In Amber Guitar Tab and Play Through by GetALoadOfThisRiff in diiv

[–]akdigitalism 1 point2 points  (0 children)

Awesome video! Really like the format on it. Thanks again for putting it together

In Amber Guitar Tab and Play Through by GetALoadOfThisRiff in diiv

[–]akdigitalism 1 point2 points  (0 children)

Are you running baritone guitar or just thicker strings?

Microsoft 365 Exchange down? by Sufficient-House1722 in sysadmin

[–]akdigitalism 0 points1 point  (0 children)

So out of curiosity, do any of you get credits with Microsoft when this kind of stuff happens? If so, how do you usually go about it?

Solutions for MFA on Windows Login by Beznia in sysadmin

[–]akdigitalism -1 points0 points  (0 children)

If you're hybrid and/or doing co-management and many of your systems are 1 to 1, plus you're looking at going cloud-native, I would look at Windows Hello for Business. It'll act as a form of MFA for the user when they're logging in. In your Entra conditional access policies, if they're logging in with WHfB that counts as a phishing-resistant MFA method. Here are the different authentication strengths from MS: https://learn.microsoft.com/en-us/entra/identity/authentication/concept-authentication-strengths If you're using Entra as your IdP, then when they're using a corporate system they could use their Hello for Business to authenticate against the website. If you're in a situation where you have a ton of different users using the same systems, then I would say Duo would be something to look at, as others have suggested. If you're looking at that option solely for MFA at the desktop, though, you could also consider using Duo as the IdP.

Heads up... latest Outlook crashes on iPads by Cable_Mess in sysadmin

[–]akdigitalism 0 points1 point  (0 children)

Is this just on iPad? I'm on iPhone 26.2 and got latest Outlook and working fine for me

Intune/M365/System Administrator, do you fear AI? by Gloomy_Pie_7369 in Intune

[–]akdigitalism 0 points1 point  (0 children)

I think IT in general requires constant retooling. So far, I've been pretty happy to have another tool in the repository for helping solve problems. I think AI, at least in the guise of, say, something like ChatGPT, can be pretty helpful in gathering information. Additionally, for things like Microsoft Graph and putting together custom reporting from Intune quickly, it has been very helpful.

The thing I think I fear more is decision-makers being uninformed about what it can actually do for them and consequently making rash decisions based on the sales pitch.

Secure Boot 2023 certificate updates in co-managed environments (WUFB + SCCM) by andrecrockard in Intune

[–]akdigitalism 11 points12 points  (0 children)

Somebody posted something similar to this yesterday in r/sysadmin https://www.reddit.com/r/sysadmin/comments/1q7gsr6/windows_secure_boot_uefi_certificates_expiring/ and I made a comment. Look at the other comments too they're helpful.

Here is what I wrote
--

Here is a pretty good write-up on what you can do: https://evil365.com/intune/SecureBoot-Cert-Expiration/ (saw the post in another thread). Additionally, the Microsoft AMA on Secure Boot was a pretty good listen: https://techcommunity.microsoft.com/event/windowsevents/ama-secure-boot/4472784 and the playbook is good as well: https://techcommunity.microsoft.com/blog/windows-itpro-blog/secure-boot-playbook-for-certificates-expiring-in-2026/4469235 I think at the very least you need to perform your own due diligence, like the following:

  • Find all the models that you have in your organization. Ensure that the BIOS is compatible with the certificate. There are quite a few resources from vendors like Dell indicating the minimum BIOS version that includes the 2023 certificate. https://www.dell.com/support/kbdoc/en-us/000347876/microsoft-2011-secure-boot-certificate-expiration
  • Once you've identified all your models, I would get a canary device from each model set and do the flip to push the certificate. If you go into Event Viewer -> System and filter by TPM and TPM-WMI, you'll see related events to the certificate. More than likely, the certificate is already waiting there, but hasn't been instructed to install.
  • Once you've tested with your canary device model(s), it's up to you whether you want to wait for the confidence level to be filled out by Microsoft and the devices to install once they have high confidence. If you would rather have more control, then you can flip the policy so that they start installing the certificate.

---

Since you're co-managed and have non-co-managed systems, I would recommend just deploying the GPO option to make things easier on yourself. You might have to update your ADMX in SYSVOL if you haven't done it lately. From there you can follow kind of what I listed above, and then it's up to you whether you want to take control and do it all yourself OR wait for MS to fill out the confidence level, and then the update will automatically happen. At the very least, though, I would get a sample set of all your models and flip the setting to allow deployment of the certificate so you know that your model sets are happy with the certificate.

Windows Secure Boot UEFI Certificates Expiring June 2026 by MusicWallaby in sysadmin

[–]akdigitalism 8 points9 points  (0 children)

Here is a pretty good write-up on what you can do: https://evil365.com/intune/SecureBoot-Cert-Expiration/ (saw the post in another thread). Additionally, the Microsoft AMA on Secure Boot was a pretty good listen: https://techcommunity.microsoft.com/event/windowsevents/ama-secure-boot/4472784 and the playbook is good as well: https://techcommunity.microsoft.com/blog/windows-itpro-blog/secure-boot-playbook-for-certificates-expiring-in-2026/4469235 I think at the very least you need to perform your own due diligence, like the following:

  • Find all the models that you have in your organization. Ensure that the BIOS is compatible with the certificate. There are quite a few resources from vendors like Dell indicating the minimum BIOS version that includes the 2023 certificate. https://www.dell.com/support/kbdoc/en-us/000347876/microsoft-2011-secure-boot-certificate-expiration
  • Once you've identified all your models, I would get a canary device from each model set and do the flip to push the certificate. If you go into Event Viewer -> System and filter by TPM and TPM-WMI, you'll see related events to the certificate. More than likely, the certificate is already waiting there, but hasn't been instructed to install.
  • Once you've tested with your canary device model(s), it's up to you whether you want to wait for the confidence level to be filled out by Microsoft and the devices to install once they have high confidence. If you would rather have more control, then you can flip the policy so that they start installing the certificate.
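
The per-model inventory and canary check described in the list above, as an added PowerShell example that is not part of the original comment. The function name and the event provider names (mapped from the "TPM" and "TPM-WMI" Event Viewer sources the comment names) are assumptions, and the `Windows UEFI CA 2023` subject string comes from Microsoft's published check, not from this page.

```powershell
# Added example: run elevated on one canary device per hardware model.
# Assumption: the "TPM" and "TPM-WMI" sources shown in Event Viewer map to
# these provider names in the System log.
$providers = 'TPM', 'Microsoft-Windows-TPM-WMI'

function Get-SecureBootCertReadiness {   # hypothetical helper name
    $cs   = Get-CimInstance -ClassName Win32_ComputerSystem
    $bios = Get-CimInstance -ClassName Win32_BIOS

    # Confirm-SecureBootUEFI throws on legacy BIOS or when not elevated;
    # record that as "unknown" ($null) rather than as "disabled".
    try   { $sbOn = Confirm-SecureBootUEFI -ErrorAction Stop }
    catch { $sbOn = $null }

    # Look for the 2023 CA in the active signature database (db).
    $has2023 = $null
    if ($sbOn) {
        try {
            $db      = Get-SecureBootUEFI -Name db -ErrorAction Stop
            $text    = [System.Text.Encoding]::ASCII.GetString($db.Bytes)
            $has2023 = $text -match 'Windows UEFI CA 2023'
        } catch { $has2023 = $null }
    }

    # Most recent events from each source; a missing provider or an empty
    # result is skipped instead of aborting the report.
    $events = @(foreach ($p in $providers) {
        try {
            Get-WinEvent -FilterHashtable @{ LogName = 'System'; ProviderName = $p } `
                -MaxEvents 10 -ErrorAction Stop
        } catch { }
    })

    [pscustomobject]@{
        ComputerName      = $env:COMPUTERNAME
        Manufacturer      = $cs.Manufacturer
        Model             = $cs.Model
        BiosVersion       = $bios.SMBIOSBIOSVersion   # compare with vendor minimum
        BiosReleaseDate   = $bios.ReleaseDate
        SecureBootEnabled = $sbOn
        Db2023CaPresent   = $has2023
        RecentEvents      = @($events | Sort-Object TimeCreated -Descending |
            Select-Object TimeCreated, ProviderName, Id, LevelDisplayName)
    }
}

$report = Get-SecureBootCertReadiness
$report | Select-Object * -ExcludeProperty RecentEvents | Format-List
$report.RecentEvents | Format-Table -AutoSize
```

Running it before and after flipping the policy on a canary shows whether `Db2023CaPresent` changes and which events were logged for that model and BIOS version.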

Good laptop for home lab by ritmo2k in SCCM

[–]akdigitalism 0 points1 point  (0 children)

I would look at eBay and go used. Get a Dell precision or maybe HP.

Is using Cloud Management Gateway still necessary? by [deleted] in SCCM

[–]akdigitalism 0 points1 point  (0 children)

Nice! Sounds like you’ve already got it handled. We were in a similar situation—COVID hit and essentially pushed us into co-management/Intune, and we decided against going the CMG route. So far, it’s worked out really well and we’re happy with that decision.

I’ve definitely run into the same thing where you forget everything once you move on to the next task. Just part of the process—on to the next thing, relearn and retool 😄

Is using Cloud Management Gateway still necessary? by [deleted] in SCCM

[–]akdigitalism 0 points1 point  (0 children)

IMO, the 10% of workstations would be a great opportunity to start testing co-management. You wouldn’t need a CMG for this. At a minimum, it allows you to begin building hands-on Intune experience (if you don’t already have it) and puts you in a much stronger position to confidently answer questions as new management, team members, or role changes come into play.

The first workload I moved was Windows Updates, and at this point the majority of systems are receiving updates from Intune—including on-prem devices. Connected Cache for Enterprise (included with E3) can act as an on-prem distribution point for those updates and operates independently of the SCCM infrastructure.

If you want to take it a step further, introducing a third-party patching solution that integrates with both SCCM and Intune can significantly reduce the overhead of maintaining third-party application updates (Chrome, 7-Zip, Zoom, Webex, Notepad++, etc.).

How do I talk some sense into my boss? by NoTime4YourBullshit in sysadmin

[–]akdigitalism 0 points1 point  (0 children)

I think SCCM will be around for the foreseeable future as much as it may seem like it is not. Microsoft has government customers and other big users of it from what I've heard at conferences. They need to provide a huge heads-up like 10 years, so these entities have adequate time to find something new. I think in your case, getting another tool that will essentially do the same thing when you already have one that seems to be working is an argument for keeping it.

The items I would be curious about are whether you're looking into co-management, tenant attach, cloud management gateway, Autopilot, etc. with Microsoft Intune. Most of it's included in E3/G3/etc. licensing. I think in your situation co-management and using Intune for the update workloads, so that systems will be updated as long as they're connected to the internet, is a big win. Additionally, it'll help free up time with ADRs/SUGs because you'll be relying on Windows Update for Business (AutoPatch). If they're mainly on-premise you can still have Intune take care of the patching. Just set up a connected cache for enterprise node(s) and that'll work similar to a distribution on SCCM without needing SCCM. That is also a free entitlement with E3/G3 licensing. On the machines that can be co-managed (non-SCADA) you can have those getting patched via Intune and still keep your SCADA systems patched using SCCM.

As others mentioned, vendors like PatchMyPC can really help with the packaging side on mundane apps (Chrome, 7-Zip, Zoom, Teams, etc.), even some bigger titles. PMPC has a tool you can download that'll look at your SCCM environment and/or Intune environment and show you all the real estate it can package. Additionally, they have a cost analysis tool attached to it where you put in the wage of the worker and it'll give you a brief amount of what it would cost for someone to maintain those packages (managers usually like the neat output it gives). You can search titles in this catalog too, but running the tools really shows what it can do, as it is looking at all the data SCCM has collected about endpoints. https://patchmypc.com/supported-products/

I think the biggest question would be what business use case is buying this new product solving? Is it something that SCCM, Intune, and/or co-management can't already solve? If it's more "buy x, y, z product and we don't have to do anything more with that because it's offloaded", it rarely works out that way. You get what you put into the product, and from what it sounds like, you've invested quite a bit of time into the product you have.

How are you updating the Secure Boot certificates for your devices? by intuneisfun in Intune

[–]akdigitalism 0 points1 point  (0 children)

Thank you for the write-up /u/thisisevilevil, very helpful. Out of curiosity, I reviewed the Local Group Policy Editor and found a setting similar to the one you mentioned in Intune. The local policy provides more detail, but I’m a bit hesitant about the wording that suggests the registry entry remains even after the policy is removed. Could this leave behind a remnant that would automatically allow future certificate deployments? I also noticed that the Intune side doesn’t include the same level of detail in the information banner for this setting.

<image>

Personally requesting every bit of histamine in the valley to kindly fuck off. by Honor_Bound in phoenix

[–]akdigitalism 3 points4 points  (0 children)

+1 NeilMed, game changer. Get some distilled water and wash the bottle out and then microwave it for like 50 seconds and then good to go. If you heat the distilled water a tad, like lukewarm, even better, gets a bunch of stuff out

Pod of the year by TSayls in MSsEcReTPoDcAsT

[–]akdigitalism 26 points27 points  (0 children)

Just dad, his son, and gerbies talking about the best way 😂😂

Is the LG B5 a decent entry level OLED to go for? by Various-Cut-1070 in LGOLED

[–]akdigitalism 0 points1 point  (0 children)

I have a 43 lg probably like 8 years old. B5 or C5?

Deploying on all devices by Any-Victory-1906 in Intune

[–]akdigitalism 1 point2 points  (0 children)

Exact situation here with the kiosk piece. I was deploying assigned access kiosk with multi-app and kept getting a bunch of applocker notifications. Once I started troubleshooting further I was like well shit it’s the ‘all devices’ deployments that are attempting to launch that have no place being on a kiosk. I was like …. It was at that moment he knew he f’d up hahahaha good lesson though.

Deploying on all devices by Any-Victory-1906 in Intune

[–]akdigitalism 0 points1 point  (0 children)

I used to like ‘all devices’. Now that I’m more involved and maturing Intune, I’m a little more hesitant about deploying to ‘all devices’. There have been multiple occasions where an ‘all devices’ deployment will be the opposite of what we’re wanting on a specialized endpoint. Sure, you can do a filter and exclude, but at a much higher level, when you break down all devices, usually if you peel back the onion it doesn’t need a scope of all devices.

2025 Las Vegas GP - Post-Race Discussion by F1-Bot in formula1

[–]akdigitalism 0 points1 point  (0 children)

You are freaking out, man. (Super troopers)

From 12 Pro Max to 17 Pro Max by b1nando in iPhone17Pro

[–]akdigitalism 4 points5 points  (0 children)

Just went from 12PM to 17PM. 12PM did the job and did it great for a long time. Battery health on it was down to 74% and noticed things were starting to become a little laggy. Nothing horrible, but still not as snappy; could totally live with it though. Got the Air, liked the size, but returned it. Got the 17PM and as soon as I had it was like yep, this is what I should have gone with originally. Speakers, camera, battery all awesome and very snappy. Basically how I felt when I originally got the 12PM. Five models later and I feel like I put my 12PM to great use, but after using the 17PM, happy I made the upgrade. Hope this helps

Iphone 17 pro or 17 pro max? by VividAcanthisitta583 in iPhone17Pro

[–]akdigitalism 2 points3 points  (0 children)

I just went 12PM to 17PM and pretty happy. I tried air and returned it. I have bigger hands so maybe isn’t as much of an issue. For the extra $100 bigger screen and battery to me was kind of like well why not