Don't want Windows 10 FILTH on the company network? Step this way
Master your domain – and kill it at source
If they ignore the official policy...
Which brings us to the idea of users installing stuff on their own computers. Given the choice, your users really shouldn't be able to install their own stuff on the machines you've given them.
Their user IDs need to be given sufficient privileges to run the stuff they need, but you certainly shouldn't allow people the privileges to install their own apps or libraries: when the software auditor comes to call it's not their butt that will be kicked for licence infringements.
But because you're using AD to control everything, and because the PCs are all under AD administration, this is nice and easy to enforce.
Argh, they've got it on a pen drive!
We've noted that you'll be able to install Windows 10 via a clickable upgrade-style link on the desktop, but of course there'll also be the option of downloading an offline installer as an ISO disk image and mounting it via a USB drive.
You don't want your work systems looking like this, do you?
Hold on... you let users mount USB drives? Are you raving mad? And even though it's slightly more involved to prevent people booting from USB drives, you should nonetheless make the effort and do so. Unapproved storage devices are the work of the devil, and you should nail the door shut on them both before and after the OS has booted.
Oh no, they found a way
But what if someone manages to circumvent all the protections you've put in place and actually gets Windows 10 on their machine? Easy: bin it from Active Directory. Since it's AD that defines what a machine and a user can do, if you blow away the computer from the Active Directory structure – or if you're feeling more elegant, you apply a super-restrictive group policy based on client OS version – the user will rue their decision as they won't be able to access anything in order do their job.
So how's this different from any other restrictions?
Preventing unexpected Windows 10 installations from springing up on your network is no different from protecting yourself against any other unwanted access or software installations. Nothing here is in any way unusual, and everything we've talked about is stuff that you ought to be doing anyway, regardless of what new Microsoft toys are waving at your users shouting “Install me!”
Put all your corporate devices into AD. Centralise your software updates, and get a reduction in Internet traffic as a happy side-effect. Enforce group policies. Prohibit unauthorised storage devices.
Oh, and don't forget that Acceptable Use Policy everyone signed up to as part of their employment contract: wave a deterrent at people and get a bit of stress relief therapy by dishing out some written warnings if anyone should manage to get around the restraints. ®