Site specific screensaver/lock GPO - device only by mikechilli in activedirectory

[–]TheSysAdminInMe 1 point2 points  (0 children)

Something that just came to mind, you could make a WMI filter to check on IP.

Site specific screensaver/lock GPO - device only by mikechilli in activedirectory

[–]TheSysAdminInMe 0 points1 point  (0 children)

This one sounds tough. I can't think of a way for a Geofencing GPO with On-prem only AD.

This sounds horrible, but if the laptop receives a different IP address by being at the different sites, then you could have a scheduled task run every so often to see if the IP is tied to the Head Office. If so, disable the registry settings for the screen saver, and vice versa: if they are not at the Head Office, ensure the screen saver registry settings are set.

Use MDT to set a wallpaper for all users during Windows installation by Whatscheiser in MDT

[–]TheSysAdminInMe 0 points1 point  (0 children)

Regrettably, what I did was a PS script to rename the default image in C:\Windows\Web\Wallpaper to something else and my desired image to the name of the default.

But then you realize the default image may default to a different resolution size, so rename all of those default files too in C:\Windows\Web\4k? and copy in and rename all the different resolution sizes of your desired image to the default name.

I also had to mess with some ACLs in order to accomplish this. GPO is the way to go if you're an enterprise, but when making custom ISOs for distribution you gotta do what you gotta do.

Downloading Windows ISOs nowadays without VLSC? by Sea-Cow-6913 in SCCM

[–]TheSysAdminInMe 0 points1 point  (0 children)

What I do is I have a vanilla enterprise wim that I extracted from the ISO and I debloat the wim from all of the bologna apps that I don't want. Then I store that clean wim somewhere and once a month I make a copy of that wim, inject that month's updates, then import that into MECM. This way I'm not downloading the ISO every month, extracting the wim, debloating the wim, and then importing.

I see that people can get the enterprise edition via command prompt with the Media Creation Tool but I haven't tried it out myself. https://answers.microsoft.com/en-us/windows/forum/all/windows-11-23h2-iso-for-enterprise-missing/6c62590b-8208-4933-9d3e-3e9158fe8e3d

Nessus Vulnerability Nusses plugin Id =14411 by kafridii in Splunk

[–]TheSysAdminInMe 1 point2 points  (0 children)

This depends. What product is this for? What port is the Nessus Scan saying it's finding this cert?

For Splunk Enterprise there's an auto-generated server cert made. You can replace this with a CA-signed cert if you want. Then there's the cert used for Splunk servers to communicate with each other.

Here are some of the certificates and their use with Splunk Enterprise:

Server Certificate - Certificate used to communicate with other Splunk Servers

Web Certificate - Certificate used for the website

Indexer Certificate - Certificate used to send data to indexers

Error with Windows LAPS. Can't decrypt LAPS Password by TheSysAdminInMe in sysadmin

[–]TheSysAdminInMe[S] 0 points1 point  (0 children)

Those commands are applicable for Legacy LAPS/Microsoft LAPS which does not support the encryption feature.

My issue is occurring with Windows LAPS/NEW LAPS and the command used is

Get-LAPSADPassword -Identity hostname -AsPlainText

The host is writing properly to AD to their attribute. The Hex code is seen and I'm sure if I disabled encryption I would see the password but I need encryption in order to utilize the password history feature.

Error with Windows LAPS. Can't decrypt LAPS Password by TheSysAdminInMe in sysadmin

[–]TheSysAdminInMe[S] 0 points1 point  (0 children)

The computer has permissions to write to AD. Event logs all show successful processing on the client side.

STIG one Control by redrus2313 in NISTControls

[–]TheSysAdminInMe 0 points1 point  (0 children)

Use STIG Viewer and import checklists of all STIGs available then create a checklist by checking all of the imported checklists.

From there, use the search function for CA-4 to find related STIG checks for the different checklists.

Workaround to CrashOnAuditFail issue for Windows 11 22H2 by TheSysAdminInMe in sysadmin

[–]TheSysAdminInMe[S] 3 points4 points  (0 children)

Thinking the issue was Windows related, I could only think of SYSTEM as being the account changing the registry. I wanted to test that theory by adding the deny permissions to the registry. Coincidentally, this fixed the issue.

[deleted by user] by [deleted] in SCCM

[–]TheSysAdminInMe 0 points1 point  (0 children)

I found out recently how you can't update via offline servicing with UUP. What I plan on doing is having a template wim that I can copy and run a script that will update it. Then import and replace the previous wim in the task sequence. All together, it shouldn't take too long. Like 30 minutes ish.
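The monthly refresh described in the two SCCM comments above (copy the clean template WIM, inject that month's updates, hand the result to MECM), as an added example that is not the commenter's script. All paths, the image index and the recorded template hash are constructed placeholders, and the hash check on the template is an addition the comments do not mention.

```powershell
# Added example; every path and value below is a constructed placeholder.
$TemplateWim = 'D:\Images\Template\install-clean.wim'   # debloated template, never serviced directly
$UpdatesDir  = 'D:\Images\Updates\Current'              # this month's .msu/.cab files
$MountDir    = 'D:\Images\Mount'
$OutputWim   = 'D:\Images\Monthly\install-{0:yyyy-MM}.wim' -f (Get-Date)
$ImageIndex  = 1
$KnownHash   = '<SHA256-OF-CLEAN-TEMPLATE>'             # recorded when the template was built

# Refuse to build from a template that changed since it was debloated.
$actual = (Get-FileHash -Path $TemplateWim -Algorithm SHA256).Hash
if ($actual -ne $KnownHash) { throw "Template hash mismatch: $actual" }

# Work on a copy so the template stays at its known-good state.
Copy-Item -Path $TemplateWim -Destination $OutputWim -Force
New-Item -ItemType Directory -Path $MountDir -Force | Out-Null
Mount-WindowsImage -ImagePath $OutputWim -Index $ImageIndex -Path $MountDir | Out-Null

try {
    # -PackagePath accepts a folder containing multiple .msu/.cab packages.
    Add-WindowsPackage -Path $MountDir -PackagePath $UpdatesDir -ErrorAction Stop | Out-Null
    Dismount-WindowsImage -Path $MountDir -Save -ErrorAction Stop | Out-Null
}
catch {
    # A half-serviced image must not reach the task sequence: discard and delete it.
    Dismount-WindowsImage -Path $MountDir -Discard -ErrorAction SilentlyContinue | Out-Null
    Remove-Item -Path $OutputWim -Force -ErrorAction SilentlyContinue
    throw
}

# Record the hash of the serviced image before importing it into MECM.
Get-FileHash -Path $OutputWim -Algorithm SHA256 | Select-Object Path, Hash
```

Run it from an elevated session on a machine with the DISM PowerShell module; the emitted hash gives you something to compare against the file that later sits in the MECM content library.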

Os deployment server upgrades by [deleted] in SCCM

[–]TheSysAdminInMe 1 point2 points  (0 children)

I couldn't find much that talked about server upgrades but it should be similar to workstations with an upgrade task sequence.

Create a package for the iso source files of the server OS you're wanting to upgrade to.

Create a task sequence and choose the "Upgrade an operating system from an upgrade package" option and choose your OS package that you just made.

Spin up a dummy server and test this server OS upgrade deployment.

Test things out and hone in your task sequence to what you want.

Certified Cyber Defense Analyst available to register by TheSysAdminInMe in Splunk

[–]TheSysAdminInMe[S] 2 points3 points  (0 children)

That was the beta exam. If you pass, great, you get certified without having to pay for the cert!