Blocking Win 10 on the domain
Windows 10 is here and frankly it’s great. You will, however, want to be careful to put some controls in place to stop the uncontrolled install of this new OS directly by end users.
Every firm has them, those users who really wish they were in IT and want to be on the bleeding edge of everything. While their enthusiasm is laudable, the impact of such upgrading abandon can often be an administrative nightmare for the technology staff. With the advent of Windows 10 the potential for such “installations in the wild” has increased many fold as most versions of windows are entitled to a free upgrade path from Windows 7/8/8.1 to Windows 10 – and all delivered direct to the machine via the web.
Obviously we as admins want to have some fairly tight controls over desktop environments so what is to be done? Thankfully Microsoft has extended already existing tools to give us everything we need to control unauthorized upgrades. In June of this year Microsoft pushed KB3050265 ( https://support.microsoft.com/en-us/kb/3050265 ) which extends the existing group policy options to add the following policy path and setting:
Policy path Computer Configuration / Administrative Templates / Windows Components / Windows Update
Policy setting Turn off the upgrade to the latest version of Windows through Windows Update (enabled or disabled)
To suppress this offer through the registry, set the following registry key:
DWORD: DisableOSUpgrade = 1
The extension of the existing group policy objects is a simple proposition. We would, however, encourage the backup of the existing settings prior to the application just as a matter of good practice. Obviously the application will only help you if you have control of the GP application to the machine. Those home machines, now that is another story. (Though the application of this GPO is just as applicable there and could be achieved via your MDM program).
We would suggest getting these settings in-place ASAP to avoid the inevitable call from that bleeding edge user.