How to block Windows 10 Technical Preview upgrades

How to block Windows 10 Technical Preview upgrades

Microsoft just made it very simple to install Windows 10 via Windows Update.

While this seamless upgrade path is probably great news for Microsoft, IT professionals everywhere are about to discover their users are already upgrading to Windows 10!

The installation is a two step process that even novice users can follow.

  1. Visit http://windows.microsoft.com/en-us/windows/preview-download and click “Start upgrade now”. The user will be offered a 11MB file named “Windows10TechnicalPreview.exe”

-Download Windows 10 Technical Preview - Microsoft Windows

  1. Once executed and the computer reboots, Windows 10 can be installed by simply running “Windows Update”.

Windows 10 Upgrade

In the future, Microsoft could override the first step towards upgrade and make the upgrade automatic as it did with several versions of Internet Explorer.  As an IT Manager you will probably want plan ahead and this starts with blocking users from installing the update.   Not mention, even just users downloading the massive 2.8GB update will seriously impact your internet bandwidth.

Blocking Windows 10 upgrades with Local Group Policy Editor

  1. Open Local Group Policy Editor by clicking Start and typing “gpedit.msc”
  2. Expand User Configuration | Administrative Templates | System
  3. Double click “Don’t run specified Windows applications”
  4. Tick the “Enable” box and click “Show” next to List of disallowed applications.
  5. Add “Windows10TechnicalPreview.exe” to the list of disallowed applications and click “OK”
  6. Execute Windows10TechnicalPreview.exe to test that it was blocked.

Execution blocked by Group Policy

Note: The problem with this method is that users can simply rename the Executable file and get around the restriction. To ultimately prevent execution we need to enable AppLocker and block the executable by file hash.

Blocking Windows 10 upgrades using AppLocker

  1. Open Local Security Policy by clicking Start and typing “secpol.msc”.
    Execute selpol.msc
  2. Expand Application Control Policies | AppLocker.
  3. Click then Right click on “Executable Rules” and choose “Create New Rule”.
    Local Security Policy
  4. Click “Next”, Select “Deny” and then click “Next” again.
    AppLocker - Create Executable Rules
  5. Choose “File Hash” for the condition and click “Next”.
    AppLocker Block Executable Rules
  6. Click “Browse Files…” and choose the Windows10TechnicalPreview.exe file.
    AppLocker -Create Executable Rules
  7. Click “Next” and optionally add a description.
    AppLocker - Create Executable Rules
  8. Click “Create” and answer “Yes” to create the default rules.  When prompted, answer “Yes” to create the default rule set.
    AppLocker - Create Default Ruleset
    AppLocker executable rules
  9. Click AppLocker in the left pane and then click “Configure rule enforcement”
    AppLocker Screenshot
  10. Check the “Configured” box under Executable rules and choose “Enforce rules”
    AppLocker Configure rule enforcement
  11. Click OK to finish and reboot the computer to test the AppLocker rule.
    Executable Restrictions using AppLocker

IT Departments everywhere will eventually adapt Windows 10 but this undertaking comes after much compatibility testing.

Reference Articles

Comments are closed.