Don't want Windows 10 FILTH on the company network? Step this way
Master your domain – and kill it at source
Windows 10 is here. Now, while I have Windows Upgrade Fatigue and I'm in no rush to make the change, plenty of people out there received the upgrade when it arrived. There was certainly going to be a mighty spike in net traffic that day – not least because the upgrade from Windows 7 or Windows 8 is a free one.
If you're a corporate IT person, though, the last thing you need is for your users to be randomly upgrading their desktops and laptops.
You presumably have Windows 7 or Windows 8 there for a reason – and that reason is that you have a set of standards that you know how to support and for which your service desk and PC support teams are trained.
Given that the upgrade is a really easy process for the user (it's pretty much click-and-go) is there anything you can do – or need to do – to prevent arbitrary, uncontrolled upgrades?
Your invitation is withdrawn...
If you have a Windows 7/8 machine running basic Windows Update (more about the alternatives to that later) then there's every chance that the box has the Get Windows 10 extension installed.
This is an add-on that presents you with an easy-to-click icon on your existing Windows machine that will fetch the Windows 10 update for you: Microsoft knowledge base article 3035583 tells you all about it.
Clearly you don't want to be presenting users with the ability to click something, so just use the Control Panel to remove the update in the standard way.
As an aside, it's nice to see that Microsoft are mimicking Apple's approach: the world has been installing new versions of MacOS for ages via the on-board updater in this way. Microsoft also seems to agree with Apple that X is funkier and more sexy in Latin than the plain old numeral 10 and have called the Get Windows 10 updater “GWX”.
This brings us to the obvious question: if you have corporate machines, do you really let them run Windows Update to download patches and extensions directly from Microsoft? If so, then you really do need to change your ways as there are so many reasons to use a corporate update server.
First is bandwidth: the size of a modern Windows update is roughly the number of inches to Jupiter, so why let several dozen machines download and install the same updates over your Internet connection at random times? The second is control: with Windows Server Update Services (WSUS) or System Center Configuration Manager (SCCM) you not only download once and install to PCs over the LAN, but you also get to vet which updates are installed and when. Hence you have complete control over which items get downloaded and are available to install on your desktops.
So I'll need a domain then...
If you want to enforce updates through your central service then of course you'll need to have your PCs centrally controlled in general – which, unless you're into wild, wacky directory services, you'll do using Active Directory (AD). All your user machines should be attached to the AD structure, and you'll use Group Policy Objects to enforce the restrictions you need: this forces them to update themselves via your controlled server, rather than Microsoft's global one.
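To check that both controls described above have actually landed on a given PC, the following audit script is an added example, not something from the original article. The function name `Test-UpgradeControls` and the server URL are hypothetical placeholders; the registry values are the ones written by the Group Policy setting "Specify intranet Microsoft update service location".

```powershell
# Added example: audit one PC for the two controls discussed in the article.
# The default server URL is a placeholder; pass your own WSUS address.
param(
    [string]$ExpectedWsus = 'http://wsus.example.internal:8530'  # hypothetical
)

function Test-UpgradeControls {
    param([string]$ExpectedWsus)

    $findings = @()

    # 1. Is the Get Windows 10 (GWX) update, KB3035583, installed?
    $gwx = Get-HotFix -Id 'KB3035583' -ErrorAction SilentlyContinue
    if ($gwx) {
        $findings += 'KB3035583 (GWX) is installed; remove it and decline it on the update server.'
    }

    # 2. Does Group Policy point the Windows Update client at the corporate server?
    $wuKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
    $wu = Get-ItemProperty -Path $wuKey -ErrorAction SilentlyContinue
    $au = Get-ItemProperty -Path "$wuKey\AU" -ErrorAction SilentlyContinue

    if (-not $wu -or -not $wu.WUServer) {
        $findings += 'No WUServer policy value; the client will go to Microsoft directly.'
    } elseif ($wu.WUServer.TrimEnd('/') -ne $ExpectedWsus.TrimEnd('/')) {
        $findings += "WUServer is '$($wu.WUServer)', expected '$ExpectedWsus'."
    }
    # WUServer only takes effect when AU\UseWUServer is set to 1.
    if (-not $au -or $au.UseWUServer -ne 1) {
        $findings += 'AU\UseWUServer is not 1; the WUServer setting is ignored.'
    }

    # New-Object keeps this compatible with the PowerShell 2.0 shipped in Windows 7.
    New-Object PSObject -Property @{
        Computer  = $env:COMPUTERNAME
        Compliant = ($findings.Count -eq 0)
        Findings  = $findings
    }
}

Test-UpgradeControls -ExpectedWsus $ExpectedWsus
```

A machine that reports `Compliant = False` with a missing `WUServer` value is usually one that has not picked up the GPO, for example because it sits in the wrong OU or was never joined to the domain.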