Find Obsolete Windows Workstations

Being able to identify personal computers that have reached their "end of life" support dates is the critical first step to ensuring that all systems are up to date and able to receive security patches provided by vendors. This article will focus on one vendor, Microsoft, and explain how to identify workstations in your environment that are running unsupported versions of the Windows operating system.

NOTE: The queries and dashboards shown in this article can identify unsupported Windows OS Builds as far back as 2010 and up to September 7th, 2021. However, the methodology to identify these systems can still be applied to a wider time range. 

Step 1. Build your scoping query 

Scoping queries in Axonius are used to generate a set of assets that are defined by one or more conditions. Once saved to the Axonius platform, these queries can be referenced later from subsequent queries, which add further conditions based on the desired use case. For the purposes of this article, we will create a scoping query that defines all Windows workstations, and reference it later to find PCs running unsupported OS Versions.

The image below shows an example of a query that defines Windows workstations seen in the last 30 days. This query will be saved as "AX--Win Workstations (30d)" and referenced later in this article. 

 

 

Step 2. Build a query to define obsolete OS Versions

The next step is to build a query that defines the OS Versions that are no longer supported by Microsoft, which can be found in the "Personal computers versions" table in this article. One way to do this is to search for devices in Axonius by querying for OS Builds with the "Preferred OS Build" field. 

The screenshot below shows an example of a query that defines Windows workstations that have an OS Build past its "end of support" date. We will save this query as "AX--Obsolete Win Workstations (30d)" and we will reference this query later in the article. More details about the components of this query are below. 

With the first row of the above query, we are referencing our Saved Query to scope the results set to workstations only. This is particularly important for this use case as OS Builds and Versions can be shared between Windows workstations and servers (e.g. Windows 10 version 1809 and Windows Server 2019 both have OS Version equal to 1809 and OS Build equal to 17763).

The second row of the query leverages the "in" function, which returns any device whose Preferred OS Build equals any value in the list supplied to the query.

Additional logic is needed for this query in order to accommodate OS Versions that are partially supported, depending on the edition of the product. For example, Windows 10 with OS Build 17763 is past the "end of support" date for all product editions except Windows 10 Enterprise LTSC. To account for this condition, rows 3 and 4 of our query, magnified below, use an "or/and" expression to find devices with OS Build equal to 17763 AND a Full OS string that does NOT contain "LTSC". 

The Axonius Query Language (AQL) for this saved query is pasted below for re-use. NOTE: Be sure to fill in the QueryID from your workstations scoping query prior to running the AQL string in your environment. 

({{QueryID=INSERT QUERY ID FOR WORKSTATIONS SCOPING QUERY}}) and (("specific_data.data.os.build_preferred" in ["18363","18362","17134","16299","15063","10586","9200","7601","6002","3790","2715","2600","2195"]) or (("specific_data.data.os.build_preferred" == "17763") and not ("specific_data.data.os.os_str_preferred" == regex("ltsc", "i"))) or (("specific_data.data.os.build_preferred" == "14393") and not ("specific_data.data.os.os_str_preferred" == regex("ltsb", "i"))) or (("specific_data.data.os.build_preferred" == "10240") and not ("specific_data.data.os.os_str_preferred" == regex("ltsb", "i"))))
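The same conditions expressed in Python, as an added example that is not Axonius code, for cross-checking an exported device list against the saved query's results. The build list and LTSC/LTSB markers are taken from the AQL above; the record shape (a dict with "hostname", "is_workstation", "build_preferred", "os_str_preferred") and the "is_workstation" flag standing in for the scoping query are assumptions.

```python
import re

# Builds past end of support for every edition (list taken from the AQL above).
OBSOLETE_BUILDS = {"18363", "18362", "17134", "16299", "15063", "10586",
                   "9200", "7601", "6002", "3790", "2715", "2600", "2195"}

# Builds still supported only on a long-term servicing edition, mapped to the
# marker the AQL searches for in the Full OS string (case-insensitive).
PARTIAL_BUILDS = {"17763": "ltsc", "14393": "ltsb", "10240": "ltsb"}


def is_obsolete(device):
    """Apply the saved query's conditions to one device record (a dict)."""
    # Row 1: scope to workstations. "is_workstation" is a hypothetical field
    # standing in for membership in the workstations scoping query.
    if not device.get("is_workstation"):
        return False
    # Exports may carry the build as an int or a string; normalise to a string.
    build = str(device.get("build_preferred", "")).strip()
    os_str = device.get("os_str_preferred") or ""
    # Row 2: the "in" condition.
    if build in OBSOLETE_BUILDS:
        return True
    # Remaining rows: build matches AND the OS string does NOT contain the
    # marker. A missing OS string cannot prove LTSC/LTSB, so it is flagged.
    marker = PARTIAL_BUILDS.get(build)
    if marker is not None:
        return re.search(marker, os_str, re.IGNORECASE) is None
    return False


def obsolete_hosts(devices):
    """Return hostnames of the records that match the obsolete conditions."""
    return [d["hostname"] for d in devices if is_obsolete(d)]


# Constructed sample records, not real inventory data.
SAMPLE = [
    {"hostname": "pc-01", "is_workstation": True, "build_preferred": "18363", "os_str_preferred": "Windows 10 Pro"},
    {"hostname": "pc-02", "is_workstation": True, "build_preferred": "17763", "os_str_preferred": "Windows 10 Enterprise LTSC 2019"},
    {"hostname": "pc-03", "is_workstation": True, "build_preferred": "17763", "os_str_preferred": "Windows 10 Pro"},
    {"hostname": "srv-01", "is_workstation": False, "build_preferred": "17763", "os_str_preferred": "Windows Server 2019 Standard"},
    {"hostname": "pc-04", "is_workstation": True, "build_preferred": 19043, "os_str_preferred": "Windows 10 Enterprise"},
    {"hostname": "pc-05", "is_workstation": True, "build_preferred": "14393", "os_str_preferred": None},
]

if __name__ == "__main__":
    print(obsolete_hosts(SAMPLE))
```

The srv-01 record shows why the scoping row matters: without it, a supported Windows Server 2019 host on build 17763 would be reported as an obsolete workstation.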

 

Step 3. Build your dashboard(s)

From the Dashboard module, you can now reference our saved query "AX--Obsolete Win Workstations (30d)" to build charts showing the breakdown of devices that are past their support date. The example below shows the configuration for a Field Segmentation chart that segments the obsolete workstations by their "Preferred OS Type and Distribution". 

 

The chart that gets created from this configuration is shown below: 

 
