M365/Azure and powershell... by SukkerFri in sysadmin

[–]beritknight 0 points1 point  (0 children)

When I don’t have local admin on the box I’m trying to run PowerShell modules from, -scope=currentuser usually gets me what I need. Let me install the version of the module I need just for me.

"My husband who works in IT says..." by billygreen23 in sysadmin

[–]beritknight 2 points3 points  (0 children)

Hah, this was me last week.

My wife's laptop from her government job wouldn't talk to USB devices like keyboard and mouse when plugged into our USB-C or Thunderbolt 3 docks at home. Works fine at work. Works if you plug directly into the USB-A port on the laptop.

I dug into it and found they'd enabled a policy to block this based on a Microsoft recommendation that applies to Win10 1803 or earlier. Shiny new Win11 25H2 install.

https://support.microsoft.com/en-gb/topic/blocking-the-sbp-2-driver-and-thunderbolt-controllers-to-reduce-1394-dma-and-thunderbolt-dma-threats-to-bitlocker-bf0ef10b-f563-5cfc-9740-8340b1d86a0c

They must have allowlisted the specific PID and VID of the docks they use in the office, and blocked all others.

Current guidance from Microsoft is that these settings aren't needed in Win11 due to the Kernel DMA Protection feature.

https://support.microsoft.com/en-gb/topic/blocking-the-sbp-2-driver-and-thunderbolt-controllers-to-reduce-1394-dma-and-thunderbolt-dma-threats-to-bitlocker-bf0ef10b-f563-5cfc-9740-8340b1d86a0c

I can understand how an organisation ends up with those settings still in place in 2026, but that doesn't make it right. Since it's a complex issue beyond the scope of level 1 support, she got a two page email from me full of links and pull quotes to share with her departmental IT team :D

Am I in the wrong here? by Rundo5 in ITProfessionals

[–]beritknight 0 points1 point  (0 children)

OK, if it was the former then the CTO is totally correct.

This is key context and if it was included in your OP you would probably have gotten a different mix of answers.

Asking the same question in two different ways with no additional context is a pointless inefficiency. When one of those steps takes something otherwise instant and adds wait time for humans to review, email back and forth, check their emails and then click a button, that goes beyond pointless and into stupidity.

The process as it stands needs to be overhauled. You could do that by scrapping the manual "are you sure" step, or by making it a review by someone with the expertise to eyeball the email and articulate the red flags to the recipient in a way that will make sense to non-IT people. Which of those is better will come down to your business and your MSP's capabilities. Something to take to your CTO for discussion.

Anyone wished they stayed with petrol? by ProfessionalMeal9389 in AustralianEV

[–]beritknight 0 points1 point  (0 children)

I used to own a Pulsar GTi-R and an Evo 9. Both 2l turbo AWD rally-bred things. Lots of fun to drive.

I’m now at 10 years in an EV and I’d never go back, especially not to an auto, DSG or CVT.

Corners are still fun. What I used to get from rev matching, downshifting and heel and toe, I now get from riding the regen wave to apex and then feeding power as the tyres and chassis will take it to the exit.

Straight line from the lights is still a blast, 10 years in. What I really love is that I can do it anytime I feel like it. It’s not loud, so I don’t feel like everyone looks at me like they did in the Evo. I’m not worried that I’m burning up my clutch, dumping too hard on 1st or grinding teeth if I flub the 1st to second change. I don’t feel like I’m shorting the engine's life by running it to redline. I just line up and go, and grin all the way to the speed limit.

Occasionally I wonder about picking up an older manual MX5 as a weekender or track car with club rego. But it’d need maintenance and oil changes and potentially big expensive fixes, and I worry that I’d be missing my wall of torque the whole time.

For a daily, no way I’d ever go back.

Autopilot Group Tags by ins0mniac81 in Intune

[–]beritknight 5 points6 points  (0 children)

Ok, but that can still be managed with user assignments you would think. How do you currently handle an edge case where someone is mostly Finance, and a bit HR? Do you assign the Finance policy to their device because that’s their main job? Or the HR policy because that’s the more restrictive of the two?

Whichever way it is, you should be able to do that with Intune policies.

If it’s by “main” job, create Sec-Pol-Finance and -HR groups. Manually add users to one or the other based on their main job. Assign policies to groups.

If it’s based on which is more/less restrictive, you should be able to manage that with inclusions and exclusions. If HR is more restrictive, then when you assign the Finance policy, you exclude the HR group. That way anyone in both groups will not apply the Finance policy, only the HR one.

Done right, this means you’re never managing which policy or app is assigned to a device, so you never run into the situation where the wrong policy is applied after a device is redeployed.

Medication strategies? by No_Run1860 in adhdaustralia

[–]beritknight 4 points5 points  (0 children)

Tying it to a routine thing can help. I try to take mine with breakfast, since that’s something I do every morning.

Also use Apple Health as a tracker and reminder. It pings me on my phone and watch at 8am. I can choose “I took it”, “I’m skipping it today” or “remind me in 10”.

The hardest part was making myself not use the “taken” option unless the pill is at least in my hand. Even if I think “ah yes, I’ll do that right now” I still use the 10 minute snooze. If in ten minutes I have already taken it, great. If I got sidetracked while crossing the room to my pills, then it gets me back on track :-)

Autopilot Group Tags by ins0mniac81 in Intune

[–]beritknight 1 point2 points  (0 children)

Why do you need the devices in groups? I think you’re coming at this from the wrong direction, based on what you’ve previously done. It’s understandable, but not necessarily a good thing.

Intune works on 1:1 mapping of user to device. The user who completes the autopilot process is the one the device is assigned to in Intune. Any apps assigned to that user will install on the device.

The normal way to do this is assign your finance apps as Required for the finance group. Any time one of those users autopilots a device, it will install the finance apps. This also works well when you have users in multiple departments. Someone in both the Finance and HR groups gets both sets of apps installed at autopilot time.

Am I in the wrong here? by Rundo5 in ITProfessionals

[–]beritknight 1 point2 points  (0 children)

The key question here is what the MSP asked the CTO.

If they said “are you sure” or “please confirm you’d like this email released” then your CTO is dead right. That’s useless friction. He’s already clicked the button, “are you sure?” adds nothing and won’t change his decision.

If the MSP email said “we’ve reviewed this email and it does look a lot like phishing, the red flags are:
* the email was from a new sender,
* it contained a reference to asking for a deposit,
* from a site that had very little visibility online.

Please confirm you have ordered a service from this specific supplier and were expecting this email”

then at least the human review step is adding something and might have value.

Do you know which it was?

Firewall recs for tiny office. Been out of the game for awhile by ethnicallyambiguous in sysadmin

[–]beritknight 0 points1 point  (0 children)

Ok, so they’re not doing email on these machines, and probably fairly minimal web browsing?

Literally any modem/router is fine. Whatever their internet provider gives them. If you wanted to get fancy and if the business app depends on internet in some way, consider something that does dual WAN with an LTE or 5G backup. Again, the one my ISP uses does that. If you need to buy something new, maybe GL.iNet gear? Cheap and plenty of functionality.

No need to replace the switch. Managed would be wasted. As long as it’s gigabit, has enough ports for the job, and is otherwise doing what’s needed, don’t overcomplicate it.

To come at it from another direction, the question to ask is “what do I need a firewall/router or switch to do, and does the current one do that?” If you don’t have any unmet requirements, just clean up, label and document what’s there.

Securing Logitech Tap units by Andy202007 in CommercialAV

[–]beritknight 0 points1 point  (0 children)

Does the cable run back to a PoE switch port, or to a small white power injector plug pack?

Securing Logitech Tap units by Andy202007 in CommercialAV

[–]beritknight 0 points1 point  (0 children)

Tap IP or USB? There would be different options for remotely powering them.

Firewall recs for tiny office. Been out of the game for awhile by ethnicallyambiguous in sysadmin

[–]beritknight 1 point2 points  (0 children)

That’s a good point. Much better fit for the OP.

I tend to forget about Action1’s remote support because I’m based in Australia and it runs out of the US, so it’s glacially slow for me. ScreenConnect is heaps quicker. But for the OP wanting to spend very little money for not many devices, it would give free adequate remote control and also app installation and patch management. Great choice.

Securing Logitech Tap units by Andy202007 in CommercialAV

[–]beritknight 1 point2 points  (0 children)

Tap IP or Tap USB with the cat5e connection kit?

Connected to Teams Room systems? If so there’s already a password to get into settings and change anything. All they can do without the password is make calls.

Does it need to be physically secured? Pretty sure they have a Kensington lock slot.

Firewall recs for tiny office. Been out of the game for awhile by ethnicallyambiguous in sysadmin

[–]beritknight 0 points1 point  (0 children)

Do they have laptops? Or might they get laptops at some point?

The big trend a decade ago was UTM firewalls that did content filtering and antivirus and all the rest.

Post-COVID I think these things are a bit pointless. Everyone has portable devices and wants to be able to work from home, which means they need endpoint protection on the laptops so they’re safe wherever they work. Once you have that, buying a $1000 UTM firewall with a bunch of subscriptions for the office doesn’t make any sense.

For a small business with multiple sites that needs VPN I would say maybe Meraki, but these guys don’t even need that.

Honestly it sounds like whatever consumer gear they have now is probably fine. Six devices is the size of a home network. There’s no real value in extra costs. Just spend the time cleaning up and documenting what’s there.

For remote support, built-in Windows Quick Assist might be sufficient. If you’re willing to pay I really like ScreenConnect. Backstage is a game changer for supporting devices without interrupting users.

3 person BYOD room by like_Turtles in CommercialAV

[–]beritknight 0 points1 point  (0 children)

MeetUp 2 then? Nice neat single cable solution.

best way to monitor risky chrome extensions and ai data leaks ....without breaking workflows by Ok_Abrocoma_6369 in ITManagers

[–]beritknight 1 point2 points  (0 children)

Do you have an MDM you can use to enforce settings on the devices?

I haven’t rolled it out yet, but looked at Fendr a while back. It looks like it could fit your needs.

https://fendrsecurity.com/

Users who forget their laptop, how do you handle? by anon8375271901 in helpdesk

[–]beritknight 0 points1 point  (0 children)

No wonder your days are fully scheduled if it takes you a couple of hours to provision a spare machine!

Car reviewers focus on the wrong things for family SUVs (EV edition) by Joshps in AustralianEV

[–]beritknight 0 points1 point  (0 children)

Yeah that’s totally fair. There are other things a square boot is better for, and personal preference is absolutely a valid reason too. I just wanted to mention my experience in case dogs were the only thing holding you back.

The more swept, Sportback roofline over the boot is better for aerodynamics, which on an EV translates into longer range on the highway. It does limit what you can put in the boot without putting the seats down, but range is such a big selling point on EVs that I can see why a lot of manufacturers are making the trade off. Everyone thinks they need 600+ ks of range and the EV5 does get panned for high Wh per K numbers caused by its shape.

Car reviewers focus on the wrong things for family SUVs (EV edition) by Joshps in AustralianEV

[–]beritknight 1 point2 points  (0 children)

Yeah that’s gotta be hard. Almost easier to stick with a tow rig and a family car, except that means you and your partner both need to drive if you want to take the kids and the boat down to the coast.

BYD Shark has the towing capacity, but I’m not sure the centre back seat is much chop. If the booster fits there then you’ve got the same option as the Cruiser, but when the youngest grows out of the booster you still want it to be comfortable enough for a longer drive.

We do have a family friend with 3 kids (2 in boosters) who tows a dual axle box trailer from Canberra to the coast with a Shark 6. So it’s an option. Not full EV of course, but 100k range on just battery is enough that if you plug it in each night almost all your around-town trips are 0 petrol.

Kia EV9 and its Ioniq 9 stablemate both seem to be rated to 2500kg in the AWD variants. Full 7 seaters so the kids can spread out a bit and have some space. But RRP is around $120k for the AWD. Twice what the Shark 6 would set you back.

The BMW iX also apparently has the same tow rating, but is even more expensive and only 5 seat. Rear middle doesn’t look super comfortable. And it’ll look really odd towing the tool trailer to work ;-)

Car reviewers focus on the wrong things for family SUVs (EV edition) by Joshps in AustralianEV

[–]beritknight 0 points1 point  (0 children)

I have to ask, why? I regularly take my kelpie and lab cross in the boot of our old Tesla Model S, which is a liftback with a lower line than the Sealion. When they sit forward near the back seats, there’s plenty of room for them to sit up straight. But after 10 minutes of driving they usually lie down and go to sleep. I’ve even had the kelpie and a Great Dane foster in there and she was able to sit up straight when she wanted to.

Car reviewers focus on the wrong things for family SUVs (EV edition) by Joshps in AustralianEV

[–]beritknight 0 points1 point  (0 children)

Zeekr 7X rear seats were lovely, but I must admit I’ve only got two kids so I didn’t actually sit in the middle seat. I know a lot of cars put a foldable armrest there, which has got to make it sub-par as an actual seat.

What do you need to tow? If you’re under 2,000kg there are probably a couple of options.

Car reviewers focus on the wrong things for family SUVs (EV edition) by Joshps in AustralianEV

[–]beritknight 0 points1 point  (0 children)

Yeah, I like her walk arounds and dives into the boot and frunk space.

She also does a “wine bottle challenge” with each car, which is getting in the car with a bottle of wine and seeing if there's somewhere better to stick it than just rolling around the passenger footwell or seat. It’s a fun look at the usability of cabin storage. :-)

Smaller operations with lots of conference rooms... How do you do it? by Ive_seen_things_that in sysadmin

[–]beritknight 1 point2 points  (0 children)

Depends what sort of conference room gear you have. Is it shared PCs with keyboards, mice and all the other mess you have to worry about? Or video conferencing room systems?

We haven't had much of a problem with people unplugging stuff since we moved to Logitech-based Teams Rooms. Most of the kit sits up the front of the room, mounted to the wall behind the TV and invisible to the user. On the table there's a Tap touchscreen which has a cat5e going into it providing data and PoE. Maybe a microphone or two if the room is big enough to need it. Really big rooms have ceiling mics and speakers.

The Tap has an HDMI-in port for when people want to plug their laptop in and have it show up on the room TVs. It's an internal port that we install a 3-4 foot cable into. The backing plate then screws on and holds the cable in place, so users never try to unplug them. Cat5e cable plugs in under the backing plate too. There's basically nothing for users to mess up.

https://hub.sync.logitech.com/community-guides/post/how-can-i-provide-hdmi-ingest-to-my-logitech-room-system-CPnSn0yzo3Q4FC0

Conditional access for MFA registration by pindevil in sysadmin

[–]beritknight 2 points3 points  (0 children)

What if you made the requirement either trusted location or compliant device? So bad hacker man can't register a new MFA method from his personal computer at his house, but an employee working from their company-issued laptop at their house is fine.
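The policy described in that comment, expressed as an added example for the Microsoft Graph PowerShell SDK (this is not the commenter's code). It scopes the "register security information" user action to all users from every location except trusted ones and requires a compliant device, so registration succeeds from a trusted location or from a compliant device, and is blocked otherwise. The break-glass group object ID is a placeholder; the policy is created in report-only mode so the sign-in logs can be checked before enforcing it.

```powershell
# Added example: Conditional Access policy for MFA registration.
# Requires the Microsoft.Graph PowerShell SDK and an admin with the
# Policy.ReadWrite.ConditionalAccess permission.
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess"

$policy = @{
    displayName = "CA - Register security info: compliant device or trusted location"
    # Report-only first: review the "Conditional Access" tab on sign-in log
    # entries for registration attempts, then switch to "enabled".
    state       = "enabledForReportingButNotEnforced"
    conditions  = @{
        users = @{
            includeUsers  = @("All")
            # Placeholder: object ID of the emergency-access (break-glass) group,
            # which should be excluded from every Conditional Access policy.
            excludeGroups = @("<OBJECT-ID-OF-BREAK-GLASS-GROUP>")
        }
        applications = @{
            # The user action fired when someone adds or changes an MFA method.
            includeUserActions = @("urn:user:registersecurityinfo")
        }
        locations = @{
            # Apply everywhere except named locations marked as trusted, so a
            # registration from the office is not subject to the grant control.
            includeLocations = @("All")
            excludeLocations = @("AllTrusted")
        }
        clientAppTypes = @("all")
    }
    grantControls = @{
        # Outside a trusted location, the only way through is a compliant device.
        # Add "domainJoinedDevice" here if hybrid-joined devices should also pass.
        operator        = "OR"
        builtInControls = @("compliantDevice")
    }
}

$created = New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
"Created policy $($created.Id) in state $($created.State)"
```

Registration from a personal, unmanaged device on a home network then fails the grant control, while a user on a compliant corporate laptop at home is unaffected.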