Note: The issue and resolution are still being reviewed.
Here is what we know so far:
We have been informed by multiple clients that they are seeing the following message stating, “Your device needs the latest security updates”. This prompt is being generated on Windows 10 machines with builds prior to v1709 after 2 specific KBs are installed.
Explanation of the issue per Microsoft:
This issue is occurring due to a recently released update KB4023814 (also KB4023057). The release is causing an alert to users, on Windows 10 versions older than 1709, about the new feature updates. If you’re currently running Windows 10 Version 1507, 1511, 1607 or 1703, you can expect to receive this notification. Windows Update will then try to update your device. When you receive the update notification, click Update now to update your device.
This update is also offered directly to the Windows Update Client for some devices that have not installed the most recent updates. Windows 10 Version 1507 and Version 1511 are currently at “end of service”. This means that devices that are running these operating systems no longer receive the monthly security and quality updates that contain protection from the latest security threats. To continue receiving security and quality updates, Microsoft recommends that you update the system to the latest Windows version, Windows 10 Version 1709. While Windows 10 version 1607 and version 1703 are not yet at “end of service”, they must be updated to the latest versions of Windows 10 to ensure protection from the latest security threats.
Microsoft is aware that this notification was incorrectly delivered to some Windows 10 Version 1703 devices that had a user-defined feature update deferral period configured. Microsoft mitigated this issue on March 8, 2018.
Workaround:
Kraft Kennedy is vetting resolutions and will update this blog once we confirm a valid solution(s). In the meantime, we would recommend not approving the following both KB4023814 and KB4023057 from WSUS or SCCM ADRs, pending a final solution. If these two KBs have been installed, developing and testing the uninstalls of the KBs via WUSA.exe, Microsoft Updates and/or Programs and Features are other options to review at this time.