There's been some news and discussion in the communities over the last couple of days about reports that Windows 10 is showing up on domain-joined computers running Pro versions of earlier operating systems (Windows 7 and Windows 8/8.1). This is despite Microsoft promising that this wouldn't happen.
It's true. Windows 10 is showing up on domain-joined computers. BUT (and that's a big but), there may be a very good reason. Windows 10 will be delivered to any computer under certain conditions: the delivery mechanism doesn't check which edition of the OS is running, it checks whether a valid request has been made.
I asked Microsoft about this situation, and received what I thought was a pretty vague statement…
"For those who have chosen to receive automatic updates through Windows Update, we help customers prepare their devices for Windows 10 by downloading the files necessary for future installation. This results in a better upgrade experience and ensures the customer’s device has the latest software. This is an industry practice that reduces time for installation and ensures device readiness. For organizations, IT professionals can manage and control downloads on their networks." – a Microsoft spokesperson
But, really, if you read into the statement and clip out the fluff, there are actually some important tidbits contained within:
Important part 1: Those who have chosen to receive automatic updates through Windows Update.
Important part 2: IT professionals CAN manage and control downloads on their network.
If you are seeing Windows 10 bits show up on computers on your network, there's probably one of several very good reasons. Maybe Microsoft was too cavalier in its approach to this subject, leaving IT admins with the impression that upgrade avoidance would take care of itself, but that should never replace the due diligence we IT folks have always practiced.
Here are some reasons why Windows 10 might be invading your network; they should serve as a checklist to help troubleshoot and track down why Windows 10 bits are hitting your PCs…
1. Users who have admin rights to the PC and are able to bypass your controls and defenses, including requesting the upgrade. Admin rights? In 2015? I know, I know – in a lot of cases this is more of a political thing than a technical one, but it's time to sell this to management as a best practice, particularly since most security vulnerabilities can be mitigated by removing admin rights.
2. The blocking tools have not been deployed. Microsoft has offered ways to block the Windows 10 upgrade through Group Policy (GPO) for a while now. These should have been deployed already.
3. Users log in to multiple domains (work, client, home) that are configured differently. In a services organization where users travel and work at the client site, there's a good chance the remote location is configured differently – and a good chance their IT folks have configured your company's PC to log in to their network.
4. PCs are configured to get updates directly from Windows Update. Instead of using WSUS, System Center Configuration Manager, or some other third-party patching tool, some IT folks have rerouted PCs to grab updates straight from Windows Update. This is great in a pinch for troublesome, highly mobile PCs that rarely connect to the company's network, but it really takes the "management" out of patch management.
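The following PowerShell script is an added example, not something from the original post or from Microsoft: it audits a single Windows 7/8.1 PC for the reasons above that can be checked locally. It assumes the registry locations documented in Microsoft's KB article on managing Windows 10 notification and upgrade options (the DisableOSUpgrade policy value that the "Turn off the upgrade to the latest version of Windows through Windows Update" GPO sets, the DisableGwx value that suppresses the "Get Windows 10" app, and the WUServer/UseWUServer values that point a client at WSUS or ConfigMgr), plus the hidden $Windows.~BT staging folder that the upgrade downloader creates. The helper and variable names are mine.

```powershell
# Added example (not from the original post or from Microsoft): audit one PC for
# the common paths by which Windows 10 upgrade bits arrive. Run in an elevated
# PowerShell session on Windows 7 / 8.1. Registry locations are from Microsoft's
# KB article on managing Windows 10 notification and upgrade options; the
# function and variable names are my own.

function Get-RegValue {
    # Returns the named value or $null if the key/value does not exist.
    param([string]$Path, [string]$Name)
    try   { (Get-ItemProperty -Path $Path -Name $Name -ErrorAction Stop).$Name }
    catch { $null }
}

$wuPolicy  = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
$auPolicy  = "$wuPolicy\AU"
$gwxPolicy = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Gwx'
$findings  = @()

# Reason 2: is the GPO that blocks the OS upgrade through Windows Update applied?
# The policy writes DisableOSUpgrade = 1 (DWORD).
if ((Get-RegValue $wuPolicy 'DisableOSUpgrade') -ne 1) {
    $findings += 'DisableOSUpgrade is not 1: the upgrade-blocking GPO is not in effect.'
}

# Reason 2 (continued): is the "Get Windows 10" reservation app suppressed?
if ((Get-RegValue $gwxPolicy 'DisableGwx') -ne 1) {
    $findings += 'DisableGwx is not 1: the GWX reservation app is allowed to run.'
}

# Reason 4: where does this PC get updates? A WSUS/ConfigMgr client has
# UseWUServer = 1 and a WUServer URL; anything else means Windows Update directly.
$useWUServer = Get-RegValue $auPolicy 'UseWUServer'
$wuServer    = Get-RegValue $wuPolicy 'WUServer'
if ($useWUServer -ne 1 -or [string]::IsNullOrEmpty($wuServer)) {
    $findings += 'No WSUS server configured: updates come straight from Windows Update.'
} else {
    Write-Host "Update source: $wuServer"
}

# Have the upgrade bits already landed? The downloader stages them in a hidden
# folder in the root of the system drive. Single quotes keep $Windows literal.
$staging = Join-Path $env:SystemDrive '$Windows.~BT'
if (Test-Path -LiteralPath $staging) {
    $findings += "Upgrade staging folder present: $staging"
}

# Reason 1: who holds local admin rights? Any of these accounts can request the
# upgrade themselves regardless of policy. ADSI works on PowerShell 2.0+.
$admins = ([ADSI]'WinNT://./Administrators,group').Invoke('Members') |
    ForEach-Object { $_.GetType().InvokeMember('Name', 'GetProperty', $null, $_, $null) }
Write-Host "Local Administrators: $($admins -join ', ')"

if ($findings.Count -eq 0) {
    Write-Host 'No common upgrade paths found on this PC.'
} else {
    $findings | ForEach-Object { Write-Warning $_ }
}
```

Each warning maps back to one numbered reason in the list above, so a PC that reports nothing has the GPO block in place, pulls updates from your own WSUS or ConfigMgr server, and has not yet staged the upgrade. The third reason (roaming between differently configured domains) is not visible from a single machine's registry; the fix there is to confirm which domain's policy actually applied with gpresult /r on the affected PC.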
Discussions today tell me that Microsoft is continuing to have internal deliberations on this issue and is very aware of the situation. I'm sure we'll get a clearer statement soon and possibly some safeguards in the form of additional tools, guidance, or fixes. But, in the interim, keep your house in check and Windows 10 out until you are sure you want it, by making sure you've considered the common reasons for penetration.
One additional thing: Access to the media creation tool. Anyone can download and use the media creation tool that Microsoft has supplied. You might consider throwing the link to this download (and the associated tool page) into a block list.