MDSD and SD7 Support desktops

Decommissioning MDSD (Windows 8) and SD7 (Windows 7) Support desktops

Where possible, Windows 7 (SD7) and Windows 8 (MDSD) machines should be rebuilt to Windows 10 (SDX), as this is the current supported desktop. If a rebuild is not possible, or there are good reasons to avoid one, there are several mitigations that should be considered, including network segmentation and the security issues covered below.

The detailed steps below outline the procedure for removing such machines from the existing management structures.


SCCM

The most important step is to remove the SCCM client from the device, so that it no longer talks to the old SCCM server.

This is done by running C:\windows\ccmsetup\ccmsetup.exe /uninstall from an elevated command prompt.

Windows should continue to receive updates directly from Microsoft after the SCCM client has been uninstalled.

Once the uninstall is complete, the c:\windows\CCM, c:\windows\CCMcache and %ProgramData%\App-V folders can be removed.


Group Policy and Active Directory 

Removing the SCCM client will prevent the device from receiving software updates etc. from the SCCM server, but it will still be subject to the SD7 Group Policies. Consider whether those Group Policies are still appropriate; if not, the device should be moved out of the SD7 OU to a new location (possibly in UoER).

Moving a machine to a new OU can be a major step, since the required Group Policies (e.g. folder redirection, network drive and printer mapping) must be set up on the target OU ahead of time.


Microsoft Extended Security Update  

If the device is a Windows 7 machine, it should also have the Extended Security Update (ESU) key applied, to allow for Microsoft Extended Support. 2022 is the 3rd year ESU has been in place, so hopefully all Windows 7 machines already have this applied.

Windows 8.1 reached the end of Mainstream Support on January 9, 2018, and will reach end of Extended Support on January 10, 2023, so ESU is not a consideration here. 


Disk Encryption 

Disk encryption is also something to consider. If the machine is to remain in Active Directory, the BitLocker recovery key can be backed up to the computer's AD account; if the device is to be removed from AD, another location must be used to save the BitLocker recovery key, otherwise the data is unrecoverable if the TPM or disk fails.


All BitLocker commands should be run from an elevated Command Prompt. Replace drive_letter with the actual drive letter (e.g. C:).


Check BitLocker status:

manage-bde -status drive_letter


Turn BitLocker off:

manage-bde -off drive_letter


Turn BitLocker on (the second command adds a recovery password protector, which is what gets saved to a file or to AD below):

manage-bde -on drive_letter

manage-bde -protectors -add drive_letter -RecoveryPassword


To save the BitLocker key to a file:

manage-bde -protectors -get drive_letter > file

Replace file with the path and filename where the output should be saved. The file contains the recovery password in clear text, so it must be stored somewhere access-controlled, not left on the machine being decommissioned.


To save the BitLocker key to Active Directory:

manage-bde -protectors -get drive_letter         (take note of the Numerical Password ID)

manage-bde -protectors -adbackup drive_letter -id {xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx}    (replace the braced value with the Numerical Password ID from above)
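The two manual steps above (read the Numerical Password ID, then pass it to -adbackup) can be scripted with the same manage-bde tool, which, unlike the BitLocker PowerShell module, is available on Windows 7 and 8. The script below is an added example, not part of the original page or an SD7/MDSD tool; it assumes manage-bde prints its English "Numerical Password: / ID: {guid}" layout and that the drive letter defaults to C:.

```powershell
# Added example: back up the BitLocker recovery password(s) of a volume to a file
# and/or to the computer's Active Directory object using manage-bde.
# Run from an elevated PowerShell prompt on the machine being decommissioned.
# Assumption (not from the page): manage-bde output is in English and lists each
# recovery password as "Numerical Password:" followed by an "ID: {guid}" line.
param(
    [string]$Drive = 'C:',
    [string]$SaveTo = '',   # optional path; the listing written here contains the password in clear
    [switch]$BackupToAD     # escrow each recovery password to AD (machine must still be domain-joined)
)

$listing = & manage-bde.exe -protectors -get $Drive 2>&1 | Out-String
if ($LASTEXITCODE -ne 0) { throw "manage-bde failed for ${Drive}: $listing" }

# Capture the ID of every Numerical Password protector; -adbackup needs the ID, not the password.
$pattern = '(?s)Numerical Password:\s*ID:\s*(\{[0-9A-Fa-f-]{36}\})'
$ids = @([regex]::Matches($listing, $pattern) | ForEach-Object { $_.Groups[1].Value })

if ($ids.Count -eq 0) {
    throw "No Numerical Password protector on $Drive. Add one first: manage-bde -protectors -add $Drive -RecoveryPassword"
}

if ($SaveTo) {
    # Equivalent to the page's "manage-bde -protectors -get drive_letter > file" step.
    $listing | Set-Content -Path $SaveTo
    Write-Host "Saved protector listing for $Drive to $SaveTo (keep this file access-controlled)"
}

if ($BackupToAD) {
    foreach ($id in $ids) {
        & manage-bde.exe -protectors -adbackup $Drive -id $id
        if ($LASTEXITCODE -ne 0) { throw "AD backup of protector $id on $Drive failed" }
        Write-Host "Backed up recovery password $id for $Drive to Active Directory"
    }
}
```

Run with -BackupToAD only while the machine is still joined to the domain; once it has left AD, use -SaveTo and store the file off the device.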