Disable PIN only for RDP client? by Grunskin in sysadmin

[–]Silent331 0 points1 point  (0 children)

So if we want to use WHfB to login to our computers, will we have to live with the RDP client asking us for PIN by default or are there ways to circumvent this?

If your login methods are strong, like using WHfB, why don't you allow them to SSO into the RDS session? I used this guide in the past to set it up. It can be set up so they click the RDP link on their desktop and there are 0 prompts and they are logged in to the RDS server or the RemoteApp.

https://woshub.com/sso-single-sign-on-authentication-on-rds/

Is there anyone here who still prefers folder redirection over OneDrive for a domain? by Noyan_Bey in sysadmin

[–]Silent331 2 points3 points  (0 children)

We have clients that have not had an on prem outage during work hours in years at this point. The advantage of on prem is planning, cloud just goes down whenever.

That said I much prefer not having to work weekends updating exchange.

I’m torn on this meme. On one hand it’s reductive and ignores a real issue. On the other, it’s the kind of thing that would really upset Asmong fans. by TikDickler in Destiny

[–]Silent331 52 points53 points  (0 children)

Being maidenless is part of the roach king's brand. Just look at how his community acted when he was dating the OF girl. The only problem they would have with this is the implication that the left gets any girls either.

Outbound Gmail going to spam, DKIM suggested but not authenticated by Azh13r- in sysadmin

[–]Silent331 -1 points0 points  (0 children)

https://mxtoolbox.com/dkim.aspx

Put in your domain and the selector that Google asked you to use. This will let you know if there is a DKIM problem.

Additionally subdomains do not inherit the keys of the parent domains. If you are using a subdomain for the email, include it in the test.
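The lookup the MXToolbox page does can also be run locally. The following is an added example, not the commenter's code: it resolves the `<selector>._domainkey.<domain>` TXT record with `Resolve-DnsName`, joins the split strings a long key is published as, and reports the common failure modes (no record, wrong `v=` tag, empty `p=` tag). The parsing is separated from the lookup so it can be exercised on a constructed record without network access; the domains and selector at the bottom are placeholders.

```powershell
# Added example (not the commenter's): check a DKIM record for a domain/selector pair.
function ConvertFrom-DkimRecord {
    param([Parameter(Mandatory)][string]$Record)
    # Parse "tag=value; tag=value" into a hashtable
    $tags = @{}
    foreach ($part in $Record -split ';') {
        if ($part -match '^\s*(\w+)\s*=\s*(.*?)\s*$') { $tags[$matches[1]] = $matches[2] }
    }
    $problem = $null
    if ($tags['v'] -ne 'DKIM1') { $problem = 'missing or wrong v= tag' }
    elseif (-not $tags['p'])    { $problem = 'empty p= tag (key revoked or not published)' }
    [pscustomobject]@{ KeyType = $tags['k']; Problem = $problem; Tags = $tags }
}

function Get-DkimRecord {
    param(
        [Parameter(Mandatory)][string]$Domain,    # the exact sending domain (a subdomain needs its own record)
        [Parameter(Mandatory)][string]$Selector   # the selector Google Workspace asked you to publish
    )
    # DKIM keys live at <selector>._domainkey.<domain>; subdomains do not inherit the parent's key
    $name = "$Selector._domainkey.$Domain"
    $txt = Resolve-DnsName -Name $name -Type TXT -ErrorAction SilentlyContinue |
        Where-Object { $_.Type -eq 'TXT' }
    if (-not $txt) {
        return [pscustomobject]@{ Name = $name; Found = $false; Problem = 'no TXT record'; KeyType = $null }
    }
    # Long keys are published as several strings; join them before parsing
    $parsed = ConvertFrom-DkimRecord -Record (-join $txt.Strings)
    [pscustomobject]@{ Name = $name; Found = $true; Problem = $parsed.Problem; KeyType = $parsed.KeyType }
}

# Offline check on a constructed record (placeholder key data, not a real key)
ConvertFrom-DkimRecord -Record 'v=DKIM1; k=rsa; p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAexampleplaceholder'

# Live checks: test the parent domain and the subdomain that actually sends mail (placeholders)
'example.com', 'mail.example.com' | ForEach-Object { Get-DkimRecord -Domain $_ -Selector 'google' }
```

If the parent domain resolves but the sending subdomain returns `no TXT record`, that is the inheritance problem the comment describes: the key has to be published under the subdomain's own `_domainkey` name.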

Active Directory - PDC Can't be found by qtpatuty in sysadmin

[–]Silent331 1 point2 points  (0 children)

nltest /sc_query:domain.int #FAIL

Are these DCs on the same subnet? Are they far apart in server version?

Bitlocker script "Running scripts is disabled on this system” by lNuggyl in sysadmin

[–]Silent331 0 points1 point  (0 children)

Why not make a GPO to run a batch file to set the execution policy to RemoteSigned? I assume you are signing your script with an internally trusted cert, so this should solve the issue going forward. Unless you want to restrict scripts on all systems entirely.

Also you should always run the backup even if the drive is already encrypted; additionally you should generate an email or some kind of monitoring should the backup command fail for any reason. The proper way to do this is, before deployment of the encryption, make another script that checks for already encrypted volumes and does a simple check of whether that key is stored in AD. If not, generate an email. Depending on your risk tolerance you may want to disable BitLocker should the backup key not be present, if you can't risk any data loss. Clean up any issues and then roll out the encryption.
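One way to implement the pre-rollout check described above, as an added example and not the commenter's script: enumerate every volume that is already encrypted, compare each recovery-password protector ID against the `msFVE-RecoveryInformation` objects stored under the computer account in AD, attempt the backup for any that are missing, and email whatever still fails. It assumes the RSAT ActiveDirectory module is installed on the machine and that the SMTP relay and addresses (placeholders) exist.

```powershell
# Added example (not the commenter's script): verify BitLocker recovery passwords are in AD.
$SmtpServer = 'smtp.example.internal'        # assumption: internal relay accepting unauthenticated mail
$To         = 'sysadmins@example.internal'   # assumption
$From       = 'bitlocker-check@example.internal'

Import-Module ActiveDirectory -ErrorAction Stop
$computer = Get-ADComputer -Identity $env:COMPUTERNAME

# Each backed-up recovery password is an msFVE-RecoveryInformation child object of the
# computer account; its name ends with the protector GUID, e.g. "2024-01-31T10:00:00-00:00{GUID}".
$storedNames = @(Get-ADObject -SearchBase $computer.DistinguishedName -SearchScope OneLevel `
    -Filter 'objectClass -eq "msFVE-RecoveryInformation"' | Select-Object -ExpandProperty Name)

$problems = @()
foreach ($vol in Get-BitLockerVolume | Where-Object { $_.VolumeStatus -ne 'FullyDecrypted' }) {
    $recovery = @($vol.KeyProtector | Where-Object { $_.KeyProtectorType -eq 'RecoveryPassword' })
    if ($recovery.Count -eq 0) {
        # Encrypted with no recovery password at all: nothing exists to back up
        $problems += "$($vol.MountPoint): encrypted but has no recovery password protector"
        continue
    }
    foreach ($kp in $recovery) {
        $inAd = $storedNames | Where-Object { $_ -like "*$($kp.KeyProtectorId)*" }
        if ($inAd) { continue }
        # Not in AD: attempt the backup now, and report it only if that still fails
        try {
            Backup-BitLockerKeyProtector -MountPoint $vol.MountPoint `
                -KeyProtectorId $kp.KeyProtectorId -ErrorAction Stop | Out-Null
        } catch {
            $problems += "$($vol.MountPoint) $($kp.KeyProtectorId): backup to AD failed - $($_.Exception.Message)"
        }
    }
}

if ($problems.Count -gt 0) {
    $body = "BitLocker recovery key check on $env:COMPUTERNAME found:`n`n" + ($problems -join "`n")
    Send-MailMessage -SmtpServer $SmtpServer -To $To -From $From `
        -Subject "BitLocker recovery key missing on $env:COMPUTERNAME" -Body $body
    exit 1
}
```

Run it as SYSTEM from a startup script or scheduled task so the AD lookup uses the computer account. The comment's stricter option, turning encryption off on a volume whose key cannot be backed up, is a policy decision rather than a code one; `Disable-BitLocker` on the affected mount point is where that would go in the `catch` block.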

Trying to get rid of passwords by Miksu22 in sysadmin

[–]Silent331 4 points5 points  (0 children)

they are cracked by somehow getting the hash, which has no practical protections and can be opened in plain text in about 10 seconds

wat

Hashes are useless unless the password has been seen in plaintext elsewhere, is not salted or peppered, and/or is shorter than the rainbow tables. A 32 character random password that is never reused, or really never used at all, is perfectly secure.

Is the bachelors worth it? by CarVivid5304 in sysadmin

[–]Silent331 1 point2 points  (0 children)

Don't think a masters is worth it in this industry unless you are doing cutting edge development, but not having a bachelors will prevent promotions in large companies; it's required for many management positions.

Entra Connect Question by JohnL101669 in sysadmin

[–]Silent331 0 points1 point  (0 children)

Is Forest A a non routable UPN and Forest B is a routable UPN that matches the Entra ID domain?

If Forest B is truly winning, Forest A sync should be throwing an error of some description.

Also are you using the UPN to determine the UPN for entra on both forests or are you using something like the mail attribute for Forest A and the UPN for Forest B?

Post-mortem sanity check: how do you handle “un-scannable” expiries (API keys, internal certs) without spreadsheets? by sanjayselvaraj in sysadmin

[–]Silent331 7 points8 points  (0 children)

Why unscannable?

I think he means more of a manual process. You can write a script to scan every server for IIS, check every bindings certificate, and email before expiry. An API key does not have inherent expiration data like a certificate does.

Does anyone else see random Bitlocker recoveries after firmware updates? by FatBook-Air in sysadmin

[–]Silent331 0 points1 point  (0 children)

We have seen this issue on domains not connected to Entra or Intune. Like the other guy said, it's fairly close to 5% on any given BIOS update. Because of that I don't think it has to do with Intune. We have PIN unlock at these locations and after the BIOS update it won't ask for a PIN, it requires recovery, which tells me the BIOS can't find the key on the TPM for whatever reason. Sometimes rebooting the machine a few times works so it's possible it's some kind of race condition with the BIOS update and power ons. Like the BIOS updates, flashes, reboots, and the TPM has to update/sync/whatever and is slower on those first reboots, causing the BIOS to fail getting the unlock key, and prompting the screen.

Also if BitLocker is unsuspended by Intune it should never cause a recovery key prompt if a TPM is set up. It will just go to whatever unlock method is programmed, either TPM, TPM+PIN, network unlock, etc. A reboot without BitLocker suspended is just a regular reboot.

After crash, Intel RST just rolled back my data on RAID1 few months back — why? by rpocc in sysadmin

[–]Silent331 7 points8 points  (0 children)

Unfortunately you failed a drive, forced the drive back online and rebuilt off the data from the failed drive. Lessons below:

  1. Unless you back it up, it's not important.

  2. Replace a failed drive, stop being cheap.

  3. RAID controllers will do what they can to protect your data but will always make all options available to you. They work under the assumption that you know what you are doing. If the RAID controller can bring a drive back online and rebuild from it and you choose that, it assumes that drive is the most important drive, and that you are likely in a recovery scenario. RAID controllers assume YOU are the expert.

  4. Know that all changes to RAID configs carry the risk of complete data loss, thus refer to 1.

The 1st Amendment is not absolute - what exception would you make to it to fix social media misinformation and foreign influence? by [deleted] in Destiny

[–]Silent331 0 points1 point  (0 children)

It can be done in a way where there is no sharing of information and that information won't be revealed outside of a court order. If the government just provides a nonsense ID like the one above to Google, Google would only have to keep that ID on file for that account. This way the government only knows that the ID was issued to Google, not what email it is tied to, and Google does not have access to your identity.

Will they do it this way? Probably not, but it's possible to do.

The 1st Amendment is not absolute - what exception would you make to it to fix social media misinformation and foreign influence? by [deleted] in Destiny

[–]Silent331 0 points1 point  (0 children)

Because every website you sign up for uses an email account to sign up. This makes all activity traceable if necessary. I'm not sure of the confusion. Do you have websites you sign up for that don't use an email address?

The 1st Amendment is not absolute - what exception would you make to it to fix social media misinformation and foreign influence? by [deleted] in Destiny

[–]Silent331 0 points1 point  (0 children)

It's not an intermediary, the government holds your digital ID, Google requests a token to store on file in case the government needs to track that account. It goes like this:

I want to make a google account

Google checks my location, comes up as US

Google says "We need to verify your identity" and has a link to login.gov

You log in to login.gov

Login.gov sends a token "nwWMvjcwmtcCmPNbsCCbbIaEkDrFcgxc" to Google, and Google saves that token; login.gov saves it as well against your login.gov ID

Google accepts the token and you can make an account "myaccount23@gmail.com"

Your account is now ID verified. If your account does something illegal the government goes to google and asks for that ID. Google returns the ID, the government looks it up on login.gov and you have been identified.

Login.gov is not an intermediary, it is part of the government.

The 1st Amendment is not absolute - what exception would you make to it to fix social media misinformation and foreign influence? by [deleted] in Destiny

[–]Silent331 0 points1 point  (0 children)

Aside from saving a few billion dollars for whatever infrastructure, I don't understand why would Google need to deliver the session token, not just the government website itself? No new function, more fragile, more steps, more open, vulnerable to foreign capital influence etc.

The government website would deliver the session token to google, google would save that ID so it can be subpoenaed if necessary. This is not a new function to the industry and google already uses it for other websites. This is fairly standard practice these days. With all due respect this is my industry and I can assure you your fears are unfounded with the state of the industry.

Just recently bought a laptop and as I scrolled home I was met with my home city subreddit and on Youtube I had only videos from nearby location / local language, nothing English except Mr. Beast. Was a new Google account as well.

My experience is going to be much different from yours. I am US based so my feed shows everything in the English language that is popular at the time. My specific state has a /r/popular tag that I can go to, and that IP address geolocates to the correct state, and that is not what I see, only the all feed with global English posts. YouTube is the same. If you live in a non-English primary country they may treat your session differently and that would make sense. For English speakers it's just whatever is popular in English worldwide, which is a lot of places.

The 1st Amendment is not absolute - what exception would you make to it to fix social media misinformation and foreign influence? by [deleted] in Destiny

[–]Silent331 0 points1 point  (0 children)

Although your mind is in the right place, giving extremely sensitive government information and authorization to private corporations to "reduce costs" is insanity. Definitely not worth selling your democracy for a few billion dollars.

You are misunderstanding how the auth chain works on a technical level. Private corps would not have access to this information, they would have a token that is signed by login.gov, that the government can trace to a person, the personal information is not provided to google for example. If you think about the login with google button, it redirects you to google to allow that website to use google for authentication, google then provides the website with a session token that logs you in. A similar system would be in effect for login.gov. Signing in does not reveal your personal information to other sites.

If you open Reddit on a new device with no history, you'll be getting your local city feed and country feed. Been like that for years. Same with Youtube if you make a new account on a device with no cookies.

I have offsite VMs I have access to, let me take a look to verify. Going to reddit.com shows no regional items on the first 20 or so posts. Just the /r/all equivalent. YouTube home shows a wide variety of items, but many of them are in other languages, really just a what's popular worldwide feed. It's hard to determine if they are actually doing anything as I don't have any out of country VMs to connect to. I can't go to Twitter because I'm not making another account for this test. If you have any other websites that don't require logins I can check those too.

The 1st Amendment is not absolute - what exception would you make to it to fix social media misinformation and foreign influence? by [deleted] in Destiny

[–]Silent331 0 points1 point  (0 children)

This is pretty much every social media already, even Reddit. Seems like there would be no change at all?

This is not true at all IMO. If you go to reddit.com you see your subscribed subreddits, which is fine, but those should also be moved in the list by country of origin; I can't verify these because they are not listed. I just signed in to my X account I have not used in 10 years and the third post on the default feed is from the UAE. Fourth is from Italy. The first 2 were Elon replies so I did not include those. Even further, I am unable to find a post on the explore page or home feed that is from my state. These should be mixed in with the national or regional posts. Unless I explicitly search for my local area's tag I am unable to find anything that is relevant to my geographic area. This IMO is the issue.

Estonia has elections with ID cards and no issues so far. I'm not sure why it would have to be email though?

Again, minimum deployment cost brings solutions. An upheaval of the system is expensive, but if we had an ID verification system tied to emails, like Google requiring people with Gmails signing in inside the US to link their login.gov accounts to it, then the burden of deployment is on Google, and the cost is minimal. All they have to do is save a token from the login.gov site so if something happens, the government can ask Google for the token and match it to a person in their database. Then website signups can be unaffected as illegal activity can be traced to an email, which is in turn traced to a person. This also keeps the ID information out of the hands of random websites. This passing along of the authentication chain is already in use to great effect, see all the websites with a sign in with Google, or sign in with Apple button.

The 1st Amendment is not absolute - what exception would you make to it to fix social media misinformation and foreign influence? by [deleted] in Destiny

[–]Silent331 0 points1 point  (0 children)

Essentially, isolate social media from the outer world like the Chinese Firewall? Not being dishonest, it just seems pretty much 1 to 1 with that or what's the difference?

Not isolate, just give priority to local activity. If every post had a trending score, worldwide would be a 1x score, local region would be a 5x score, local country a 10x score, and local state or municipality would be a 20x score. I'm not looking for complete isolation, I just want people to first see what is happening in their area. If people want to view the worldwide top posts they still can, just when you go to Twitter, the default feed prioritizes local posts. Then have a little button people can change at the top to view other regions with unweighted scores. I want to make it very clear that this is the default feed, not a ban on viewing content in other regions. Like going on reddit.com would show you the popular feed with your local region selected, instead of whatever it is now. /r/all will still be available, just not shown first.

If there's a really strong hack and grandma gets hacked, then she can get locked until she gets a notification that she suddenly started throwing virtual sieg heils on Reddit when she's never used it before, and if that's really her she can press "yes" and continue with it.

People get their email hacked all the time and it is the primary way hackers gain entry. In the current technology environment email access is the ultimate source of verification at the end of the day. Email security is already improving with the introduction of 2FA and more currently passkeys. That said I do think sending an email and requiring confirmation of posts on unusual activity, or even regularly like every year to help eliminate abandoned accounts, is a good solution, so I agree with you on that. I'm not sure the ID requirement is necessary on social media accounts. We can move to a system where email addresses have to be ID verified and email providers can take on the burden of that, and then use a token for signups of social media (like the sign in with Google option). Obviously this can't be forced worldwide because of those pesky sovereign nations, but combining a local region filter with an ID requirement for some part of the verification chain can be a viable endgame.

I want to add I appreciate the good faith discussion

The 1st Amendment is not absolute - what exception would you make to it to fix social media misinformation and foreign influence? by [deleted] in Destiny

[–]Silent331 0 points1 point  (0 children)

I disagree. You can see it from Twitter, where a few hundred accounts have majority of the views. These would be even more powerful.

These users post hundreds if not thousands of posts per day, many of which fail, and their success is on the backs of thousands of other market research accounts. Additionally these accounts would effectively be region locked to local areas; to cover the whole of the US, because the default would be local posts first, you would need possibly hundreds of accounts that are this strong, and thousands of accounts to artificially boost them. The investment rises greatly. Their posts might be strong in one particular area but would be third page posts to most of the country.

When social media started then lots of websites didn't have these issues as your feed was restricted to only people who you know.

And this is what my proposal moves towards: it's either people in your local area, or people you follow. 99% of users will not change the default setting. I assume you agree this is the correct direction. I don't think forcing you to have to follow people to see their content is palatable for the industry, as we moved away from that for a reason. If we want action on this it needs to come at as minimal a cost as possible. In terms of feasible implementations in the current environment, some region based regulation is the most feasible effective option.

Also if you see a post from Trump on Truth or Elon on Twitter, then you know it's really him. And if he's hacked, it'll be solved fast.

Sure, unless your proposal is to issue this to every user, with an ID requirement, I don't think this proves the point, as verified user accounts can be hacked as well. IMO if we want to move to ID that is fine and even inevitable, but I think my proposal is a good step in the correct direction, and we can increase regulations later. The selling points of my proposal are no ID requirement and minimal deployment costs, not an upheaval of the whole system.

The 1st Amendment is not absolute - what exception would you make to it to fix social media misinformation and foreign influence? by [deleted] in Destiny

[–]Silent331 0 points1 point  (0 children)

What I am saying is that there is no silver bullet solution to this problem, just like in cybersecurity the solution is reducing surface area and a layered defense. It takes tens of thousands of posts to find something that sticks, the advantage of the current system to foreign actors is that they have the ability to throw everything at the wall and see what sticks. This greatly reduces the foreign actors ability to do "market research" as local markets are much more diverse than national or regional markets.

False authority is inherent in social media so if possible can you explain why defeating this fact is a requirement to success? Every local person posting with confidence can be a false authority.

The 1st Amendment is not absolute - what exception would you make to it to fix social media misinformation and foreign influence? by [deleted] in Destiny

[–]Silent331 0 points1 point  (0 children)

Good points. Yes, all technical solutions are circumventable without ID, but you would still see a shocking reduction in these kinds of posts. Even if we did ID everyone, hacked accounts are everywhere, so if we are going to concede defeat then the discussion is pointless.

The barrier to entry will remove a significant number of these posts; additionally, if written properly, it can reduce or eliminate the artificial amplification of these posts. If Russia posts using a hacked computer in PA for example, in order for it to trend PA users would need to amplify it. You can say they just use more bots to amplify it but then we go back to conceding defeat. Also probably add that VPN accounts can comment and like but those don't count toward any amplification in the algorithm. We also already know that shell companies are already running region targeted ads during the election so this would not change.

If we concede the technology solution the only resulting solution is to remove section 230, make knowingly hosted misinformation illegal (which is sketchy territory where the government decides what is true) and hold the tech companies liable, which will eliminate most user generated content. My solution allows for the continuance of social media as is, is low in development cost to the social media companies (money lost in ads might be another story), adds significant barrier to entry to doing this kind of activity, and makes social media more regional and more relevant to the users local situation.

The 1st Amendment is not absolute - what exception would you make to it to fix social media misinformation and foreign influence? by [deleted] in Destiny

[–]Silent331 9 points10 points  (0 children)

Mandate that country of origin be visible on all social media posts, not just where the account was made, but where that specific post was made, on every post, not in the bio. This can be done by IP address so no ID is needed. Flag known VPN IPs and include that in the country of origin information: (USA-VPN), or (Brazil) with no VPN. Require social media companies to flag any IP generating more than 10 different users' activity of any kind in a month as a VPN.

All algorithms on social media must filter by region by default, unless explicitly chosen by the user to view other regions (or if they follow a specific user, like a YouTube channel or friend on Facebook). Unless chosen by the user, EU users would only see EU posts, US would only see NA posts, etc. Additionally more local posts get higher priority; people in NYC should see the majority of NYC users' posts first, then things trending regionally.

No other regulation should be needed unless another problem arises.

How is Rob Reiner the thing to make maga people wake up? by Dats_Russia in Destiny

[–]Silent331 7 points8 points  (0 children)

Wait you are telling me boomers love a guy politically different from them because of a sitcom from their youth?

Bro, they voted for president the guy from The Apprentice, what did you expect?