I recently had a situation in my environment where I found a few managed Windows 10 1703 Enterprise devices that had updated on their own to Windows 10 1709. I immediately had Dual Scan in mind; however, we don’t have any deferral policies configured in Group Policy, nor are we using any Servicing Plans in ConfigMgr.
Additionally, there were numerous devices that installed quality and driver updates from Microsoft Update.
As written, those devices are all managed by Configuration Manager current branch, which also handles all update deployments. After raising a support call with Microsoft and a few hours of troubleshooting, we enabled the following Group Policy setting.
Computer Configuration\Policies\Administrative Templates\System\Internet Communication Management\Internet Communication settings\Turn off access to all Windows Update features
This is the same setting that was mentioned as a workaround in the Dual Scan blog post linked above.
As of today, we haven’t had any reports of other unexpected updates.
As an additional note, the above GPO setting doesn’t break any Microsoft Store functionality. The one responsible for that is called “Do not connect to any Windows Update Internet locations”.
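To verify that the setting above has actually landed on a device (and to see at a glance whether the classic Dual Scan preconditions are present), the following PowerShell audit script is an added example, not code from the original post. It reads the registry values that back the Windows Update client policies: the GPO-to-value-name mapping in the comments is the standard one for these policies, and the Dual Scan heuristic at the end is a simplification (WSUS/ConfigMgr configured plus any deferral policy, with neither blocking policy set) that I am stating as an assumption rather than something the post spells out.

```powershell
# Added audit example (not from the original post). Read-only: reports the
# effective Windows Update policy values on the local machine so an admin can
# confirm the "Turn off access to all Windows Update features" GPO applied and
# check whether the known Dual Scan preconditions are present. Run elevated.

$PolicyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
$AuKey     = Join-Path $PolicyKey 'AU'

function Get-PolicyValue {
    param([string]$Path, [string]$Name)
    # $null means the key or value is absent, i.e. the policy is "Not configured".
    try { (Get-ItemProperty -Path $Path -Name $Name -ErrorAction Stop).$Name }
    catch { $null }
}

function Get-WindowsUpdateAccessPolicy {
    # GPO: System\Internet Communication Management\...\Turn off access to all Windows Update features
    $disableAccess = Get-PolicyValue $PolicyKey 'DisableWindowsUpdateAccess'
    # GPO: Windows Components\Windows Update\Do not connect to any Windows Update Internet locations
    # (the post notes this one does affect the Microsoft Store)
    $noInternet    = Get-PolicyValue $PolicyKey 'DoNotConnectToWindowsUpdateInternetLocations'
    # GPO: Windows Components\Windows Update\Do not allow update deferral policies to cause scans against Windows Update
    $disableDual   = Get-PolicyValue $PolicyKey 'DisableDualScan'
    # Deferral policies (Windows Update for Business) and WSUS/ConfigMgr pointers
    $deferFeature  = Get-PolicyValue $PolicyKey 'DeferFeatureUpdates'
    $deferQuality  = Get-PolicyValue $PolicyKey 'DeferQualityUpdates'
    $wsusServer    = Get-PolicyValue $PolicyKey 'WUServer'
    $useWsus       = Get-PolicyValue $AuKey 'UseWUServer'

    # Assumed simplification of the Dual Scan preconditions: a WSUS/ConfigMgr
    # server is in use AND at least one deferral policy is set AND neither
    # blocking policy is enabled.
    $deferralPresent = ($deferFeature -eq 1) -or ($deferQuality -eq 1)
    $dualScanRisk    = ($useWsus -eq 1) -and $deferralPresent -and
                       ($disableDual -ne 1) -and ($disableAccess -ne 1)

    [pscustomobject]@{
        ComputerName                     = $env:COMPUTERNAME
        WUServer                         = $wsusServer
        UseWUServer                      = $useWsus
        DisableWindowsUpdateAccess       = $disableAccess   # expected 1 after the GPO from the post
        DoNotConnectToWUInternetLocations = $noInternet
        DisableDualScan                  = $disableDual
        DeferFeatureUpdates              = $deferFeature
        DeferQualityUpdates              = $deferQuality
        DualScanPreconditionsPresent     = $dualScanRisk
        AccessBlockedAsExpected          = ($disableAccess -eq 1)
    }
}

# Usage: run on a device after a gpupdate /force and review the output.
Get-WindowsUpdateAccessPolicy | Format-List
```

The script only reads the policy hive; pushing the value through a direct registry write would be overwritten at the next Group Policy refresh anyway, so the GPO itself remains the right place to enable it. Running it across a fleet (for example through Invoke-Command or as a ConfigMgr script) gives a quick list of devices where DisableWindowsUpdateAccess is still missing.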