Blocking Windows 10 with Never10

Many Windows 7 and 8.1 users have no interest in Windows 10. But, Microsoft is determined to spread their latest OS far and wide. Resistance, however, is not futile. There are a number of ways to inoculate Windows 7 and 8.1 from being infected with Windows 10. 

Steve Gibson has just released Never10, the newest Windows 10 blocker. Before going into it, however, some background. 

GWX CONTROL PANEL 

gwx.ctl.panel

GWX Control Panel by Josh Mayfield

In the beginning, there was Josh Mayfield's GWX Control Panel (originally called GWX Stopper) and it was good, according to every article ever written about it.

Just yesterday, an article at Neowin listed seven reasons why GWX Control Panel (GWX = Get Windows X, a.k.a. 10) is better than other Windows 10 blockers. But, the article also points out twelve changes in the latest release. That feels like an awful lot to digest and deal with, just to block Windows 10. Not to mention, the constant stream of new versions/releases

KNOWLEDGE BASE 3080351

ms.kb3080351

Microsoft Knowledge Base KB3080351

Back in July of 2015, Microsoft added a new option to Windows Update that would block it from invading your PC with Windows 10. The good news is that it's a one-time thing, set a flag and you're done. The bad news is everything else.

For one thing, it flew under the radar for a while. Woody Leonhard claims that Microsoft first documented this in August 2015, while Ed Bott reports that it was first written up in January of this year. Microsoft puts a "Last Review" date on their Knowledge Base articles, but, even after all these decades, they have still not learned how to put a creation date on them. 

To me, the documentation on this is written in an unhelpful manner. Opinions aside, it has also been wrong. According to Woody Leonhard, Josh Mayfield "... analyzed the descriptions in KB 3080351 and found several errors in Microsoft's documentation...". 

Ed Bott has a great article on the subject: How to block Windows 10 upgrades on your business network (and at home, too). A disclaimer at the beginning says "This article has been updated multiple times since its initial publication to incorporate up-to-date information." In other words, Microsoft's own documentation stinks. 

group.policy.edit.blockwinten

Group Policy Editor can block Windows 10

Although the new Windows 10 blocking feature exists in Windows Update, we don't configure Windows Update directly. Instead, we use the Group Policy Editor (gpedit.msc). As shown above, you block Windows 10 by enabling the option that "Turns off the upgrade to the latest version of Windows through Windows Update".

But, the low end editions of Windows 7 and 8.1 do not include the Group Policy Editor. Anyone with a Home edition of Windows has to manually update the registry in the most dangerous way - by creating new keys.

Either approach is beyond the ability of many Windows users, which, I assume, is just fine with Microsoft.

RECOMMENDED UPDATES

recommended.updates

Configuring Windows Update to not install recommended updates

The next option for blocking Windows 10 was to disable recommended updates in Windows Update. This became necessary when Microsoft changed the status of Windows 10 from an optional update, to a recommended one.

This conversion started at the beginning of February. At the time, Woody Leonhard wrote in InfoWorld that 

"Upgrade to Windows 10" has moved from an occasionally sighted Optional update to the much more common Recommended. Many Windows 7 and 8.1 users report the upgrade now appears as a checked item in Windows Update, clearing the way for the installer to launch automatically -- typically when the system reboots.

At least Microsoft warned techies ahead of time. Many non-techies were, no doubt, assimilated into the Windows 10 collective.

STEVE GIBSON's NEVER10

neverten.screenshot

Never10 by Steve Gibson reporting good news

Now we have a new generation of Windows 10 blocking software, Steve Gibson's Never10.

Like his nifty Wizmo program, Never10 is portable. That is, no formal installation is needed, you just run the never10.exe file. As you might expect, Never10 requires Administrator access. 

What Gibson has done, is take Microsoft's complicated techie instructions for blocking Windows 10 and boil them down to a single button click.

He also does the hard work of checking pre-reqs. That is, he first insures that your edition of Windows is appropriate for this, and then he also checks that the necessary version of Windows Update is installed. If Windows Update is not up to spec, then he automates its installation (I have not yet experienced this first hand). Thank you, Steve.

Personally, I had been modifying all the Windows 7 and 8.1 computers that I ran across using the Group Policy Editor instructions from Microsoft. But, I had just encountered a Windows Home machine, which would have meant editing the registry of someone else's computer. Never10 arrived just in time for me. 

But the first time I ran it, I was surprised.

The Windows 7 system in question had already been inoculated from Windows 10 using the Group Policy Editor, yet (as shown below) Never10 reported in bold red letters that "Windows 10 OS Upgrade is ENABLED for this system!". 

never10.enabled.screenshot

Never10 reports that Windows 10 can still be installed even after using Group Policy Editor to prevent it

The reason for this lies in the title of the Microsoft Knowledge Base article: "How to manage Windows 10 notification and upgrade options". There is one registry modification for "notification" and one for "upgrade".

"Notification" refers to hiding the icon for the Get Windows 10 app that would otherwise appear in the notification area. Notification is controlled here:

HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Gwx

If the subkey DisableGwx is set to 1, notification is disabled. 

regedit.disableosupgrade

Stopping Windows Update from installing Windows 10

Upgrading to Windows 10 via Windows Update is controlled here

HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate

If the subkey DisableOSUpgrade is set to 1 (shown above in regedit), upgrading is disabled.

Clicking on the "Disable Win10 Upgrade" button in Never10, sets both these registry keys.

Using the Group Policy Editor, as per Microsoft's instructions, only changes the DisableOSUpgrade key. It does not change the DisableGwx (notification) key. This, despite Microsoft's tough talk that "Computers that have this Group Policy Setting enabled will never detect, download, or install an upgrade to the latest version of Windows."

So, if you were Steve Gibson, what would you do if you found the DisableOSUpgrade key set but not the DisableGwx key? He chose to treat this as if the upgrade was enabled. I suppose its best to err on the side of caution.

This explains my initial surprise. Gibson has not documented this, but unless both  registry keys are in their disabled state, Never10 warns that Windows 10 can be upgraded.

To be sure of this, I tested with the DisableGwx key set to 1 but not the DisableOSUpgrade key. In this case too, Never10 reported that the OS Upgrade is enabled (which it mostly is). 

The most important point is that when Never10 says things are disabled, they truly are.

In an earlier turn to the dark side, Microsoft has been surreptitiously downloading Windows 10 to computers running Windows 7 or 8 for a long time. The downloaded bits can be up to 6 gigabytes.

GWX Control Panel will actively remove this un-requested copy of Windows 10. Never10 does not actively delete anything, but Gibson has reported that after both registry keys are set to 1, Windows does eventually remove a downloaded copy of Windows 10 on its own. 

Another nice thing that Gibson does when blocking Windows 10 is make the two registry keys read-only. It's not perfect protection from someone or something else changing them in the future, but it helps. 

Update: March 31, 2016 9PM ET: According to Gibson, version 1.2, released just as I was finishing this, removes the read-only protection of the two registry keys. While it worked fine for 66,000 people, it seems to have caused a problem for one person. 

COMPARE and CONTRAST

The reason why GWX Control Panel is so complicated, is that its fighting an octopus. Microsoft's system for assimilating Windows 7 and 8.1 machines into the Windows 10 collective is complicated. The last time I looked at the Task Scheduler, there were roughly a half dozen scheduled tasks involving GWX, including a few that could not be disabled, even by an Administrator. 

Never10 does not engage the octopus in hand to hand combat. It just sets two registry keys that Microsoft created to control the octopus.

Back in January, Woody Leonhard did a detailed examination of how these registry keys change the behavior of the octopus and reported that

... although the Registry entries succeed in keeping the most visible part of GWX from appearing ... they do absolutely nothing to keep GWX off of Windows 7 and 8.1 PCs. In fact, the phalanx of programs, settings, scheduled tasks, and automatic Registry-changers continue to work behind the scenes no matter how you jigger those settings.

A few days earlier, he wrote:

The DisableGWX value, which GWX Control Panel has been setting since version 1.0, does one thing, and one thing only: When the scheduled GWX.EXE task runs, it checks for that registry value, and if it's set, GWX.EXE quits itself. That's how you remove the icon from your notification area. But this doesn't do anything about the several background tasks that Microsoft installs along with GWX.EXE.

In his recent article comparing GWX Control Panel to Never10, Woody again looked at the octopus in detail and reported that

Never10 performs precisely as advertised ... If you click the Disable Win10 Upgrade button, the Windows 10 upgrade routine refuses to run, even if you manually try to run it. The Get Windows 10 routines that run behind the scenes stop running.

Anyone wanting to totally remove the proverbial octopus should opt for Josh Mayfield's GWX Control Panel, but, with the realization that Microsoft creates new tentacles all the time and the program has to be constantly revised to combat this.

Personally, I prefer Never10, especially on Windows machines that have yet to be infected with the octopus.

Related:

Copyright © 2016 IDG Communications, Inc.

It’s time to break the ChatGPT habit
Shop Tech Products at Amazon