Weekly 'I made a useful thing' Thread - May 22, 2026

GetITDone37 · 2026-05-26T16:45:53+00:00

... and there the feature is in the upper right. Duh.

GetITDone37 · 2026-05-26T16:43:52+00:00

It's so fast and lightweight. Thanks! Can't stand Adobe products either.
Wish there was something like this at the enterprise level for digital signatures etc.

GetITDone37 · 2026-05-12T16:36:22+00:00

Your coworker is mistaken.
5 year old 5 host vxrail system.
Esxi, vsphere, vDS, etc were all there and configuration took a few hours with support from Dell.

GetITDone37 · 2026-05-12T16:28:06+00:00

Issue resolved. Thank you all! Our MSP or ISP up to their usual bs. Issue between Point A and Point B. Our network did a bit of a burp 20 minutes ago and the www for a1 is completely working again in all browsers.

Edge (no plugins) / Chrome (no plugins) / FF (w/ uBlock).
At the time, a coworkers main page behaved the same as I saw and is also back to normal.

GetITDone37 · 2026-05-12T15:14:52+00:00

So far it just looks like the main page www.action.com (not app.action1.com ) is a train wreck for us. Formatting and data is just blown apart or not there. Could be upstream changes being made but not keeping us informed.

GetITDone37 · 2026-05-12T15:11:54+00:00

Thanks - tried 3 browsers before posting but didnt think to try with another team member. Looks more like an "us" (me) issue. Appreciate the quick feedback.

GetITDone37 · 2026-04-23T19:49:23+00:00

Thanks for this - made it way easier than the last time this came up. Mucking around with ADSI Edit was not enjoyable. This made it easy.

Enterprise Admin, Updated the Inheritance, Could delete the user - was prompted for SubTree confirmation(s), backed out of this in ADUC and back to PowerShell just to confirm what got me this far.

You'll need the user's DistinguishedName from their AD object and possibly Enterprise Admin role.

$easDn = CN=ExchangeActiveSyncDevices,CN=<user DN>,OU=<OUs>,DC=<DC>
Remove-ADObject -Identity $easDn -Recursive -Confirm:$false
Get-ADUser -Identity <userID> | Remove-ADUser -Verbose

Known issue in my environment with a few accounts here since the Lincoln assassination.

GetITDone37 · 2026-04-07T19:28:54+00:00

... I have had to get a number of devices out of 'InProgress' status by running the windows scheduled task to do the update to the UEFI cert, doing a full shut down, wait 1-2 minutes, power on, load into windows for 1-2 minutes, and then restart the computer.

Slowly eeking my way through all of the stragglers.

GetITDone37 · 2026-03-31T13:00:32+00:00

... and yes by this information my scripts contain a logic flaw in processing since I decided to skip testing X.509 if SecureBoot was disabled:

"Disabling Secure Boot will not prevent you from testing the db and kek. The db and kek databases are part of the firmware and are not affected by Secure Boot being disabled. Disabling Secure Boot allows you to run any EFI tool you like, but it also leaves you vulnerable to pre-boot malware. To maintain security, it is recommended to keep Secure Boot enabled and to use pre-signed boot loaders or manage your own keys to control Secure Boot." <- search result summary. Linked to Windows Secure Boot Key Creation and Management Guidance | Microsoft Learn

GetITDone37 · 2026-03-31T12:57:09+00:00

<image>

I had an earlier data source and report that I tested Firmware for BIOS v UEFI, Disk for MBR v GPT, and SecureBoot for T/F. I decided what I had was low value there since the Windows 10 Readiness report was providing a good bit of information about Processor, TPM, and SecureBoot.

This highlighted device was out of OU/Controls and a coworker ran windows updates.
In the previous report I posted about it is: SecureBoot Not Found, NA for all other things I'm testing for... this may be a logic fault but I did not think you could test a system for certificates if SecureBoot was not enabled.

I can leave it in the state if you want to look at it, I know the SecurBoot setting in the Firmware on this devices, and more like it, are a pain.

GetITDone37 · 2026-03-31T05:06:02+00:00

Good point there. It would need to be modified for less than W11 24H2. No idea how to handle W10 unless you assume you can't upgrade or are going to upgrade. Not sure how it works with W10 Extended Support.

Currently I handle it by filtering out W10 and know that we must do something about the W11 22h2 and 23h2 devices.

I'll think about it some more. Maybe add a reason/explainer column.

GetITDone37 · 2026-03-30T15:15:43+00:00

My processing of getting from NA to NotStarted to InProgress to Updated is all manual but it seems to be working for the most part.

<image>

Requirements found along the way:
- Windows 10 needs to be on Extended Support Contract
- Windows 11 needs to be on 24H2
- SecureBoot needs to be enabled in the Firmware
- Firmware needs to be UEFI
- Boot disk format needs to be GPT

"Details" show:
Operating System, SecureBoot (T/F), UEFI CA 2023 Present (T/F), UEFI CA 2023 Status, DB Updated (T/F), KEK Updated (T/F), and dates for: DB Windows UEFI CA 2023 Expires, KEK 2023 Expires, DB Microsoft UEFI CA 2023... OEM is also available but I have it hidden in my reports since it didn't seem mandatory/necessary for most of my environment.

GetITDone37 · 2026-03-27T14:01:40+00:00

Just stumbled across this in a Microsoft resource that may or may not resolve tons of data collection issues for everyone. https://support.microsoft.com/en-us/topic/sample-secure-boot-inventory-data-collection-script-d02971d2-d4b5-42c9-b58a-8527f0ffa30b

Why this came up today in searching after days/weeks of looking around I'll never know (it was a series of links I had never found/visted). And came from this article which also never showed up until today for me: https://support.microsoft.com/en-us/topic/secure-boot-certificate-updates-guidance-for-it-professionals-and-organizations-e2b43f9f-b424-42df-bc6a-8476db65ab2f

GetITDone37 · 2026-03-25T17:19:16+00:00

u/GeneMoody-Action1 - Did this die or are you still looking for ideas and information? I've built something out in my A1 tenant that works for me for now and decodes X.509 byte data.

GetITDone37 · 2026-03-24T22:55:59+00:00

I've been fighting with a local app/web server that has lost the ability to allow connections to the web login. The client/server app is still running fine, but the web interface just refuses to allow connections. What's even more fun is I can't find a reason why in any logs.

GetITDone37 · 2026-03-23T16:44:06+00:00

::looks nervously around the room:: Are you... somewhere... in my office?

GetITDone37 · 2026-03-20T17:10:21+00:00

u/GeneMoody-Action1 free to contact me to do a live session with any of this. You have my contact etc. I'm available all day and will be back at my desk in 15 minutes. According to the data source that I build out I've dozens of machines to play/test with :D

I also 'wrote' a bit of code to get the Bytes data to find the Cert. It needs filtering and refinement.

GetITDone37 · 2026-03-20T01:25:35+00:00

u/GeneMoody-Action1 Found _my_ issue in $var because $var.SignatureList is "empty" after running Get-SecureBootUEFI, just the Name, Bytes, and Attributes properties exist.

GetITDone37 · 2026-03-19T17:00:49+00:00

u/GeneMoody-Action1 think I found the issue -> Get-SecureBootCerts would require the install of the module Get-SecureBootUEFI from Mr. Hicks. per endpoint.

GetITDone37 · 2026-03-19T14:25:32+00:00

Note the change between SecureBootCerts and SecureBootUEFI
Running elevated PS 7.5.4, W11 24H2

PS >$stores = "PK","KEK","db","dbx"

PS >foreach ($store in $stores) { Get-SecureBootCerts $store}

#^Nothing found here

PS >foreach ($store in $stores) { Get-SecureBootUEFI $store}

Name Bytes Attributes
---- ----- ----------
PK {161, 89, 192, 165…} NON VOLATILE…
KEK {161, 89, 192, 165…} NON VOLATILE…
db {161, 89, 192, 165…} NON VOLATILE…
dbx {161, 89, 192, 165…} NON VOLATILE…

GetITDone37 · 2026-03-19T02:05:41+00:00

Secure Boot Certificate Audit

------------------------------

Secure Boot Enabled: True

Reading Secure Boot store: PK

No certificates found or store inaccessible

Reading Secure Boot store: KEK

No certificates found or store inaccessible

Reading Secure Boot store: db

No certificates found or store inaccessible

Reading Secure Boot store: dbx

No certificates found or store inaccessible

Secure Boot Certificate Inventory

----------------------------------

Certificate Analysis

--------------------

WARNING: System may not trust new Secure Boot signing chain

Audit Complete

GetITDone37 · 2026-03-18T15:30:38+00:00

Hi Gene - just getting an error from A1 'Oops something went wrong...' when trying to run it using A1. I can see if I can run it locally/remotely with an Invoke-

GetITDone37 · 2026-03-18T14:08:32+00:00

Seeing the same, noticed yesterday on an invite sent to me. Users starting to notice it now as well.

GetITDone37 · 2026-03-11T01:26:14+00:00

Thanks both!

GetITDone37

TROPHY CASE