How can I stop Windows 10 from authenticating against Active Directory?

Asked By CuriousCat97 On

With the Windows 10 cut-off approaching, I'm looking for a smart way to prevent Windows 10 machines from authenticating with Active Directory. Does anyone have suggestions on using Group Policy Objects (GPO), firewall settings, or any native options within an ADMX template? Ideally, it would be great to give users some feedback, like a message saying, "You can't log in to the domain since you're using Windows 10. Please contact help desk."

8 Answers

Answered By NoNonsenseAdmin On

We’ve actually moved our Windows 10 devices into a specific OU that displays a warning banner at login instructing users to speak to the help desk. This setup has been working quite well for us so far.

Answered By OldHand59 On

You could disable the computer account, but remember that they might still be able to use cached credentials. It might be worth considering gathering all the workstation info—OS, user, last login—and having a project manager coordinate with techs to provide replacements. That way, when a Windows 10 machine shows up, you’ve got a strategy to handle it immediately.

Answered By SimpleSolutions12 On

One option is to completely remove the machines from the domain, which would force a local account login. But be careful, as this can cause a lot of issues with configurations and access rights!

WittyWanderer88 -

Yeah, I’ve heard this breaks a bunch of things! Definitely not a first choice.

Answered By CautiousCoder On

There might be ways around this, but be wary! If you simply deny devices access, it can invalidate their BitLocker status, which might lead to boot issues. Something like managing BitLocker through commands could temporarily help, but it's not a complete solution.

Answered By SavvyTechie11 On

Another option could be to purchase Extended Security Updates (ESUs) for any remaining Windows 10 machines, so you're covered for now while working on future plans.

Answered By SensibleITGuy On

You need to tread carefully here. If a user complains to management about being locked out, it could reflect poorly on the IT department. Make sure you have documented your attempts to assist with upgrades to Windows 11 to protect yourself.

Answered By ReasonableReply76 On

Consider sending a message of the day via GPO at login with proper instructions. Just denying access could cause more trouble in the long run, so it's best to think this through!

Answered By TechGuru485 On

One approach is to locate all the Windows 10 AD objects and disable them. This way, users can log in with cached credentials when off the network, but they’ll hit a trust error when on the network. You could also create a GPO that checks for Windows 10 using a WMI query and implements a login script that notifies the user to call the help desk before logging them out. Changing their desktop background to something informative could help as well.

SupportiveSam23 -

That's a decent plan! Just make sure to keep users informed about the changes and coordinate any necessary upgrades as soon as possible.
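An added example, not posted by anyone in this thread, of the inventory-then-disable approach that OldHand59 and TechGuru485 describe, using the ActiveDirectory PowerShell module. The search base, report path and the `-Disable` switch are assumptions made for illustration.

```powershell
#Requires -Modules ActiveDirectory
[CmdletBinding(SupportsShouldProcess)]
param(
    # Placeholder OU; replace with your own search base (assumption, not from the thread).
    [string]$SearchBase = 'OU=Workstations,DC=example,DC=com',
    [string]$ReportPath = '.\win10-inventory.csv',
    # Report only unless -Disable is given.
    [switch]$Disable
)

# Windows 11 also reports version 10.0, so match on the OS name here.
# For the GPO WMI filter, the equivalent is to key on the build range, e.g.
#   SELECT * FROM Win32_OperatingSystem WHERE Version LIKE "10.0.1%" AND ProductType = "1"
# (Windows 10 builds are 10.0.10240-10.0.19045; Windows 11 starts at 10.0.22000).
$filter = 'OperatingSystem -like "Windows 10*" -and Enabled -eq $true'
$props  = 'OperatingSystem', 'OperatingSystemVersion', 'LastLogonDate', 'Description'

$computers = @(Get-ADComputer -SearchBase $SearchBase -Filter $filter -Properties $props)

# Inventory first: OS, build and last logon, so replacements can be scheduled.
# LastLogonDate comes from the replicated lastLogonTimestamp and can lag by days.
$computers |
    Select-Object Name, OperatingSystem, OperatingSystemVersion, LastLogonDate, DistinguishedName |
    Sort-Object LastLogonDate -Descending |
    Export-Csv -Path $ReportPath -NoTypeInformation

Write-Host "$($computers.Count) enabled Windows 10 computer objects written to $ReportPath"

if ($Disable) {
    $stamp = Get-Date -Format 'yyyy-MM-dd'
    foreach ($c in $computers) {
        if ($PSCmdlet.ShouldProcess($c.Name, 'Disable computer account')) {
            # Tag the object so the help desk can see why it was disabled and reverse it.
            Set-ADComputer -Identity $c -Description "Disabled ${stamp}: Windows 10 retirement"
            Disable-ADAccount -Identity $c
        }
    }
}
```

Run it without `-Disable` to produce the report, then with `-Disable -WhatIf` to preview which accounts would change before committing.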
