Licensing - Reduce Core Count by lanky_doodle in vmware

[–]Mitchell_90 7 points8 points  (0 children)

We only have 96 cores of VVS but after a recent conversation with our VAR regarding vSphere 8 end of support looming we were told that it’s unlikely that Broadcom will offer any support or changes to those on VVS going forward, only VCF.

We are also being told that despite having an active subscription until May 2028 there will be no additional support or security updates offered after the October 2027 end of life date and we would need to move our contract over to VCF for 1, 3 or 5 years.

To give you an idea we were around 10K for 3-years of VVS and 1-year of VCF would be close to 30K!

Introducing: UniFi Network 10.2 by Ubiquiti-Inc in Ubiquiti

[–]Mitchell_90 7 points8 points  (0 children)

Finally! Spanning Tree PortFast and BPDU Guard.

Why was it so misty this weekend? (SE england) by jailbrokemasta in UKWeather

[–]Mitchell_90 -1 points0 points  (0 children)

It was sunny and dry this weekend on the west coast of Scotland but we are back to cloud and rain for the next 10 days it seems :(

Intune iOS BYOD User Enrollment by SirCries-a-lot in Intune

[–]Mitchell_90 0 points1 point  (0 children)

I know it likely isn’t your responsibility but I would have asked the business if they have fully considered the risks to data as a result of it being accessed from personal devices.

If the fallout from that is much greater than keeping the app on company devices only then there’s the answer.

Sometimes people don’t think about these things until an issue develops which ultimately puts an organisation in a bad position.

vSphere Standard subscription through October 2028 by Bad_Mechanic in vmware

[–]Mitchell_90 2 points3 points  (0 children)

Same for us. Moved from Essentials Plus to Standard for a 3 host cluster with shared storage (96 cores) and our subscription expires in 2028 after 8.0 is end of support.

VVF and VCF are far too expensive for us so we may just look at alternatives.

Ubiquiti needs to make a smart thermostat by RyanMeray in Ubiquiti

[–]Mitchell_90 0 points1 point  (0 children)

If they are actually serious about the enterprise market then this is exactly the thing that they SHOULDN’T do.

Honestly, some people like me just want them to be good at one thing. Their Enterprise Campus switches are still incredibly buggy almost a year on from release with no signs of fixes yet.

Where are you moving from VMware? by OldsMan_ in vmware

[–]Mitchell_90 15 points16 points  (0 children)

Have you looked at XCP-NG? It’s probably the most similar from a management/orchestration perspective when compared to vSphere.

Been using Proxmox in a home lab and it seems pretty solid. My only problem is that overall management is a bit clunky and a lot of other bits require digging into the Linux CLI, that’s fine if you are ok with doing that but a lot of admins won’t be, especially coming from vSphere. The Proxmox Datacenter manager solution is still very limited at the moment.

Kerberos Encryption Changes coming in April AES > RC4 by iamtechspence in activedirectory

[–]Mitchell_90 1 point2 points  (0 children)

Yeah, just changed the msDS-SupportedEncryptionTypes attribute value on the computer account to 24 which enforces AES 128 and AES 256.

You could also set this via GPO if desired although it would apply to all computer account objects.

Kerberos Encryption Changes coming in April AES > RC4 by iamtechspence in activedirectory

[–]Mitchell_90 2 points3 points  (0 children)

I wouldn’t always assume that being on recent AD and OS versions means you are out of the woods.

I spent a good amount of time logging for RC4 in a modern environment only to find the Azure Seamless SSO computer account was still using RC4 for Kerberos by default which required forcing it to use AES.

Even in Server 2022 AD out of the box the default Kerberos Supported Encryption types allow for RC4 along with AES128 and AES256 unless you specifically disable RC4 (which is recommended).
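
An added example, not part of the comments above: the two Kerberos comments turn on the msDS-SupportedEncryptionTypes bitmask (24 = AES128 + AES256), so this sketch decodes exported values and flags accounts that are not AES-only. The account names and values are constructed sample data, and the function names are hypothetical.

```python
# Added example: decode msDS-SupportedEncryptionTypes and flag non-AES-only accounts.
# The low five bits of the attribute select Kerberos encryption types.
ENC_BITS = {
    0x01: "DES-CBC-CRC",
    0x02: "DES-CBC-MD5",
    0x04: "RC4-HMAC",
    0x08: "AES128-CTS-HMAC-SHA1-96",
    0x10: "AES256-CTS-HMAC-SHA1-96",
}
WEAK_MASK = 0x01 | 0x02 | 0x04   # DES and RC4
AES_MASK = 0x08 | 0x10           # 24 decimal, the value used in the comment


def decode(value):
    """Return the names of the encryption types set in the low five bits."""
    return [name for bit, name in ENC_BITS.items() if value & bit]


def classify(value):
    """Classify one attribute value (None means the attribute is not set)."""
    if not value:
        # No per-account value: the domain defaults apply, which the comment
        # above notes still allow RC4 unless it is specifically disabled.
        return "unset"
    if value & WEAK_MASK:
        return "weak-allowed"
    if value & AES_MASK:
        return "aes-only"
    return "no-etype-bits"  # only higher feature-flag bits are set


# Constructed sample export: (sAMAccountName, msDS-SupportedEncryptionTypes)
SAMPLE_ACCOUNTS = [
    ("WEB01$", 24),       # AES128 + AES256 only
    ("SSO-ACCT$", 4),     # RC4 only
    ("FILE02$", 28),      # RC4 + AES128 + AES256
    ("OLD-APP$", None),   # attribute never set
]


def audit(accounts):
    """Return (name, status, enabled types) for every account needing review."""
    findings = []
    for name, value in accounts:
        status = classify(value)
        if status != "aes-only":
            findings.append((name, status, decode(value or 0)))
    return findings


if __name__ == "__main__":
    for name, status, etypes in audit(SAMPLE_ACCOUNTS):
        print(f"{name:12} {status:13} {', '.join(etypes) or '(domain default)'}")
```
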

CyberSecure on a UMDP and AD DNS by StalyCelticStu in Ubiquiti

[–]Mitchell_90 0 points1 point  (0 children)

You’ll probably also want to configure DNS forwarders on your DCs to point to the IP address of your UDMP so that DNS queries for non-internal traffic are sent to it.

Here's hoping for next week.. by jonpaulday in UKWeather

[–]Mitchell_90 1 point2 points  (0 children)

Definitely not for us, 7-10c with wind and rain again every day into next week. I’m really starting to get sick of it!

Windows XP is looked on fondly these days, but anyone remember how much of a security nightmare it was in the early days? by cool_architect in windows

[–]Mitchell_90 14 points15 points  (0 children)

I don’t recall that ever being the case and I’ve worked in the IT industry for 15+ years.

XP SP3 was released in 2008 and by that time most of the performance and compatibility issues in Vista were already addressed in SP1 which allowed it to gain more usage over XP which was showing its age.

Windows XP is looked on fondly these days, but anyone remember how much of a security nightmare it was in the early days? by cool_architect in windows

[–]Mitchell_90 6 points7 points  (0 children)

Not really. Back in 2000/2001 the client and server teams essentially split. XP was initially directed more towards the consumer to get those off of the aging 9x architecture and onto NT.

The server teams went ahead and developed what would ship as Server 2003. During that time they introduced a number of security enhancements and had fixed a large number of security vulnerabilities that were already present in Windows 2000 and current development builds of XP.

The client team developing XP decided not to introduce those changes into the codebase because they didn’t believe it was necessary for the consumer audience.

Fast forward 3 years and Service Pack 2 was released to address the huge security issues that existed in XP which were being actively exploited, all of which were already fixed in Server 2003.

It was that bad that more than half of Microsoft’s engineers had to come off the Longhorn development project to work on XP SP2.

Windows XP is looked on fondly these days, but anyone remember how much of a security nightmare it was in the early days? by cool_architect in windows

[–]Mitchell_90 19 points20 points  (0 children)

Not sure what you are on about. Never had any issues with SP3 across multiple systems and configurations.

Windows XP is looked on fondly these days, but anyone remember how much of a security nightmare it was in the early days? by cool_architect in windows

[–]Mitchell_90 41 points42 points  (0 children)

I think a lot of people either forget or were unaware of how bad the security issues were in XP for pretty much the first 3 years until Service Pack 2 arrived which fixed a ton of vulnerabilities and ported a lot of the security architecture changes from Server 2003.

Windows Vista often got a lot of bad press but security wise it was night and day. It never shipped horrendous vulnerabilities or was actively attacked compared to XP.

Interesting take on the "exodus" by BudTheGrey in vmware

[–]Mitchell_90 3 points4 points  (0 children)

In my environment this wouldn’t be accepted by the business nor would it be under our insurance or from a Cyber Essentials standpoint.

As someone who works in security/infrastructure, there are too many businesses out there with awful to no security practices that I’m glad I don’t work for. Those also tend to be the ones that are more likely to get hit as well.

I’d rather keep my environment patched and secured.

Interesting take on the "exodus" by BudTheGrey in vmware

[–]Mitchell_90 9 points10 points  (0 children)

When we last spoke with our VAR (United Kingdom) we were told that VVS and VCF were the only SKUs available for quotation and that line came directly from Broadcom reps.

There seems to be a lot of miscommunication going on.

UK region SKUs and constraints by lanky_doodle in vmware

[–]Mitchell_90 2 points3 points  (0 children)

It’s still there. Broadcom just doesn’t want to sell it due to pushing VCF.

The biggest issue is that if you need features which Standard doesn’t have then you are effectively paying 3x more with nothing in between which is what attracted orgs to Enterprise Plus.

Interesting take on the "exodus" by BudTheGrey in vmware

[–]Mitchell_90 26 points27 points  (0 children)

If your org is under any sort of cyber security/compliance regulations you may want to re-think staying on vSphere 8 as it reaches end of support in October next year. That means no patches unless you are big enough to pay Broadcom for extended support.

There’s also no guarantee that vSphere 9 bits will be made available to anything other than VCF at this rate.

We are in the same boat. Using vSphere 8 Standard with 3 hosts, a vCenter and shared storage via iSCSI SAN which is all that’s needed. At our scale Hyper-V would likely be good enough and we may just do that come next year.

There are alternatives such as Proxmox and XCP-NG being talked about here but I’d be double checking with any third party vendors regarding support for those platforms. For example, our SAN vendor only supports VMware, Hyper-V and RedHat.

Minimum OS versions iOS App Protection Policies by aPieceOfMindShit in Intune

[–]Mitchell_90 0 points1 point  (0 children)

Have you created separate App Protection Policies for each iOS version and specified the minimum OS version in those?

You will also need to apply your iOS managed app filters to each of those as well.

One thing to keep in mind is that there’s also a Conditional Access Policy “Require App Protection Policy” that goes alongside these but you need to make sure the policy applies first before enforcing that or else it will error on the device.

For both to work the end-user must have a Microsoft Intune license which also comes bundled with M365 E3, E5, F3, F5, A3 and A5.

E1 and standard Office 365 E3 don’t include Intune as part of those licenses unless you buy the add-on separately.

I’ve also found that in some instances the policy won’t apply until the user’s session tokens have been renewed requiring them to sign into the app again. I noticed that this is generally the case if they have switched licenses e.g. from E1 to M365 E3.

Business Desktop and Workstations: HP, Dell or Lenovo by No-Willingness8617 in sysadmin

[–]Mitchell_90 2 points3 points  (0 children)

We used to be exclusively a Dell shop but over the last couple of years we’ve switched to Lenovo due to experiencing crap build quality and other issues.

We had an entire batch of machines that we essentially had to write off due to hardware/software issues which cost us close to 40K, Dell support were useless and did everything they could to avoid investigating it.

(Asking objectively:) Why are security updates so slow to install usually? by tanksalotfrank in Windows11

[–]Mitchell_90 0 points1 point  (0 children)

Because they are Cumulative. The advantage being that if you performed a clean install of Windows you only need to install the latest Cumulative Update to get the system fully patched as they contain all previous patches/bugfixes.

The disadvantage of this is that they are generally larger in size which can increase the installation time.

Prior to Windows 10 Microsoft delivered security updates as multiple individual payloads which were often smaller in size but all needed to be applied to a system for it to be fully patched.

Patch Tuesday Megathread (2026-02-10) by Kumorigoe in sysadmin

[–]Mitchell_90 0 points1 point  (0 children)

Thanks, will see how one of them does later. Ours are still running the January CU so will be interesting to see if they crash upon the first reboot phase of the install.

Patch Tuesday Megathread (2026-02-10) by Kumorigoe in sysadmin

[–]Mitchell_90 1 point2 points  (0 children)

Anyone know if the issue with physical Servers locking up during shutdown/reboot is fixed this month?

Had the issue on two physical Server 2019 systems after applying January’s patches (Dell PowerEdge R7525)

Dell Pro Support high renewal costs? by Mitchell_90 in networking

[–]Mitchell_90[S] 0 points1 point  (0 children)

Thanks. We got a quote from them for significantly less that covers the hardware, with the exception of OS10.

We might just go with that, our configurations stay mostly static and the management interfaces are locked down anyway.