how can I identify a Win 10 (specific) PC on a network?
-
I'd like to block these from gaining access until they upgrade to Win11 but I cannot find a way to do so.
Any suggestions?
-
@detox Why exactly? How do you know they are not on extended support? Are these machines work machines? Can you scan them? It's pretty difficult to identify the OS just from network traffic. Their MAC is not going to tell you what OS they are running.
How do you know, even if they are on Windows 11, that they are current? They might be running a version of 11 from 2021 when it first came out, and never ran an update, don't have any antivirus running on it, etc.
If these are just BYOD sort of machines and not under company control, etc., forcing a minimum sort of OS or security level, from updates to software, is difficult.
-
By blocking the access (to the Internet) they won't be able to update to Windows 11.
And what about these hundreds of millions of PCs that can't (easily) upgrade to 11 because they have CPUs missing some instruction, not enough resources, no TPM 2.0?
Not sure what movies you're watching, but just consider that the "Windows 10 to Windows 11" jump is maybe 99 % commercial reasons and way less than 1 % a security thing. Afaik, Microsoft wants to take far more control over our PCs, as they contain a lot of info worth a lot of money for them, let's say it nicely: "the publicity market". And how do I know that I'm not exaggerating? Easy: if I worked for Microfilm, that is what I would do. After all, Windows 11 is free, so you are paying for it, just differently. I would prefer this question: block Windows 11, "the Recall and Pilot AI snatching ports".
Btw: I don't want to start another flame war. I'm an MS shareholder after all, and I'm in it for the € (or $), so for me, "I don't care" ^^
-
johnpoz & Gertjan,
Thank you both for your responses / comments. I failed in adequate communication skills posting the question.
First, all PCs are company owned and they are fearful that the lack of security updates will potentially bring harm to the agency. In addition, they are looking for a 'discreet' way to strong-arm those staff to get the upgrade completed. Of course, Microsoft spares no effort in fear-mongering (the sound of $$$ in purchasing Win11 certainly is enticing to them).
So, for various reasons, corporate wants a way to block any laptop/desktop until any such PC is identified and can be upgraded. I could not find a way that was reliable outside of remoting into each one and doing a 'systeminfo' command. But that will not be able to show any units squirreled away under a desk, used at home, etc.
I am not a Microsoft guru. I'd rather use Linux or a Mac. I was hoping for a clear answer to my speculation that there is no accurate way to identify Win10 / 11 within a firewall. Thanks
-
@detox If they are company products, are they not managed at all? SCCM comes to mind. The company I work for forces updates all the time; if you do not install the update by X, then it is installed for you ;)
Controlling your Windows machines' OS and software is not something you would do at your firewall.
I assume you're running AD; you can for sure determine what OS your member machines are running with a simple PowerShell query:
https://techcommunity.microsoft.com/blog/askds/inventorying-computers-with-ad-powershell/397414
Be they under a desk, or away from the AD, etc.
Once you have a listing of machines, you could then firewall them by their IP, or even MAC address if you have pfSense Plus and they are not behind a downstream router, etc.
Once you have a list of machines, you could at minimum have management send out a harsh email to the users of said machines, or to the department heads for whatever department those resources are allocated to.
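The AD inventory approach johnpoz links to, as an added example (not code from the thread or from the linked Microsoft post): it reads the OperatingSystem and OperatingSystemVersion attributes that domain-joined machines publish to their computer object, flags the Windows 10 ones by name and by build number, and drops stale objects that have not logged on recently. It assumes the RSAT ActiveDirectory module is installed and that the caller can read computer objects; the 90-day staleness window and the 22000 build boundary (the first Windows 11 build) are the only values not taken from the thread.

```powershell
# Added example: inventory domain computers from AD and list the ones still on
# Windows 10. Assumes the RSAT ActiveDirectory module is available.
Import-Module ActiveDirectory

function Get-Win10Computers {
    param(
        # Windows 11 started at build 22000; a 10.0 build below that is Windows 10.
        [int]$Win11MinBuild = 22000,
        # Skip computer objects that have not authenticated for this many days
        # (retired hardware, never-cleaned-up objects). Assumed value.
        [int]$MaxStaleDays = 90
    )
    $cutoff = (Get-Date).AddDays(-$MaxStaleDays)

    Get-ADComputer -Filter 'Enabled -eq $true' `
        -Properties OperatingSystem, OperatingSystemVersion, LastLogonDate, IPv4Address |
    Where-Object { $_.LastLogonDate -and $_.LastLogonDate -gt $cutoff } |
    ForEach-Object {
        # OperatingSystemVersion is stored as e.g. "10.0 (19045)"; pull the build.
        $build = 0
        if ($_.OperatingSystemVersion -match '\((\d+)\)') { $build = [int]$Matches[1] }

        # Name check first; the build number is a cross-check for client SKUs
        # whose OS string does not say "Windows 10" outright.
        $isWin10 = ($_.OperatingSystem -like 'Windows 10*') -or
                   ($_.OperatingSystem -like 'Windows 1*' -and $build -gt 0 -and $build -lt $Win11MinBuild)

        [pscustomobject]@{
            Name          = $_.Name
            IPv4Address   = $_.IPv4Address
            OS            = $_.OperatingSystem
            Build         = $build
            LastLogonDate = $_.LastLogonDate
            IsWindows10   = $isWin10
        }
    } |
    Where-Object IsWindows10
}

# Usage: show the list, most recently seen first, and keep a CSV for the
# "harsh email" / firewall-alias step.
$win10 = Get-Win10Computers | Sort-Object LastLogonDate -Descending
$win10 | Format-Table Name, IPv4Address, OS, Build, LastLogonDate -AutoSize
$win10 | Export-Csv -Path .\win10-hosts.csv -NoTypeInformation
```

The IPv4Address attribute is only as fresh as the machine's last DNS registration, so treat it as a lead, not as the value to drop straight into a firewall rule; LastLogonDate tells you which objects are worth chasing and which are probably the desk-drawer units the original poster is worried about.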
-
@johnpoz said in how can I identify a Win 10 (specific) PC on a network?:
... send out a harsh email to the users of said machines
@detox If the devices are company owned, and not a gift to every employee, then, yes, the company has to say something about what OS must be used.
Btw: Afaik, an upgrade to 11 is free. Staying with '10' will cost money after 10/15 ^^
As John said above, a company that wants to maintain their systems needs an AD.
The AD will tell you the state of the PC collection at any moment, except for the ones not connected to the AD .... but in that case, it's time the employee hands back the PC to the company as he isn't the owner.
-
@Gertjan I agree completely. I think they were looking for an immediate way to locate all PCs and determine OS until a corporate infrastructure (Intune, AD, etc.) is fully implemented. Thanks so much for the input!
-
@Gertjan said in how can I identify a Win 10 (specific) PC on a network?:
Staying with '10' will cost money after 10/15 ^^
This is questionable: my personal machine is still on 10, and I enabled the extended support. Didn't cost me anything, not even the 1000 MS reward points that I had (you can get that many points in like 2 days with some stupid Bing queries).
There is just nothing in 11 I am interested in currently. I have it on my work machine and it works, sure, but on my personal machine I just extended the support; give me another year to decide if I move to 11 or maybe just move to Linux.
Now company machines, yeah, there might be a cost to get extended support? But I was just going to spend MS reward points to get the extended support, and didn't even end up needing to do that.
-
@detox said in how can I identify a Win 10 (specific) PC on a network?:
all PCs are company owned and they are fearful that the lack of security updates will potentially bring harm to the agency. In addition, they are looking for a 'discreet' way to strong-arm those staff to get the upgrade completed.
For a short commercial: we (and generally any MSP) will manage this for you. Even our Basic level provides managed patching, and we have all PCs' hardware and software info recorded. There's a small agent that lives on each PC.
If this is a domain you might be able to rig something up with remote PowerShell to run the "ver" command-line command. Win11 is "Microsoft Windows [Version 10.0.26100.6584]" for instance. I don't know if that will show ESU though; the fourth number would have to change with each update, and tbh we pay attention to the feature update (third) number and whether we are detecting the monthly CU as installed or not. Then you'd have to find the IP (in CE) or MAC (Plus can block by MAC) and block it.
-
What Windows management tools do you have?
Simply capturing the output from ver (is it < Win11?) and grabbing the MAC could allow you to put them in a "special" IP range; then it is easy to block them with pfSense.
-
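SteveITS's two posts above describe the same procedure: run "ver" on each machine over remote PowerShell, decide from the build number whether it is below Windows 11, and collect the MAC so the host can be parked in a restricted range or blocked. Here is that procedure as an added example (not code from the thread): a parser for the "ver" string, a remote collector that returns build and MAC per host, and a CSV for the firewall step. It assumes WinRM is enabled and the caller is an administrator on the targets; the host list is constructed, the 22000 build boundary is the first Windows 11 build, and as the post notes, nothing here tells you whether ESU is enrolled.

```powershell
# Added example: classify reachable hosts from their "ver" output and collect
# MACs for the Windows 10 ones. Assumes WinRM (Enable-PSRemoting) on targets.

function ConvertFrom-VerOutput {
    param([Parameter(Mandatory)][string]$VerText)
    # "ver" prints e.g. "Microsoft Windows [Version 10.0.26100.6584]"
    # major.minor.build.revision; the build is the feature-update number the
    # post says to watch, the revision moves with the monthly CU.
    if ($VerText -notmatch 'Version (\d+)\.(\d+)\.(\d+)\.(\d+)') {
        throw "Unrecognised ver output: $VerText"
    }
    $build = [int]$Matches[3]
    [pscustomobject]@{
        Major    = [int]$Matches[1]
        Build    = $build
        Revision = [int]$Matches[4]
        # Windows 11 shipped as build 22000; any lower 10.0 build is Windows 10.
        Product  = if ($build -ge 22000) { 'Windows 11' } else { 'Windows 10' }
    }
}

function Get-LegacyWindowsHosts {
    param([Parameter(Mandatory)][string[]]$ComputerName)

    # Runs on each target: the ver string plus MACs of physical, connected NICs,
    # converted from Windows "00-11-22-..." form to the "00:11:22:..." form
    # pfSense expects in a MAC-based rule or alias.
    $remote = {
        $ver  = (cmd /c ver) -join ''          # ver emits a blank line first
        $macs = Get-NetAdapter -Physical |
                Where-Object Status -eq 'Up' |
                ForEach-Object { $_.MacAddress -replace '-', ':' }
        [pscustomobject]@{ Ver = $ver; Macs = $macs }
    }

    # Hosts that are off, off-network or under a desk simply do not answer and
    # therefore never appear; diff this output against the AD list to find them.
    Invoke-Command -ComputerName $ComputerName -ScriptBlock $remote -ErrorAction SilentlyContinue |
    ForEach-Object {
        $v = ConvertFrom-VerOutput -VerText $_.Ver
        [pscustomobject]@{
            Computer = $_.PSComputerName
            Product  = $v.Product
            Build    = $v.Build
            Revision = $v.Revision
            Macs     = ($_.Macs -join ';')
        }
    } |
    Where-Object Product -eq 'Windows 10'
}

# Constructed host list for the example; in practice feed it from AD
# (Get-ADComputer) or from the DHCP lease table.
$targets = @('WS-FINANCE-01', 'WS-FINANCE-02', 'LT-FIELD-07')

Get-LegacyWindowsHosts -ComputerName $targets |
    Export-Csv -Path .\win10-macs.csv -NoTypeInformation
```

The CSV gives you one row per host with all of its active MACs, which is what you need either for a static DHCP mapping into the "special" range on CE or for a MAC-based block on Plus. Because a laptop's wireless and wired MACs differ, keep both; blocking only the one you happened to see at the time is how a machine quietly reappears on the other interface.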
@SteveITS said in how can I identify a Win 10 (specific) PC on a network?:
remote Powershell to run the "ver" command line command
If you have AD you sure don't need to do that; you can pull all the info from AD directly. The link I gave above shows details on how with Get-ADComputer; you do need to load a module, I believe.
But yeah, all of this stuff is really outside the scope of what you would do with a firewall.
-
Yup, there's really no easy way to detect those machines at the firewall.
Maybe Snort can see something reaching out to a Windows 10 update query? I could imagine that, but it's unlikely to be 100% accurate and would be time consuming to research and set up. (Unless someone has already done it.)
-
@stephenw10 You would hope that would be in an encrypted tunnel via HTTPS anyway, and you would think the FQDN they reach out to would be something common for Windows Update and not a specific FQDN for Windows 10 vs 11.
There are multiple ways to skin the cat when it comes to management of your devices on your network, and making sure they are updated, getting an inventory of their software and its versions, etc.
None of them that comes to mind would be done on the firewall. You might integrate some NAC you're running to do some verification of stuff from devices on your network, and prevent access if they don't meet criteria you have set up in your NAC. Which could maybe be tied in with your firewall, but normally what you do when machines don't meet criteria is put them in an isolated VLAN, where your firewall then could block them from access to other parts of the network, or yeah, the internet.
Something like PacketFence can integrate with endpoint security clients on the devices, or something like Nessus or OpenVAS to scan clients, and if they do not meet criteria or present some form of issue, be it infection or not patched for something, they could be isolated. So you can get pretty fancy with control of what can talk on your network from all kinds of levels. But that would be a completely different system than your firewall.
-
@johnpoz said in how can I identify a Win 10 (specific) PC on a network?:
This is questionable - my personal machine is still on 10.
I switched my own 'home' PC (a Dell XPS) to 11, although the i9 processor was flagged as 'not good enough' and no TPM; by using this I wound up using 25H2.
I did take a full backup first, as I'm pretty sure that "within one year" I will probably regret this as a future upgrade will fail (something like that). I'll replace my 9-year-old PC and make it a nice pfSense test platform if hardware conditions allow this, as I can understand that a TPM will be mandatory in the future of every OS.
I'm still looking for why I would prefer 11 over 10; every time I find words like 'Recall' and 'Pilot' I wind up finding stories that make me think why anybody (private person, company, country) would use 11. Sorry for going off script.
-
@Gertjan Staying off-script, there is only 1 reason to run Windows, and that is if you need MS Office. Linux Mint, Ubuntu, and Debian run well and can look similar if you want them to. The Fedora Linux branch has good options too.
-
@AndyRH said in how can I identify a Win 10 (specific) PC on a network?:
... you need MS Office
Believe it or not, I'm somewhat attached to Outlook (the Office bloat version).
A spreadsheet at home (Excel): I learned how to add, etc. Word? Not really needed anymore. People needed to write letters in the past. It's 'click here' days now. These days, although many can read, not everybody can write, or let me be more precise: know how to express themselves by writing. (I'm not pretending I know.) So exit MS Word. Publisher: will get thrown out of Office anyway very soon.
But the real reason is ... do I dare to say it? It must support Steam for my Factorio ^^
(please don't laugh)
-
@Gertjan Steam runs just fine on Linux and they support the majority of games on Linux. There are office alternatives. Outlook is nice.