In our environment we primarily use BigFix for patching our endpoints, but we also allow users to get updates directly from the Windows Update site.
Microsoft recently started to “strongly encourage” Windows 10 to users (even ones on the domain) by making it the main update that you see when going to the Windows Update site. Even if you ignore the banner for Windows 10 and look at the additional updates, they automatically select the “optional” update for Windows 10 while deselecting all the other updates.
Since we have users that have configured themselves for automatic updates, we found that about 25% of the environment has the two specific KB articles installed (KB2952664 and KB2976978). The fear is that just uninstalling the KBs will be useless since the machines are configured for Windows Update (or the users install them again).
Has anyone else seen this and have an approach to handle these machines? The answer of using a GPO to stop users from automatic updates or removing admin access from users is not going to fly in this environment.