I ran into an issue where several Windows devices stopped receiving feature updates, even though they looked completely healthy and continued to install security and quality updates without any problems.
The tenant was managed using Intune update rings only. No feature update policies were assigned, and the deferral settings should have allowed the devices to move forward naturally. From the Intune portal everything looked correct. Compliance was fine, Windows Update was working, and there were no obvious errors.
After a lot of troubleshooting, it became clear that this was not a client side problem. The real cause turned out to be historical. The tenant had previously used feature update policies, and when those policies were removed and the environment switched fully to update rings, the devices were never properly unenrolled from the Windows Update for Business deployment service.
Because of that, several machines remained silently registered in the background and were blocked from receiving new feature versions. Some of them had been stuck on the same Windows build for more than a year.
This was especially confusing because everything appeared healthy. Clearing update caches, resetting Windows Update, running PowerShell scripts, and performing DISM or SFC scans had no effect. The devices were fully functional, but feature updates never arrived.
How feature update policies really work
When you create a feature update policy in Intune, assigned devices are onboarded to the Windows Update for Business deployment service. In the background, each device is represented as an updatable asset. This object can be queried through Microsoft Graph and is linked to the Entra ID device identifier.
The same mechanism is also used for quality updates and driver updates.
There are several states you might see:
- enrolled or enrolledWithPolicy: Device is managed by a policy.
- enrolling: Device is in the process of being onboarded.
- notEnrolled: Normal when only update rings are used.
- Not found: Device is not onboarded at all.
One critical detail: When a device is no longer assigned to any feature update policy, it remains enrolled in the deployment service. If you once used a feature update policy and later removed it, the device can stay in this hidden state. When that happens, feature updates may never arrive.
This was exactly my situation. Some devices had been stuck like this for more than a year and a half because of a policy that was never fully removed.
Connecting to Microsoft Graph
To investigate, I connected to Microsoft Graph using PowerShell. This allows me to query managed devices and their Windows Update enrollment state.
```powershell
# Requires the Microsoft Graph PowerShell SDK (Install-Module Microsoft.Graph)
# Connect to Microsoft Graph with required permissions
Connect-MgGraph -Scopes "DeviceManagementManagedDevices.Read.All", "WindowsUpdates.ReadWrite.All"
```
Finding Devices That Are Stuck
Once connected, I retrieved all Windows devices in Intune and checked their updatable asset records. Because no feature update policy was assigned anymore, any device still reporting enrolled or enrolledWithPolicy for the feature category was stale. In a tenant that still uses feature update policies, compare the list against the current policy assignments before treating a device as stuck.
```powershell
# Get all Windows devices from Intune
Write-Host "Scanning Intune managed devices for stuck feature update enrollments..." -ForegroundColor Cyan
$devices = Get-MgDeviceManagementManagedDevice -All | Where-Object { $_.OperatingSystem -like "Windows*" }

$stuckDevices = @()

foreach ($device in $devices) {
    # The updatable asset ID is the Entra ID device ID; skip records that have none
    if ([string]::IsNullOrEmpty($device.AzureAdDeviceId)) { continue }

    try {
        # Check updatable asset status using device ID (Entra ID)
        $uri = "https://graph.microsoft.com/beta/admin/windows/updates/updatableAssets/$($device.AzureAdDeviceId)"
        $asset = Invoke-MgGraphRequest -Method GET -Uri $uri -ErrorAction Stop

        # Check enrollment state for the feature update category
        $enrollmentState = $asset.enrollment.feature.enrollmentState

        if ($enrollmentState -eq "enrolled" -or $enrollmentState -eq "enrolledWithPolicy") {
            $stuckDevices += [PSCustomObject]@{
                DeviceName      = $device.DeviceName
                DeviceId        = $device.AzureAdDeviceId
                EnrollmentState = $enrollmentState
                LastModified    = $asset.enrollment.feature.lastModifiedDateTime
            }
        }
    }
    catch {
        # A 404 here means no updatable asset exists: the device was never onboarded
    }
}
```
Reviewing the Results
After collecting the devices, I displayed them so I could easily see which were stuck.
```powershell
# Display stuck devices
$stuckDevices | Format-Table -AutoSize

Write-Host "`nTotal stuck devices: $($stuckDevices.Count)" -ForegroundColor Cyan
```
Seeing this list was the breakthrough. Devices that looked normal in the Intune portal were still enrolled in an old feature update service and completely blocked from upgrading.
Offboarding Devices From Updatable Assets
There are two ways to remove a device from this management:
- Unenroll the device from Intune (useful for phasing out devices).
- Delete the updatable asset record via Microsoft Graph.
I used the second option because these devices were active and needed updates.
```powershell
# Enter the Azure AD Device ID to offboard.
$deviceToOffboard = ""

if ($deviceToOffboard) {
    Write-Host "Attempting to offboard device: $deviceToOffboard" -ForegroundColor Yellow

    try {
        # Deleting the updatable asset removes the device from all three categories
        $deleteUri = "https://graph.microsoft.com/beta/admin/windows/updates/updatableAssets/$deviceToOffboard"
        Invoke-MgGraphRequest -Method DELETE -Uri $deleteUri -ErrorAction Stop

        Write-Host "Successfully offboarded device: $deviceToOffboard" -ForegroundColor Green
        Write-Host "Note: This also offboards quality and driver updates." -ForegroundColor Cyan
    }
    catch {
        Write-Host "Failed to offboard device: $($_.Exception.Message)" -ForegroundColor Red
    }
}
else {
    Write-Host "No device ID specified for offboarding. Skipping..." -ForegroundColor DarkGray
}
```
Deleting the updatable asset fully removes the device from Windows Update for Business management and clears the broken enrollment state. Be careful: this also removes the device from quality and driver update management, so confirm first that no expedited quality, driver, or feature update policy still targets the device. If one does, expect Intune to enroll it again.
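If you would rather not drop the quality and driver enrollment along with the feature one, the deployment service also exposes a per-category unenrollAssets action on the same beta endpoint. The script below is an added example and not code from the original post: it reads the three enrollment states for each device, unenrolls only the feature category, waits for the asynchronous action to settle, and re-reads the asset to verify the result. It assumes an existing Connect-MgGraph session with WindowsUpdates.ReadWrite.All; the $deviceIds list is a placeholder to fill from the stuck-device list, and the 30 second wait is an assumption, not a documented figure.

```powershell
# Added example: per-category unenrollment instead of deleting the whole updatable asset.
# Assumes an existing Connect-MgGraph session with WindowsUpdates.ReadWrite.All.
# $deviceIds is a placeholder; populate it from the scan above (e.g. $stuckDevices.DeviceId).
$deviceIds = @()
$baseUri   = "https://graph.microsoft.com/beta/admin/windows/updates/updatableAssets"

function Get-WufbEnrollment {
    # Returns feature/quality/driver enrollment states for one Entra ID device ID,
    # or $null when the deployment service has no updatable asset for it (HTTP 404).
    param([Parameter(Mandatory)][string]$DeviceId)
    try {
        $asset = Invoke-MgGraphRequest -Method GET -Uri "$baseUri/$DeviceId" -ErrorAction Stop
        [PSCustomObject]@{
            DeviceId = $DeviceId
            Feature  = $asset.enrollment.feature.enrollmentState
            Quality  = $asset.enrollment.quality.enrollmentState
            Driver   = $asset.enrollment.driver.enrollmentState
        }
    }
    catch {
        # The SDK surfaces the HTTP status in the message text; wording varies by version
        if ($_.Exception.Message -match '404|NotFound') { return $null }
        throw
    }
}

function Remove-WufbFeatureEnrollment {
    # Unenrolls the given devices from the feature update category only,
    # leaving quality and driver enrollment untouched.
    param([Parameter(Mandatory)][string[]]$DeviceIds)
    $body = @{
        updateCategory = "feature"
        assets = @($DeviceIds | ForEach-Object {
            @{ "@odata.type" = "#microsoft.graph.windowsUpdates.azureADDevice"; id = $_ }
        })
    }
    # The action is accepted asynchronously (202); the state change shows up shortly after
    Invoke-MgGraphRequest -Method POST -Uri "$baseUri/unenrollAssets" `
        -Body ($body | ConvertTo-Json -Depth 5) -ContentType "application/json" -ErrorAction Stop
}

if ($deviceIds.Count -gt 0) {
    Write-Host "Before:" -ForegroundColor Cyan
    $deviceIds | ForEach-Object { Get-WufbEnrollment -DeviceId $_ } | Format-Table -AutoSize

    Remove-WufbFeatureEnrollment -DeviceIds $deviceIds

    # Assumed settle time for the asynchronous action; adjust if the re-read still shows the old state
    Start-Sleep -Seconds 30

    Write-Host "After:" -ForegroundColor Cyan
    foreach ($id in $deviceIds) {
        $state = Get-WufbEnrollment -DeviceId $id
        if ($null -eq $state) {
            Write-Host "$id : no updatable asset (fully offboarded)" -ForegroundColor DarkGray
            continue
        }
        if ($state.Feature -eq "notEnrolled") {
            Write-Host "$id : feature enrollment cleared (quality=$($state.Quality), driver=$($state.Driver))" -ForegroundColor Green
        }
        else {
            Write-Host "$id : feature still $($state.Feature); check whether a policy still targets it" -ForegroundColor Yellow
        }
    }
}
else {
    Write-Host "No device IDs specified. Skipping..." -ForegroundColor DarkGray
}
```

The re-read at the end is the part worth keeping even if you stick with DELETE: a device that still reports enrolled or enrolledWithPolicy after the action is almost certainly being re-enrolled by a policy that still targets it, and no amount of client-side repair will change that.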
Results
After offboarding the affected machines, they started receiving the correct feature updates during the next update cycle. Devices that had been frozen on an old version for more than a year finally moved to a supported Windows release.
Closing Thoughts
This issue is easy to miss. Everything looks healthy in the Intune portal, and security updates continue to install, so there is no warning. But hidden enrollment states in Windows Update for Business can silently block feature updates for a very long time.
If you ever see devices that refuse to move forward with feature updates, checking their updatable asset state via Microsoft Graph can save you many hours of troubleshooting.