" -or $_.HotFixID -eq "KB5060826"}

Sign into the Microsoft Intune admin center to configure your Enrollment Status Page profiles. This is where you'll enable the security update installation during OOBE.

Open your browser and navigate to:

https://endpoint.microsoft.com

Sign in with your Intune administrator credentials, then navigate to the ESP configuration:

1. Click Devices in the left navigation pane
2. Select Enrollment from the submenu
3. Click Enrollment Status Page

You'll see a list of existing ESP profiles. Note that existing profiles created before January 2026 will have the security updates setting defaulted to No.

The security updates feature only works with device-targeted ESP profiles, not user-targeted ones. Create a new profile or modify an existing device-targeted profile.

To create a new ESP profile:

1. Click + Create profile
2. Enter a descriptive name like "Autopilot ESP with Security Updates"
3. Add a description: "ESP profile for Autopilot devices with OOBE security updates enabled"
4. Click Next

For existing profiles, select the profile you want to modify and click Properties.

Ensure the profile uses device targeting by checking the Assignments tab. The profile should be assigned to:

• Device groups (not user groups)
• All devices (if using a broad deployment)
• Specific Autopilot device groups

Now configure the core setting that enables Windows security updates during OOBE. This setting appears in the Settings tab of your ESP profile.

Navigate to the Settings tab of your ESP profile and locate the security updates configuration:

1. Scroll down to find Install Windows quality updates (might restart the device)
2. Set this option to Yes to enable security updates during OOBE
3. Review the description: "Install the latest monthly security updates at the end of OOBE after ESP completes"

Configure the blocking behavior to ensure proper update installation:

1. Find Block device use until all apps and profiles are installed
2. Set this to Yes to prevent early ESP exit
3. This ensures the device waits for Windows Update for Business policies to sync before proceeding

Before ESP can properly handle security updates, ensure your Windows Update for Business (WUfB) policies are configured and assigned to the same devices as your ESP profile.

Navigate to Windows Update policies:

1. Go to Devices > Update rings for Windows 10 and later
2. Select an existing update ring or create a new one
3. Configure quality update settings:

{
  "qualityUpdatesDeferralPeriodInDays": 0,
  "featureUpdatesDeferralPeriodInDays": 30,
  "qualityUpdatesWillBeRolledBack": false,
  "featureUpdatesWillBeRolledBack": false
}

Key settings for OOBE security updates:

• Quality updates deferral: Set to 0 days for immediate installation during OOBE
• Quality update deadline: Configure based on your security requirements
• Automatic update behavior: Set to "Auto install and restart at maintenance time"

Assign the update ring to the same device groups as your ESP profile to ensure policy synchronization.

Assign your configured ESP profile to the appropriate device groups to ensure it applies during Autopilot deployment. The assignment must target devices, not users.

In your ESP profile, navigate to the Assignments tab:

1. Click + Add group
2. Select Include for assignment type
3. Choose your target groups:

Recommended group types:
- All devices (broad deployment)
- Autopilot device groups
- Department-specific device groups
- Hardware model-specific groups

Configure assignment filters if needed:

1. Click Edit filter if you want to use assignment filters
2. Create rules based on device properties like:

(device.deviceModel -eq "Surface Laptop 5") or 
(device.enrollmentProfileName -eq "Corporate Autopilot")

Save the assignment configuration and wait for policy propagation (typically 5-15 minutes).

Deploy a test device through Autopilot to verify the security updates installation works correctly during OOBE. This validates your entire configuration.

Prepare a test device:

1. Reset a Windows 11 device to factory settings
2. Ensure it's registered in Autopilot and assigned to your ESP profile group
3. Boot the device and proceed through OOBE

Monitor the ESP progress during deployment:

Expected ESP phases:
1. Device preparation
2. Device setup (apps and profiles installation)
3. Account setup (if user-targeted apps exist)
4. Windows Update scan and installation (new phase)

During the Windows Update phase, you'll see:

• "Installing Windows quality updates" progress indicator
• Percentage completion for update downloads and installation
• Automatic restart if required by updates
• Continuation of ESP after restart

Access ESP diagnostics if issues occur:

1. Press Ctrl + Shift + D during ESP
2. Click Collect logs to gather diagnostic information
3. Review the logs for update-related errors

Set up monitoring and troubleshooting procedures to ensure the security updates feature works reliably across your Autopilot deployments.

Monitor ESP completion in Intune:

1. Go to Devices > Monitor > Enrollment Status Page
2. Review completion rates and failure reasons
3. Filter by date range to track recent deployments

Common troubleshooting scenarios and solutions:

Issue: Updates not installing despite Yes setting
Solution: Check device targeting and WUfB policy assignment

Issue: ESP stuck at update phase
Solution: Verify internet connectivity and Windows Update service status

Issue: Device exits ESP before updates
Solution: Ensure "Block device use" is set to Yes

Use PowerShell to check update status on deployed devices:

# Check Windows Update service status
Get-Service -Name wuauserv | Select-Object Name, Status, StartType

# Review recent update installation history
Get-WinEvent -FilterHashtable @{LogName='System'; ID=19,20,21,22} -MaxEvents 10

# Check current update compliance
Get-ComputerInfo | Select-Object WindowsVersion, TotalPhysicalMemory

Review ESP logs for detailed troubleshooting:

1. Navigate to C:\Windows\Logs\ESPLogs on the device
2. Open Microsoft-Windows-Provisioning-Diagnostics-Provider%4Admin.evtx
3. Filter for Event IDs related to Windows Update (typically 30000-30999 range)