In recent developments, Microsoft has acknowledged a significant issue where certain Windows devices are being offered Windows 11 upgrades, despite existing Intune policies designed to block such updates. This problem, identified as a "latent code issue," has been affecting Windows desktop devices since April 12, 2025. Microsoft is actively deploying a targeted code fix to prevent further impact and recommends pausing Windows feature updates via Intune until the fix is fully implemented. Devices that have already been erroneously upgraded will require manual rollback to their previous Windows versions.
Microsoft Intune serves as a cloud-based service that enables organizations to manage and secure their devices, applications, and data. A critical function of Intune is controlling Windows updates, allowing IT administrators to enforce policies that dictate when and how updates are applied. This control is essential for maintaining system stability, ensuring compatibility with enterprise applications, and adhering to organizational compliance standards.
Source: BleepingComputer Microsoft: Some devices offered Windows 11 upgrades despite Intune blocks
The Role of Intune in Managing Windows Updates
Microsoft Intune serves as a cloud-based service that enables organizations to manage and secure their devices, applications, and data. A critical function of Intune is controlling Windows updates, allowing IT administrators to enforce policies that dictate when and how updates are applied. This control is essential for maintaining system stability, ensuring compatibility with enterprise applications, and adhering to organizational compliance standards.The Emergence of the Upgrade Issue
The current issue surfaced when devices began receiving Windows 11 upgrade prompts, even though Intune policies were explicitly configured to block such upgrades. This anomaly has raised concerns among IT administrators, as unauthorized upgrades can lead to compatibility issues, disrupt workflows, and potentially introduce security vulnerabilities.Microsoft's Response and Recommendations
In response to this issue, Microsoft has initiated the deployment of a targeted code fix aimed at resolving the problem. To mitigate further impact, Microsoft advises organizations to pause Windows feature updates using Intune's Windows Update client policies until the fix is fully rolled out. For devices that have already been upgraded to Windows 11 due to this issue, a manual rollback to the previous Windows version is necessary.Historical Context: Previous Unintended Upgrades
This is not the first instance of unintended Windows upgrades. In November 2024, Microsoft confirmed that some Windows Server 2019 and Windows Server 2022 devices were unexpectedly upgraded to Windows Server 2025 without prior warning. Administrators reported that servers were automatically upgraded overnight to a Windows Server version for which they did not possess licenses. While Microsoft addressed the issue, guidance on rolling back the automatic upgrades was limited to restoring systems from backups.Technical Insights: The Impact of KB4023057
Further complicating the management of Windows updates, the installation of update KB4023057 has been observed to alter Windows Update policies. This update can create registry keys that override Intune-managed policies, causing devices to pause updates or receive unintended upgrades. Administrators have noted that after installing KB4023057, the registry pathHKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate is created, leading to conflicts with Intune settings.Community Experiences and Solutions
The IT community has actively discussed these challenges, sharing experiences and solutions. For instance, administrators have reported instances where devices, despite being managed by Intune with policies to block Windows 11 upgrades, still received upgrade prompts. In such cases, creating a dedicated Feature Update policy alongside the Update Ring policy has been suggested to ensure that Windows 11 upgrade offers are effectively blocked.Best Practices for Managing Windows Updates with Intune
To effectively manage Windows updates and prevent unintended upgrades, consider the following best practices:- Review and Adjust Intune Policies: Regularly review and configure Intune's Update Rings and Feature Update policies to align with organizational requirements.
- Monitor Registry Settings: Be vigilant about registry changes that may override Intune policies, especially after installing updates like KB4023057.
- Implement Group Policies Cautiously: Ensure that Group Policies do not conflict with Intune settings, as this can lead to unintended behavior.
- Stay Informed: Keep abreast of Microsoft's updates and advisories to promptly address any emerging issues related to Windows updates.
Conclusion
The recent issue of Windows 11 upgrades being offered despite Intune blocks underscores the complexities of managing Windows updates in enterprise environments. By understanding the interplay between Intune policies, Windows updates, and potential conflicts introduced by specific updates, organizations can better navigate these challenges. Proactive monitoring, regular policy reviews, and staying informed about Microsoft's developments are key to maintaining control over device updates and ensuring system stability.Source: BleepingComputer Microsoft: Some devices offered Windows 11 upgrades despite Intune blocks
Last edited:
