An exciting question that I would like to discuss in this blog post. It is based on an observation that Windows 10 is forced to upgrade from version 1709 to 1909 in an enterprise environment when WSUS is unavailable to enterprise clients for a few days.
Blog reader Markus H. confronted me with this question yesterday and documented his personal observations on a test client. It has to be said that Markus had read somewhere that the forced upgrade for Windows 10 version 1709 had started. Windows 10 Enterprise will reach end of support on April 14, 2020.
Windows 10 V1709 Enterprise receives an upgrade
Markus describes in his email a very crude observation he made on his test Windows 10 Enterprise client running on version 1709. Here is the translation of his mail:
W10 1709 / Forced install on 1909 / for enterprise users if WSUS is not available for some days?
Do you currently receive reports that the update process to 1909 will be "forced" for companies using WSUS?
I had read an article about this, that this is now activated by MS for private installations.
A) This morning I was greeted with the following message box on the test client:
(Feature Update for Windows 10 V1709 Enterprise)
So Markus received a reminder on his Windows 10 V1709 Enterprise that a feature update is available. But the update is distributed by WSUS. Here is the relevant screenshot of the Windows Update window.
You can see the pending feature update and that Windows is waiting for its installation. However, Windows Update is managed by policies – the update distribution is done by WSUS. Markus writes about this:
Although this [the feature update] was explicitly deactivated in WSUS and also (actually not released by me), which surprises me especially for our patch management.
The only difference to the other clients is that I tried to force the client to a new WSUS server of a branch office.
Microsoft as "Alternative URL" was not specified by us via the WSUS parameters or the registry of the client.
Markus has sent the following screenshot of the WSUS settings and writes about it: As you can see, there are no feature updates available for download on WSUS.
Furthermore I received the two screenshots with registry entries set as shown below. The default update server is WSUS.
And here's the entry from the registry that should actually explicitly exclude feature updates.
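To compare another client against the registry settings described above, the following added example (not part of the original post or of Markus' mail) reads the Windows Update policy values and prints them together with a few findings. The value names are the standard Windows Update policy names and are an assumption here, since the screenshots are not reproduced in the text.

```powershell
# Added example: list the Windows Update policy values of a WSUS-managed client.
# The value names are the standard Windows Update policy names; which of them
# were set on the client in the post is not shown there (assumption).
$wu = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
$au = Join-Path $wu 'AU'

function Get-PolicyValue {
    param([string]$Path, [string]$Name)
    # Returns $null when the key or the value does not exist.
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -ne $item) { $item.$Name }
}

$names = 'WUServer', 'WUStatusServer', 'UpdateServiceUrlAlternate',
         'DoNotConnectToWindowsUpdateInternetLocations', 'DisableDualScan',
         'DeferFeatureUpdates', 'DeferFeatureUpdatesPeriodInDays',
         'DeferQualityUpdates'

$policy = [ordered]@{}
foreach ($n in $names) { $policy[$n] = Get-PolicyValue -Path $wu -Name $n }
$policy['UseWUServer'] = Get-PolicyValue -Path $au -Name 'UseWUServer'

foreach ($entry in $policy.GetEnumerator()) {
    $shown = if ($null -eq $entry.Value) { '<not set>' } else { $entry.Value }
    '{0,-46} {1}' -f $entry.Key, $shown
}

$findings = @()
if ($policy['UseWUServer'] -ne 1 -or -not $policy['WUServer']) {
    $findings += 'Client is not pinned to a WSUS server by policy.'
}
if ($policy['DoNotConnectToWindowsUpdateInternetLocations'] -ne 1) {
    $findings += 'Connections to Windows Update internet locations are not blocked by policy.'
}
# Microsoft documents "dual scan": deferral policies combined with a WSUS
# server make the client also scan Windows Update unless DisableDualScan is 1.
$deferrals = @('DeferFeatureUpdates', 'DeferFeatureUpdatesPeriodInDays',
               'DeferQualityUpdates' | Where-Object { $null -ne $policy[$_] })
if ($policy['WUServer'] -and $deferrals.Count -gt 0 -and $policy['DisableDualScan'] -ne 1) {
    $findings += "Deferral values set next to WUServer: $($deferrals -join ', ')"
}
if ($findings.Count -eq 0) { 'No finding.' } else { $findings }
```

Run it in a PowerShell session on the client; reading the policy keys under HKLM does not require changes to the system.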
Personally, I would now have assumed that the client with Windows 10 version 1709 Enterprise, despite the end of support, would remain on this version. But I had already documented a similar observation from summer 2019 in the German blog post Windows 10 Enterprise V1709 versucht Upgrade auf V1803. Markus writes about the current situation:
Is it possible that if the WSUS client does not reach the WSUS server internally for some time, it will force itself to switch to the Microsoft updates and pull the 1909 there? This would be a setting that has only been active for a short time.
If so, this would have an impact on our entire patch management, since several of our staff/clients are on sites where no WSUS server can be reached from this location for some time.
I assigned this test client to the downstream server via Regedit about 8 days ago. Since the client does not appear there, there might be a new firewall rule between the locations.
The fact that Microsoft forces a forced download from the MS Windows update servers seems to be the only explanation.
If none of you has a logical explanation for the above observation, I would agree with Markus' analysis.
WSUS status from production clients
In an additional mail, Markus mentioned that he gets different status information on his Windows 10 clients, which are used productively and where updates are managed from WSUS:
B) In addition, we now receive different information from our production clients about the WSUS notes when searching for updates:
Both screenshots below are from clients in the same deployment ring (productive)
Markus sent me the second screenshot from a different client and wrote about that client:
A new warning, although the same patch status from November to the above mentioned client exists here!
We had some problems with updates with our internal applications, which we could fix since 3 days.
Markus also sent me the Windows Update log file, where we can see how the client switches to Microsoft Windows Update after several connection errors to the WSUS. The file is huge, so I am not publishing it here. Question: Can someone explain that, or can someone confirm the behavior?