Hey folks,
I'm looking to enforce a block on users logging into any devices still running Windows 10. Our goal is to push everyone to upgrade to Windows 11 by making the Windows 10 operating system inaccessible.
I have access to a full Microsoft stack along with ManageEngine Endpoint Central, and the tools at my disposal include:
* Microsoft Intune
* Microsoft Defender
* Microsoft Entra ID
From what I've gathered, it seems that a Conditional Access policy in Entra ID only restricts access to cloud apps and resources (like M365, Teams) during modern authentication but doesn't prevent users from logging into the Windows 10 platform itself.
I'm seeking insights on how to achieve a hard block for local OS login on these specific Windows 10 devices. If anyone has scripts, specific policies, or lessons learned from similar situations, your help would be greatly appreciated!
5 Answers
Check out the 'allow local log on' setting in your device configurations. This setting lets you specify which group can log in. For example, if you create a local 'Super Users' group and apply it to all devices, only members of that group will be able to log in. You might also want to add IT staff to that group for troubleshooting.
Instead of completely locking people out of their work, consider adding an interactive login message stating that after a certain date, the computer will no longer access network resources until it's upgraded to Windows 11. This way, you’re not being too harsh with users.
If you're trying to stop users from working on Windows 10, why not just force the upgrade to Windows 11 directly? It would save you the trouble of blocking logins entirely.
One option is to disable the computer in Active Directory. Alternatively, you could create a login script that shows a message telling users to contact IT and implement a shutdown or logoff with a 3-minute timer. It might give users a warning before they’re blocked out.
You could use a script to remove users from the interactive logon group on each machine. Check out the local users management settings for ideas. It’ll help keep users from logging in without completely blocking them from working.
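The interactive login message suggested in the second answer, as an added PowerShell example that is not part of any answer above: it sets the logon banner only on Windows 10 client builds, leaves a banner it did not create untouched, and clears its own banner once the device reports a Windows 11 build. The cutoff date, the banner wording and the `HKLM:\SOFTWARE\ExampleOrg\Win10Notice` marker key are assumptions made for illustration.

```powershell
#Requires -RunAsAdministrator
# Added example. Run elevated (for instance as a device script from Intune or
# Endpoint Central). Cutoff date, wording and marker key are assumptions.
$CutoffDate = '<cutoff date>'                        # placeholder, set your own
$Caption    = 'Windows 10 is being retired'
$Text       = "After $CutoffDate this computer will no longer access network " +
              'resources until it is upgraded to Windows 11. Contact IT for help.'

$PolicyKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
$MarkerKey = 'HKLM:\SOFTWARE\ExampleOrg\Win10Notice'  # hypothetical marker key

$os      = Get-CimInstance -ClassName Win32_OperatingSystem
$build   = [int]$os.BuildNumber
# ProductType 1 = workstation, so servers and domain controllers are skipped.
# Windows 10 builds start at 10240; Windows 11 builds start at 22000.
$isWin10 = ($os.ProductType -eq 1) -and ($build -ge 10240) -and ($build -lt 22000)

if ($isWin10) {
    $existing = (Get-ItemProperty -Path $PolicyKey -ErrorAction SilentlyContinue).legalnoticetext
    if ($existing -and -not (Test-Path $MarkerKey)) {
        # A banner we did not set is already present (e.g. a legal notice); leave it.
        Write-Output "Build ${build}: existing logon banner found, not overwriting."
        exit 0
    }
    if (-not (Test-Path $PolicyKey)) { New-Item -Path $PolicyKey -Force | Out-Null }
    Set-ItemProperty -Path $PolicyKey -Name 'legalnoticecaption' -Value $Caption -Type String
    Set-ItemProperty -Path $PolicyKey -Name 'legalnoticetext'    -Value $Text    -Type String
    New-Item -Path $MarkerKey -Force | Out-Null       # remember that this script set it
    Write-Output "Build ${build}: Windows 10 logon banner set."
}
elseif (Test-Path $MarkerKey) {
    # Device has been upgraded: clear only the banner this script created.
    Set-ItemProperty -Path $PolicyKey -Name 'legalnoticecaption' -Value '' -Type String
    Set-ItemProperty -Path $PolicyKey -Name 'legalnoticetext'    -Value '' -Type String
    Remove-Item -Path $MarkerKey -Recurse -Force
    Write-Output "Build ${build}: upgraded, banner removed."
}
else {
    Write-Output "Build ${build}: not Windows 10, nothing to do."
}
```

A Group Policy or Intune setting for "Interactive logon: Message text for users attempting to log on" writes the same registry values and will override what this script sets.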
