
WSUS pushing out Windows 10 upgrades

Discussion in 'Servers and Enterprise Solutions' started by Vertigo1, Apr 11, 2016.

  1. Vertigo1

    Capodecina

    Joined: Dec 28, 2003

    Posts: 14,818

    Just noticed that some of my client machines are showing the Windows 10 upgrade in the system tray!

    Checked the WSUS server and the upgrades in question are showing as "Not Approved", because they aren't in my auto-approvals list (duh!) yet are obviously still being pushed out to clients and showing as needed updates.

    Err, what the hell is going on?
     
  2. leigh_boy

    Wise Guy

    Joined: Sep 12, 2012

    Posts: 1,848

    Location: East Sussex

    I would go to the local settings on those machines and check that the WSUS server parameters are what you expect.
     
  3. randal

    Capodecina

    Joined: Oct 1, 2006

    Posts: 12,396

    Yeah we've had the same today too.

    At least I don't think it's WSUS, because I can't find the KBs in the repository. However each machine has staged the upgrade locally and is displaying GWX in the system tray.

    All domain machines, all WSUS managed.

    You're not an MS Partner are you per chance?
     
  4. Felix

    Mobster

    Joined: Jan 25, 2003

    Posts: 2,702

    I am sure these were being pushed out via WSUS months ago.

    I am sure I had to do some fiddle to stop it from being pushed out. Either changing the approvals or classifications, i.e. syncing with auto approval off, then finding the KB for the notification, denying it and then re-enabling auto approval.
     
    Last edited: Apr 11, 2016
  5. randal

    Capodecina

    Joined: Oct 1, 2006

    Posts: 12,396

    I'm a bit stumped with it all at the moment, because I can't find the KBs in WSUS to even start with!

    Currently I'm debating writing a PS script that uninstalls them via GPO, that's how much it's annoyed me. :D
     
  6. randal

    Capodecina

    Joined: Oct 1, 2006

    Posts: 12,396

    Slightly (just a bit) more elegant solution:

    If you haven't already, grab the updated ADMX/ADML GPO templates from here (W8.1/2012):

    https://www.microsoft.com/en-US/download/details.aspx?id=41193

    Or W7/2008r2: https://support.microsoft.com/en-us/kb/3050265

    Move the templates into your relevant SYSVOL \ PolicyDefinitions location, then build a new GPO.

    Check out:

    Computer Configuration -> Policies -> Administrative Templates -> Windows Components -> Windows Update -> Turn off the upgrade to the latest version of Windows through Windows Update.

    edit - if installed you'll still have to remove some of or all of the following KBs:

    KB2952664
    KB3035583 (the KB that you can't flush)
    KB2976978
    KB3021917
    KB3044374
    KB2990214
     
    Last edited: Apr 11, 2016
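    The two checks suggested so far in this thread (leigh_boy's "check the local WSUS settings on the machine" and randal's "set the Turn off the upgrade policy, then strip the listed KBs") can be rolled into one read-only audit script run on a client. The script below is an added example, not something posted by anyone in the thread. It assumes the GPO setting named above is backed by the DisableOSUpgrade value under HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate and that the GWX notifier is separately suppressed by DisableGwx under HKLM\SOFTWARE\Policies\Microsoft\Windows\Gwx (both per Microsoft KB3080351); the KB list is taken verbatim from randal's post. It changes nothing on the machine.

```powershell
# Added audit script (not from the thread). Run in an elevated PowerShell on a client.
# Reports: the WSUS client policy, the two GWX suppression policy values
# (DisableOSUpgrade / DisableGwx, per KB3080351), and which of the KBs listed
# in the thread are installed. Read-only: nothing is changed.

$wuPolicy  = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
$gwxPolicy = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Gwx'

# KB numbers from randal's post; KB3035583 is the GWX notification component.
$gwxKbs = 'KB2952664','KB3035583','KB2976978','KB3021917','KB3044374','KB2990214'

function Get-RegValueOrNull {
    # Returns the named value, or $null if the key or value is absent.
    param([string]$Path, [string]$Name)
    try { (Get-ItemProperty -Path $Path -Name $Name -ErrorAction Stop).$Name }
    catch { $null }
}

# 1. Confirm the client really points at the WSUS server you expect.
$wsus = [pscustomobject]@{
    WUServer       = Get-RegValueOrNull $wuPolicy 'WUServer'
    WUStatusServer = Get-RegValueOrNull $wuPolicy 'WUStatusServer'
    UseWUServer    = Get-RegValueOrNull "$wuPolicy\AU" 'UseWUServer'
}

# 2. Policy values that the GPO / registry approach is expected to set to 1.
$disableOsUpgrade = Get-RegValueOrNull $wuPolicy  'DisableOSUpgrade'
$disableGwx       = Get-RegValueOrNull $gwxPolicy 'DisableGwx'

# 3. Which of the GWX-related KBs are still present on this machine.
$installed = Get-HotFix | Select-Object -ExpandProperty HotFixID
$present   = @($gwxKbs | Where-Object { $installed -contains $_ })

[pscustomobject]@{
    ComputerName     = $env:COMPUTERNAME
    WUServer         = $wsus.WUServer
    WUStatusServer   = $wsus.WUStatusServer
    UseWUServer      = $wsus.UseWUServer
    DisableOSUpgrade = $disableOsUpgrade
    DisableGwx       = $disableGwx
    GwxKbsInstalled  = ($present -join ',')
    # Compliant means: both policy values set, none of the listed KBs installed.
    Compliant        = ($disableOsUpgrade -eq 1 -and $disableGwx -eq 1 -and $present.Count -eq 0)
} | Format-List
```

    A machine that shows the expected WUServer but Compliant = False tells you the GPO has not applied (or the templates were not picked up), which separates "WSUS is pushing it" from "the client staged it on its own", the question randal and Vertigo1 are going back and forth on above.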
  7. Vertigo1

    Capodecina

    Joined: Dec 28, 2003

    Posts: 14,818

  8. Rroff

    Man of Honour

    Joined: Oct 13, 2006

    Posts: 68,453

    Wow that could really mess things up for some businesses.

    EDIT: Ah looks like in most cases it just notifies that the update is blocked by the administrator.
     
  9. MagicBoy

    Capodecina

    Joined: Oct 18, 2002

    Posts: 16,024

    Location: South Manchester

    Depends how you are licensed. Professional will pester you to upgrade without the GPO intervention or registry tweaks. Machines running Enterprise edition ignore the GWX crapware out of the box.

    Thankfully we're on Enterprise...
     
  10. Vertigo1

    Capodecina

    Joined: Dec 28, 2003

    Posts: 14,818

    We're on Pro here - vast majority of licences came OEM with the machines so they're all eligible for the free upgrade but they're all hooked up to WSUS via group policy.
     
  11. Vertigo1

    Capodecina

    Joined: Dec 28, 2003

    Posts: 14,818

    If the user isn't a local admin yes. If they are then they can perform the upgrade.

    As I said, as we have a fairly small and trustworthy staff, many people are in fact local admins as it makes installs/maintenance much easier.
     
  12. Felix

    Mobster

    Joined: Jan 25, 2003

    Posts: 2,702

    Nothing really wrong with Windows 10. We are slowly moving across having gone through and seen what software does or doesn't work. A few tweaks here and there and GPOs to sort out.
     
  13. paradigm

    Caporegime

    Joined: Aug 26, 2003

    Posts: 35,649

    Location: Staffordshire

    Sorry but that's quite frankly a daft attitude to have. Even us "admins" aren't admins here, we have separate admin accounts.

    For what it's worth this site is 70 heads, so not massively different.
     
  14. nutcase

    Sgarrista

    Joined: Oct 18, 2002

    Posts: 7,625

    Location: SX, unfortunately

    Very bad idea to have local admin rights.
     
  15. #Chri5#

    Soldato

    Joined: Feb 27, 2003

    Posts: 6,857

    Location: Shropshire

    Users with local admin rights are the spawn of Satan.

    However, over the years I've seen way too many business applications that want local admin rights. No, no and no again. I'm sure Sage (spit) used to demand this.
     
  16. chenko

    Mobster

    Joined: Oct 18, 2002

    Posts: 3,883

    Push the DisableOSUpgrade and that other registry key, I do this as well as the GPO (in the new admx) option because I really do not trust Microsoft.

    If you're really paranoid look at aegis script or something to pull that.


    Actually you don't need to give that software/user admin rights to the whole PC.

    What you do is find the folders/registry keys it needs access to and give A GROUP access to that folder. You can push this via GPO easily so won't need to do it per machine either. I include mine inside the same policy that deploys the software, though sometimes I push these permissions even if the software has no deployment package. You then add users to this group, even if it's the "everyone" group to this group, still better than

    Even if you don't push these changes with GPO you need to DOCUMENT the changes, even if it's just a notepad file stored wherever the installer is located.

    Then look at SRS or the new AppLocker (if you have Enterprise) to restrict the rest.

    If you are unsure which folders to allow access to, you can run up Process Monitor (SysInternals) and look at denied folder entries for the process of the application you're running. An audit like this should only take 10-20 minutes.



    Trustworthy doesn't help with accidental changes/installs and/or the spread of said malware etc.
     
    Last edited: Apr 16, 2016
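    The folder-and-registry-key approach chenko describes, as an added example that is not chenko's own script: grant a dedicated AD group Modify on the application's data folder and Full Control on its registry key (the locations you found from the ACCESS DENIED entries in Process Monitor), then log what was changed next to the installer. The group name, folder and key are placeholders; in practice you would put the same ACL changes into the GPO that deploys the application, as the post suggests.

```powershell
# Added example (not from the thread). Replaces "make the user a local admin" with
# explicit rights for one group on the folder and registry key the app actually
# needs. All three names below are placeholders; take the real ones from your
# Process Monitor audit. Run elevated.

$appGroup  = 'DOMAIN\App-LegacyApp-Users'            # placeholder AD group
$appFolder = 'C:\ProgramData\LegacyApp'               # placeholder folder from ProcMon
$appRegKey = 'HKLM:\SOFTWARE\LegacyVendor\LegacyApp'  # placeholder registry key from ProcMon

# --- Folder: Modify (read/write/delete, but not Full Control), inherited by
#     subfolders and files so newly created items get the same rights. ---
$acl  = Get-Acl -Path $appFolder
$rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
    $appGroup,
    [System.Security.AccessControl.FileSystemRights]::Modify,
    [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit',
    [System.Security.AccessControl.PropagationFlags]::None,
    [System.Security.AccessControl.AccessControlType]::Allow)
$acl.AddAccessRule($rule)
Set-Acl -Path $appFolder -AclObject $acl

# --- Registry key: Full Control on this key and its subkeys only.
#     Nothing else under HKLM\SOFTWARE is touched. ---
$regAcl  = Get-Acl -Path $appRegKey
$regRule = New-Object System.Security.AccessControl.RegistryAccessRule(
    $appGroup,
    [System.Security.AccessControl.RegistryRights]::FullControl,
    [System.Security.AccessControl.InheritanceFlags]'ContainerInherit',
    [System.Security.AccessControl.PropagationFlags]::None,
    [System.Security.AccessControl.AccessControlType]::Allow)
$regAcl.AddAccessRule($regRule)
Set-Acl -Path $appRegKey -AclObject $regAcl

# --- Document the change, as the post insists, in a text file beside the app. ---
"$(Get-Date -Format s) granted $appGroup Modify on $appFolder and FullControl on $appRegKey" |
    Add-Content -Path (Join-Path $appFolder 'PERMISSION-CHANGES.txt')

# Show the resulting entries for the group so the change can be eyeballed.
(Get-Acl $appFolder).Access  | Where-Object { $_.IdentityReference -eq $appGroup }
(Get-Acl $appRegKey).Access  | Where-Object { $_.IdentityReference -eq $appGroup }
```

    Membership of the group, rather than local Administrators, is then the only thing that varies per user, which is what keeps an accidental install or a piece of malware run under that user from reaching the rest of the machine.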