Microsoft has quietly dropped a powerful enhancement to the Enrollment Status Page (ESP) in Windows Autopilot — and it’s one that IT admins have been waiting for. The new Update feature allows devices to install pending Windows updates during ESP, ensuring that endpoints are secure and compliant right from the start.
Let’s unpack what this means, why it matters, and how you can enable it.
🧩 What Exactly Gets Installed?
Let’s be clear: this new ESP setting only installs monthly security updates. It does not include:
- Feature updates
- Driver updates
- Optional updates
The setting is called Install Windows quality updates (might restart the device) and it controls whether these monthly patches are applied during the out-of-box experience (OOBE).
⚙️ How It Works
If your device is running a supported version of Windows 11 (22H2, 23H2, or 24H2) and has the June 2025 D updates or later installed, the update functionality is built-in. If not, Windows will automatically apply a Zero Day Package (ZDP) before ESP begins.
Starting with the September 9, 2025 (9B) updates, this behavior is enabled by default for newly created ESP profiles. For existing profiles, it remains disabled unless manually changed.
🛠️ How to Enable It
To enable monthly security updates during ESP:
- Go to Intune Admin Center
- Navigate to Devices > Windows > Windows enrollment > Enrollment Status Page
- Edit your ESP profile
- Set Install Windows quality updates (might restart the device) to Yes
- Save and assign the profile
⚠️ Note: Enabling this setting may add 20–40 minutes to the provisioning process and can trigger device restarts. If your provisioning relies on autologon scenarios, consider leaving this setting disabled.
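Because existing ESP profiles keep the setting disabled until someone changes it, a read-only audit shows which profiles still need the steps above. This PowerShell sketch is an added example, not code from the original post or from Microsoft. It assumes the Microsoft.Graph.Authentication module and that the Graph beta schema exposes the toggle as `installQualityUpdates` on ESP profile objects; confirm that property name against your tenant's response before relying on the result.

```powershell
#Requires -Modules Microsoft.Graph.Authentication
# Added example: read-only audit of Enrollment Status Page (ESP) profiles.
# It changes nothing in the tenant; it only reports the update setting.
Connect-MgGraph -Scopes 'DeviceManagementServiceConfig.Read.All' -NoWelcome

$espType = '#microsoft.graph.windows10EnrollmentCompletionPageConfiguration'
$uri     = 'https://graph.microsoft.com/beta/deviceManagement/deviceEnrollmentConfigurations'

# Enrollment configurations of several kinds share this endpoint, so follow
# paging and keep only the ESP profiles.
$profiles = @()
while ($uri) {
    $page      = Invoke-MgGraphRequest -Method GET -Uri $uri -OutputType PSObject
    $profiles += $page.value | Where-Object { $_.'@odata.type' -eq $espType }
    $uri       = $page.'@odata.nextLink'
}

$report = foreach ($p in $profiles) {
    # Assumption: the toggle is returned as 'installQualityUpdates'.
    # If the property is missing, report that instead of guessing a value.
    $hasProp = $p.PSObject.Properties.Name -contains 'installQualityUpdates'
    [pscustomobject]@{
        Profile               = $p.displayName
        Priority              = $p.priority
        LastModified          = $p.lastModifiedDateTime
        InstallQualityUpdates = if ($hasProp) { $p.installQualityUpdates } else { 'not returned' }
    }
}

$report | Sort-Object Priority | Format-Table -AutoSize

# Profiles created before the default changed stay disabled until edited.
$needsReview = @($report | Where-Object { $_.InstallQualityUpdates -ne $true })
if ($needsReview.Count -gt 0) {
    Write-Warning "$($needsReview.Count) ESP profile(s) do not install quality updates during ESP."
}
```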

🛡️ Why It Matters
This feature closes a long-standing gap in Autopilot provisioning. By ensuring updates are applied during ESP:
- Devices are secure from day one
- You reduce post-enrollment update storms
- Compliance policies are more likely to pass immediately
- End users get a smoother experience
It’s a small checkbox with a big impact.
📦 Final Thoughts
Microsoft continues to refine Autopilot into a truly enterprise-ready provisioning solution. The new Update ESP feature is a quiet but powerful addition that brings us closer to a fully automated, secure, and compliant device onboarding experience.
If you haven’t enabled it yet — now’s the time.