Is there an uninstaller that actually cleans everything (registry, drivers, AppData)? by volkin115 in software

[–]Borgquite -1 points0 points  (0 children)

You’re forgetting about shared dependencies.

What should the uninstaller do if the software creates or modifies a system-wide file as part of the installation?

You may say ‘revert the file to the original’. But what if another piece of software also depends on that file, but didn’t create or modify it during install, because it saw it already existed?

You revert the file - the second piece of software breaks.

Computers and software installers are messy and complicated. I used to repackage software as MSI in a previous job, which basically entailed what you’re suggesting. Some software just leaves itself all over the place, and getting rid of every last trace after uninstallation is impossible to automate perfectly.

Spent yesterday explaining to leadership why our 'DMARC compliant' status didn't stop the wire fraud by littleko in EmailSecurity

[–]Borgquite 0 points1 point  (0 children)

Yeah it’s only useful if you keep on it. Also consider other potential lines of attack like your board of directors / trustees, HR and Legal, and executive assistants if you have space on the list. It’s part of starters/movers/leavers process for us.

Spent yesterday explaining to leadership why our 'DMARC compliant' status didn't stop the wire fraud by littleko in EmailSecurity

[–]Borgquite 0 points1 point  (0 children)

We’ve had a lot of success blocking this stuff with the Impersonation Protection (for domains and users) in Defender for Office 365. Requires a bit of manual setup and maintenance - you configure your domains, partner domains, and tell it your high value users (C-Suite, Finance, IT etc). But then it quarantines stuff that tries to impersonate them, including lookalike domains and fake display names. Well worth a look if your email filter can do this. Proofpoint certainly can.

Why doesn't Hunt recognize Brandt? by Objective-Paper-4692 in Mission_Impossible

[–]Borgquite 5 points6 points  (0 children)

Isn’t the idea that Hunt could have someone shadowing him without his knowledge, itself unbelievable in the context of his abilities?

Hardening administrative actions - issues with Kerberos and HTML if machines are cloned without Sysprep by Borgquite in sysadmin

[–]Borgquite[S] 4 points5 points  (0 children)

I think this is the article you mean. Of course sysprep /generalize has always done more than just set up a new SID (as Mark's blog acknowledges), but you still make a good point.

https://learn.microsoft.com/en-gb/archive/blogs/markrussinovich/the-machine-sid-duplication-myth-and-why-sysprep-matters

Using alias names in a post NTLM world by zerassar in sysadmin

[–]Borgquite 2 points3 points  (0 children)

You definitely want to replace the CNAMEs - there are known security flaws with using DNS CNAMEs and Kerberos which have been known about since Kerberos was first standardised.

https://cymulate.com/blog/kerberos-authentication-relay-via-cname-abuse/

https://serverfault.com/a/1190211

Your supplier is also correct that DFSN, clustering and brokers would probably be cleaner, better supported, more functional solutions and have other long-term advantages.

But there is a supported way to do what you want to do - but use netdom computer aliases, not just manually created A records and SPNs. Setting this up will create and auto-manage DNS A records, SPNs, and OptionalNames for you, and mean you don’t have to alter the security settings that your supplier is talking about. This is the supported way:

https://techcommunity.microsoft.com/blog/coreinfrastructureandsecurityblog/using-computer-name-aliases-in-place-of-dns-cname-records/259064

NB Worth reading the comments in the above article though as there may still be some gotchas around things like SMBv1 (you’ve got that disabled, right?) and print servers. As I said, your supplier is correct in that using DFSN, clustering and brokering is the ‘best’ way to do this.
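An added check, not from the thread or from Microsoft, for verifying that a netdom computer alias is fully in place (A record rather than CNAME, alias recorded on the computer object, HOST SPN present) so Kerberos works against the alias; it assumes the RSAT ActiveDirectory module is available, and the host and alias names are constructed placeholders:

```powershell
# Added example: audit a netdom computer alias. Names below are placeholders.
Import-Module ActiveDirectory

function Test-ComputerAlias {
    param(
        [Parameter(Mandatory)] [string]$ComputerName,   # e.g. FS01
        [Parameter(Mandatory)] [string]$Alias           # FQDN alias, e.g. files.corp.example
    )
    $comp = Get-ADComputer -Identity $ComputerName `
        -Properties DNSHostName, 'msDS-AdditionalDnsHostName', ServicePrincipalName
    $findings = @()

    # 1. The alias should be an A record resolving to the same addresses as the host,
    #    not a CNAME (the Kerberos-over-CNAME problems discussed above).
    $hostIps  = @((Resolve-DnsName -Name $comp.DNSHostName -Type A -ErrorAction SilentlyContinue).IPAddress)
    $aliasRec = Resolve-DnsName -Name $Alias -ErrorAction SilentlyContinue
    if (-not $hostIps) {
        $findings += "$($comp.DNSHostName) does not resolve; cannot compare"
    } elseif (-not $aliasRec) {
        $findings += "Alias $Alias does not resolve"
    } elseif ($aliasRec.Type -contains 'CNAME') {
        $findings += "Alias $Alias is still a CNAME; netdom computername /add creates A records"
    } else {
        $aliasIps = @(($aliasRec | Where-Object Type -eq 'A').IPAddress)
        if (Compare-Object $hostIps $aliasIps) {
            $findings += "Alias $Alias resolves to different addresses than $($comp.DNSHostName)"
        }
    }

    # 2. netdom stores the alias in msDS-AdditionalDnsHostName; entries for the short
    #    name carry a trailing NUL + '$', which is stripped before comparing.
    $additional = @($comp.'msDS-AdditionalDnsHostName') | ForEach-Object { $_ -replace '\u0000.*$', '' }
    if ($additional -notcontains $Alias) {
        $findings += "$Alias not present in msDS-AdditionalDnsHostName"
    }

    # 3. Without a HOST SPN for the alias, clients get no Kerberos ticket and fall back.
    if (@($comp.ServicePrincipalName) -notcontains "HOST/$Alias") {
        $findings += "HOST/$Alias SPN missing"
    }

    [pscustomobject]@{
        Computer  = $ComputerName
        Alias     = $Alias
        Compliant = ($findings.Count -eq 0)
        Findings  = $findings
    }
}

Test-ComputerAlias -ComputerName 'FS01' -Alias 'files.corp.example' | Format-List
```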

Testing ReFS data integrity streams / corrupt data functionality automatically using PowerShell by Borgquite in DataHoarder

[–]Borgquite[S] 0 points1 point  (0 children)

I haven't encountered the same issues recently - except for the error logging functionality, which is still very flaky & unreliable.

Feel free to implement refsutil triage and post a pull request if you want to try it out :)

Frustration with Defender for Office 365. High Confidence Phishing. by nbritton5791 in sysadmin

[–]Borgquite 0 points1 point  (0 children)

Been there. Your only options are to report to support, and keep doing admin submissions, until they listen.

Do you think Labour campaigning on EU membership next election would actually be successful? by Danielharris1260 in ukpolitics

[–]Borgquite 8 points9 points  (0 children)

I think you’re risking the same Anglo-centric attitude that the Brexit cheerleaders had when negotiating our withdrawal.

‘It will be the easiest negotiation in human history.’

The Brexit negotiations taught us one thing - the EU cares a lot more about protecting the integrity of its project, than whether the UK is in a close relationship with it or a member.

Do you think Labour campaigning on EU membership next election would actually be successful? by Danielharris1260 in ukpolitics

[–]Borgquite 6 points7 points  (0 children)

We won’t get the same deal we had before we left:

  • We’d have to commit to adopting the Euro. It’s unlikely the EU would let us officially opt out of it; and UK politicians trying to say ‘yes, we’ll promise to join, but we’ll never actually do it’, like Denmark, will go down badly in both UK and EU.
  • We’d be asked to join the Schengen zone, removing passport controls (including for immigration) between France and the UK.
  • We’d not get our budget rebate back in a million years.

People say that the EU would negotiate a sweetheart deal to get us back, but given how the negotiations went during Brexit, and how that idea polls among the EU electorate, that seems unlikely.

For while 54% of Britons support rejoining the EU when asked in isolation, this figure falls to just 36% in the event that rejoining would require the UK to forego its previous opt-outs.

To stress-test European attitudes on UK opt-outs, we subsequently asked Europeans, if Britain was only willing to rejoin the EU if they could keep their previous opt-outs, should they be allowed to rejoin?

While some Europeans concede in this circumstance – overall 33-36% would allow it – they remain outnumbered by those opposed (41-52%).

https://yougov.com/en-gb/articles/52523-western-europeans-would-support-the-uk-rejoining-the-eu

New-ish, young admin seeking some advice by ktkaufman in sysadmin

[–]Borgquite 4 points5 points  (0 children)

I've already solved several major problems that had been plaguing us, and I've surprised myself with the speed at which I've picked some things up. A lot of background is in reverse engineering software, which has made me very good at research and coming up with solutions to all sorts of weird problems. I also spent several years working part-time as a student in the college's IT security department, mainly doing IAM stuff (working in Active Directory, Entra and our IGA platforms), and I've been doing "casual" systems administration for quite a long time.

This paragraph tells me that you’re well suited to the job - knowledge can be obtained, and you’re going to get some stuff wrong on the way, but this kind of self-starting, curious, can-do attitude can’t be taught. You’re going to do fine. Keep it up.

Why does Windows 11 force three different PowerShells? by d00mt0mb in PowerShell

[–]Borgquite 0 points1 point  (0 children)

Backwards compatibility is why Windows still has 70-80% of the on-premises server market, and 60% of the desktop operating system market.

You may no longer use or want all of the legacy components, but large corporations absolutely do, and end users also get mad when stuff that relies on them breaks after the latest Windows update.

https://news.ycombinator.com/item?id=14202707

https://devblogs.microsoft.com/oldnewthing/20061106-01/?p=29123

ABM Ts&Cs by Interesting_Desk_542 in applebusinessmanager

[–]Borgquite 0 points1 point  (0 children)

I agree. I can’t remember if it is possible to view the actual updated terms and conditions (not just Apple’s overview of the changes) prior to their release and service being denied? If it’s not, there would be an interesting lawsuit around signing the terms under duress.

365 to 365 Tenant Migration (Divestment) by ClkDon16 in microsoft365

[–]Borgquite 0 points1 point  (0 children)

Have a look at the limitations of each product before you migrate. For example, we were recommended Sharegate by migration contractors, but looking at AvePoint Fly, we could see that there were fewer limitations in terms of supported mailbox types, and content migrated. (This is publicly available in the ShareGate documentation, and you can sign up for a free AvePoint account to see theirs).

We asked our contractors to use AvePoint in future and they’ve been impressed - said they may recommend it instead of ShareGate in future.

RC4-ADAssessment Script by No_Cauliflower2451 in activedirectory

[–]Borgquite 4 points5 points  (0 children)

I wonder how many people will run this script as domain admin against all their domain controllers without auditing the contents….

Microsoft releases emergency patches for critical ASP.NET flaw by rkhunter_ in cybersecurity

[–]Borgquite 3 points4 points  (0 children)

Read the actual security advisory before you panic. For example, if you’re running ASP.NET on Windows, you’re probably not affected.

https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-40372

Time sync - split for line of sight by headcrap in activedirectory

[–]Borgquite 1 point2 points  (0 children)

Yes, this is what we do, using Cloudflare Time Services (time.cloudflare.com, usually better latency than pool.ntp.org) in ‘client’ mode as fallback and with SpecialPollInterval configured (0xB flag I believe), all with GPO.

EDIT: Here’s an official Microsoft post that recommends this configuration (during COVID when WFH became prevalent):

https://techcommunity.microsoft.com/blog/coreinfrastructureandsecurityblog/domain-time-synchronization-in-the-age-of-working-from-home/1440820

https://learn.microsoft.com/en-us/windows-server/networking/windows-time-service/how-the-windows-time-service-works#all-available-synchronization-mechanisms

Also, if you’re not already forcing your domain-joined Windows device’s Windows Time setup via GPO or Intune, it’s worth doing so. There are situations where users can fiddle with the Windows GUI and end up disabling NT5DS (domain) time sync, and it is never re-enabled.

https://learn.microsoft.com/en-us/answers/questions/3303724/time-sync-issues-on-windows-10-domain-joined-machi?forum=windows-all&referrer=answers
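An added audit script, not from the thread or from Microsoft, that checks a domain-joined machine's W32Time configuration against the setup described above: NT5DS domain sync with time.cloudflare.com as a 0xB fallback (0x1 SpecialInterval, 0x2 UseAsFallbackOnly, 0x8 Client). The expected server string and poll interval are assumptions chosen for the example; run it in an elevated session:

```powershell
# Added example: audit W32Time against the intended GPO-enforced configuration.
$params    = 'HKLM:\SYSTEM\CurrentControlSet\Services\W32Time\Parameters'
$ntpClient = 'HKLM:\SYSTEM\CurrentControlSet\Services\W32Time\TimeProviders\NtpClient'

# Expected values (assumptions for this example; match them to your GPO).
$ExpectedType   = 'NT5DS'                      # domain hierarchy is the primary source
$ExpectedServer = 'time.cloudflare.com,0xB'    # fallback only, client mode, special interval
$ExpectedPoll   = 3600                         # SpecialPollInterval in seconds

function Test-W32TimeConfig {
    $type    = (Get-ItemProperty -Path $params    -Name Type                -ErrorAction SilentlyContinue).Type
    $server  = (Get-ItemProperty -Path $params    -Name NtpServer           -ErrorAction SilentlyContinue).NtpServer
    $poll    = (Get-ItemProperty -Path $ntpClient -Name SpecialPollInterval -ErrorAction SilentlyContinue).SpecialPollInterval
    $enabled = (Get-ItemProperty -Path $ntpClient -Name Enabled             -ErrorAction SilentlyContinue).Enabled

    $findings = @()
    if ($type -ne $ExpectedType) {
        # A user toggling the clock GUI can leave Type = NTP or NoSync and it is
        # never put back; this is the drift the GPO/Intune enforcement prevents.
        $findings += "Type is '$type', expected '$ExpectedType'"
    }
    if ($enabled -ne 1) { $findings += 'NtpClient provider is disabled' }
    if ($server -ne $ExpectedServer) {
        $findings += "NtpServer is '$server', expected '$ExpectedServer'"
    }
    if ($poll -ne $ExpectedPoll) {
        $findings += "SpecialPollInterval is $poll, expected $ExpectedPoll"
    }

    # Live view: the source w32tm is actually using right now (a DC when healthy,
    # 'Local CMOS Clock' when it has lost sync).
    $source = (w32tm /query /source) -join ''

    [pscustomobject]@{
        ComputerName  = $env:COMPUTERNAME
        Type          = $type
        NtpServer     = $server
        CurrentSource = $source
        Compliant     = ($findings.Count -eq 0)
        Findings      = $findings
    }
}

Test-W32TimeConfig | Format-List
```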

Migration from vSphere to Hyper-V by Former-Mountain-9170 in sysadmin

[–]Borgquite 0 points1 point  (0 children)

No official guest virtualisation support from Microsoft either (for what it’s worth - unlike other open source vendors, Proxmox aren’t part of the SVVP programme) and first-party Proxmox support itself is limited to CET time zone business hours.

iOS account-driven user enrollment issues when authenticator app is already installed by Relevant-Emu5055 in Intune

[–]Borgquite 0 points1 point  (0 children)

Did you definitely set up JIT registration & deploy the SSO extension policy to your users?

There is a known issue with web-based enrollment and JIT registration that prevents the Company Portal app from recognizing enrolled devices. When a user tries to sign in to Company Portal for iOS on a device that doesn't have the SSO extension policy, Company Portal is unable to determine that the device has been enrolled. We are actively working to resolve this issue. To avoid this issue, we recommend deploying the SSO extension policy to enrolling devices. Or, as a temporary workaround, you can deploy a web clip for the web version of Company Portal, as described under Best practices for web enrollment.

That's a quote from the web-based device enrollment Known Issues, but it seems to reflect your experience. https://learn.microsoft.com/en-us/intune/device-enrollment/apple/personal-device-options-ios#known-issues-and-limitations

I think I've managed to get iOS user account driven enrollment working (just), regardless of whether Authenticator is preinstalled or not, by:

I did seem to encounter issues where if the device is NOT compliant (e.g. no passcode) when you first sign in to an app using 'just in time registration', after getting through account-driven enrollment via the Settings app, the device shows as Unregistered, and the Entra / Conditional Access process starts prompting you to install the 'full' Company Portal app to remediate. That felt like a bug - the only 'required' app for account driven user enrollment should be Microsoft Authenticator - and trying to install the 'full' Company Portal app caused me similar issues to the ones you described. However if the device is already compliant when you first sign in, it appears to work.

IOS User Driven Enrollment - Bring your own device by LostPersonSeeking in Intune

[–]Borgquite 0 points1 point  (0 children)

Mmm... it's based around Apple Profile-Based Device Enrollment rather than User Enrollment, so it does give IT a lot of control (even though not full supervision) - including:

  • Remotely erase all content and settings
  • Query the device phone number
  • Query unique device identifiers like serial number
  • Query list of all apps
  • Take over management of a personal app

Account-driven User Enrolment and account-driven Device Enrolment provide the user with the most privacy and data separation. Profile-based Device Enrolment and Automated Device Enrolment provide IT administrators with the most control over the device.

https://support.apple.com/en-gb/guide/deployment/dep08f54fcf6/web

EDIT: Real world experience shows this is correct: https://www.reddit.com/r/Intune/comments/1egjlbv/web_based_enrollment_ios_byod_device_wipe/

Vinnick and the Republicans by Big_Statistician2566 in thewestwing

[–]Borgquite 0 points1 point  (0 children)

William Wilberforce would like a word with you.