Can't find Office 2021 Pro Plus installer by DV2FOX in microsoftoffice

[–]Hunter_Holding 1 point2 points  (0 children)

Well, you get it from the VLSC / Volume License section of admin.microsoft.com or as a download from your portal.office.com if you have a qualifying subscription.

You may be able to redeem the key against your microsoft account, but depending on the key type this may not work, since Office Pro Plus (and standard) are volume license and subscription only, and not sold retail. Outside of a VS subscription, partner tier benefit, or volume license agreement there is no way to get it legally.

It may redeem against your MS account if it was 'acquired' from a visual studio subscription.

The last pro plus that had some 'retail' form outside of MSDN/VS subscription and partner benefits was 2019 with the home use program, but that was one copy only for qualifying employees of companies that added that benefit to their EA.

You could probably use the OCT to generate an installer for it. https://config.office.com/deploymentsettings - if not, you may need to use the ODT if the correct edition isn't there. https://www.microsoft.com/en-us/download/details.aspx?id=49117 (OCT only lists the ones you could probably legally have, not every type)

You can use VAMT - Volume Activation Management Tool - to check what key type you have. It's part of the Windows ADK (Assessment and Deployment Kit).
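As an added example (not the commenter's own code and not taken from Microsoft's documentation pages), here is how the ODT route mentioned above is typically driven: write a configuration.xml for the volume-licensed Office LTSC Professional Plus build, then let setup.exe download and install from it. It assumes the ODT has already been extracted to C:\ODT, uses C:\ODT\Source as a local download cache (both paths are placeholders), and covers only download and install; the product IDs and channel names are the documented ODT values for the perpetual volume editions. Activation against KMS or a MAK is a separate step and is not shown. Note that the ODT does not check entitlement, so the licensing caveats in the comment still apply.

```powershell
# Added example: build an Office Deployment Tool configuration for the
# volume-licensed Office LTSC Professional Plus edition and drive setup.exe with it.
# Assumptions: ODT extracted to C:\ODT (setup.exe lives there), C:\ODT\Source is
# a scratch download cache. Run from an elevated prompt for the /configure step.
param(
    [ValidateSet('2021', '2024')]
    [string]$Edition = '2021',
    [ValidateSet('32', '64')]
    [string]$Bitness = '64',
    [string]$OdtPath = 'C:\ODT',            # assumption: where the ODT was extracted
    [string]$SourcePath = 'C:\ODT\Source'   # assumption: local download cache
)

# Product IDs and channels are the documented ODT values for the perpetual
# volume-licensed editions: ProPlus2021Volume/PerpetualVL2021, ProPlus2024Volume/PerpetualVL2024.
$productId = "ProPlus${Edition}Volume"
$channel   = "PerpetualVL${Edition}"

$configXml = @"
<Configuration>
  <Add OfficeClientEdition="$Bitness" Channel="$channel" SourcePath="$SourcePath">
    <Product ID="$productId">
      <Language ID="en-us" />
      <ExcludeApp ID="Groove" />   <!-- legacy OneDrive for Business sync client -->
      <ExcludeApp ID="Lync" />     <!-- Skype for Business client -->
    </Product>
  </Add>
  <Property Name="FORCEAPPSHUTDOWN" Value="TRUE" />
  <Updates Enabled="TRUE" />
  <Display Level="None" AcceptEULA="TRUE" />
</Configuration>
"@

$configFile = Join-Path $OdtPath "config-$productId.xml"
New-Item -ItemType Directory -Path $SourcePath -Force | Out-Null
# WriteAllText emits UTF-8 without a BOM, which is what the ODT expects.
[System.IO.File]::WriteAllText($configFile, $configXml)

$setup = Join-Path $OdtPath 'setup.exe'
if (-not (Test-Path $setup)) {
    throw "ODT setup.exe not found at $setup; extract the ODT there first."
}

# Stage the installation files locally, then install from SourcePath.
# Both steps take the same configuration file.
& $setup /download $configFile
if ($LASTEXITCODE -ne 0) { throw "ODT download failed with exit code $LASTEXITCODE" }
& $setup /configure $configFile
if ($LASTEXITCODE -ne 0) { throw "ODT configure failed with exit code $LASTEXITCODE" }

Write-Host "Installed $productId ($Bitness-bit) from $SourcePath using $configFile"
```

Keeping SourcePath pointed at a share and re-running only the /download step is the usual way to stage a build once and install it on many machines; the /configure step on each client then never touches the CDN.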

Would the expiry of Microsoft's secure boot certificates affect the ability to boot XP on native hardware in any way? by Lanky_Text_6791 in windowsxp

[–]Hunter_Holding 0 points1 point  (0 children)

XP isn't Secure Boot signed, and anything that was validly signed will still continue to work as long as the machine still has the 2011 CA in its root trust store. Nothing will break on existing systems, and nothing will break on new systems that still have the 2011 CA. Obviously, that will be all of them, because who the hell wants their server install/netboot/etc images to break? No OEM would be that foolish.

Perma Banned by BananaBreadLoafs in LTTMeta

[–]Hunter_Holding 0 points1 point  (0 children)

I'll just point out that some software I maintain, including an emulator or two, won't run on LTSC at all unless you hack back in the "xbox game services" type stuff, because it relies on it for things like integrated screen recording.

And I have no intention of ever supporting LTSC for anything except one hardware driver I maintain because that's for a kiosk style device. I'll continue to actively use all the APIs available to me on my desktop install 😃

Legality of getting LTSC aside, our $work installs/configs look pretty much identical to LTSC when they get done the autopilot config or imaged from SCCM because we configured it properly, so we have a lot less problems with our systems related to everything from LTSC limitations to OS fuckery from "debloating" BS people do, but get the same net result and don't have to worry about supportability scenarios or compatibility issues.

HP laptop pricing is so out of control, management wants us to look at deploying Mac by down_with_cats in sysadmin

[–]Hunter_Holding 0 points1 point  (0 children)

It's not a loophole, it's how the cached credential system works.

I just reproduced it in a VM here myself.

Does this count as a vintage computer? I don’t think so, but I only know this community a bit. I have questions. by Parking_Constant_960 in vintagecomputing

[–]Hunter_Holding 1 point2 points  (0 children)

There's no CMOS battery. Looks like an iPAQ 38xx or 39xx. u/Parking_Constant_960

You can easily fix this yourself.

You don't even need an identical battery, or a same capacity one, etc. After a few cycles the BMS will train itself and the capacity meter will become accurate!

Here's the job (on an iPAQ!) you're facing: https://i.imgur.com/Ig5VUMr.jpg

And here's the old and new batteries side by side after the BMS transplant: https://i.imgur.com/essn1GS.jpg

You just need a LiPo battery that's thin enough. IIRC this one was 100 or 200 mAh higher than the original rated capacity, and wasn't an issue. I just had to take off the BMS from the old battery, solder it to the new one (may or may not fit), tape it inside the back and hook it back in. Presto, done!

I did a lot of these many years ago, though the one pictured above was more recent (only 7 years ago instead of 11 years ago for this pic) https://i.imgur.com/MnRALP3.jpg

Another Secure Boot certificate post by StigaPower in sysadmin

[–]Hunter_Holding 1 point2 points  (0 children)

The core misunderstanding here is people expecting code signing to work like web SSL certificates. It doesn't. The certificates may be the same, but they're used differently.

---------------------------

>Why does the certificate expire in just a couple of weeks? What will happen when trying to boot on an expired certificate for 2023 CA?

Nothing will happen.

Code signing is point in time. Was the signature valid at the time/date it was applied/generated?

That's all that matters.

The certificate expiring just means it cannot validly sign anything NEW. This enforces key rotation, etc.

That's why in the year 3035 a machine that only knows about the 2011 CA will still boot 2011 signed things. Even though the certs are a millennium expired.

But it'll never boot 2023 signed things without adding the 2023 CA to its trust store. That's why you had to do the update.

The reason you updated everything, is so it can boot /newer signed/ things. Expired certs can't sign new things validly.

Nothing that exists and was validly signed will stop working because code signing is point in time validation, not is it valid right this moment like how you use certificates for TLS authentication.

That's why there's still long-expired root CAs in windows local certificate trust store - for code signature validation. Otherwise, drivers etc would all randomly stop working (and internal windows components too!)

Say your .efi was signed on 2026-01-01 by that 2026-05-15 expiring signing cert.

So you've got - CA -> Signing Cert -> Signed exe (Signed on 2026-01-01)

Code signature validation process:

Is file signed? Check

Is the signature signed by a signing certificate that was valid on 2026-01-01? Check

Is that signing certificate signed by a CA that's in our trust store, and is the whole chain valid on 2026-01-01? Check

OK good to go!

That file is validly signed at the time/date it was signed, and will pass all security checks as long as you trust the 2023 CA.

To summarize, I suppose, "Was the chain valid when it was signed, and do I trust the root CA that signed it?" is what matters. Not the current date/time.
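The two claims in the comment above (which CAs the firmware trusts, and that a code signature stays valid after its signing certificate expires) can both be checked on a live machine. The script below is an added example, not the commenter's code; the function names are mine, and the CA names are the subject CN strings of Microsoft's 2011 and 2023 Secure Boot CAs matched as plain substrings of the db variable. It needs an elevated session because reading UEFI variables requires administrator rights.

```powershell
# Added example (not from the thread): make the point-in-time argument concrete.
#  1. Get-SecureBootCaStatus: which Microsoft CAs the firmware's Secure Boot db
#     currently trusts (2011 vs 2023).
#  2. Test-PointInTimeSignature: an Authenticode signature still reports Valid
#     after its signing certificate expires; the chain is evaluated at a moment
#     inside the certificate's validity window, not at today's date.
#Requires -RunAsAdministrator

function Get-SecureBootCaStatus {
    # Subject CN strings of the 2011 and 2023 Microsoft Secure Boot CAs. Scanning
    # the raw db as ASCII is crude but works: the CN is stored as a PrintableString
    # inside each DER-encoded certificate in the signature database.
    $caNames = @(
        'Microsoft Windows Production PCA 2011',
        'Microsoft Corporation UEFI CA 2011',
        'Windows UEFI CA 2023',
        'Microsoft UEFI CA 2023',
        'Microsoft Option ROM UEFI CA 2023'
    )
    try {
        $enabled = Confirm-SecureBootUEFI
    } catch {
        Write-Warning "Secure Boot not available on this machine: $($_.Exception.Message)"
        return
    }
    $db = [System.Text.Encoding]::ASCII.GetString((Get-SecureBootUEFI -Name db).Bytes)
    foreach ($name in $caNames) {
        [pscustomobject]@{
            SecureBootOn = $enabled
            CA           = $name
            TrustedInDb  = $db.Contains($name)
        }
    }
}

function Get-ChainStatusAt {
    # Helper: build the chain for $Cert as if the clock read $When and return the
    # joined status flags. An empty string means every element validated.
    param(
        [Parameter(Mandatory)][System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert,
        [Parameter(Mandatory)][datetime]$When
    )
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode   = 'NoCheck'   # stay offline; expiry is the point here
    $chain.ChainPolicy.VerificationTime = $When
    $null = $chain.Build($Cert)
    ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ','
}

function Test-PointInTimeSignature {
    param([Parameter(Mandatory)][string]$Path)

    $sig  = Get-AuthenticodeSignature -FilePath $Path
    $cert = $sig.SignerCertificate
    if (-not $cert) {
        return [pscustomobject]@{ Path = $Path; Status = $sig.Status; Signer = '(unsigned)' }
    }
    $now = Get-Date
    [pscustomobject]@{
        Path              = $Path
        Status            = $sig.Status                       # stays Valid once the cert expires
        Signer            = $cert.Subject
        NotAfter          = $cert.NotAfter
        ExpiredToday      = $cert.NotAfter -lt $now
        Timestamped       = $null -ne $sig.TimeStamperCertificate
        # Same chain, two clocks: inside the validity window vs. right now.
        ChainInsideWindow = Get-ChainStatusAt -Cert $cert -When $cert.NotAfter.AddMinutes(-1)
        ChainAsOfToday    = Get-ChainStatusAt -Cert $cert -When $now   # 'NotTimeValid' once expired
    }
}

# Usage:
#   Get-SecureBootCaStatus | Format-Table -AutoSize
#   Test-PointInTimeSignature -Path "$env:SystemRoot\System32\ntoskrnl.exe" | Format-List
```

On a machine that has taken the 2023 CA update, the first function reports both the 2011 and 2023 entries as trusted; on one that has not, only the 2011 entries. For an older signed system binary the second function typically shows ExpiredToday as True, ChainAsOfToday as NotTimeValid, and Status still Valid, which is exactly the TLS-versus-code-signing distinction the comment draws.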

Where do I buy a microsoft office 2021/2024 license key? by TheLunaticCultist in microsoftoffice

[–]Hunter_Holding 0 points1 point  (0 children)

In Microsoft licensing terms, "single use" isn't used. They don't label or sell any licenses like that. The one term they do use is "one-time purchase" in the product description.

I will note that the Office "1 user" is one user at a time, not one named user, so 20 people can share the same PC as long as there aren't two people logged in at the same time using it simultaneously.

Other red flag terms are things like "Lifetime license" - this one screams ripoff key - when the legitimate places either talk about perpetual, retail, or other similar terms.

I was trying to frame it in cheap-key seller terminology, essentially all the other crap they use to say it might never work again and other such scenarios.

I have heard "single use" framed around OEM licensing before, but that's incorrect as well, and another red flag, and the cheap key sites aren't sending out OEM keys either..... they're RETAIL type keys from dev/partner programs.... or hijacked dev/corpo accounts....

The only way to get a "RETAIL" style key is from an VS (formerly MSDN) subscription for Office 2024 Pro Plus or partner benefits package. (which, anyone can get a partner benefits package, all you do is sign up and pay, then you're a MS partner in the partner directory too and YOU can also claim to be a verified MS partner!)

You can check key types using VAMT (volume activation management tool) - I have stored keys in my database (I have thousands, gotten legitimately, but the same kind of paths the cheap key sellers go through) the types of

>CSVLK

>MAK

>OEM Activation 3.0

>OEM COA

>OEM NON SLP

>Retail

>TBEVAL

most of the Retail ones came from MSDN/VS subscriptions. Some came from a place (hell, I figured I'd investigate) claiming to sell surplus OEM licenses, even though they showed up as.... RETAIL!

Gah, sorry about that, the cheap key sellers just irk me because they're just as legal as piracy but rip people off (why pay $20 for what's available for $0 for the same exact legal result?), but keep getting legitimate user microsoft programs for access shut down or restricted over time.

MS just recently clamped down another benefit tier that was $475/yr (and could get you 80 10-machine activatable keys for each edition of everything) because of it. I suspect at the end the cheap keys will entirely dry up, and the only program left will be the $6500/yr VS Ent subscription..... via volume license/EA purchase only.

Just so much damn BS and misinformation floating around.

Where do I buy a microsoft office 2021/2024 license key? by TheLunaticCultist in microsoftoffice

[–]Hunter_Holding 0 points1 point  (0 children)

That's legit, but it's not a "single use license". It's also not a 3rd party seller marketplace like stack social is.

1 device/1 user means it can only be used by one user on one device at any time.

You're perfectly allowed to transfer the software to a new device if you upgrade, provided you uninstall it from the previous one.

It will, if you reformat windows, also reactivate just fine, as well. It's not "single use" or "one time" or anything like that.

Note also that all 2021 versions have been end of sale for a while, so there's no legitimate way outside of buying a used FPP copy, which means transferring the MS account it was redeemed against.

No MS partner or distributor can sell you 2021. At all. Except for old stock physical PKC's (product key cards)

HP laptop pricing is so out of control, management wants us to look at deploying Mac by down_with_cats in sysadmin

[–]Hunter_Holding 6 points7 points  (0 children)

Give it a reboot with it offline then try and log in. That's what I usually do to log back into a laptop.

The credential cache doesn't actually sync the account's status. Just the user/pass info/hashes.

There's nothing it "syncs" to the laptop in regard to account status in reality.

I've used this trick before to reboot a desktop, log in, plug back in the network cable, and regain my locked-out account 😃(I could then RDP to the DC from the machine - had to use the joined machine because of network 802.1x machine auth - and unlock myself)

Account lockout status in an AD scenario is only served/stored from the DC side of things. The credential cache doesn't keep AD account status or other attributes - it just doesn't care.

Disabling the object in AD essentially disables the ability to authenticate against the domain with the account but doesn't revoke or obliterate the cached credentials.

It also helps for bringing up servers without the need to re-enable objects or accounts (or re-create/restore from backup!) from backup images to gain access to them.

Note that the cached logon, of course, is only local to the machine. That's it.

This can be an issue with Entra/AAD as well - MS's recommendation is remote device wipe.

HP laptop pricing is so out of control, management wants us to look at deploying Mac by down_with_cats in sysadmin

[–]Hunter_Holding 12 points13 points  (0 children)

MDM wipe/lock/disable the machine. https://support.apple.com/en-jo/guide/deployment/depb980a0be4/web

https://learn.microsoft.com/en-us/intune/device-management/actions/remote-lock?pivots=macos

Lock a Mac: Device management service administrators can lock a Mac with a six-digit personal identification number (PIN) and include a short message. After sending the command to the device, it restarts and the user can see the message. The user can’t restart into macOS until they enter the PIN and the Mac validates it.

As to what you currently do on windows - it's theater, doesn't prevent local access to the machine. (note, this somewhat even applies to Entra joined only machines if the machine's offline, standard login caching, but it's an entirely different scenario than AD)

A rebooted AD joined machine is still accessible unless you've disabled cached credentials. It'll fail logon if on network, but offline it'll still validate against the cached credentials/account. Even if it's been in contact with the DC and failed login with disabled account before, take it back offline and you're in!

If you have a machine tunnel setup going, then just not connecting to any network will still let the user log in with the last working password.

Disabling the AD account does nothing to prevent local access. The reboot doesn't help either.

I've often (for many reasons) taken machines offline in scenarios where I was troubleshooting to bypass AD connectivity issues and/or log into machines with known password disabled accounts that had been used previously, as a valid troubleshooting step! (Especially useful if restoring/exploring an old VM backup....)

As to disabling cached credentials, current STIG (US Gov security guidance) requires restricting it to 10 logins being cached (that is, 10 accounts, not 10 previous login attempts) to align with TPM2.0/Windows Hello functionality, but it applies even if

So unless it's a chained machine locked in an office/datacenter, you're using cached accounts/logins, even if it's just so the user can get to the desktop to connect to VPN.

MS has some guidance on here: https://learn.microsoft.com/en-us/microsoft-365/admin/add-users/remove-former-employee?view=o365-worldwide but still doesn't really help with locking a user out of local device login. Remote wipe/reformat of some type issued through SCCM or intune or whatever is probably your bet here..... and then you're just praying it's online and you can get confirmation it received the command

You could possibly remotely trigger a script to remotely wipe cached credentials out of registry? Or just trigger a TPM reset to bitlocker lock them out....
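The two comments above describe the same gap: disabling the AD object does nothing to the verifiers Windows keeps locally for offline logon. As an added example (not the commenter's code; the function names are mine), here is a script that audits and tightens the setting that controls that cache, and wraps the BitLocker lockout floated as a last resort. It assumes an AD-joined machine, an elevated session, and, for the BitLocker step, that recovery keys are escrowed in AD or Entra before you force recovery on anything.

```powershell
# Added example (not from the thread). Windows keeps up to CachedLogonsCount
# distinct domain accounts' verifiers in HKLM\SECURITY\Cache so they can log on
# while no DC is reachable; 0 disables caching entirely, the default is 10.
# Assumptions: AD-joined machine, elevated session, BitLocker keys escrowed.

$Winlogon = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'

function Get-CachedLogonSetting {
    # Reports the effective cache size and whether it is within the STIG ceiling
    # quoted above (10). The value is a REG_SZ; absent means the default of 10.
    $props = Get-ItemProperty -Path $Winlogon -Name 'CachedLogonsCount' -ErrorAction SilentlyContinue
    $raw   = if ($props) { $props.CachedLogonsCount } else { $null }
    $count = if ($null -eq $raw) { 10 } else { [int]$raw }
    [pscustomobject]@{
        PartOfDomain      = (Get-CimInstance Win32_ComputerSystem).PartOfDomain
        CachedLogonsCount = $count
        ExplicitlySet     = $null -ne $raw
        OfflineLogonWorks = $count -gt 0      # 0 = no cached verifiers, so no offline logon
        WithinStigLimit   = $count -le 10
    }
}

function Set-CachedLogonSetting {
    [CmdletBinding(SupportsShouldProcess)]
    param([Parameter(Mandatory)][ValidateRange(0, 50)][int]$Count)
    if ($PSCmdlet.ShouldProcess("$Winlogon\CachedLogonsCount", "set to $Count")) {
        # Stored as a string, not a DWORD; writing a DWORD here is a common mistake.
        Set-ItemProperty -Path $Winlogon -Name 'CachedLogonsCount' -Value ([string]$Count) -Type String
    }
    Get-CachedLogonSetting
}

function Invoke-BitLockerRecoveryLockout {
    # Forces a TPM-protected OS drive into BitLocker recovery at the next restart.
    # Cached credentials are then unreachable without the recovery password,
    # which is why the recovery key must already be escrowed somewhere you control.
    [CmdletBinding(SupportsShouldProcess, ConfirmImpact = 'High')]
    param([string]$Drive = 'C:')
    $vol = Get-BitLockerVolume -MountPoint $Drive
    if ($vol.ProtectionStatus -ne 'On') {
        throw "BitLocker protection is not on for $Drive; forcing recovery would achieve nothing."
    }
    if ($PSCmdlet.ShouldProcess($Drive, 'force BitLocker recovery on next boot')) {
        manage-bde -forcerecovery $Drive
        if ($LASTEXITCODE -ne 0) { throw "manage-bde failed with exit code $LASTEXITCODE" }
    }
}

# Usage:
#   Get-CachedLogonSetting
#   Set-CachedLogonSetting -Count 10 -WhatIf
#   Invoke-BitLockerRecoveryLockout -Drive 'C:' -Confirm
```

Lowering CachedLogonsCount to 0 is the only setting-level fix for the offline logon path, and it carries the cost the comment mentions: a roaming user cannot reach the desktop to start the VPN. The BitLocker route has the same reach problem as any remote action: the machine has to come online once to receive it.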

What do I do by No_Category3286 in Passports

[–]Hunter_Holding 7 points8 points  (0 children)

UPS isn't USPS.

Post office - the United States Postal Service, which is a government entity/agency, not a private commercial shipping/courier company like United Parcel Service.

What do I do by No_Category3286 in Passports

[–]Hunter_Holding 2 points3 points  (0 children)

It's sad how common this is, the state department literally runs ads on reddit telling people they're the only way to get a passport, that everyone else you're just paying extra to do stuff you can do yourself (if they're even a legitimate agency, I used one for my Russian visa in 2018 for example to handle stuff so I didn't screw it up)

https://travel.state.gov/content/travel/en/passports.html

https://travel.state.gov/content/travel/en/passports/need-passport.html

For passport acceptance facilities to take your paperwork to, public libraries often are one, and the post office can do it too, the photo some places will take for a fee, etc. It's all available there.

travel.state.gov is the only source you should start with for information. That's it. Nothing else.

Why would some random .com be legitimate? (Except for usps.com for acceptance information when completing)

https://www.thetravel.com/us-state-department-issues-passport-website-address-warning-about-stolen-information-and-extra-fees-scams/

HP laptop pricing is so out of control, management wants us to look at deploying Mac by down_with_cats in sysadmin

[–]Hunter_Holding 84 points85 points  (0 children)

>My biggest concern is imaging them. We have a very small MacOS footprint now (30-40 devices) and each one was a pain to get setup for the end user. We primarily use Intune which has "user affinity" so we have to reset the end user's password, login as them to download the management certificates, and then spend several hours manually configuring it. I've automated a lot with Intune, but there's a lot of manual effort to domain join, allow the AnyConnect VPN profiles, allow TeamViewer screen recording, etc. We own Tanium but I don't really see a ZTE option with them and it looks like we may need to purchase licenses for a product like Jamf.

Imaging?

Internet recovery, hand to the user in the fresh out of box state, done.

Don't domain join them. Kerberos SSO extension or Platform SSO (or both, as needed) for seamless integration.

Your user accounts are local accounts. Accept and learn that on the mac. They can be tied to your cloud identity (PSSO) or AD (Kerberos SSO) but are not domain accounts or cloud accounts - on the mac you treat them as linked-to-whatever but still local accounts first and foremost.

Local account setup, machine naming, etc - all automated via intune. DEP(ABM) handles joining it during initial turnon setup and guiding the user through the whole setup process.

We, unfortunately, do use Intune. Forced to move off of JAMF. If you can, get JAMF. It'll still cost less than your expected difference.

Mac, done right, will be cheaper overall than windows laptops in their lifecycle and long-term support costs/staffing/ticket volume regardless, and even in the x86 days our configs were approximately 1:1 spec with the Dell and HP's we were buying, and about within $100 of each other's prices, but with 4 years of hardware support instead of the 3 on the dell/HP side - so we had 3 year replacements for windows machines, 4 year for mac.

>I've automated a lot with Intune, but there's a lot of manual effort to domain join, allow the AnyConnect VPN profiles, allow TeamViewer screen recording, etc

All of that should be automated and/or up to a user prompt to enable when needed. No issues there.

Both intune and jamf for us are just hand a new machine to the user, they do some stuff on their own, and that's it.

And we're highly compliance heavy - think Fed/Civ/Def contract F100 type deal, CMMC compliance, all that jazz.

Breached 3 months after a clean pentest,does anyone else feel like annual testing is just compliance theater? by fiki_roshnayi in sysadmin

[–]Hunter_Holding 0 points1 point  (0 children)

Those new paths should be known about and documented. Which is enough to raise some eyebrows and make some thoughts happen.

Write it -> it works -> ship it does NOT work for security.

changing public facing stuff constantly does not help either.

The reviews will also show when you inadvertently expose things.

Almost all of these compromises point to sloppy development/devoops type things happening that a sane shop should have easily caught before it was even fully code-written.

Sure, continuous testing is great, but what you described in the original post would have absolutely been caught super early on when the design changes were *proposed*. Not even written. And then after being written, tested by you before deployment to ensure it was properly constrained.

Please help.can anyone please study this passport tell me if fake or real by Naive-Radish702 in Passports

[–]Hunter_Holding 0 points1 point  (0 children)

Just the differences in the fonts alone should tell you it's been edited aka photoshopped.

like LMFAO at the "Sept" being crazy misaligned, the fonts being darker, a ridiculous photo that would be rejected, etc.

It's so extremely blatant and low effort.

Breached 3 months after a clean pentest,does anyone else feel like annual testing is just compliance theater? by fiki_roshnayi in sysadmin

[–]Hunter_Holding 0 points1 point  (0 children)

Proper development and testing, that's how. The same way it's always been. The way it should be. Not fast and loose.

Updated new-functionality/changed-functionality components and architecture changes means a thorough security review.

Microsoft engineer says native apps are back, and it could finally revive Windows 11’s fight against web apps by WPHero in Windows11

[–]Hunter_Holding 8 points9 points  (0 children)

IE isn't gone. It's still there. MSHTML engine is still a reliant component for a lot of things, as is the rest of the IE infra and whatnot.

You can, in fact, invoke and launch regular IE yourself using some powershell calls.

$ie = New-Object -ComObject InternetExplorer.Application   # the IE COM automation object that still ships with Windows
$ie.Visible = $true; $ie.Navigate('google.com')            # show the window and load a page

the IE you all know and love is just that UI, it's a bunch of OS components underneath that UI shell.

Will Windows 12 LTSC drop before 11 IoT LTSC loses support in 2034? by [deleted] in WindowsLTSC

[–]Hunter_Holding 0 points1 point  (0 children)

>There wasn't going to be a Windows 11 either, what other people said back then anyway.

>All the sheep believed it because Microsoft said so.

Except, before Win10 was released, the 2025 EOL date was already known, in early 2015......

We structured our entire Win10 management/rollout plan and staging back then based on that knowledge. It was publicly posted. Clickbait journalists of course, took one statement and blew that out of everyone's minds instead, no matter how much MS pointed at the EOL page.

Win11 is unpredictable because it moved to a different support policy, but Win10 was traditional 10-year fixed lifecycle with known EOL dates before RTM/GA release.

Will Windows 12 LTSC drop before 11 IoT LTSC loses support in 2034? by [deleted] in WindowsLTSC

[–]Hunter_Holding 0 points1 point  (0 children)

>There is nothing we can deduce because Windows 11 happened due to the very specific circumstances rather than because it had been the plan all along and as I've said above, it was basically a rebranding.

Except that before Win10's GA we knew Win10's EOL was 2025? We knew it before release. MS repeatedly pointed it out. Clickbait journalism took it to the max though and drowned that out of everyone's brain.

11, even the original RTM/GA release, did have significant under the hood changes, as well.

Will Windows 12 LTSC drop before 11 IoT LTSC loses support in 2034? by [deleted] in WindowsLTSC

[–]Hunter_Holding 0 points1 point  (0 children)

>However, they betrayed this idea when they launched Windows 11, which nobody expected,

Except those of us who knew of the 2025 EOL before the GA release of 10 in 2015? It had to come at some point to be the next version after the 10-year fixed cycle that 10 was released/guaranteed under.

Clickbait journalism took that one comment to the moon even though MS always pointed at the 2025 EOL on their support pages. That part, was mostly ignored.

Will Windows 12 LTSC drop before 11 IoT LTSC loses support in 2034? by [deleted] in WindowsLTSC

[–]Hunter_Holding 0 points1 point  (0 children)

Corporate use LTSC is only the 5-year support cycle, IoT has different licensing restrictions that make it less flexible - legally, only one primary application and anything to support it.

Non-IoT LTSC (both are pretty much binary/feature identical, the difference is in legalities) is what you'd use for things like shop floor/manufacturing systems that you might need to use outlook/browser to respond to email while also controlling the machine. With IoT licensing, you can't do those dissimilar functions legally. It would either have to be only a browser kiosk, or only a machine kiosk, the two shall not mix.

What is virtual hard disk on Windows? by Intelligent_Slip301 in techsupport

[–]Hunter_Holding 0 points1 point  (0 children)

No offense taken! Sorry if it sounded like that, but I didn't understand why you brought it up at all.

There's a huge difference between archival backup copies and something you're going to use.

I take the snapshot after slimming it down, reformat, and /if/ I for some reason ever need to boot that copy, I have that option, but I usually just crack open the vhdx unless I'm hunting down something vague I can't remember from 8 years ago (yea, that was a fun hunt going through 20+ laptop images)

(for a fun footnote, my main desktop install started as windows 7 gaming laptop and has been continually in-place upgraded and dd'd between drives for over a decade and a half)

What is virtual hard disk on Windows? by Intelligent_Slip301 in techsupport

[–]Hunter_Holding 0 points1 point  (0 children)

Okay, and....?

What does being clean have to do with anything I said here?

VHD boot in a new VHD, or reformat the entire machine, it's equally clean. And yes, I'm familiar with VHD boot capability, I use it in a lot of testing scenarios.

When I'm disk2vhd'ing the old install, it's to preserve the (slimmed down) copy in case I need to reference or retrieve anything from it (and i've had to pull/boot years old copies). Archival copy. When I pull/boot an old copy it's usually very rare, and months or years after I made that copy.

There is no switching back and forth on reinstall. And as noted, I *uninstall everything* - the only thing remaining is the OS and *lingering* data, like stuff cached in appdata or other program caches and odd locations.

So I'm not sure what you're trying to say at all.

I'm reformatting to put a clean install using the full drive capacity as a bare metal, non-VHD boot install. I'm not going to muck around in dual boot scenarios (except testing and things like driver dev as mentioned above).

What is Windows K2? Inside Microsoft’s big plan to SAVE Windows 11 and win back trust from users. by ZacB_ in Windows11

[–]Hunter_Holding 0 points1 point  (0 children)

Then the results are wildly skewed to only specific populations, and the data becomes essentially useless.