How to Remove, Block and Prevent “Get Windows 10” Application for Enterprise Environments

15 Mar


In the Enterprise environment, it is important to maintain control over your devices. The “Get Windows 10” app is a great component for the home environment, where it helps reserve and upgrade your Windows version (7, 8 and 8.1 Home or Professional) to the upcoming Windows 10 operating system.

The “Get Windows 10” application can cause a stir in the corporate environment. There is, however, relief for those Administrators who wish to smite the application from their environment to ensure that it will not cause chaos.

Let’s start off with the basics about the “Get Windows 10” application by reading the article “Get Windows 10 App” – What does it mean for Enterprise Environments. This article covers the who, what, why and when, with additional information linked to the Windows 10 FAQ.

Article: http://blogs.technet.com/b/charlesa_us/archive/2015/06/12/quot-get-windows-10-app-quot-what-does-it-mean-for-enterprise-environments.aspx

After you have read through this article and you understand the basics of the “Get Windows 10” application, let’s move on to how to remove it from your corporate environment.

On devices that qualify, the application will appear in the System Tray as a white Windows symbol.

When clicked, this allows the user of the device to sign up for the reservation and auto installation of the Windows 10 operating system when it is released.

Per the “Get Windows 10 App” – What does it mean for Enterprise Environments article and the FAQ, this is usually not an issue in corporate environments; however, such environments often have devices that run Professional versions of operating systems. Further, in this day of mobile tablets, laptops and more, machines may be joined to a domain yet stay out of touch with it for a very long time. This provides an opportunity for the “Get Windows 10” application to creep into the corporate environment when it is neither expected nor wanted.

There are three methods by which you can remove or block this application from your environment with a corporate solution in mind. We will cover each of these in this article.

The first method I would like to talk about is blocking the “Get Windows 10” application by blocking GWX.exe, which is the application itself.

If you were to take a system running the “Get Windows 10” application and open the Task Manager, you would see a process named GWX.exe running. If you were to kill this process, the icon in the system tray would be removed and the ability for the system to auto upgrade to Windows 10 would be stopped.

Through the use of Domain Policy you can block this specific executable and prevent it from running. Below you will find links to great TechNet articles that cover the different methods to prevent the executable from running.

For systems running Windows 8, 8.1:

AppLocker via Domain Policy: http://social.technet.microsoft.com/wiki/contents/articles/5211.how-to-configure-applocker-group-policy-to-prevent-software-from-running.aspx

For systems running Windows 7:

Software Restriction Policies: https://technet.microsoft.com/en-us/library/hh831534.aspx

The second method I would like to talk about is blocking the “Get Windows 10” application by Registry Key.

This method can be pushed out to devices via Domain Policy or a ConfigMgr package. This section assumes you are familiar with the Windows Registry Editor and does not cover how to use it.

In this method, you perform the following steps to create a DisableGWX value under the Policies key on the device. This disables the “Get Windows 10” application and removes the system tray icon as well.

The registry key path is: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows

  1. Create a new key called “GWX”
  2. Select the new “GWX” key you created
  3. In the right pane, right click and create a new DWORD named “DisableGWX” and set the value to 1
  4. Once done, export the registry key and save as DisableGWX.reg
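The same registry change can be applied and verified from a script. This is an added example, not part of the original article; it uses only the key path and value name given above, and the exit codes are an assumption about how you want a deployment tool to see success or failure.

```powershell
# Added example: create the GWX policy key and DisableGWX value, then verify.
# Run from an elevated prompt; written to work on PowerShell 2.0 (Windows 7) and later.
$keyPath   = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\GWX'
$valueName = 'DisableGWX'

# Create the key only when it is missing, so the script can be rerun safely.
if (-not (Test-Path -Path $keyPath)) {
    New-Item -Path $keyPath -Force | Out-Null
}

# -Force replaces an existing value, including one created with the wrong type.
New-ItemProperty -Path $keyPath -Name $valueName -PropertyType DWord -Value 1 -Force |
    Out-Null

# Read the value back instead of trusting that the write succeeded.
$actual = (Get-ItemProperty -Path $keyPath -Name $valueName).$valueName
if ($actual -ne 1) {
    Write-Error "DisableGWX is '$actual' under $keyPath, expected 1"
    exit 1      # non-zero exit code marks the deployment as failed
}

Write-Output "DisableGWX = 1 under $keyPath"
exit 0
```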

You can now take this registry key and deploy it to the client devices that you wish to block the “Get Windows 10” application on via Group Policy or a ConfigMgr package. Below are some great links to help with these deployment methods.

Deploying Custom Registry Changes through Group Policy: http://blogs.technet.com/b/askds/archive/2007/08/14/deploying-custom-registry-changes-through-group-policy.aspx

For ConfigMgr package deployment, this guide does not go step by step through package creation and assumes you are familiar with ConfigMgr processes (Package Creation, Collection Creation, Deployments):

1. Create a Package in ConfigMgr

2. Set the Program for the package to the following:

  • General:
      1. Command Line: cmd.exe /c Regedit.exe /s DisableGWX.reg
      2. Run: Normal
      3. After running: No action required
  • Environment:
      1. Program can run: Whether or not a user is logged on
      2. Run with administrative rights

3. Deploy to a collection containing the devices

The third and final method I would like to talk about is blocking the “Get Windows 10” application by deleting the task from Task Scheduler. That is correct, there are two entries in Task Scheduler for the “Get Windows 10” application.

If you were to take a system running the “Get Windows 10” application, open the Task Scheduler (taskschd.msc) and navigate to Task Scheduler Library \ Microsoft \ Windows \ Setup, you would find two more entries under Setup:

  • GWX
  • GWXTriggers

Both of these entries are tasks to automatically launch the “Get Windows 10” application at intervals.

Both of these Scheduled Task entries can be removed via Group Policy or via a command line that you could deploy with a ConfigMgr package. Below are two great links that will provide you information on using these two methods to remove the Scheduled Tasks.

Configure a Scheduled Task Item with GPO: https://technet.microsoft.com/en-us/library/cc725745.aspx

Creating and Managing Scheduled Tasks from Command Line: https://technet.microsoft.com/en-us/library/cc738335(v=ws.10).aspx

Further, for ConfigMgr package deployment, this guide does not go step by step through package creation and assumes you are familiar with ConfigMgr processes (Package Creation, Collection Creation, Deployments):

1. Create a Package in ConfigMgr

2. Set the Program for the package to the following:

  • General:
      1. Command Line: cmd.exe /c <Command Line Here>
      2. Run: Normal
      3. After running: No action required
  • Environment:
      1. Program can run: Whether or not a user is logged on
      2. Run with administrative rights

3. Deploy to a collection containing the devices
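One way to script the Scheduled Task removal so that it also runs on Windows 7, where the ScheduledTasks PowerShell module is not available, is the Task Scheduler COM interface. This is an added example, not part of the original article; it assumes GWX and GWXTriggers may show up under \Microsoft\Windows\Setup either as tasks or as folders that contain tasks, and handles both.

```powershell
# Added example: remove the GWX and GWXTriggers entries under \Microsoft\Windows\Setup.
# Run elevated. Entries are enumerated, so no individual task names are assumed.
$targets  = @('GWX', 'GWXTriggers')
$failures = 0

function Remove-TaskFolder($parent, $folder) {
    # A task folder can only be deleted once it is empty, so clear it first.
    foreach ($sub in @($folder.GetFolders(0))) { Remove-TaskFolder $folder $sub }
    foreach ($task in @($folder.GetTasks(1))) {          # 1 = include hidden tasks
        $path = $task.Path
        $folder.DeleteTask($task.Name, 0)
        Write-Output "Deleted task   $path"
    }
    $path = $folder.Path
    $parent.DeleteFolder($folder.Name, 0)
    Write-Output "Deleted folder $path"
}

$service = New-Object -ComObject 'Schedule.Service'
$service.Connect()                                       # local Task Scheduler service

try {
    $setup = $service.GetFolder('\Microsoft\Windows\Setup')
} catch {
    Write-Output 'No \Microsoft\Windows\Setup folder found; nothing to remove.'
    exit 0
}

# Case 1: an entry registered directly as a task under Setup.
foreach ($task in @($setup.GetTasks(1))) {
    if ($targets -contains $task.Name) {
        try { $path = $task.Path; $setup.DeleteTask($task.Name, 0); Write-Output "Deleted task   $path" }
        catch { $failures++; Write-Warning "Could not delete $($task.Path): $($_.Exception.Message)" }
    }
}

# Case 2: an entry that is a folder holding one or more tasks.
foreach ($folder in @($setup.GetFolders(0))) {
    if ($targets -contains $folder.Name) {
        try { Remove-TaskFolder $setup $folder }
        catch { $failures++; Write-Warning "Could not remove $($folder.Path): $($_.Exception.Message)" }
    }
}

# A non-zero exit code lets the deployment tool report devices that need attention.
if ($failures -gt 0) { exit 1 } else { exit 0 }
```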

 

All of these methods remove the “Get Windows 10” app or prevent it from running once it is on a machine. However, you will also want to ensure that the KB update that installs the “Get Windows 10” application is not being pushed out by your current patching process. The update that installs the “Get Windows 10” application is “KB3035583”.

Here is the KB article for the update: https://support.microsoft.com/en-us/kb/3035583
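To see where a device stands against everything covered in this article, the four indicators it names (the KB3035583 update, the GWX.exe process, the DisableGWX value and the Task Scheduler entries) can be collected into one report. This is an added example, not part of the original article; the function name Get-GwxState and the output property names are hypothetical.

```powershell
# Added example: report the "Get Windows 10" indicators described in this article.
# Get-GwxState and its property names are hypothetical; run elevated for full results.
function Get-GwxState {
    $key    = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\GWX'
    $policy = Get-ItemProperty -Path $key -Name 'DisableGWX' -ErrorAction SilentlyContinue

    # Paths of GWX / GWXTriggers entries (tasks or folders) still present under Setup.
    $entries = @()
    try {
        $svc = New-Object -ComObject 'Schedule.Service'
        $svc.Connect()
        $setup   = $svc.GetFolder('\Microsoft\Windows\Setup')
        $entries = @( @($setup.GetTasks(1)) + @($setup.GetFolders(0)) |
            Where-Object { 'GWX', 'GWXTriggers' -contains $_.Name } |
            ForEach-Object { $_.Path } )
    } catch {
        # Setup folder missing or scheduler unreachable: reported as no entries.
    }

    New-Object PSObject -Property @{
        ComputerName     = $env:COMPUTERNAME
        # True when the update that installs the application is present.
        KB3035583        = [bool](Get-HotFix -Id 'KB3035583' -ErrorAction SilentlyContinue)
        # True when the application is running right now.
        GwxExeRunning    = [bool](Get-Process -Name 'GWX' -ErrorAction SilentlyContinue)
        # True only when the policy value exists and equals 1.
        DisableGwxSet    = ($policy -ne $null -and $policy.DisableGWX -eq 1)
        ScheduledEntries = ($entries -join ';')
    }
}

Get-GwxState | Format-List
```

A device that reports KB3035583 as installed received the update from somewhere, which is worth tracing back to the patching process that approved it.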

Disclaimer: The information on this site is provided “AS IS” with no warranties, confers no rights, and is not supported by the authors or Microsoft Corporation. Use of any included script samples is subject to the terms specified in the Terms of Use

 
