Windows 10: Microsoft forces feature upgrades again

[German]Microsoft has apparently started to force users of older Windows 10 builds to upgrade to the current Windows 10 builds. Settings for deferred updates are ignored in business versions of Windows 10. Here's an overview about what I found out up to now.

The AdDuplex report from February 2018 shows, that Windows 10 Version 1703 and Version 1709 are the major builds of Windows 10 in use.

(Source: AdDuplex)

But Redmond decided, to force the remaining systems with older build to update to the most recent version of Windows 10.

Sufficient security (updates) only for current builds

Microsoft wants Windows 10 users to upgrade to the latest Windows 10 build. The KB article on Update KB4092077 for Windows 10 Creators Update (version 1703) contained the following remark:

Windows Update Improvements

Microsoft has released an update directly to the Windows Update client to improve reliability. Any device running Windows 10 configured to receive updates automatically from Windows Update, including Enterprise and Pro editions, will be offered the latest Windows 10 Feature Update based on device compatibility and Windows Update for Business deferral policy. This does not apply to long-term servicing editions.

I interprets the note, that the update client has been patched for all Windows 10 builds. Microsoft points out that the latest feature upgrades are offered to all Windows 10 systems that automatically receive updates (so offline systems and WSUS/SCCM-managed environments are left out). So all system with older Windows 10 builds are moved to the most recent Windows 10 build (currently still Windows 10 Fall Creators Update, version 1709). From April 2018 on this will switch to Windows 10 Spring Creators Update (Version 1803).

The restrictions that Microsoft specifies: Only systems with known incompatibilities and Windows 10 Enterprise LTSC SKUs are excluded. Note also the statement 'based on … Windows Update for Business deferral policy', which means, the administrators' settings for deferred updates are kept under Windows 10 Pro and Enterprise.

Some upgrade hints

Microsoft has published a support article 4023814 on March 5, 2018 announcing some changes in update policies for Windows 10.

• If you're currently running Windows 10 Version 1507, Version 1511, Version 1607 or Version 1703, you can expect to receive a notification that states that your device has to have the latest security updates installed. Windows Update will then try to update your device.
• When you receive the update notification, click Update now to update your device. This update is also offered directly to Windows Update Client for some devices that have not installed the most recent updates.
• Windows 10 Version 1507 and Version 1511 are currently at "end of service." That devices no longer receive the monthly security and quality updates that contain protection from the latest security threats.
• Windows 10 version 1607 and version 1703 are not yet at "end of service." However, they must be updated to the latest versions of Windows 10 to ensure protection from the latest security threats.

Microsoft recommends that users update the system to the latest Windows version, Windows 10 Version 1709.

Feature updates are forced again

I got a first hint from AskWoody who are referencing to this tweet and some forced updates.

Hey @woodyleonhard , it seems Microsoft is now forcing Windows 10 1607 and 1703 users to upgrade to 1709, even if Feature Updates have been deferred. This notification just popped to my laptop, which is running 1703.
Couldn't stop it upgrading.
More info:https://t.co/9hgphP7QI9 pic.twitter.com/IYBouieDl0

— Juzu Operatzija (@juzuo) 8. März 2018

Woody Leonhard has published a Computer World article. He are citing a user's experience, who wrote at AskWoody Lounge:

This happened to me last night. In the past I've been updated to the next feature update always through Windows Update. This time WU checked like always and it said I was up to date. About 30 minutes later, a box pops on my screen and informs me that there are security updates available and that it needs to update to latest version of Windows 10 to be able to install them and then starts the update.

I have Dell XPS8900 with version 1703 and when the update finished, I had version 1709, but no sound, no color ( everything black and white ), reinstall software notifications and errors saying certain shortcut keys are not available.

In the Windows Update Advanced Options pane), I had pause on for 35 days enabled and 365 days set on feature updates. After restoring an image and disabling WU service, the forced update began to update all over again !!!

The first time it came on I didn't catch it until it was 80% done and had to let it finish. The second time it popped up, I killed it before it got started. If all of settings are set to defer and update service is turned off, it would seem that this update was directly downloaded and didn't update through WU. If this is the case, how do you stop something like that ?

However, the user with the Dell XPS8900 system in question experienced problems after the upgrade and tried a rollback. Result: Windows 10 feature update reinstalled the faulty update over and over again. Woody Leonhard writes that this wasn't the first time.

• Mid November 2017 Microsoft forced many Windows 10 version 1703 systems with deferred update settings to ugrade to version 1709.
• Mid January 2018 Microsoft forced many Windows 10 version 1703 systems with deferred feature update for 365 day to update to Windows 10 version.

To: To sum it up, deferred updates didn't work anymore.

Telemetry settings are the root cause?

Woody Leonhard mentioned within the Computer World article, and German blog reader OlliD@IRQ8 mentioned it within a comment. Woody Leonhard wrote:

Win10 1607 and 1703 machines with the Diagnostic Data level set to zero – the "Security" setting – are getting forced onto Win10 version 1709. Those who send more data to Microsoft – say, the "Basic Health & Quality" level – don't seem to be getting the forced upgrade.

OlliD@IRQ8 wrote:

If the policy 'Allow telemetry' is set to 0, the policies to defer feature and quality updates have no effect and are not applied.

Some commenters within my German blog mentioned, that group policy may be used, to block updates. But a remark from user @abbodi86 at AskWoody has a contra dictionary observation:

The upgrade to the latest Windows 10 version is being delivered in two ways now: The usual one through Windows Update, which I suppose respects deferral settings/policies; and one through Update Assistant, which may not comply with deferral settings/policies.

If you combine the observations and assumptions, this means that no matter how an administrator set group policies, he can run into difficulties and is facing an unexpected behavior of Windows Update. If you depend on stable systems, it will be hard, to manage that in the area of Windows as a service.

My question to administrators, who have to use the stuff in industrial environments (robots, controllers, SCADA systems, etc.): How do you manage updates? Do you use WSUS and SCCM to block updates effectively?

Addendum: Microsoft admits a bug

Microsoft admits in a note in kb article 4023814, that it's a bug (Susan Bradley cateched it here):

Important

Microsoft is aware that this notification was incorrectly delivered to some Windows 10 Version 1703 devices that had a user-defined feature update deferral period configured. Microsoft mitigated this issue on March 8, 2018.

Users who were affected by this issue and who upgraded to Windows 10 Version 1709 can revert to an earlier version within 10 days of the upgrade. To do this, open Settings > Update & Security > Recovery, and then select Get started under Go back to the previous version of windows 10.