Ideally, one day I’ll have a lab set up and will be playing with things and trying to write up things I’ve done or learned. However, I’m cheap and still debating over my hardware. So as to not be the guy that basically set up an empty blog on an unused domain, here you go!
The Windows 10 Lifecycle…probably isn’t the most intuitive. IT pros who deal with Windows have probably learned that Windows 10 is not Windows 10 is not Windows 10; trying to communicate to domain users that their PC is out of support can be trying. It is a little confusing that their 2 year old Windows 10 PC is out of date when their coworkers Windows 7 PC is still running. Also, when not pushing feature packs through WSUS, many don’t understand the difference between the OS being out of support and the machine being “up to date.” Ironically, once these machines fall out of support, Windows Update will (erroneously, in my opinion) tell the user that they are fully up to date.
Anyways, each environment is different, but I find the easiest way to track these down are to check Active Directory for machines with old versions of Windows 10.
As of today, this would capture all of the expired ones:
$expired = Get-AdComputer -Filter {OperatingSystemVersion -like “*10240*” -or OperatingSystemVersion -like “*10586*” -or OperatingSystemVersion -like “*14393*”} -Properties *
If you need to capture less you can check all the properties of one of the computers to see what you really want to capture (do so by typing $expired[0] to see the first entry). Then just manually type the properties you want to capture instead of the wildcard. You can get more specific with the version. “*10240*” and the like are meant to capture the full “10.0 (10240)” value. There are no false positives when using this to select.
Depending on how many machines you’re looking at, you may want to start manipulating the object, selecting columns, and outputting to a file. If that’s the route you need to go, I’ve used this as a template for a while now. If it’s not much you can always view it in the terminal.
A view I frequently use is this:
$expired | select name,operatingsystemversion,operatingsystem,lastlogondate
This allows me to check for the few outliers, in the case of 14393, that have the Enterprise SKU extension. Also, it should show here if they’re LTSB. It also allows me to filter out machines that haven’t been cleaned up from AD. Depending on how structured your AD is you could pull the canonical name, description, or IP address to help identify the machine.