- March 11, 2018
- Posted by: jlund
- Category: IT Security
Just when you thought Win10 Fall Creators Update was finally starting to look stable, Microsoft pulled another tone-deaf move. Reports have been pouring in from people who were forced to upgrade from Win10 1607 (the Anniversary Update) or Win10 1703 (the First Spring Creators Update) to the latest version of the last edition of Windows, Win10 1709.
This isn’t the first time Microsoft has forced Win10 1709 upgrades onto machines that were specifically set to prevent the upgrade. Forced upgrades snared Win10 customers previously on two occasions:
- In mid-November 2017, Microsoft pushed many Win10 1703 customers with “Current Branch for Business” selected onto 1709.
- In mid-January 2018, Microsoft pushed many Win10 1703 customers onto 1709, even though they had “feature update” deferrals set to 365 days.
Neither of those pushed upgrades was announced in advance.
Last Monday, a new and largely overlooked Knowledge Base article, KB 4023814, warned that:
If you’re currently running Windows 10 Version 1507, Version 1511, Version 1607 or Version 1703, you can expect to receive a notification that states that your device has to have the latest security updates installed. Windows Update will then try to update your device…
Windows 10 version 1607 and version 1703 are not yet at “end of service.” However, they must be updated to the latest versions of Windows 10 to ensure protection from the latest security threats.
Which seems to imply that Microsoft isn’t going to put much effort into security patches for Win10 1607 or 1703 any more, regardless of their end-of-service dates. As of this moment, Win10 1607 Home and Pro hit end of service next month (1607 Enterprise and Education have been extended to Oct. 9). Win10 1703 Home and Pro reach end of service in October (1703 Enterprise and Education stretch out to April 2019).
This latest pushed upgrade seems to involve an obscure setting called the Diagnostic Data level. As best I can tell, Win10 1607 and 1703 machines with the Diagnostic Data level set to zero – the “Security” setting – are getting forced onto Win10 version 1709. Those who send more data to Microsoft – say, the “Basic Health & Quality” level – don’t seem to be getting the forced upgrade.
Put another way, if this analysis is correct: if you’ve set your machine to send the minimum amount of telemetry to Microsoft, you’re going to get upgraded.
Moreover, this forced upgrade doesn’t go through Windows Update. It happens even if you’ve turned the Windows Update service off. Per @abbodi86:
The upgrade to the latest Windows 10 version is being delivered in two ways now: The usual one through Windows Update, which I suppose respects deferral settings/policies; and one through Update Assistant, which may not comply with deferral settings/policies.
Windows Update Improvements
Microsoft has released an update directly to the Windows Update client to improve reliability. Any device running Windows 10 configured to receive updates automatically from Windows Update, including Enterprise and Pro editions, will be offered the latest Windows 10 Feature Update based on device compatibility and Windows Update for Business deferral policy. This does not apply to long-term servicing editions.
And the Configure Windows Update for Business site says:
For Windows Update for Business policies to be honored, the Diagnostic Data level of the device must be set to 1 (Basic) or higher. If it is set to 0 (Security), Windows Update for Business policies will have no effect.
How “Windows Update for Business policies” override Windows settings escapes me.
How can you tell if your machine has its Diagnostic Data level set to zero? The easiest way I’ve found is to go into the Feedback & diagnostics pane in Settings (Start > Settings > Privacy > Feedback & diagnostics; see screenshot); if either Basic or Full is checked, you’re fine.
If those options are grayed out, it’s possible your Diagnostic Data level has been set to zero through a Group Policy (or maybe a registry?) setting. The Diagnostic Data level can be set through the Group Policy editor () at Computer Configuration > Administrative Templates > Windows Components > Data Collection and Preview Builds > Allow Telemetry.
I’ve seen reports that running the O&O Shutup10 tool can, in some circumstances at least, set the Diagnostic Data level to zero.
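For checking more than one machine, the same test can be scripted. The PowerShell below is an added example, not part of the original article: it reads the Diagnostic Data level and any feature-update deferral settings from the registry and flags the combination the Windows Update for Business note describes (deferrals configured, level 0). The registry paths and value names are assumptions about where these policies are stored, and the Enhanced (2) and Full (3) level numbers are not taken from the article.

```powershell
# Added example. Assumption: "Allow Telemetry" is stored as the AllowTelemetry
# DWORD under one of these keys; the Group Policy key is checked first.
$telemetryKeys = @(
    'HKLM:\SOFTWARE\Policies\Microsoft\Windows\DataCollection',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\DataCollection'
)
# Assumption: feature-update deferral policies live under this key.
$wuKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'

function Get-RegValue {
    param([string]$Path, [string]$Name)
    # Returns $null when the key or the value does not exist.
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -ne $item) { $item.$Name } else { $null }
}

# The first key that defines AllowTelemetry supplies the reported level.
$level = $null
$source = 'not set in registry'
foreach ($key in $telemetryKeys) {
    $value = Get-RegValue -Path $key -Name 'AllowTelemetry'
    if ($null -ne $value) { $level = [int]$value; $source = $key; break }
}

$deferDays   = Get-RegValue -Path $wuKey -Name 'DeferFeatureUpdatesPeriodInDays'
$branch      = Get-RegValue -Path $wuKey -Name 'BranchReadinessLevel'
$hasDeferral = ($null -ne $deferDays) -or ($null -ne $branch)

$names = @{ 0 = 'Security'; 1 = 'Basic'; 2 = 'Enhanced'; 3 = 'Full' }
$levelName = if ($null -eq $level) { 'unknown' } else { $names[$level] }

# Deferral policies only take effect when the level is 1 (Basic) or higher.
$finding = if ($null -eq $level) {
    'Level not set by policy; check Settings > Privacy > Feedback & diagnostics'
} elseif ($level -eq 0 -and $hasDeferral) {
    'Deferrals configured but level is 0 (Security): deferral policies have no effect'
} elseif ($level -eq 0) {
    'Level is 0 (Security): any deferral policy added later would have no effect'
} else {
    'Level is 1 or higher: deferral policies are honored'
}

[pscustomobject]@{
    Computer        = $env:COMPUTERNAME
    ReleaseId       = Get-RegValue 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion' 'ReleaseId'
    TelemetryLevel  = $level
    LevelName       = $levelName
    TelemetrySource = $source
    DeferDays       = $deferDays
    Finding         = $finding
}
```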
It looks like you can roll back from 1709 to your previous version, as long as you haven’t run a disk cleanup in the interim. Click Start > Settings > Update & security > Recovery. Under Go back to the previous version of Windows 10, click Get started. And pray.
Windows 10 is the gift that keeps on giving.
Thx to @juzuo, @abbodi86, @EP, @bobcat5536, @EyesOnWindows, and many others on the AskWoody Lounge.