Hi, we have co-managed devices with the Windows Update workload moved to Intune. We started with the feature update deferral policy set to zero and applying a feature update profile, but started to experience the known issue with co-managed devices upgrading to the latest version of Win 10 despite what is set in the profile.
So we moved from a feature update profile to the TargetReleaseVersion CSP which was at one stage recommended in the docs as a workaround for the issue:
How to create a feature update hold for co-managed Windows 10 devices - Intune | Microsoft Docs
This worked well the devices on 1909 remained on 1909. Then when switching the TargetReleaseVersion CSP to 20H2 none of them would update until they were un-enrolled from the WUfB Deployment Service. As stated in the docs below.
Configure Windows 10 feature updates policy in Intune | Microsoft Docs
This worked for a period of time (couple of weeks) but now none of the 1909 devices with a deferral policy for feature updates set to 0, the TargetReleaseVersion CSP set to 20H2 and confirmed as being un-enrolled from the WUfB Deployment Service are being offered the 20H2 Feature Update from Windows Update.
Any ideas what might be happening here or what I can check next? None of these machines are showing as having a Safeguard Hold in Update Compliance.