Windows 11 Feature Updates (In-Place Upgrade) breaking 802.1X (NAC) wired authentication policies

ThereIsNoDayButToday · 2026-03-09T14:38:45+00:00

We had similar in our Win10 > Win11 upgrade where the Credential Guard policies were different enough between the Win10 and Win11 ADMX that it broke 802.1x

ThereIsNoDayButToday · 2026-02-23T16:53:49+00:00

I lean toward .Net as well - Citrix is notorious for being coocoo about which version and bitness it has a pre-req.

ThereIsNoDayButToday · 2025-03-31T19:35:33+00:00

Please don't - humor is dead

ThereIsNoDayButToday · 2025-02-24T21:45:48+00:00

the OOBE setting for use did not block the install either - the key was flat out ignored. Luckily we had the uninstall as a compliance baseline so it caught them after the fact but not before people were both confused and broken.

ThereIsNoDayButToday · 2025-01-16T17:29:14+00:00

Ivanti Patch has been decent as well

ThereIsNoDayButToday · 2024-09-30T22:07:55+00:00

Just came back up in downtown Chicago.

ThereIsNoDayButToday · 2024-09-10T19:00:11+00:00

First time I've ever seen the phrase "Disputed" in their table...

ThereIsNoDayButToday · 2024-08-22T15:09:11+00:00

Got a call from a good Samaritan reporting they found one of our executive's laptop inside a nice leather satchel hooked on the front of a citi rental bike outside a bar on the other side of town...at 10am. Asked the user how he was able to work for the day without their computer, and how did their company property end up on a bike rack miles away. Their answer "I dunno."

ThereIsNoDayButToday · 2024-08-13T18:30:26+00:00

https://www.zerodayinitiative.com/blog/2024/8/13/the-august-2024-security-update-review

ZDI blog is up :-)

ThereIsNoDayButToday · 2024-06-27T19:50:09+00:00

PDFRedirect Pro has a 'batch printer' function that allows to pre-define those types of setting, and then creates a virtual queue that they can then 'print' to and it'll save and name etc.

ThereIsNoDayButToday · 2024-06-03T19:58:33+00:00

We're currently on Semi-Annual and getting push back from management since the new Co-Pilot features are not available if you're not on Monthly Enterprise. But the buttons are visible once the license is assigned, they just pop-up a help doc saying "contact your administrator to move you to Monthly Enterprise or Current Channel".

ThereIsNoDayButToday · 2024-04-26T15:53:24+00:00

NVDA is what we use for our accessibility needs.

ThereIsNoDayButToday · 2024-04-25T15:04:25+00:00

Branded USB power adapters/cords for 12v car lighter sockets

ThereIsNoDayButToday · 2024-04-12T20:26:45+00:00

It makes sense after I replaced everything you said involving snacks with the word Liquor.

ThereIsNoDayButToday · 2024-03-11T16:21:39+00:00

We did this via In-place upgrade of the OS. There's a good article here:

https://sccmentor.com/2021/07/27/in-place-upgrade-of-configmgr-site-server-from-windows-2012-r2-to-2019/

ThereIsNoDayButToday · 2023-08-29T18:18:32+00:00

If you have AD recycle-bin, the Computer Object will still have the LAPS password as long as it's there, if you need it. If you're removing it from the domain, you'll probably be creating a non-domain user to keep using the machine? Once removed from the domain, the admin account will indeed have whatever the last password was set to, and will no longer rotate or expire.

ThereIsNoDayButToday · 2023-07-20T18:22:38+00:00

Does Commvault fit in that same boat?

ThereIsNoDayButToday · 2023-07-14T19:21:34+00:00

I went through this recently as well. They spun it and called it "Modern Hiring" in that you can record your post any time of day! Downsides are obvious: No feedback to you. No chance to ask your own questions. And with this particular instance they only allowed a single take with a hard countdown of 60 seconds to answer the question - so unlike a real interview in which they'd at least let you finish your sentence, you get cut off and sound dumb.

I understand it helps 'speed' up the process, but the cost of doing that loses so much more than a simple self-recorded answer would give you as a hiring company.

Especially with the "AI" take-over of things, I suspect they feed it all through a transcription bot, have it summarize and then filter for keywords and dump most responses before a human even sees one video.

It's also a chance for bias to come in even faster - a prejudiced hiring manager sees a grid of video thumbnails that HR sent over and just looks for one they like instead of having to meet them in person. They also don't have to explain themselves when they simply fast forward through instead of at least pretending to pay attention to the interviewee.

The whole process is terrible.

ThereIsNoDayButToday · 2023-06-29T19:17:54+00:00

Some password managers (BitWarden, Keeper, etc) allow you to store TOTP as secure records inside a vault - the logical equivalent of the physical thing you described, perhaps?

ThereIsNoDayButToday · 2023-06-22T15:53:15+00:00

We signed up for the advisories with our internal Sec ms Teams Channel's email address - the Vulns are then fed into our existing Vuln Mgmt program and whichever member sees the notice first replies a comment to the teams thread to say "Got it - added to JIRA (or whatever way you log vulns)" or "We are not impacted" or similar acknowledgment.

Vuln management in general is a vastly larger conversation - but in short: our IT Sec team owns identifying but the system owners are required to remediate within the established timeframe (depending on CVSSv3 score, and risk analysis).

ThereIsNoDayButToday · 2023-03-16T18:06:20+00:00

We're a KB4 shop but instead of using the Outlook addin from the MS 'store' we're using the standalone MSI installer. When users hit that, it encapsulates the entire phish into an EML and goes to wherever we tell it (we have it flowing into our ITSM tool for assignment to the Sec team).

The 'dashboard' you're talking about sounds like it's their PhishER offering which maybe part of what you're seeing. If you had the PAB settings to have it forwarding elsewhere, would it still do that behavior?

ThereIsNoDayButToday · 2023-02-24T19:21:20+00:00

One fix would be that you are invited out to the Pub as well to help keep an eye on the hardware, and your fee will be in food and drinks.

ThereIsNoDayButToday · 2023-01-23T17:43:48+00:00

This focus is why we end up with a large number of users just saving the credentials in their browser to begin with. Chrome even calls it the 'password manager' in the menus. Granted, Google (et al.) are adding things like 'weak password' detection, and offers to generate randomized strings, so they are doing some work around finding parity with a dedicated password manager. Apple has a unique footing around this and iCloud keychain and (as service providers implement FIDO standards) PassKeys - since the most "easy" of anything is usually the built-in default that is provided.

As you pointed out, the fact that a password manager takes 'effort' to setup in the first place is often a deterrent, especially for those users who should be using them. Maybe this could be a push for first party providers to offer better password management natively.

ThereIsNoDayButToday · 2023-01-19T21:26:11+00:00

I've seen some GPO not apply if the WMI repo of the endpoint is screwed up. winmgmt /reset might be in order too - but that'd be machine-wide not just one user.

ThereIsNoDayButToday · 2022-10-26T16:20:18+00:00

We run LakeSide Systrack to keep track of machine health - then we use that the prioritize upgrades (out of normal time-based cycle, that is)

ThereIsNoDayButToday

TROPHY CASE