3

I'm struggling to remove the "Upgrade to Windows 10" Notification Area Icon on a bunch of Win 7 Pro machines on a 2008 R2 domain. No WSUS server.

I've tried enabling "Turn off the upgrade to the latest version..." setting in my domain's Computer Configuration -> Administrative Templates -> Windows Components -> Windows Update, then gpupdating on my own PC to test. Restart. Update gp again. Restart. The icon is still there.

I need to install WSUS - it's a rainy day project that I've been planning on for a while. But it's sunny right now and I have more important shit to triage.

Any ideas? Thanks!

Edit: this question is not a duplicate, because these hosts are all part of a domain. It's fundamentally a very different situation.

I'm looking for a GP-style fix; registry hacks one at a time on individuals' PCs are not something I have time to do.

Tedwin
  • Please read the answers to [the linked question](http://serverfault.com/questions/695916/registry-key-gpo-to-disable-and-block-windows-10-upgrade) before claiming it's not a duplicate. It does indeed cover computers on a domain. – Michael Hampton Mar 26 '16 at 02:43
  • I've read every word three times now. Clearly I have the update on my domain controller since I have the option to enable that particular GP setting. And the original question you've linked to is about a machine that is "[...] not domain-joined". Hopefully someone else on serverfault has experienced this issue and can help me. – Tedwin Mar 26 '16 at 03:04
  • I'll ask someone else to take a look. It's always possible that I am wrong! – Michael Hampton Mar 26 '16 at 03:10
  • Me too. My point is just that I've exhausted every other resource and recommendation I can find, including the page you linked to, long before I posted asking for ideas. I just can't go to every PC and drill into the registry. It's silly. I don't know why MS would allow this "offer" to show up on domain machines, and then not at least provide a means for admins to mitigate the ensuing shitshow. – Tedwin Mar 26 '16 at 03:17

1 Answer

4

The Group Policy Setting inhibits the upgrade from actually happening. If you click the upgrade icon, you will get a message that the administrator has disabled upgrades. The setting does not kill the offer program (GWX.exe) if it is already running.

The official supported method for opting out of the Windows 10 upgrade is documented here: https://support.microsoft.com/en-us/kb/3080351

Here is what I did in my environment, based on the KB article.

I set the following registry values:

```
HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate DisableOSUpgrade=0x1 (DWORD)
HKLM:\SOFTWARE\Policies\Microsoft\Windows\Gwx DisableGwx=0x1 (DWORD)
HKLM:\Software\Microsoft\Windows\CurrentVersion\WindowsUpdate\OSUpgrade ReservationsAllowed=0x0 (DWORD)
```

You can set the above with Group Policy Preferences. In my environment I have a set of PowerShell scripts that run periodically on our workstations, so I added it there. The exact method is up to you. Either way, I recommend that you use a recurring method to apply the registry setting (Group Policy, Startup Script, Scheduled Task, whatever) and not a one-shot command. It is possible that a future update may reset your registry settings and cause havoc.

The first value I listed corresponds to the Group Policy setting you mentioned. The registry values used by Group Policy are documented here: https://www.microsoft.com/en-us/download/details.aspx?id=25250

Note the third one is not documented by Microsoft anymore. I believe it was documented at one point (my script comments say it came from Microsoft), but I cannot find the source. Not sure if it is needed anymore.

Additionally, you have the problem of any PCs that already have the upgrade offer icon (GWX.exe is running). You need a Scheduled Task or similar to find and kill any instances of GWX.exe. Since I already have a periodic PowerShell script in place, I added this code to it:

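```powershell
# Find every running executable launched from the GWX folder (the upgrade offer program).
$processes = Get-Process | Where-Object {$_.Path -like "C:\Windows\System32\GWX\*.exe"}

# Stop them only if at least one was found.
if($processes)
{
    $processes | Stop-Process -Force
}
```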

As an alternative, you could use Group Policy to create a Scheduled Task that uses the TASKKILL command to achieve the same thing.

One other comment: Some people have been advocating declining the security updates that include the upgrade offer. I do not recommend this. If you follow what I have listed above, you do not need to worry about what you approve in WSUS.

myron-semack
  • Thanks for such a detailed answer. I will follow your lead on this one and let you know how it turns out. – Tedwin Mar 27 '16 at 07:50
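
The recurring registry enforcement recommended in the answer could look like the following. This is an added example, not the answerer's own script: the function name `Set-UpgradeOptOut` is hypothetical, and it assumes the script runs with administrative rights (for example as a computer startup script or a Scheduled Task running as SYSTEM) on PowerShell 2.0 or later. It reports every value it had to correct, so a reset caused by a later update shows up in the script's output.

```powershell
# Added example (hypothetical function name). Enforces the three values listed
# in the answer and returns one line per value that had drifted or was missing.
function Set-UpgradeOptOut {
    $settings = @(
        @{ Path  = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
           Name  = 'DisableOSUpgrade';    Value = 1 },
        @{ Path  = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Gwx'
           Name  = 'DisableGwx';          Value = 1 },
        @{ Path  = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\WindowsUpdate\OSUpgrade'
           Name  = 'ReservationsAllowed'; Value = 0 }
    )

    foreach ($s in $settings) {
        # Create the key if it does not exist yet (the Gwx key is often absent).
        if (-not (Test-Path -Path $s.Path)) {
            New-Item -Path $s.Path -Force | Out-Null
        }

        # Read the current value; $current stays $null when the value is missing.
        $name    = $s.Name
        $current = $null
        $item    = Get-ItemProperty -Path $s.Path -Name $name -ErrorAction SilentlyContinue
        if ($item) { $current = $item.$name }

        # Write only when needed, so repeated runs are quiet unless something changed.
        if ($current -ne $s.Value) {
            New-ItemProperty -Path $s.Path -Name $name -PropertyType DWord `
                -Value $s.Value -Force | Out-Null
            "Corrected $($s.Path)\${name}: was '$current', now $($s.Value)"
        }
    }
}

# Run on every invocation of the periodic script; output is empty when compliant.
Set-UpgradeOptOut
```

Redirecting the output to a central log share or the event log lets you see which machines had their values reset and when.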