WSUS pushing out Windows 10 upgrades

[Vertigo]

Just noticed that some of my client machines are showing the Windows 10 upgrade in the system tray!

Checked the WSUS server and the upgrades in question are showing as "Not Approved", because they aren't in my auto-approvals list (duh!) yet are obviously still being pushed out to clients and showing as needed updates.

Err, what the hell is going on?

 

[leigh_boy]

i would go to the local setting on them machines and check the wsus server parameters are what you expect

 

[randal]

Yeah we've had the same today too.

At least I don't think it's WSUS, because I can't find the KBs in the repository. However each machine has staged the upgrade locally and is displaying GWX in the system tray.

All domain machines, all WSUS managed.

You're not an MS Partner are you per chance?

 

[Felix]

I am sure these were being pushed out via WSUS months ago.

I am sure I had to do some fiddle to stop it from being pushed out. Either changing the approvals or classfications. IE syncing with auto approval off, then find the KB for the notification, denying it and then re-enable auto approval.

 

[randal]

I'm a bit stumped with it all at the moment, because I can't find the KBs in WSUS to even start with!

Currently I'm debating writing a PS script that uninstalls them via GPO, that's how much it's annoyed me.

 

[randal]

Slightly (just a bit) more elegant solution:

If you haven't already, grab the updated ADMX/ADML GPO templates from here (W8.1/2012):

https://www.microsoft.com/en-US/download/details.aspx?id=41193

Or W7/2008r2: https://support.microsoft.com/en-us/kb/3050265

Move the templates into your relevation SYSVOL \ PolicyDefinitions location, then build a new GPO.

Check out:

Computer Configuration -> Policies -> Administrative Templates -> Windows Components -> Windows Update -> Turn off the upgrade to the latest version of Windows through Windows Update.

edit - if installed you'll still have to remove some of or all of the following KBs:

KB2952664
KB3035583 (the KB that you can't flush)
KB2976978
KB3021917
KB3044374
KB2990214

 

[Vertigo]

Luckily we're a small enough outfit (50-ish) that I can send a scary email round saying "don't you dare!" and people will refrain.

Just annoyed that it's suddenly done an end-run around the WSUS setup.

This seems relevant: http://www.neowin.net/news/microsoft-angers-system-administrators-with-new-windows-10-upgrade-push

 

[Rroff]

Wow that could really mess things up for some businesses.

EDIT: Ah looks like in most cases it just notifies that the update is blocked by the administrator.

 

[MagicBoy]

Depends how you are licensed. Professional will pester you to upgrade without the GPO intervention or registry tweaks. Machines running Enterprise edition ignore the GWX crapware out of the box.

Thankfully we're on Enterprise...

 

[Vertigo]

We're on Pro here - vast majority of licences came OEM with the machines so they're all eligible for the free upgrade but they're all hooked up to WSUS via group policy.

 

[Vertigo]

Wow that could really mess things up for some businesses.

EDIT: Ah looks like in most cases it just notifies that the update is blocked by the administrator.

If the user isn't a local admin yes. If they are then they can perform the upgrade.

As I said, as we have a fairly small and trustworthy staff, many people are in fact local admins as it makes installs/maintenance much easier.

 

[Felix]

Nothing really wrong with windows 10. We are slowly moving across having gone through and seen what software does or doesn't work. A few tweaks here and there and GPOs to sort out.

 

[paradigm]

many people are in fact local admins as it makes installs/maintenance much easier.

Sorry but that's quite frankly a daft attitude to have. Even us "admins" aren't admins here, we have separate admin accounts.

For what it's worth this site is 70 heads, so not massively different.

 

[nutcase]

Very bad idea to have local admin rights.

 

[#Chri5#]

Users with local admin rights are the spawn of Satan.

However, over the years I've seen way too many business applications that want local admin rights. No, no and no again. I'm sure Sage (spit) used to demand this.

 

[chenko]

Push the DisableOSUpgrade and that other registry key, I do this as well as the GPO (in the new admx) option because I really do not trust Microsoft.

If you're really paranoid look at aegis script or something to pull that.

Users with local admin rights are the spawn of Satan.

However, over the years I've seen way too many business applications that want local admin rights. No, no and no again. I'm sure Sage (spit) used to demand this.

Actually you don't need to give that software/user admin rights to the whole PC.

What you do is find the folders/registry keys it needs access to and give A GROUP access to that folder. You can push this via GPO easily so won't need to do it per machine either. I include mine inside the same policy that deploys the software, though sometimes I push these permissions even if the software has no deployment package. You then add users to this group, even if its the "everyone" group to this group, still better than

Even if you don't push these changes with GPO you need to DOCUMENT the changes, even if its just a notepad file stored wherever the installer is located.

Then look at SRS or the new AppLocker (if you have Enterprise) to restrict the rest.

If you are unsure which folders to allow access to, you can run up Process Monitor (SysInternals) and look at denied folder entries for the process of the application you're running. An audit like this should only take 10-20 minutes.

If the user isn't a local admin yes. If they are then they can perform the upgrade.

As I said, as we have a fairly small and trustworthy staff, many people are in fact local admins as it makes installs/maintenance much easier.

Trustworthy doesn't help with accidental changes/installs and/or the spread of said malware etc.