Coincidentally, the day after I was just praising Microsoft for bringing SQL Server to Linux to both people that might care on my Facebook, they go and push a “security patch” for Internet Explorer that confused a lot of admins (myself included) this morning. This patch pushed the infamous Windows 10 upgrade notification on a lot of Windows 7 domain joined computers. When I started seeing several computers popping up the upgrade icon, I went to /r/sysadmin on Reddit, and sure enough the top post was already a self post about an admin experiencing the outcome of this “patch”. Go ahead and Google “Windows 10 upgrade domain” and filter it to show the last 24 hours, you’ll already see quite a few people complaining and confused.
For a lot of admins that have click happy users or are paranoid about them upgrading their own computers, this obviously wasn’t the greatest thing to come into work and see. Microsoft has a KB article about suppressing the Windows 10 icon and notification. This article isn’t 100% clear on what exactly you need to do, so I thought I’d write up exactly what I did to help out anyone else that are also not very happy with Microsoft this morning. Do the following to get rid of that pesky icon and alert.
Create a Windows 10 Upgrade Disable GPO
Add/update a registry key that will hide the Windows 10 notification area icon.
1. Go to your domain controller server and open Group Policy Management.
2. Right-click on your domain under the Domains folder in the left pane and choose “Create a GPO in this domain, and Link it here…” (or put it in an OU of your choosing). Name it “Disable Windows 10 Upgrade”.
3. Under Computer Configuration, go to Preferences, Windows Settings, and then Registry.
4. Right-click in the open area and choose New, then Registry Item.
5. Feel free to copy my screenshot below. It’s a registry key that essentially disables GWX, the application that’s actually popping up that stupid icon. Make sure the Hive is HKEY_LOCAL_MACHINE and the Key Path is SOFTWARE\Policies\Microsoft\Windows\GWX.
6. Click the OKs or Saves to close everything.
Technically, that should be good enough to get rid of the Windows 10 icon. You can try running (in elevated mode) gpupdate /force in command prompt or restarting your computer to see if that’s good enough. If not, you can also create an SRP (Software Restriction Policy) in Group Policy Management to block GWX through it’s filepath.
Creating an SRP in your “Disable Windows 10” GPO to block GWX
1. If you’ve clicked out of Group Policy Management, go back and right-click your Disable Windows 10 Upgrade GPO and choose “Edit…”
2. Under Computer Configuration, go to Policies, Windows Settings, Security Settings, then Software Restriction Policies.
3. If you haven’t activated Software Restriction Policies, do it now. Once done, you’ll see the following in the main area when Software Restriction Policies is clicked.
4. Right-click on Additional Rules and choose New Path Rule…
5. Create the SRP by copying my configuration below and click OK. Make sure the Path is C:\Windows\System32\GWX\GWX.exe and the Security Level is Disallowed.
From here on, you can try running a gpupdate /force or restarting a computer that was affected by Microsoft’s generous IE patch. The Windows 10 notification icon should be gone on those affected computers.