Netgate Discussion Forum

    how can I identify a Win 10 (specific) PC on a network?

    Category: General pfSense Questions (17 posts, 6 posters, 246 views)
      johnpoz (LAYER 8 Global Moderator) @Gertjan, last edited by johnpoz

      @Gertjan said in how can I identify a Win 10 (specific) PC on a network?:

      Staying with '10' will cost money after 10/15 ^^

      This is questionable - my personal machine is still on 10, and I enabled the extended support. It didn't cost me anything, not even the 1000 MS reward points that I had (you can get that many points in like 2 days with some stupid Bing queries).

      There is just nothing in 11 I am interested in currently. I have it on my work machine and it works, sure - but on my personal machine.. I just extended the support - gives me another year to decide if I move to 11 or maybe just move to Linux.

      [image: extended.jpg]

      Now company machines - yeah there might be a cost to get extended support? But I was just going to spend MS reward points to get the extended support - and didn't even end up needing to do that.

      An intelligent man is sometimes forced to be drunk to spend time with his fools
      If you get confused: Listen to the Music Play
      Please don't Chat/PM me for help, unless mod related
      SG-4860 25.07.1 | Lab VMs 2.8.1, 25.07.1

        SteveITS (Rebel Alliance) @detox

        @detox said in how can I identify a Win 10 (specific) PC on a network?:

        all PCs are company owned and they are fearful that the lack of security updates will potentially bring harm to the agency. In addition, they are looking for a 'discreet' way to strong-arm those staff to get the upgrade completed.

        For a short commercial, we (and generally any MSP) will manage this for you. Even our Basic level provides managed patching, and we have all PCs' hardware and software info recorded. There's a small agent that lives on each PC.

        If this is a domain you might be able to rig something up with remote PowerShell to run the "ver" command line command. Win11 is "Microsoft Windows [Version 10.0.26100.6584]" for instance. I don't know if that will show ESU though; the fourth number would have to change with each update and tbh we pay attention to the feature update (third) number and whether we are detecting the monthly CU as installed or not. Then you'd have to find the IP (in CE) or MAC (Plus can block by MAC) and block it.

        Only install packages for your version, or risk breaking it. Select your branch in System/Update/Update Settings.
        When upgrading, allow 10-15 minutes to reboot, or more depending on packages, and device or disk speed.
        Upvote 👍 helpful posts!

          AndyRH

          What Windows management tools do you have?
          Simply capturing the output from ver (is it < Win11?) and grabbing the MAC could allow you to put them in a "special" IP range; then it is easy to block them with pfSense.

          o||||o
          7100-1u

            johnpoz (LAYER 8 Global Moderator) @SteveITS

            @SteveITS said in how can I identify a Win 10 (specific) PC on a network?:

            remote Powershell to run the "ver" command line command

            If you have AD you sure don't need to do that - you can pull all the info from AD directly - the link I gave above shows details on how with Get-ADComputer; you do need to load a module I believe.

            But yeah all of this stuff is really outside of the scope of what you would do with a firewall.


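An added example (not code from anyone in this thread) that turns the Get-ADComputer suggestion above, and SteveITS's point about reading the build number, into an inventory: it reads each computer's OperatingSystemVersion from AD, classifies it as Windows 10 or Windows 11 by build number (Windows 11 builds start at 22000), and lists the Windows 10 hosts with their current IPv4 so they can be fed into a pfSense alias. It assumes the RSAT ActiveDirectory module is installed and the account can read computer objects; the $Win11MinBuild threshold, the helper name and the output path are my choices.

```powershell
# Added example, not from the forum thread: inventory domain-joined PCs from AD
# and classify them as Windows 10 vs Windows 11 by build number, so the
# Windows 10 hosts can be listed (name + current IPv4) for a firewall alias.
# Assumes the RSAT ActiveDirectory module is installed and the account can read
# computer objects. AD's OperatingSystemVersion is refreshed when the machine
# logs on, so it can lag, and ESU enrolment is NOT visible in AD at all.
Import-Module ActiveDirectory

# Windows 11 is stored as "10.0 (22000)" and later; "10.0 (<22000)" is Windows 10.
$Win11MinBuild = 22000

function Get-WindowsBuildFromAdVersion {
    param([string]$OsVersion)   # e.g. "10.0 (19045)" as stored in AD
    if ($OsVersion -match '\((\d+)\)') { return [int]$Matches[1] }
    return $null                # attribute empty or in an unexpected format
}

# Only client OS objects ("Windows 10 Pro", "Windows 11 Enterprise", ...).
$computers = Get-ADComputer -Filter 'OperatingSystem -like "Windows 1*"' `
    -Properties OperatingSystem, OperatingSystemVersion, LastLogonDate

$report = foreach ($c in $computers) {
    $build  = Get-WindowsBuildFromAdVersion $c.OperatingSystemVersion
    $family = if ($null -eq $build) { 'Unknown' }
              elseif ($build -ge $Win11MinBuild) { 'Windows 11' }
              else { 'Windows 10' }
    # Current address from the DNS A record; empty if the host is offline/unregistered.
    $ip = Resolve-DnsName -Name $c.DNSHostName -Type A -ErrorAction SilentlyContinue |
          Select-Object -First 1 -ExpandProperty IPAddress
    [pscustomobject]@{
        Name          = $c.Name
        Family        = $family
        Build         = $build
        AdOsString    = $c.OperatingSystem
        LastLogonDate = $c.LastLogonDate
        IPv4          = $ip
    }
}

# Windows 10 hosts only, for review or for pasting into a pfSense alias.
$report | Where-Object Family -eq 'Windows 10' |
    Sort-Object Name | Format-Table Name, Build, LastLogonDate, IPv4 -AutoSize
$report | Export-Csv -Path .\win-inventory.csv -NoTypeInformation
```

Because AD only knows what a machine last reported at logon, treat this as a first pass and confirm stragglers with a live query (Invoke-Command running ver, as SteveITS suggests) before blocking anything.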
              stephenw10 (Netgate Administrator)

              Yup there's really no easy way to detect those machines at the firewall.

              Maybe Snort can see something reaching out to a Windows 10 update query? I could imagine that, but it's unlikely to be 100% accurate and would be time consuming to research and set up. (Unless someone has already done it.)

                johnpoz (LAYER 8 Global Moderator) @stephenw10, last edited by johnpoz

                @stephenw10 you would hope that would be in an encrypted tunnel via https anyway - and you would think the FQDN they reach out to would be something common for Windows Update and not a specific FQDN for Windows 10 vs 11..

                There are multiple ways to skin the cat when it comes to management of your devices on your network, and making sure they are updated, getting an inventory of their software and its versions, etc.

                None of them come to mind that would be done on the firewall. You might integrate some NAC you're running to do some verification of stuff from devices on your network, and prevent access if they don't meet criteria you have set up in your NAC. Which could maybe be tied in with your firewall, but normally what you do when machines don't meet criteria is put them in an isolated VLAN - where your firewall then could block them from access to other parts of the network, or yeah, the internet.

                Something like PacketFence can integrate with endpoint security clients on the devices, or something like Nessus or OpenVAS to scan clients - and if they do not meet criteria or present some form of issue, be it infection or not patched for something, they could be isolated. So you can get pretty fancy with control of what can talk on your network from all kinds of levels. But that would be a completely different system than your firewall.


                  Gertjan @johnpoz

                  @johnpoz said in how can I identify a Win 10 (specific) PC on a network?:

                  This is questionable - my personal machine is still on 10.

                  I switched my own 'home' PC (a Dell XPS) to 11, although the i9 processor was flagged as 'not good enough' and there was no TPM; by using this I wound up using 25H2.
                  I did take a full backup first, as I'm pretty sure that "within one year" I will probably regret this as a future upgrade will fail (something like that). I'll replace my 9-year-old PC and make it a nice pfSense test platform if hardware conditions allow this, as I can understand that a TPM will be mandatory in the future for every OS.
                  I'm still looking for why I would prefer 11 over 10; every time I find words like 'recall' and 'pilot' I wind up finding stories that make me think why anybody (private person, company, country) would use 11.

                  Sorry for going off script.

                  No "help me" PM's please. Use the forum, the community will thank you.
                  Edit : and where are the logs ??

                    AndyRH @Gertjan

                    @Gertjan Staying off-script, there is only 1 reason to run Windows, and that is if you need MS Office. Linux Mint, Ubuntu, and Debian run well and can look similar if you want them to. The Fedora Linux branch has good options too.


                      Gertjan @AndyRH, last edited by Gertjan

                      @AndyRH said in how can I identify a Win 10 (specific) PC on a network?:

                      ... you need MS Office

                      Believe it or not, I'm somewhat attached to Outlook (the Office bloat version).
                      A spreadsheet at home (Excel): I learned how to add etc. Word? Not really needed anymore. People needed to write letters in the past. It's 'click here' days now. These days, although many can read, not everybody can write, or let me be more precise: knows how to express themselves by writing. (I'm not pretending I know.) So exit MS Word. Publisher: will get thrown out of Office anyway very soon.
                      But the real reason is ... do I dare to say it? It must support Steam for my Factorio ^^
                      (please don't laugh)


                        AndyRH @Gertjan

                        @Gertjan Steam runs just fine on Linux and they support the majority of games on Linux. There are office alternatives. Outlook is nice.


                        Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.