If your organization is upgrading to Windows 11 and wants to block users from logging into the domain using older systems like Windows 10, you can enforce this through a combination of Group Policy, Intune, and Conditional Access.

Windows 11 24H2 introduces advanced security baselines, AI-driven system protections, and TPM 2.0 enforcement that make older OS versions like Windows 10 less compliant for enterprise environments.
By allowing only 24H2 or newer builds to join or authenticate to your domain, you can:
- Maintain consistent security policies
- Ensure compatibility with modern management tools
- Reduce vulnerability exposure from unsupported devices
Method 1: Enforce Windows 11 24H2 with Intune Compliance Policy (Recommended)
If your environment uses Microsoft Entra ID (Azure AD) and Intune, this is the most reliable and modern approach.
Step 1: Create a Compliance Policy
- Open Microsoft Intune Admin Center → Devices → Compliance policies → Create policy.
- Choose Platform: Windows 10 and later.
- Under System Security, find OS version.
- Set Minimum OS version to 10.0.26100.0 (the Windows 11 24H2 build number).
- Save and assign the policy to all Windows devices.
Step 2: Enforce with Conditional Access
- In Entra Admin Center, navigate to Security → Conditional Access.
- Create a new policy:
- Assignments: Select the user groups that require compliant devices.
- Cloud apps: Choose All cloud apps or specific ones like Microsoft 365.
- Conditions: Under Device state, select Require compliant device.
- Grant access only if the device meets compliance.
Result: Any Windows 10 device, and any Windows 11 build earlier than 24H2, will be marked non-compliant and blocked from domain or Microsoft 365 login.
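The same compliance policy can be created from PowerShell through Microsoft Graph instead of clicking through the admin center. The following is an added example, not code from the original article: it assumes the Microsoft.Graph PowerShell SDK is installed and the signed-in account holds the DeviceManagementConfiguration.ReadWrite.All permission; the policy name, description and the group ID are placeholders you replace with your own.

```powershell
# Added example: create the "Windows 11 24H2 or later" compliance policy via Microsoft Graph.
# Assumes the Microsoft.Graph PowerShell SDK is installed (Install-Module Microsoft.Graph).
Connect-MgGraph -Scopes "DeviceManagementConfiguration.ReadWrite.All"

$policy = @{
    "@odata.type"    = "#microsoft.graph.windows10CompliancePolicy"
    displayName      = "Require Windows 11 24H2 or later"                 # placeholder name
    description      = "Devices below build 10.0.26100 are non-compliant"  # placeholder text
    osMinimumVersion = "10.0.26100.0"                                      # Windows 11 24H2 (build 26100)
    # Graph rejects a compliance policy without at least one scheduled action. "block" with a
    # zero-hour grace period marks the device non-compliant immediately, which is the state
    # Conditional Access evaluates.
    scheduledActionsForRule = @(
        @{
            ruleName = "PasswordRequired"
            scheduledActionConfigurations = @(
                @{ actionType = "block"; gracePeriodHours = 0; notificationTemplateId = ""; notificationMessageCCList = @() }
            )
        }
    )
}

# Create the policy; Invoke-MgGraphRequest returns the new object as a hashtable.
$created = Invoke-MgGraphRequest -Method POST `
    -Uri "https://graph.microsoft.com/v1.0/deviceManagement/deviceCompliancePolicies" `
    -Body ($policy | ConvertTo-Json -Depth 10) -ContentType "application/json"

# Assign it to a device group (placeholder object ID; use your "All Windows devices" group).
$groupId = "00000000-0000-0000-0000-000000000000"
$assignment = @{
    assignments = @(
        @{ target = @{ "@odata.type" = "#microsoft.graph.groupAssignmentTarget"; groupId = $groupId } }
    )
}
Invoke-MgGraphRequest -Method POST `
    -Uri "https://graph.microsoft.com/v1.0/deviceManagement/deviceCompliancePolicies/$($created.id)/assign" `
    -Body ($assignment | ConvertTo-Json -Depth 10) -ContentType "application/json"

# Read the policy back and confirm the stored minimum version before building Conditional Access on it.
$check = Invoke-MgGraphRequest -Method GET `
    -Uri "https://graph.microsoft.com/v1.0/deviceManagement/deviceCompliancePolicies/$($created.id)"
"Policy '$($check.displayName)' enforces minimum OS version $($check.osMinimumVersion)"
```

Compliance state is only re-evaluated when devices check in, so expect a delay before a downlevel device shows as non-compliant in the Conditional Access sign-in logs.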
Method 2: Use Group Policy with WMI Filter (On-Prem AD Environments)
If you’re running a traditional Active Directory domain, you can use a WMI filter to apply policies only to systems running Windows 11 24H2 or later.
Step 1: Create a WMI Filter
- Open Group Policy Management Console (GPMC) on your domain controller.
- Expand your domain, right-click WMI Filters, and select New.
- Name it: Windows 11 24H2 or later.
- In the Query box, enter:
SELECT * FROM Win32_OperatingSystem WHERE Version >= "10.0.26100" AND ProductType = "1"
(Windows 11 24H2 corresponds to build 26100)
- Save the filter.
Step 2: Link the Filter to Your Policy
- Attach this WMI filter to your “Allow Logon” GPO.
- Create a second GPO that applies the logon restrictions (such as “Deny access to this computer from the network”) and leave it unfiltered.
Result: Only devices running 24H2 or newer versions will receive logon permission policies.
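Before linking the filter it is worth checking what the query actually matches, because WQL compares the Version property as a string rather than as a number. The following PowerShell is an added example, not part of the original article: it runs the page's exact query on the local machine and contrasts the string comparison with a numeric [version] comparison over a few constructed version strings. The function names and the sample list are made up for this example.

```powershell
# Added example: evaluate the WMI filter query locally and compare it with a numeric version check.
$Baseline = [version]"10.0.26100"   # Windows 11 24H2

# Runs the exact WQL used by the WMI filter against this machine; $true means the filter would apply.
function Test-WmiFilterMatch {
    $query = 'SELECT * FROM Win32_OperatingSystem WHERE Version >= "10.0.26100" AND ProductType = "1"'
    return [bool](Get-CimInstance -Query $query)
}

# Numeric comparison: what "24H2 or later on a client OS" actually means (ProductType 1 = workstation).
function Test-BuildMeetsBaseline {
    param([string]$Version, [int]$ProductType = 1)
    return ($ProductType -eq 1) -and ([version]$Version -ge $Baseline)
}

# Mirrors WQL's character-by-character string comparison so the two can be contrasted offline.
function Test-LexicalMatch {
    param([string]$Version, [int]$ProductType = 1)
    return ($ProductType -eq 1) -and ([string]::CompareOrdinal($Version, "10.0.26100") -ge 0)
}

# Constructed sample versions (not taken from any real inventory).
$samples = @(
    @{ Label = "Windows 10 22H2";        Version = "10.0.19045" },
    @{ Label = "Windows 11 23H2";        Version = "10.0.22631" },
    @{ Label = "Windows 11 24H2";        Version = "10.0.26100" },
    @{ Label = "Windows 8.1 (legacy)";   Version = "6.3.9600"   },   # "6" sorts after "1", so the string test passes
    @{ Label = "Hypothetical newer";     Version = "10.0.26200" }
)

foreach ($s in $samples) {
    [pscustomobject]@{
        Sample  = $s.Label
        Version = $s.Version
        Lexical = Test-LexicalMatch        -Version $s.Version
        Numeric = Test-BuildMeetsBaseline  -Version $s.Version
    }
}

"Local machine matches the WMI filter: $(Test-WmiFilterMatch)"
```

The table shows that the string comparison agrees with the numeric one for every 10.0.x build, which is all that matters on a fleet of Windows 10 and 11 clients; a major version below 10 (Windows 7 or 8.1) would pass the string test, so such machines need to be excluded by inventory rather than by this filter.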
Method 3: Use Network Access Control (Optional but Strong)
For organizations using 802.1X authentication or NAC solutions (Cisco ISE, Aruba ClearPass, Microsoft NPS):
- Configure posture checks to allow only devices with:
OSVersion >= 10.0.26100
- Deny or quarantine devices with older Windows versions.
Result: Non-compliant systems are blocked even before domain authentication.
Method 4: Logon Script Enforcement (Fallback Method)
If you can’t use Intune or NAC, a simple PowerShell script can automatically log off unsupported systems at login.
Step 1: Create a Logon Script
# Compare the running OS build against the Windows 11 24H2 baseline (10.0.26100).
$os = (Get-CimInstance Win32_OperatingSystem).Version
if ([version]$os -lt [version]"10.0.26100.0") {
    try {
        # Write-EventLog needs a registered event source; an administrator registers "OSCheck" once with
        # New-EventLog -LogName Application -Source "OSCheck". A logging failure must not skip the logoff.
        Write-EventLog -LogName Application -Source "OSCheck" -EventId 999 -EntryType Warning -Message "Blocked login: Unsupported OS version $os." -ErrorAction Stop
    } catch {
        Write-Warning "Could not write to the Application log: $($_.Exception.Message)"
    }
    shutdown /l    # log the current user off immediately
}
Step 2: Apply via Group Policy
- Go to User Configuration → Windows Settings → Scripts (Logon/Logoff).
- Add the PowerShell script above as a logon script.
Result: The user can technically authenticate, but the script immediately logs them off if their device runs Windows 10 or older.
Method 5: Inventory and Communication
Use PowerShell to identify and warn users still running older OS versions:
# Requires the ActiveDirectory module (RSAT); lists domain computers whose OS name contains "Windows 10".
Get-ADComputer -Filter * -Properties OperatingSystem |
    Where-Object { $_.OperatingSystem -like "*Windows 10*" } |
    Select-Object Name, OperatingSystem
Send upgrade reminders and set a clear deadline before full enforcement.
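The name match above only finds computers whose OS string says "Windows 10"; a Windows 11 23H2 machine, which the other methods would also block, slips through. The following PowerShell is an added example, not code from the original article: it reads the operatingSystemVersion attribute that AD stores in the form "10.0 (19045)" and flags every client below build 26100. It assumes the ActiveDirectory module (RSAT) is available for the live query; the Get-UnsupportedComputer function and the sample computer objects are constructed for this example.

```powershell
# Added example: find every domain workstation below Windows 11 24H2 by build number rather than OS name.
$MinimumBuild = 26100   # Windows 11 24H2

# Parses the AD operatingSystemVersion attribute, e.g. "10.0 (19045)", into a build number; $null if unparseable.
function Get-BuildFromAdVersion {
    param([string]$OperatingSystemVersion)
    if ($OperatingSystemVersion -match '\((\d+)\)') { return [int]$Matches[1] }
    return $null
}

# Accepts computer objects (from Get-ADComputer or constructed) and emits the ones that need an upgrade.
function Get-UnsupportedComputer {
    param([Parameter(ValueFromPipeline)]$Computer)
    process {
        # Servers are out of scope; the policy targets workstations only.
        if ($Computer.OperatingSystem -like "*Server*") { return }
        $build = Get-BuildFromAdVersion $Computer.OperatingSystemVersion
        if ($null -eq $build -or $build -lt $MinimumBuild) {
            $reason = if ($null -eq $build) { "Version attribute missing or unparseable" } else { "Build $build is below $MinimumBuild" }
            [pscustomobject]@{
                Name            = $Computer.Name
                OperatingSystem = $Computer.OperatingSystem
                Build           = $build
                LastLogonDate   = $Computer.LastLogonDate
                Reason          = $reason
            }
        }
    }
}

# Live query (needs RSAT and domain connectivity); export the list for the upgrade reminder mailing:
# Get-ADComputer -Filter 'Enabled -eq $true' -Properties OperatingSystem, OperatingSystemVersion, LastLogonDate |
#     Get-UnsupportedComputer | Export-Csv .\upgrade-needed.csv -NoTypeInformation

# Constructed sample objects so the logic can be exercised without a domain.
$sample = @(
    [pscustomobject]@{ Name = "PC-001"; OperatingSystem = "Windows 10 Enterprise";        OperatingSystemVersion = "10.0 (19045)"; LastLogonDate = Get-Date },
    [pscustomobject]@{ Name = "PC-002"; OperatingSystem = "Windows 11 Enterprise";        OperatingSystemVersion = "10.0 (22631)"; LastLogonDate = Get-Date },
    [pscustomobject]@{ Name = "PC-003"; OperatingSystem = "Windows 11 Enterprise";        OperatingSystemVersion = "10.0 (26100)"; LastLogonDate = Get-Date },
    [pscustomobject]@{ Name = "SRV-01"; OperatingSystem = "Windows Server 2022 Standard"; OperatingSystemVersion = "10.0 (20348)"; LastLogonDate = Get-Date }
)
$sample | Get-UnsupportedComputer | Format-Table -AutoSize   # lists PC-001 and PC-002 only
```

Filtering on the build number rather than the product name keeps the inventory aligned with the 10.0.26100 threshold used by the compliance policy, the WMI filter and the logon script, so the reminder list and the enforcement list are the same set of machines.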
How to Verify the Restrict Domain Logins Policy
After implementing your restriction method:
- Test logon using a Windows 10 client – it should fail to connect.
- Verify that a Windows 11 24H2 system can successfully authenticate.
- Monitor Event Viewer → Security logs for rejected connections or compliance violations.
Blocking domain logins for older Windows versions ensures your network remains secure and compliant with Microsoft’s latest standards. If your setup already uses Entra ID + Intune, that’s the best long-term solution.
For on-prem setups, GPO + WMI filters offer a quick, low-maintenance enforcement option.
By combining these methods, you can fully transition to Windows 11 24H2 or higher while maintaining a controlled and secure environment.
