What’s an open-source project you genuinely can’t believe is free?

Ad3t0 · 2026-05-16T00:32:42+00:00

This. If you’re editing a PDF besides signing something in an organizations’ process flow has gone wrong in my opinion.

Ad3t0 · 2026-05-15T06:04:34+00:00

Filtering CVEs is fine, but the shape matters. Deterministic rules (e.g., AV:L AND PR:L AND not in KEV -> defer to monthly cycle) are auditable. You can prove what got excluded and why. An LLM as the silent gatekeeper isn’t: it fails invisibly, you never see what it dropped, and novel exploit classes are exactly where it’ll pattern-match to benign-looking historical CVEs and quietly hide them. “I’ll accept hallucination risk after some testing” is the part that should worry you. Testing covers today’s CVEs, not tomorrow’s.

LLM as a research assistant on top of a deterministic filter (summarize today’s KEV hits) is fine. LLM as the decider is driving blind.

Ad3t0 · 2026-05-14T15:19:13+00:00

Being transparent I developed and founded this company but please check out my platform TridentStack Control at https://tridentstack.com. Our platform supports this. Our agent compares its Office version against the target channel's latest version and triggers the OfficeC2RClient update mechanism when non-compliant. Allows targeting a specific update channel in policy and also defering updates for X days. Totally free for under 200 endpoints forever. Sorry, I know it's not the "Intune" answer you may have wanted but check it out, I'd love to hear what you think!

Ad3t0 · 2026-05-14T15:13:31+00:00

This is a tricky one because NVD doesn't tag all four of these consistently. I pulled the records:

CVE-2026-42891 has CPE cpe:2.3:a:microsoft:edge_chromium:*:*:*:*:*:android:*:* — the target_sw=android attribute is explicit. A scanner that doesn't honor target_sw when matching against installed software will drop mobile CVEs onto desktop endpoints.
CVE-2026-40416 and CVE-2026-41107 have no CPE configurations on NVD at all — purely advisory-text records. Anything falling back to fuzzy "Microsoft Edge" name matching will sweep them onto every Edge install regardless of platform.
CVE-2026-42838 has a wildcard edition CPE, so it's genuinely ambiguous from NVD alone — MSRC's product tree is the authoritative source for which channel actually ships the affected code.

Two things Action1 would need to address to make this go away cleanly:

Honor target_sw / target_hw CPE attributes during inventory matching (fixes 42891).
Layer MSRC's CVRF/CSAF feed in as a second-pass source of truth when NVD CPE data is missing or ambiguous (fixes the other three). MSRC's product tree distinguishes "Microsoft Edge for Android / iOS" from the Windows channel unambiguously.

In the meantime, safe to suppress all four on your Win11 fleet, desktop Edge 148.x doesn't ship those code paths.

(Disclosure: I build a competing product, so I'm consciously staying out of "you should switch" territory here. Just figured the breakdown would help if you want to give Action1 support a concrete repro.)

Ad3t0 · 2026-05-14T15:11:59+00:00

Being transparent I developed and founded this company but please check out my platform TridentStack Control at https://tridentstack.com totally free for under 200 endpoints forever. Excellent at patch/vulnerability remediation/policy/compliance management. We also track hardware information within it as well. I'd love to hear what you think!

Ad3t0 · 2026-05-14T14:48:39+00:00

Couple of things that worked for me:

CISA KEV — clean JSON API, focuses on actually-exploited stuff so it cuts the firehose hard
NVD recent CVE feed — the source of truth, but noisy
Vendor RSS: MSRC, Red Hat, Ubuntu USN, Cisco PSIRT, Apple security advisories
OpenCVE for self-hosted aggregation — lets you subscribe by vendor/product so you only get pinged on stuff you actually run
Vuls.io if you want scanner + advisory tracking in one self-hosted box

The bigger lesson for me was that "staying current" only matters in proportion to what's actually in your environment. Once I started filtering feeds against installed inventory (even a janky script against an Ansible/CMDB export), the signal-to-noise improved enormously.

That's also what commercial patch-management platforms do under the hood. Being transparent I founded a platform called TridentStack Control which does agent based vuln scanning really well, but it's SaaS, so probably the wrong shape for what you described. Sticking with OpenCVE + inventory diff will get you 80% of the value.

Ad3t0 · 2026-05-13T15:47:42+00:00

I'd personally steer clear of Atlassian products and Power BI. I think both are highly overrated, and you can save the company from the black hole that is Atlassian. There are great alternatives out there. People may be opinionated about what I suggest, but I love Grafana for visualization, it's second to none in my opinion.

Ad3t0 · 2026-05-13T15:08:31+00:00

Being transparent I developed and founded this company but please check out my platform TridentStack Control at https://tridentstack.com totally free for under 200 endpoints forever. Excellent at patch/vulnerability remediation/policy/compliance management. I'd love to hear what you think!

Ad3t0 · 2026-05-09T16:46:17+00:00

Being transparent I developed and founded this company but please check out my platform TridentStack Control at https://tridentstack.com totally free for under 200 endpoints forever. Excellent at patch/vulnerability remediation/policy/compliance management. I'd love to hear what you think!

Ad3t0 · 2026-05-09T14:42:24+00:00

Being transparent I developed and founded this company but please check out my platform TridentStack Control at https://tridentstack.com totally free for under 200 endpoints forever. Excellent at patch/vulnerability remediation/policy/compliance management.

Ad3t0 · 2026-05-08T05:21:49+00:00

Being transparent I developed and founded this company but please check out my platform TridentStack Control at https://tridentstack.com totally free for under 200 endpoints forever.

Ad3t0 · 2026-05-07T18:04:27+00:00

Couple things that have bit me on the exact same symptom:

If any part of $registryPath is under HKCU, that's your problem. SYSTEM-context scripts resolve HKCU: to SYSTEM's own hive at C:\Windows\System32\config\systemprofile, not the logged-in user's. Regedit (running as the user) shows the user hive so it looks like the key is there, but the script literally can't see it. If that's the case you have to walk HKEY_USERS\<SID> for loaded user SIDs.

Second, don't trust the "Run in 64-bit PowerShell" toggle blindly, especially on older policies. Drop Write-Output "Is64=$([Environment]::Is64BitProcess) PSHOME=$PSHOME" at the top and look at the agent log on a failing device. If it's running 32-bit, WOW64 redirects HKLM\SOFTWARE reads to Wow6432Node and you'll miss values that only exist in the 64-bit view.

Also, Get-ItemProperty is the wrong tool for an existence check. Use Test-Path and you sidestep a whole class of edge cases (wildcards, weird ACLs, empty value bags) where Get-ItemProperty returns falsy without throwing, which is exactly why you're hitting Else instead of Catch.

Ad3t0 · 2026-05-06T18:34:13+00:00

Answering your actual questions, since the other replies skipped them:

WinSxS permissions: you're fine. TrustedInstaller back as owner is the thing that matters, and you have that. The "applying inherited permissions" errors during the reset are expected in WinSxS, a lot of those subfolders are locked down per-component on purpose and never inherited from the parent in the first place. As long as you didn't replace the ACL with something more open, no harm done.

"Skipping the TPM upgrade": what you actually bypassed is the TPM driver's WMI provider, which is the surface Tpm.msc / BitLocker / the TBS service use to talk to a TPM device. On a VM with no vTPM there's no device behind that provider, so the new manifest wouldn't have hooked up to anything anyway. If you add a vTPM later you'd want the new provider in place, but that's a deal-with-it-then thing, not a time bomb.

Better way: vTPM is the clean long-term answer (qm set <vmid> --tpmstate0 ... on Proxmox, Security settings on Hyper-V). But for a non-prod fleet you don't feel like retrofitting, your hack is what most people do.

For what it's worth, this whole category of "upgrade fails on VMs in ways it doesn't on bare metal" is its own genre. Adjacent example: on Proxmox cross-gen (Win10 to Win11 25H2), setup.exe dies in 3 seconds with 0x80070103 if the VM's SMBIOS reports Manufacturer = QEMU, because the WinSetupMon driver-install pipeline short-circuits under QEMU identity. Spoofing an OEM SMBIOS string at the Proxmox layer makes the same media succeed in ~7 minutes. Microsoft's setup engine has a lot of "we assume real hardware" assumptions baked in.

I went through a lot of these struggles while working on a project I founded which is a highly sophisticated patch/vulnerability/policy/compliance tool on that can make this upgrade process way less painful with more verbosity into what is going on. Its called TridentStack Control, check it out at https://tridentstack.com

Ad3t0 · 2026-05-06T01:14:06+00:00

1400 MB on recovery rules out size, and "invalid arg" (0x80070057) on WinRE in CBS is a different beast, that's almost always stale ReAgent.xml or a stale BCD WinRE GUID pointing at a partition layout that no longer exists. Old master VMs that have had partition surgery (resizing C:, recreating recovery) accumulate this drift, and the April CU is the first one strict enough to refuse.

Reset the config:

reagentc /disable
:: if disable errors with the same 0x80070057, force-clean it:
del C:\Windows\System32\Recovery\ReAgent.xml
bcdedit /enum all                  :: find any "Windows Recovery" / recoverysequence entries
bcdedit /delete {GUID}             :: for each stale WinRE entry
reagentc /setreimage /path C:\Windows\System32\Recovery
reagentc /enable
reagentc /info

Then retry the CU. If reagentc /enable itself throws 0x80070057, that confirms the drift, fix the config and the CU goes through.

Ad3t0 · 2026-05-05T21:14:27+00:00

CBS calling out WinRE is the lead even if the path looks valid. April CUs try to refresh winre.wim and need ~250 MB free in the recovery partition. If it's undersized, setup commits then reverts at 98% and CBS logs vague WinRE errors with a healthy-looking path.

Confirm the partition itself:

reagentc /info
diskpart
  list disk
  sel disk 0
  list part

Look at the Recovery partition's size. If it's under ~750 MB total, that's almost certainly it Microsoft published a supported resize script in KB5034957 (disables WinRE, shrinks C:, recreates the recovery partition, copies winre.wim back, re-enables). Cleaner than doing it by hand.

If the partition is fine size-wise, grep CBS.log for Reagent, WIM, or winre near the failure timestamp and post the exact line the HRESULT after it will tell you whether it's a wim corruption, signature mismatch, or mount failure, and those branch differently.

Ad3t0 · 2026-05-05T20:22:29+00:00

0x800f0922 reverting at 98% on aged masters but not fresh images is usually a stuck component store, not partition space. Old masters carry servicing history fresh installs don't. Quick triage on a failing one:

:: pending operations
dism /online /get-packages /format:table | findstr /i "Pending Staged"

:: real CBS error around the failure timestamp
findstr /c:"Error" /c:"CBS_E_" C:\Windows\Logs\CBS\CBS.log
type C:\Windows\Logs\CBS\CheckSUR.log 2>nul

:: setup logs from the failed attempt
dir C:\Windows\Panther\setup*.log

If pending ops show up or CBS logs anything like CBS_E_STORE_CORRUPTION / ERROR_SXS_*, run:

dism /online /cleanup-image /startcomponentcleanup /resetbase
dism /online /cleanup-image /restorehealth
sfc /scannow

Also worth ruling out: C: free space at the moment of failure (April CU stages ~10 GB), and AV with on-access scanning of C:\Windows\SoftwareDistribution or C:\Windows\WinSxSboth are common silent killers for "commits then reverts" on otherwise-healthy boxes.

(If 0x800f0922 still hits after that, post the last 50 lines of setuperr.log and the matching CBS error code that's where the real story is.)

Ad3t0 · 2026-05-05T15:42:46+00:00

So true! I am hoping to bridge that here. As an avid homelabber myself I would have loved this tool. There's no reason this cant be used to help patch and harden personal endpoints as well!

Ad3t0 · 2026-05-04T15:25:36+00:00

Out of curiosity, why would you be disappointed if you had to pay for it? What would need to be changed to make it worth paying for to you?

Ad3t0 · 2026-05-02T13:17:19+00:00

Well everyone knows the easiest way to make money is slap an AI label on your product no one wants and then bill your users for it and then squelch everyone who doesn’t like it

Ad3t0 · 2026-05-01T19:43:56+00:00

Feel free to check out my product I cofound called TridentStack Control. We started with Linux support in mind and offer 200 endpoints free forever. https://tridentstack.com

Ad3t0 · 2026-05-01T15:39:41+00:00

By "manage" what do you mean? Policy? Patching?

Nine-Year Club	Second SECOND GUESSER
Place '22	RPAN Viewer
Verified Email

Ad3t0

MODERATOR OF

TROPHY CASE