nkeables

asked on

Windows 10 upgrade madness

We have had two domain joined Windows 7 Professional Volume Licensed via KMS, and updated via WSUS computers automatically upgrade to Windows 10 Pro.  I was under the impression that this was not supposed to happen.  When subscribed to a WSUS server the prompt to 'Reserve a Copy' is supposed to be suppressed and the Windows update mechanism for background downloads doesn't happen.  Additionally if an install process does start, a check for Domain Membership takes place, and if it is 'True' the install should abort.

One computer I have in this state was joined to our Domain July 9, 2015 and has remained so since - confirmed with the "C:\Windows\debug\NetSetup.LOG" file.  I tried to decode the Windows Update log using the PS cmdlet Get-WindowsUpdateLog, but all I see in the log are time stamps and GUIDs.  I followed Microsoft's suggested process for downloading a symbol cache, but that still didn't work.  I found in the c:\Windows\Panther\setupact.log file, which is a large text file at 73 Mb, evidence that the installer knew the workstation was Domain Joined, excerpt below (the update happened on Jan 4):

 - 2016-01-04 09:24:16, Info                  MOUPG  Target OS: Detected Source DomainName = [MyDomainName]
 - 2016-01-04 09:24:16, Info                  MOUPG  Target OS: Detected Source DomainJoined = [Yes]

The users of these two laptops are confident that they didn't download or 'accept' anything pertaining to Windows 10.  Regardless, this was not supposed to happen for any of a number of different reasons.  Has anyone else experienced this, or solved the Windows 10 virus problem yet?
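The evidence the question walks through (the MOUPG lines in setupact.log, the NetSetup.LOG join record, whether KB3035583 or the GWX folder is present, the tail of the pre-upgrade CBS.log) can be pulled from one upgraded machine in a single pass. The script below is an added example, not something from the thread; the Windows.old CBS.log path and the NetSetup.LOG line format are assumptions.

```powershell
# Added triage script (not from the thread): gather the upgrade evidence discussed
# above from one upgraded workstation. Run in an elevated PowerShell on that machine.
# setupact.log, NetSetup.LOG and the GWX folder are the paths named in the thread;
# the Windows.old CBS.log location is an assumption.
$SetupAct = 'C:\Windows\Panther\setupact.log'
$NetSetup = 'C:\Windows\debug\NetSetup.LOG'
$GwxDir   = 'C:\Windows\System32\GWX'
$OldCbs   = 'C:\Windows.old\Windows\Logs\CBS\CBS.log'   # assumed pre-upgrade CBS.log

$report = [ordered]@{ Computer = $env:COMPUTERNAME }

# 1. Upgrade engine (MOUPG) entries: when the upgrade began and the domain state it saw.
if (Test-Path $SetupAct) {
    $first = Select-String -Path $SetupAct -Pattern 'MOUPG' -SimpleMatch | Select-Object -First 1
    $report.FirstMoupgEntry = if ($first) { ($first.Line -replace '^\s*-?\s*').Substring(0, 19) } else { 'none' }
    $dj = Select-String -Path $SetupAct -Pattern 'Detected Source DomainJoined = \[(\w+)\]' |
          Select-Object -First 1
    $report.DomainJoinedAtUpgrade = if ($dj) { $dj.Matches[0].Groups[1].Value } else { 'unknown' }
}

# 2. Was the GWX advertiser (KB3035583) ever present? The post-upgrade hotfix list is
#    reset, so also search the old CBS.log the upgrade left behind in Windows.old.
$report.Kb3035583Now      = [bool](Get-HotFix -Id KB3035583 -ErrorAction SilentlyContinue)
$report.Kb3035583InOldCbs = (Test-Path $OldCbs) -and
    (Select-String -Path $OldCbs -Pattern 'KB3035583' -SimpleMatch -Quiet)
$report.GwxFolderPresent  = Test-Path $GwxDir

# 3. Domain join history: first join record in NetSetup.LOG (marker string assumed).
if (Test-Path $NetSetup) {
    $join = Select-String -Path $NetSetup -Pattern 'NetpDoDomainJoin' -SimpleMatch | Select-Object -First 1
    $report.FirstDomainJoinLine = if ($join) { $join.Line.Trim() } else { 'none' }
}

# 4. Tail of the pre-upgrade CBS.log: the last servicing actions before the upgrade ran.
if (Test-Path $OldCbs) {
    $report.OldCbsTail = (Get-Content $OldCbs -Tail 5) -join "`n"
}

[pscustomobject]$report | Format-List
```

Run it on each affected laptop and compare the FirstMoupgEntry timestamps against the user's logon records; that is the closest thing to a timeline the surviving logs offer.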
John

None of our domain machines have updated. I think the users in question must have reserved the upgrade (easy to do).  

And for these users, are they Administrators of their own machines?  And do they have UAC turned OFF?
Qlemo
Domain membership does not prevent the installation. But everything else should have. GWX included - it does not run in a domain.
I think domain membership prevents the upgrade notification from showing up. It does not show up (by that I mean does not prompt) on any of our domain machines.
That's correct. GWX does not show up in a domain, even if installed.
So then, as I noted above, a user must have requested the upgrade (even if they were unaware).
You say they are Laptops. I don't know if this is true, but what I can imagine happened is that when they were off-site they logged on using a local account with admin rights rather than the Domain account. Maybe then GWX does run?
nkeables

ASKER

Thank you John, but I don't think that is it.  The KB 'KB3035583', which is the GWX (Get Windows 10) advertisement component, is not available on our WSUS server, so our computers should not be receiving the 'offer.'  Also, the laptop in question does not have that KB installed either.  Even so, the installer should have exited once it determined that the computer is a Domain member.

Yes, our staff are Administrators and we have turned off UAC via GPO.

I think this issue is fairly small in scope for us. We have a fairly large infrastructure and I've only seen this on two computers, but it's been in a span of three days, so I'm concerned it may balloon.
John, how does a user accidentally request the upgrade?  We have disabled access to all Windows update tools for our users via GPO.
ASKER CERTIFIED SOLUTION
John
This solution is only available to members.
Rindi,

I think I addressed your request in my last response, but maybe not.  Since these laptops are restricted from Windows Update via GPO then it shouldn't matter whether a local account or domain account was used.  The GPO is a computer GPO and not assigned to any users.  Also I looked for the KB related to GWX and it doesn't exist on the laptop, nor does the C:\Windows\System32\GWX folder.
To clarify my last post, Users have no access to run Windows Update in any context, local users or otherwise.  GPO forces them to our WSUS server.  The only way around that is to dis-join the computer from the Domain, which did not happen.  This means that GWX is not an option for my users.  Additionally I confirmed that the GWX components are not present on the laptop running Windows 10.
Yes, the WSUS settings should be retained when offline, and prevent accidental updates. Unless you explicitly request to search for updates online in the Windows Update applet.
You could check the old CBS.log of one of the machines - it should still exist in the Windows.OLD folder tree.
My users are restricted from running the applet, and not allowed to apply updates that aren't authorized through WSUS.
I checked the old CBS.log file and searched for KB3035583 but found nothing.  There was activity on the day of, and around the time of the 'upgrade,' but I didn't find anything conclusive.  Any suggestions on what to look for in the CBS.log file in particular?
Here is something you can put your company stamp on and take to the bank and deposit it.

It did NOT happen by accident or act of God. Someone did something. Probably curiosity killed the cat.
I did not expect to see that update there, but maybe the 1511 upgrade? KB3124200 maybe? John should know the numbers, he is answering those questions all the time ;-).
I think my update was Cumulative Update for Windows 10 Version 1511 for x64-based Systems (KB3118754) on November 18.

The only update before that was a Windows 10 Flash update.

The update history was cleared out when the upgrade to Version 1511 occurred.


Cumulative Update for Windows 10 Version 1511 for x64-based Systems (KB3124200) was a different update on December 17
July 9, 2015 is the release date of the Windows 10 Insider Preview.

Are the users of those two laptops computer enthusiasts who like to explore the new Windows 10?

If that is the case, in future you need to factory restore the laptop before you join the computer to your domain network.
Microsoft has released the 1511  upgrade for WSUS, so if your WSUS is set up to auto-approve certain updates, no wonder.
"I was under the impression that this was not supposed to happen.  When subscribed to a WSUS server the prompt to 'Reserve a Copy' is supposed to be suppressed and the Windows update mechanism for background downloads doesn't happen.  Additionally if an install process does start, a check for Domain Membership takes place, and if it is 'True' the install should abort." - not quite. Domain members would not pull this update from the internet and initially, it was not published for WSUS. But now it is. About the check for domain membership if an install process starts: incorrect, that was never implemented.
Our WSUS server only Auto-Approves updates which are classified as Security and Critical.  I do see, on my WSUS server, that the 1511 set of updates are all classified as security or critical, and that they appear to be approved and 81% installed.  This may pose a very large problem for us as we have a lot of Windows computers, over half of which are mobile, and in all cases so far, any computer that has been upgraded to Windows 10 is unable to connect to my 802.1X wireless network.

Do I understand correctly from the posts that, if applied, both the cumulative 1511 updates can result in an upgrade to Windows 10?

I'm running WSUS Server Cleanup now to eliminate all of my superseded updates, so I can roll back anything Windows 10 related.  Will a WSUS roll back result in a reversion to the pre-upgrade OS, or will these machines need re-imaging?  

Thanks
Now that you mention it - yes, I read something about MS "upgrading" W10 Upgrade to be non-"optional" anymore ...
The W10 Upgrade is performed the same way, so going back should be possible within 30 days of installation, maybe longer for WSUS, but I haven't seen anything mentioning the longer grace period.
BTW, with some fatal updates considered critical last year you should not auto-approve based on that.
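The advice above is to look at what an auto-approval rule keyed on classification has actually approved, rather than trusting the classification. The script below is an added example (not from the thread) that lists a WSUS server's auto-approval rules and any approved Windows 10 upgrade packages, using the WSUS .NET API exposed by Get-WsusServer; the 'Upgrades' classification name and the title pattern are assumptions about how Microsoft publishes the upgrade.

```powershell
# Added example (not from the thread): audit a WSUS server for approved updates that
# deliver a Windows 10 feature upgrade. Run in an elevated PowerShell on the WSUS
# server itself (UpdateServices module present). -Decline declines the matches; as
# noted above, that removes nothing already installed on clients.
param([switch]$Decline)

$wsus = Get-WsusServer    # connects to the local server on its default port

# Which auto-approval rules exist and which classifications each one covers.
foreach ($rule in $wsus.GetInstallApprovalRules()) {
    $classes = ($rule.GetUpdateClassifications() | ForEach-Object { $_.Title }) -join ', '
    Write-Host ("Rule '{0}' enabled={1} classifications: {2}" -f $rule.Name, $rule.Enabled, $classes)
}

# Approved IUpdate objects that look like the OS upgrade itself (assumed matching rule).
$upgrades = $wsus.GetUpdates() | Where-Object {
    $_.IsApproved -and (
        $_.UpdateClassificationTitle -eq 'Upgrades' -or
        $_.Title -like 'Upgrade to Windows 10*'
    )
}

if (-not $upgrades) {
    Write-Host 'No approved Windows 10 upgrade packages found.'
    return
}

$upgrades | Select-Object Title, UpdateClassificationTitle, ArrivalDate | Format-Table -AutoSize

if ($Decline) {
    foreach ($u in $upgrades) {
        $u.Decline()      # marks the update Declined, which removes its approvals
        Write-Host "Declined: $($u.Title)"
    }
}
```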
The two KBs mentioned, KB3118754 and KB3124200, only apply to computers with Windows 10 already installed; they don't help me understand how the install came to be on the computer in the first place.

We have identified two more computers on our network that have upgraded as well - since the 4th.

Is there any sure method, like a Windows log file that does not clear itself out for example, that can identify how and why the install took place?  It seems that Windows 10 eliminates any vestige of the OS before it (as far as referencing log files anyway).
The old OS files are moved to Windows.old - not sure if the CBS log remains there.
Thanks Qlemo, I have already copied the CBS log to my workstation and combed through, but admittedly I'm not sure what to look for.  I searched for the three KBs that have been discussed in this thread and none of them are present.  I searched on many of the KBs that were represented in the log and none of them related to Windows 10.  What should I expect to see?

I have a tech support case with my Wireless vendor to address the trend of upgraded Windows 10 devices not connecting to my 802.1x wireless network.  After that case is wrapped up, I'll be reverting to my previous OS to see if I can replicate the problem.
The cumulative 1511 updates cannot result in an upgrade to Windows 10; they are only for systems that already run Win10 v1511. Log on to those systems, use the rollback function (start menu - search for recovery). And unapprove those at WSUS. They will not uninstall if you remove or unapprove them from WSUS; this needs to be done manually.
That is my plan, and in fact I've already unapproved the updates on WSUS, however the answer I'm looking for is how Windows 10 got on these computers in the first place.  I can't eliminate my users, and I'm not finding anything on the systems themselves that point to Windows update as the culprit, but regardless of the method, I would hope to find some sort of log that records the process.
I would expect the last entries to be relevant.
I attached the CBS.log file if anyone is interested; it decompresses to approx. 3 Mb.  It's clear when the upgrade took place, but I haven't discerned how it was kicked off.
CBS.zip
In my (now many) experiences with Windows 10 upgrades, someone has to kick it off. Except in the case of my own ThinkPad X230 where updating Windows 8.1 kicked off the update (I am the machine administrator), all other upgrades took overt action to upgrade.
Also, in all cases the upgrade could only proceed with Admin Credentials.
All of our staff are local Administrators.  We have far too many random and non-managed application needs across our schools for them not to be local admins.  It's a bane and a relief.
All of our staff are local Administrators  <-- THERE is your reason and answer! I never let clients be local administrators. Someone permitted the upgrade.
I accept that, how can I prove it?
Local administrators can do anything they want. You cannot prove that someone clicked the upgrade so far as I know. Why?  The event viewer would be full of things they did. You might see it in event viewer. But that would be a lot of work for something you cannot prevent.
I am aware of the level of access my users have, but that requirement has been dictated to the IT department.  I am not arguing that they could have, I just want to prove that they did.  Why, you ask?  So I have something conclusive to show my Director regarding why the computer 'magically' got Windows 10, and if possible, to learn to prevent it from happening on other workstations.  I think GPO registry settings will be my friend there.

I looked at the event viewer, nothing exists prior to Jan 4, the day the upgrade took place, for any of the Windows logs.
You cannot prevent local administrators from changing or updating. They can change a GPO as well.

You cannot prove they okayed the upgrade. Also they cannot prove they did NOT okay the upgrade. There is no magic and you know that.

Local admins can do what they want and this is your result.

You can only prevent this by making your users Standard Users and enabling UAC full.

Nothing exists in the logs because the upgrade started the logs fresh.

Your learning here is simple: Local administrators can do what they want and circumvent anything.
What you can do is download and run GWX Control Panel.

http://ultimateoutsider.com/downloads/ 

This introduces the following key that will hide GWX and not let it prompt.

HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Gwx
with a REG_DWORD called DisableGWX which has been set to 1.

Of course, your admins can undo this.
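The DisableGWX policy value John describes can be applied and verified directly, without the third-party GWX Control Panel tool, and pushed to a fleet by GPO (Group Policy Preferences registry items). The script below is an added example, not from the thread or from GWX Control Panel; alongside the Gwx key from the post it also sets DisableOSUpgrade under the WindowsUpdate policy key, which is Microsoft's documented policy (KB3080351) for blocking the upgrade offer.

```powershell
# Added example (not from the thread): apply and verify the registry policies that
# block the Windows 10 upgrade offer. Run elevated. As the post above notes, a local
# administrator can undo these; a GPO re-applies them at every policy refresh.
$Policies = @(
    # From the post above: hides GWX and stops it prompting.
    @{ Path = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Gwx';           Name = 'DisableGWX';       Value = 1 }
    # Companion policy documented in Microsoft KB3080351: blocks the OS upgrade via Windows Update.
    @{ Path = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'; Name = 'DisableOSUpgrade'; Value = 1 }
)

function Set-UpgradeBlockPolicy {
    foreach ($p in $Policies) {
        if (-not (Test-Path $p.Path)) { New-Item -Path $p.Path -Force | Out-Null }
        New-ItemProperty -Path $p.Path -Name $p.Name -PropertyType DWord -Value $p.Value -Force | Out-Null
    }
}

function Test-UpgradeBlockPolicy {
    # Returns $true only if every value is present with the expected data.
    $ok = $true
    foreach ($p in $Policies) {
        $current = (Get-ItemProperty -Path $p.Path -Name $p.Name -ErrorAction SilentlyContinue).($p.Name)
        if ($current -eq $p.Value) { $state = 'OK' } else { $state = 'MISSING'; $ok = $false }
        Write-Host ("{0,-8} {1}\{2} = {3}" -f $state, $p.Path, $p.Name, $current)
    }
    return $ok
}

Set-UpgradeBlockPolicy
if (-not (Test-UpgradeBlockPolicy)) { throw 'Policy values were not applied.' }
```

Test-UpgradeBlockPolicy on its own is also a quick compliance check to run across the fleet, since it reports which machines have had the values removed.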
I know there is no 'magic,' but that is the concept I am trying to battle, and I know GPO can be overridden by a moderately skilled user; thankfully, that process is far beyond most of our client base.  Certainly, there is a risk.  Unfortunately for those of us in the K-12 arena, there is very little we can do, at least in the short term, to effect any kind of policy change.  While nearly everything the district does is dependent on the technology we support/provide, we have very little ability to affect direction; we are still a tool, to be used.

The GWX control Panel is what I had in mind.  I suppose I hoped in vain for something specific.  Thank you all for your time and input.
There is no way you can stop admin users from upgrading to Windows 10. None. You have to limit their user permissions.
Part of our workstation image creation process is applying Windows Updates.  These take place prior to Domain Joining, so there were no WSUS settings in place to restrict GWX from downloading.  The folder now exists on every one of our recently deployed laptops (about 1600 of them).  I could find no other explanation for the upgrade other than someone manually starting the process.  Thank you.
Thanks for the update and I was happy to help.