Windows 10: Admins, check your W7/W8/W8.1 domain machines

randal · 7 Aug 2015 at 16:44

Just found the W10 update pre-staged on all of our W7 machines on the domain at work.

Not alone it would seem:

http://www.theregister.co.uk/2015/08/07/windows_10_auto_injects_itself_into_windows_7/

Taken from the linked MS KB page:

The Windows 10 upgrade is automatically blocked (that is, no further action is required) on computers or other devices in the following scenarios:

The computer or device is joined to a domain.

Someone's in for a shoeing.

bledd · 7 Aug 2015 at 16:46

Yikes, sounds like someone at MS zigged when they should have zagged.

traveyb · 7 Aug 2015 at 17:15

Ouch, we use SCCM for updates but luckily the clients are locked down and can't select MS updates. Thought they would have put preventative measures in place :s

randal · 7 Aug 2015 at 17:20

I think it's all down to KB3035583 installing, be that via SCCM or WU. If the machine has direct Internet access then it'll DL the update (whether it's on a domain or not).

Our machines are W7 Pro, so I presume a W7 Enterprise machine wouldn't have got the update - either way the domain caveat should have stopped that in it's tracks.

Deleted member 77746 · 7 Aug 2015 at 17:27

We OK. Wouldn't like this on 6000 devices.

Vertigo · 11 Aug 2015 at 15:35

Surely this won't apply to machines configured to use a WSUS server? Whilst clients can opt to bypass and check Windows Update directly, unless they do so the relevant update shouldn't install as it won't be approved by WSUS.

randal · 11 Aug 2015 at 15:46

I can only really see this hitting smaller organisations who update directly from WU such as ourselves. We've got limited outbound connectivity to WU in lieu of a WSUS host which my predecessor never got around to configuring.

Needless to say it's now pretty high on my list of priorities...

Vertigo · 11 Aug 2015 at 17:11

Only issue with WSUS is that, by default, the client has the option to bypass it and go directly to WU so, unless this has been explicitly blocked by the firewall, there's still the opportunity for a user to get the update.

Granted it's nowhere near the same scenario as that detailed above and users would have to deliberately go looking for and download the update and then install it but it still shouldn't be possible. There will be a great many sysadmins out there who've configured WSUS and fully believe they're safe from unwanted Win10 upgrades and will find out to their horror that this isn't the case. There should be no way whatsoever that a domain-joined computer will allow the download or installation of the update unless explicitly allowed by the sysadmin.

MS dropping the ball spectacularly yet again. They really are clueless.

cuke2u · 11 Aug 2015 at 17:19

To a proper IT techie that route of accessing WU manually should be closed off anyway...

Skeeter · 11 Aug 2015 at 20:02

I'm a bit confused by this? If you allow your domain machines to download Windows Updates on their own, why are you then surprised when they... download a Windows Update on their own?

Presumably exactly the same happened with SP1 for Windows 7, or any large update?