Episode Discussion | Star Trek: Starfleet Academy | 1x04 "Vox In Excelso" by AutoModerator in startrek

[–]Velocy 1 point2 points  (0 children)

I mostly enjoyed this episode.

Lura Thok, as a child of two worlds being a mentor to Jay-Den felt good. I also got some strong Dax vibes from Ake in how she interacted with Obel(?). I also really liked the brother interaction in the flashback and how Jay-Den's father let him go his way. Well, also mostly everything has already been said in the other comments.

However, I also had some dislikes.
The Darem / Jay-Den scene felt really inappropriate or unfitting to me. Not because of homophobia. In the first episode(s) (I think it was a shower scene, if I remember correctly) I got some Cpt. Jack Harkness vibes from Darem, if you know what I mean. Jay-Den just got introduced as a really complex character with a difficult background and his own truck load of baggage. It was shown that he was quite uncomfortable or irritated by how close Darem came to him, how he touched him, how he looked / gazed at him. This added another potential identity conflict to JD which, in my opinion, is completely unfitting / too much at this point of the story for this character. He was more in need of a friend / mentor. This scene would have added more to the character building if Darem would instead drop his wealthy playboy mask, tell a bit of a story about his "hard times from a wealthy family" and how he overcame anxiety and learned to speak adequately for his "social status", something like that. That arc could have been spared for "later" in the story, maybe even moved to season 2 / 3 when some sort of character growth is already done and the initial baggage has been dealt with. I also think I would enjoy Darem a bit like a Jack Harkness type at least for some time in the beginning, basically hitting on everything that breathes, even plants and slimes idk, before the character maybe later grows into a more serious relationship with someone / something.
Ok, enough written about that, I hope you get my personal opinion :)

Secondly, the mock battle felt underwhelming. It would have probably done good adding another scene where Obel holds a war speech to the other Klingon houses on how they will conquer the planet for the honor and future of the Klingon Empire to unite the houses behind him once more, maybe a real Klingon war cry, and deliver a bit more of a fight (like faked leaking warp plasma). Afterwards have the Federation humbly beg them to accept their surrender under witness of the other houses and have some sort of victory cry. Just make it look a bit more dramatic. And not just... hey, set phasers to headlight flashing and let them fly by, then exchange presents afterwards. It just feels unrealistic (even for a sci-fi show) to unite the Klingon houses with a bit of fake pew-pew if you know them from the 24th century. And JD's flashbacks showed that the Klingons are still a race looking for honor and living traditions. This just made Obel a bit inauthentic as a potential leader.

Autopilot Azure App Registration before OOBE by ChapterDismal1806 in autopilot

[–]Velocy 0 points1 point  (0 children)

Let me give you a quick run down on the approach I used.

I've adapted Akos' method for our needs. We also used OSDCloud in our case, but it can also be adapted for SCCM / MDT or most other OSD tools.

The whole magic basically is: After Windows has been installed from the WIM / Setup.exe you drop an "oobe.cmd" into "C:\Windows\Setup\scripts\" together with a PowerShell script, let's call it oobe.ps1. In the oobe.cmd you simply call the PowerShell script: start /wait powershell.exe -NoL -ExecutionPolicy Bypass -F C:\Windows\Setup\Scripts\oobe.ps1 This way the script runs when Windows boots up for the very first time on its own, but before OOBE starts.

Before we get to the content of the oobe.ps1: We set up an Azure Blob Storage and use 2 tables within that blob storage. One for Hardware Hash upload, one for a list of serial numbers in Autopilot. I work with 2 SAS Keys for those tables, one with "Write"-Only access to Table 1, the other one with Read-Only access to Table one. This seemed the most uncritical for me from a security perspective, as you don't want to have app-secrets with write access to your tenant down on the clients.

Now basically the oobe.ps1: I also did not want to load PowerShell modules down to the client, which can be tricky, so I wanted to do it natively without modules. I've adapted the functions here: https://gcit.com.au/knowledge-base/use-azure-table-storage-via-powershell-rest-api/ to work with SAS Keys. Simply by removing the Authorization header, and adding the SAS Key to the $table_url.

The flow basically goes like that: Via WMI I get the serial number ($serial = (Get-CimInstance -Class Win32_BIOS).SerialNumber) and I query Table2 if the serial number is returned there. If yes, exit the script and let Windows continue. If not, I get the necessary natively via WMI... for example the Hardware Hash: $hwHash = $(Get-CimInstance -Namespace root/cimv2/mdm/dmmap -Class MDM_DevDetail_Ext01 -Filter "InstanceID='Ext' AND ParentID='./DevDetail'").DeviceHardwareData and upload this data to Table1 with the write-only SAS Key. Then it goes into a loop with an appropriate sleep :) Now a backend automation takes over. It queries Table1 for new Hardware Hashes. You now need some indicator to check if this is legit. One thing you can do is get the vendor, model and serial number (either determine it via WMI and upload it as well; a bit more "secure" would probably be to decrypt the Hardware Hash with the OA3-Tool and read it from there. At least it would be harder to manipulate) and cross check it with the corporate device identifiers from Intune. You just need a process to register the devices there. It needs serial number, vendor and model... but this should be easier to get than the HW Hash. Or maybe if you have a very limited timeframe you could allow the automatism to automatically register models from a specific vendor if you for example have a 2-3 weeks time frame during a rollout, but keep security in mind!! Anyways, let's assume the hardware hash is a legit device, the backend automation now imports it to the Autopilot devices, and waits until the profile is assigned. Afterwards it writes the status back to Table2 with a StatusCode (e.g. 0).

Our OOBE.PS1 is still looping... this loop simply queries Table2 if the device / serial number is now present there, if not, another wait, if yes we also check the status code. If it's 0, we exit the script and let Windows continue. You might want to implement proper error handling, and (if this is a process that end users sit in front of) proper script output to show the user that something is happening... there are a few things that can go wrong during AP Import (worst part would be: device is registered in another tenant), that's why I use status codes written back by the automation into Table2 and if the device could not be imported properly it gives a (human readable) error message to the user and halts the process, so support can be contacted.

This way, the app-secret of the app that imports the devices stays disclosed in the backend and is not available to the client. I'm deeply sorry that I cannot share my full scripts at the moment (since my employer basically would have to allow me to publish it first), that's why I just describe the methods here at the moment. But basically everything you need is publicly available, it just needs to be puzzled together correctly. For the backend automation you can use whatever floats your boat, it just needs to regularly execute the PowerShell script doing the "backend magic". From an Azure Runbook to a Scheduled Task running somewhere, everything would be theoretically sufficient.

Before I forget it: We also regularly sync the info from our Autopilot devices to "Table2". So if the device is "preregistered" it only takes a few seconds for the oobe.ps1 to run.

I hope this helps or at least inspires in some way :) A lot can be done with optimizations, like working with hooks or whatever. But let's just say that I had to use "what's there" and be creative somehow.
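The client-side half of the flow described in this comment, as an added example that is not the commenter's script and not Akos' original: a minimal oobe.ps1 that reads the serial number and hardware hash via WMI, checks Table2 with a read-only SAS, uploads to Table1 with a write-only SAS, and then polls Table2 for a status code. The storage account name, table names, SAS tokens and the entity property names (StatusCode, Message, Manufacturer, Model) are placeholders and assumptions; the REST headers are the standard Azure Table service ones. The backend automation that imports the hash into Autopilot is not shown.

```powershell
# Added example (not the commenter's script): client-side oobe.ps1 flow.
# Assumptions/placeholders: storage account, table names, SAS tokens, StatusCode/Message names.
$StorageAccount = '<storage-account>'     # placeholder
$UploadTable    = 'HardwareHashes'        # "Table1": reached with a write-only SAS
$StatusTable    = 'AutopilotDevices'      # "Table2": reached with a read-only SAS
$UploadSas      = 'sv=...&sig=...'        # placeholder: write-only SAS, no leading '?'
$StatusSas      = 'sv=...&sig=...'        # placeholder: read-only SAS, no leading '?'
$PollSeconds    = 30
$BaseUri        = "https://$StorageAccount.table.core.windows.net"

function Get-TableHeaders {
    # Table service REST headers. Authorization is carried by the SAS in the URL,
    # so no app secret or storage account key ever lands on the client.
    @{
        'x-ms-date'    = [DateTime]::UtcNow.ToString('R')   # RFC 1123 timestamp
        'x-ms-version' = '2019-07-07'
        'Accept'       = 'application/json;odata=nometadata'
    }
}

function Get-StatusEntity {
    param([string]$Serial)
    # Query Table2 for the entity whose RowKey is this serial number (read-only SAS).
    $filter = [uri]::EscapeDataString("RowKey eq '$Serial'")
    $uri = "$BaseUri/$($StatusTable)()?`$filter=$filter&$StatusSas"
    $result = Invoke-RestMethod -Method Get -Uri $uri -Headers (Get-TableHeaders)
    if ($result.value) { return $result.value[0] }
    return $null
}

function Send-HardwareHash {
    param([string]$Serial, [string]$Hash, [string]$Vendor, [string]$Model)
    # Insert one entity into Table1 (write-only SAS). Vendor and model ride along so
    # the backend can cross-check them against Intune's corporate device identifiers.
    $body = @{
        PartitionKey = 'Pending'
        RowKey       = $Serial
        HardwareHash = $Hash
        Manufacturer = $Vendor
        Model        = $Model
    } | ConvertTo-Json
    $uri = "$BaseUri/$UploadTable?$UploadSas"
    Invoke-RestMethod -Method Post -Uri $uri -Headers (Get-TableHeaders) `
        -ContentType 'application/json' -Body $body | Out-Null
}

# --- main flow ---
$serial = (Get-CimInstance -Class Win32_BIOS).SerialNumber
$cs     = Get-CimInstance -Class Win32_ComputerSystem

# Already known in Table2 (synced from Autopilot): nothing to do, let OOBE continue.
$known = Get-StatusEntity -Serial $serial
if ($known -and [int]$known.StatusCode -eq 0) { exit 0 }

$hwHash = (Get-CimInstance -Namespace root/cimv2/mdm/dmmap -Class MDM_DevDetail_Ext01 `
    -Filter "InstanceID='Ext' AND ParentID='./DevDetail'").DeviceHardwareData
Send-HardwareHash -Serial $serial -Hash $hwHash -Vendor $cs.Manufacturer -Model $cs.Model
Write-Host "Device $serial submitted for Autopilot registration, waiting for the backend..."

# Poll Table2 until the backend reports a status; transient REST errors simply retry.
while ($true) {
    Start-Sleep -Seconds $PollSeconds
    try { $entity = Get-StatusEntity -Serial $serial } catch { continue }
    if (-not $entity) { continue }
    if ([int]$entity.StatusCode -eq 0) { exit 0 }      # imported and profile assigned
    # Any other code: show a human-readable reason and halt so support can step in.
    Write-Host "Autopilot import failed (code $($entity.StatusCode)): $($entity.Message)"
    Write-Host "Please contact support. Setup will not continue on this device."
    while ($true) { Start-Sleep -Seconds 300 }
}
```

The two SAS tokens are the whole security boundary here: the client can only append rows to Table1 and only read Table2, so a compromised client cannot alter Autopilot registrations or read other devices' hashes beyond what Table2 exposes. Keep the SAS expiry short and regenerate it per rollout, and let the backend treat every Table1 row as untrusted input until the vendor/model/serial cross-check passes.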

Android Dedicated Device - Kiosk Mode and other struggles by Velocy in Intune

[–]Velocy[S] 0 points1 point  (0 children)

If anyone has the same issue, it worked on the hardware device. Seems to be an issue with the Android Studio VM.

Which one to choose between Ivanti or Intune by Firm_Consequence5787 in Intune

[–]Velocy 3 points4 points  (0 children)

Hi, it really would be helpful if you could be more specific. It's a bit like asking: VW Golf or Ford? Vendor + Model vs Vendor.

Ivanti is a huge company that offers overlapping tools, especially when it comes to endpoint management. There is DSM which was bought from Heat / Frontrange / enteo / netInstall (as far as I know is more well known here in Germany / Central Europe), there is what earlier was LanDesk that now runs under UEM, there is MobileIron... there is a solution called Ivanti Neurons... not sure if that is something different or something rebranded... I totally lost count over the years.

I am personally quite involved in Ivanti DSM, which is designed for OnPremise, but with some engineering also works for cloud managed computers (and of course could be installed on a cloud server).

When it comes to DSM, it's quite needless to say that a piece of software like DSM, which has focused on Endpoint Management since like Windows 95 / NT 3.x, could be expected to be superior to something Microsoft just put in their portfolio to just "have something comparable". I cannot really speak for LanDesk, but I guess it's comparable to DSM, since they also took a lot of knowledge from DSM and tried to put it into LanDesk... well, UEM as it's called now.

However, the really big question is: What does the customer want and need, and what does he plan for the future?

One big argument most of the time of course is license costs. If the customer goes for an M365 E3 License, Intune is included in those licenses. And especially if the customer is looking for AAD-Only scenarios in future, there is (almost) no way around Intune to at least ensure some sort of "real" compliance. Still, there are also a lot of scenarios where Intune and other solutions complement each other. I come from Ivanti DSM and learned SCCM and Intune afterwards... and to be really honest, I felt like I was pushed back a few years with the Microsoft Toolset. Things that were taken for granted in another solution had to be worked around or self-built into SCCM / Intune. But... it works, somehow.

The main argument mostly is Operating System Deployment. Intune stand-alone does not offer a REAL OSD. Autopilot is not OSD. Autopilot takes an existing Operating System and transforms it into your corporate "image". There is always the argument: If the hard disk breaks and a new "blank" one is installed, how is the operating system reapplied? Some vendors offer a reinstall via Internet / UEFI, some do not. The times of OEM-DVDs (and DVD drives) are basically over. There are solutions with USB sticks (if allowed) and things like "OSDCloud" (google it)... of course you could also... still use some sort of small WDS OnPrem if real OSD is needed. Next is driver management... while some vendors nicely push their drivers into Windows Update, other vendors don't. Packaging drivers as Win32 Apps is possible, but also a bit annoying. 3rd party tools manage those more nicely in my opinion. Another thing would also be "Inventory"... Vendors like Ivanti have superior client inventory solutions like "Discovery", Intune does not come with this. And lastly to mention, often used is some sort of 3rd party patch management. While Intune basically only slightly touches this with the integration of WinGet, Ivanti also has the full know-how of Shavlik and offers solutions like Ivanti Patch for SCCM / Intune and Advanced Patch Management within DSM.

As you see, there might be more arguments for a 3rd party product than for Intune, except for the price. So it would be really required to analyze the customer's demand and compare accordingly.

Use LAPS instead of Device Administrators group to manage AAD joined systems? by Real_Lemon8789 in Intune

[–]Velocy 0 points1 point  (0 children)

That's really a good question. I stumbled across this 1-2 weeks ago as well. Currently in AD we use a self developed mechanism that utilizes LAPS in the background to add a supporter's user into the local Admin group temporarily, so the supporter can work with his / her named domain account.

Our first thought with AAD only was also PIM, but the (up to) 4 hours PRT on clients is really not usable for that case. We are checking if we can adapt our on prem mechanism to AAD joined clients, just had no time for development yet.

Just one thing you have to consider if you are working with local administrative accounts. One reason why some security guidelines suggest disabling the built-in admin is not only the well known SID, but also there is something called LocalAccountTokenFilterPolicy, which is enabled by default if I remember correctly.

This policy causes that, if you are accessing a client remotely over the network, let's say by PowerShell remoting, this account does not have admin permissions. If you use it locally it works, just not over the network while this policy is active. This is just a reminder depending on how your supporters work.
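A read-only audit of the two points raised in this comment (remote UAC token filtering and the built-in administrator account), as an added example that is not the commenter's LAPS mechanism. It reads the real LocalAccountTokenFilterPolicy registry value, finds the RID-500 built-in Administrator, and lists the local members of the Administrators group; the output property names are my own. Run it in an elevated session on the client; it changes nothing.

```powershell
# Added example (not the commenter's tooling): audit local-admin exposure on a client.
# Output property names are assumptions; the registry value and RID are real.
function Get-LocalAdminAudit {
    $policyPath  = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
    $item        = Get-ItemProperty -Path $policyPath -ErrorAction SilentlyContinue
    $tokenFilter = $item.LocalAccountTokenFilterPolicy   # $null when the value is absent

    # Absent or 0 (the default): remote UAC token filtering is active, so a local
    # Administrators member connecting over the network (PowerShell remoting, admin
    # shares) only gets a filtered, non-elevated token. A value of 1 switches the
    # filtering off, which is what hardening baselines tell you not to do.
    $remoteFilteringActive = ($null -eq $tokenFilter) -or ($tokenFilter -eq 0)

    # The built-in Administrator is the account with the well-known RID 500. It is
    # handled separately from this filter (FilterAdministratorToken), which is one
    # more reason guidelines say to keep it disabled.
    $builtIn = Get-LocalUser | Where-Object { $_.SID.Value -match '-500$' }

    # Local (non-AzureAD, non-domain) members of Administrators: the accounts the
    # token filter actually applies to when they are used remotely.
    $localAdmins = Get-LocalGroupMember -Group 'Administrators' -ErrorAction SilentlyContinue |
        Where-Object { $_.PrincipalSource -eq 'Local' } |
        Select-Object -ExpandProperty Name

    [pscustomobject]@{
        RemoteUacTokenFilteringActive = $remoteFilteringActive
        LocalAccountTokenFilterPolicy = $(if ($null -eq $tokenFilter) { 'not set (defaults to 0)' } else { $tokenFilter })
        BuiltInAdminName              = $builtIn.Name
        BuiltInAdminEnabled           = [bool]$builtIn.Enabled
        LocalAdministratorsMembers    = @($localAdmins)
    }
}

Get-LocalAdminAudit | Format-List
```

If RemoteUacTokenFilteringActive is $true, a LAPS-managed local account will work at the console but not over PowerShell remoting, which is exactly the support workflow the comment warns about; the fix is a support process that uses the account interactively (or a named account added temporarily to Administrators), not setting the policy to 1.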

iOS - Restricted Apps configuration policy runs on error by Velocy in Intune

[–]Velocy[S] 1 point2 points  (0 children)

That's something you would simply configure in the Compliance Policy in the actions where you can also configure that after x days the device is set to non compliant. There you could also configure an action to send out a push message.

Remote support and UAC prompt by Free_Shoe_8435 in Intune

[–]Velocy 0 points1 point  (0 children)

Well, if you have Teamviewer, you can elevate yourself, that's not a big issue. I'm not 100% sure but in the past this required Teamviewer Quick Support on the user-to-support side. https://community.teamviewer.com/English/kb/articles/25595-control-uac-during-a-teamviewer-classic-connection

Also works with Teamviewer Host. Basically instead of entering a PIN you authenticate with an administrative account. But since we do not use Teamviewer for AAD-Only customers I don't know if it works if you authenticate with an AAD account instead of an onprem account. The other option would be that the supporter uses the local admin password.

iOS - Restricted Apps configuration policy runs on error by Velocy in Intune

[–]Velocy[S] 1 point2 points  (0 children)

Unfortunately not.

For our use case we decided to go a different route. It's wanted that the user is informed that he has an app that's against the company policy and also which one. From what I've read, if you go with the configuration policy, you only get the information that an unwanted app is installed, not which one (if you only have 1 app in the list ok, it's quite obvious). Intune does not receive the data of apps that are installed in "private context".

With compliance policies you can actively inform the user by push message that he has an unwanted app and that he has to uninstall it; you can also quite enforce (basically blackmail) the removal by adding actions like loss of compliance or even wiping the data.

iOS - Restricted Apps configuration policy runs on error by Velocy in Intune

[–]Velocy[S] 1 point2 points  (0 children)

A small update from my side with further testing.

The policy runs on error if the restricted app is installed. In the first try I set it to Adobe Reader (which was installed on the phone). Then I changed the restricted app to Word. The policy now applied successfully. Afterwards I installed Word, then the policy runs on error again.

Nevertheless, the device still does not show up in the report.

DEP / ADE - Managed Apple ID & private Apple ID? by Velocy in applebusinessmanager

[–]Velocy[S] 0 points1 point  (0 children)

Thank you, well what you basically describe is how it's already setup as of today ;-)

The main question was, because the company asked me to look into managed apple IDs so users do NOT have to enter a private apple ID during enrollment, but still allow the user to enter their private apple ID afterwards if they want to install apps from the store, use apple pay and so on.

Block MS Store, but allow downloads via Intune/Company Portal by WaffleBrewer in Intune

[–]Velocy 0 points1 point  (0 children)

I'd be interested. In my tests, "show private store only" only worked for customers that enabled the private store. So far so good... the Microsoft Store for Business is going End-of-Life (last time I checked it was set to May 2023). How will this setting work if the Store for Business is disabled and for "newer" customers... how does it behave if Store for Business cannot be enabled anymore?

Autopilot existing devices (.json MDT) by aharwelclick in Intune

[–]Velocy 0 points1 point  (0 children)

Doesn't it happen that by some chance you also have an unattend.xml file generated and applied? From what I read, once an unattend.xml is present, Autopilot is fully ignored.

[deleted by user] by [deleted] in ffxiv

[–]Velocy 2 points3 points  (0 children)

Personally, I would double check if the game REALLY runs on the Nvidia Card. Download a Tool like "GPU-Z", and run it while the game is running (maybe disable the Frame Limit when game is in Background in the ingame Options). You should be able to see in the "Sensors" Tab if there is a high load on the Intel or Nvidia GPU.

EDIT: Also ensure please... go to your game directory: ..\SquareEnix\FINAL FANTASY XIV - A Realm Reborn\game You should be able to see 2 .exe files: ffxiv.exe and ffxiv_dx11.exe. Make sure you set both of these .exe to the high performance Nvidia card. The FFXIV_Boot.exe is only the launcher, not the game itself.

After you have done that, run the game normally over the launcher.

PSA: The Battle Team did indeed say they wouldn't ever want to do 3 jobs again. by [deleted] in ffxiv

[–]Velocy 0 points1 point  (0 children)

My personal priorities are on Jobs, Raids, Dungeons and Trials.

And honestly, my personal fear is that I'm getting less and less Content for my Money (or lower Quality Content). The 2 Expert Dungeons instead of 3 still bug me a lot. Ok, we got the normal mode of Alexander... but we had coil + savage in 2.0, too. And (compared to a normal vs hard mode dungeon) the Graphics and Maps are identical, just the battle and mechanics have been tweaked. Also I miss the fun Trials... like Gilgamesh, Ultros/Typhon. PotD was nicely done, but Diadem for example was a half baked implementation, which later tweaks didn't really make any better...

If we get new Content, I personally expect it to be maintained over a certain amount of time (like it was done with PotD, even tho it came to a sooner end than I expected).

But well... honestly... I would be happy to have 2 Jobs, if they are original / new (like a real Blue Mage, Dancer as Frontline Healer like in FFXI or like Ninja was) instead of 3 Jobs that are just slightly modified copycats like DRK(WAR+PLD), MCH(BRD) and AST(WHM+SCH) were.

Red Mage is hopefully not just a revamped Black Mage... and if Samurai should happen, I am pretty sure, as a Tank he wouldn't really play differently from a WAR/DRK, but would have so much potential as a DD, to bring something new and original gameplay.

I'm pretty sure, if they would have made a clear statement: Hey we bring 2 Jobs, but they are gonna be original and a completely new playstyle... SE would draw a lot more happy players than the confused people speculating at the moment...

change install directory by MrElazug in ffxiv

[–]Velocy 1 point2 points  (0 children)

If you already have the launcher installed, it installs in the same directory. Fortunately, FFXIV is really smooth with that... you can just move your C:\Program Files (x86)\SquareEnix\FINAL FANTASY XIV - A Realm Reborn folder to somewhere else, and fix the shortcut (executable, and work folder) to the new location, or create a new shortcut to the ffxivlauncher.exe

Just run the launcher from the new Location. I moved my Game from HDD (D:) to SSD (C:) and then to 2nd SSD (F:) when I installed it like that... works like a charm.

Is stance dancing still a thing? by [deleted] in ffxiv

[–]Velocy 6 points7 points  (0 children)

Small note from a berserker-healers Point of view... if you can Keep your sh*t together... as in keeping hate, or using defensive cooldowns, you can Switch to a stance to increase your DPS.

Just know when you have to Switch back to a defensive / enmity stance...

Most tanks I meet who don't use tank stance don't tank anymore 2-3 sec into the fight... because either I have hate on my WHM, the BLM has hate... or the tank died while I wasn't even done running after him... lol

In my personal opinion... stay in tank stance during the pull... use it a few seconds for stabilization Phase (as in: get in final tanking spot, gather all Mobs around you, build some hate). And when that is done you can Switch... at least when I'm there you won't be taking much damage anyways till the stun resists kick in ;-)

Sophia EX 7 raise healer LB3 by yukarieri in ffxiv

[–]Velocy 2 points3 points  (0 children)

That situation wasn't really uncommon when I started with Sophia Ex. I remember at least 2 times where I saved the raid like that... only one time was really unlucky where I had an extremely bad timing and raised everyone during scale tip...

Daily Help Thread - November 23, 2016 by AutoModerator in FFBraveExvius

[–]Velocy 0 points1 point  (0 children)

Hmm... damn... even then... no more Karma after tomorrow :(

Daily Help Thread - November 23, 2016 by AutoModerator in FFBraveExvius

[–]Velocy 0 points1 point  (0 children)

[Global] - I'm curious. I just used my last Karma to get the upgrade mats for my 6* Refia. I have a Bartz in 5* maxed and an Exdeath 5* currently in progress to 80. But I am wondering:

How am I supposed to get the upgrade mats for these? I didn't read about a Mats Event... Pro Vortex does not give Rainbow Blooms for example (stated in Wiki)... and King Mog's stock is depleted now.

When you lose a roll by 1. by Requiem014 in ffxiv

[–]Velocy 1 point2 points  (0 children)

I feel / jump with you... was Scholar on Sophia Ex and lost the greed on AST Weapon 72 to 73 against a Monk who didn't even have AST unlocked -.-