Citrix App Layering, and probably other Citrix products, may not yet support the very latest version of Windows 10. For instance, Windows 10 1703 (Creators Edition) was not supported in App Layering until version 4.8. Unfortunately, "Feature Updates" are hard to block, because the Windows Update UI itself no longer allows you to select individual updates.
Note that this is separate from disabling all Windows updates altogether, which is what you would want to happen on desktops. This article applies when you are updating Windows 10 on the IM or PM and need to avoid going to 1703, 1709, or some other Feature Update.
Instructions
1703 Creators Edition and 1709 Creators Edition Update each count as a "Feature Update". To block those specifically, you need to edit the Group Policy setting Computer Configuration > Administrative Templates > Windows Components > Windows Update > Defer Windows Updates. Choose "Select when Feature Updates are received", then "Edit policy setting". This is what you will see:

The settings in the screenshot are the most assertive ones you can pick for delaying 1703 (or a later feature update) as long as possible.
Note that Microsoft is serious about forcing you to use telemetry:

You have to allow Windows 10 to phone home if you want to block Feature Updates! There might be some way of blocking the effects of turning on telemetry if you are a secure site, but that's out of the scope of this article.
The Windows Update policy doesn't tell you where to allow telemetry. The "Allow Telemetry" setting is under Computer Configuration > Administrative Templates > Windows Components > Data Collection and Preview Builds. It needs to be Enabled, and set to 1, 2, or 3.
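
To confirm on the IM or PM that both policies have actually applied before you run Windows Update, the following check reads the values they write to the registry. It is an added example, not part of the original article; the registry value names are not given in the article and are assumed to be the standard ones these two policy settings write under HKLM\SOFTWARE\Policies, and the function name is hypothetical.

```powershell
# Added example: audit the two policies described above on the local machine.
# Assumption: the policies write their standard values under HKLM\SOFTWARE\Policies.
$wuKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
$dcKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\DataCollection'

function Get-PolicyValue {
    param([string]$Path, [string]$Name)
    # Returns $null when the key or value is absent (policy "Not Configured").
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -ne $item) { $item.$Name } else { $null }
}

$defer     = Get-PolicyValue $wuKey 'DeferFeatureUpdates'
$deferDays = Get-PolicyValue $wuKey 'DeferFeatureUpdatesPeriodInDays'
$branch    = Get-PolicyValue $wuKey 'BranchReadinessLevel'
$telemetry = Get-PolicyValue $dcKey 'AllowTelemetry'

$findings = @()

# "Select when Feature Updates are received" must be Enabled.
if ($defer -ne 1) {
    $findings += 'Feature Update deferral policy is not enabled.'
} elseif ($null -eq $deferDays) {
    $findings += 'Deferral is enabled but no deferral period is set.'
}

# "Allow Telemetry" must be Enabled and set to 1, 2, or 3 (see above).
if ($null -eq $telemetry) {
    $findings += 'Allow Telemetry is not configured by policy.'
} elseif ($telemetry -notin 1, 2, 3) {
    $findings += "Allow Telemetry is $telemetry; it must be 1, 2, or 3."
}

# Show what was found so it can be compared with the Group Policy editor.
[pscustomobject]@{
    DeferFeatureUpdates  = $defer
    DeferralPeriodInDays = $deferDays
    BranchReadinessLevel = $branch
    AllowTelemetry       = $telemetry
} | Format-List

if ($findings.Count -eq 0) {
    Write-Output 'Both policies are in place.'
} else {
    $findings | ForEach-Object { Write-Warning $_ }
}
```

If the values are missing right after editing the policy, run `gpupdate /force` and check again.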