Sounds like you're a Tech working on a User's issue with the Surface4 on a Ticketed problem. You need to get a hold of the Network Admin or Network Engineer who takes care of the Domain PDC server for the organization (or if this User with the Surface works for your Company and not a Client-company then for your organization). Since all other Users on your portion of the network are getting the Updates, Neemo is right about having an issue with that User's domain account. Have you tried using your Domain Account login on the Surface4 instead of the User's login? Since you mentioned that all other domain users both WITH/WITHOUT Admin privileges are getting the Updates, then your Account should have the correct GPO settings. If the Updates begin to come in when you are logged into the Domain, then clearly your User's Surface4 is at fault and needs to be repaired or replaced, as well as their Domain Account corrected.
You will also need to make sure that WUDO is enabled and turned on for that Surface4 as well. See here for how to do this: Windows Update Delivery Optimization: FAQ
Of the 3 settings available (disabled, PCs on your local network, and PCs on your local network and PCs on the Internet), you will most likely need to pick the 2nd one as your Network Admin most likely will block random traffic from unknown computers outside their organization on the Internet via NAT, or some kind of firewall block. It's also possible on larger networks that are distributed over greater distances, such as when your location is connected via VPN to the server in another city, state, or country, that they have WUDO disabled and opt rather to distribute Windows Updates internally on their network themselves via a login script pointing to a server folder location or FTP server where updates are downloaded on another secondary server that serves as an update repository, downloading updates into that folder and then redistributing to Users via any of several mechanisms, such as using a Roaming Profile where inside the login script a command will instruct each User's PC to find the update repository folder/server and download & install the update(s). In other words, WUDO is completely replaced by the Network Admin's own distribution mechanism. This can be done for a variety of reasons, such as security, and control over the update process itself.
Should the last mechanism be employed, and they employ disk-imaging using a variety of software programs to do so, you could simply wipe the hard drive of the Surface4, or ask the Network Admin to do it for you. Typically, they will have a script that can be run by him or you to re-image the Surface4 simply by plugging it into the network. You might need bootable W10 media to do this, such as a DVD disc or USB stick. He/she will tell you how to do it. One company I worked at had this setup, and when I scrambled my PC, they had one of their Techs log in to my PC with a special Admin repair script and an OS disc; he rebooted the computer right there in front of me, ran the script, and it appeared to wipe out everything on my computer! He told me to go downstairs to the cafeteria and get a cup of coffee and come back in 20 min. I did so, and when I returned he instructed me to log in again with my User credentials. I did so, and all my programs were there, the Internet was working, and amazingly all my files were there too! (The Login repair script had backed up my Library folders to a different server temp folder and then restored them back to my PC once the disk wipe & OS image reload were completed.)
Part of working in IT is knowing who to talk to and asking the right questions. You should find the owner of your Network as I explained and ask him if this is a schema that they use and have a repair procedure for. If it's automated, you could save yourself hours, days, even weeks, trying to fix a problem like this. If they have an automatic or even semi-automatic method of repair, that can be suggested to you or performed for you by another Tech or Engineer.
When we had to do this, and the machine failed the automatic repair at the User's desk location, it would be transported down to the basement where the IT techs worked; they would work their magic, and a few hours later or by the next day a different machine or my PC after repair would be back at my desk. I would then use my network credentials to log in and all was fixed and working.
They never had to go over 24 hrs. without a repair being fixed in this manner.
Hopefully, you'll get some specific information for your network once you do this. Neemo basically implied this, but you really need to have a conversation with the Network Owner or to your boss who should be able to do that for you and instruct you on what to do or how to do it.
Best of luck,
<<BIGBEARJEDI>>