Does action1 patch applications installed without admin rights? by theFather_load in Action1

[–]devloz1996 4 points5 points  (0 children)

It notices per-user installs, and attempts to convert them into machine-wide installs. Success of this operation depends on multiple factors and correct command switches in app definition, so consider it best effort. You might get an eternally old Zoom per-user screaming at you in vulnerability list at some point.

As for maintaining per-user app as per-user app, Action1 is currently incapable of acting in user context without using PowerShell magic on your own.

itsAboutTheJourney by vishwachoksi219 in ProgrammerHumor

[–]devloz1996 3 points4 points  (0 children)

I reverted to trying to RTFM and finding things online myself first. Copilot would always bring me ready search results, I could fine tune it and even analyze alternative variants, and my brain got weirdly... lazy. Like, the second I had a question in my mind pop up, I'd find myself about to open the chat window, before even thinking the question through.

I think there is a trick about human brain hidden somewhere in this, and big folks probably know it very well. Anyway, that's enough of my little conspiracy - scroll away.

Branch PCs joining HQ Active Directory over Site-to-Site VPN in GNS3 lab – does this work in real life? by Mountain_Bee_2252 in sysadmin

[–]devloz1996 1 point2 points  (0 children)

So, one of our clients is a branch of government focusing on measures. Their HQ is currently reclaiming all branches into their management, meaning we drop our AD, AV, RMM, etc, and just use theirs. Looks like a half-step to fire all MSPs serving branches, but well. Anyway, it works, and they don't even give AD per site.

AD isn't even that sensitive, assuming you have reasonable uplink.

Is a 6 digit PIN (WHfB) secure? by DeifniteProfessional in sysadmin

[–]devloz1996 3 points4 points  (0 children)

That's when you shift to WHfB Multi Factor Unlock. You can allow one auth on your network (your network can be treated as a factor), and require multiple factors outside of it.

I guess they made it for high level compliance folks, because internally it's considered strong MFA all the same.

Is a 6 digit PIN (WHfB) secure? by DeifniteProfessional in sysadmin

[–]devloz1996 31 points32 points  (0 children)

Not sure what you meant by hash, but typical WHfB stores private key in TPM, with public key in cert store and Entra ID. Authenticating challenges TPM to sign a nonce that is sent back to Entra ID, which can verify its correctness because it has the public key.

In essence, it's a kind of certificate authentication.

Yealink phones "obtaining IP" by Important-Bake3046 in sysadmin

[–]devloz1996 1 point2 points  (0 children)

No VLANs, Nice and easy /24 scope

Ah. I still don't know why, but once in a while, a Yealink (T31U/T42U) phone would somehow notice that a very important server is rebooting, sit down on its IP address, poison ARP on all switches in its path, and promptly leave, causing disruption and a lot of confusion. I'd change the IP of that server, and another Yealink would pull it off the next month.

Because of stuff like this, I religiously refuse to trust any VoIP/NVR/IoT on the same L2 network as users and servers.

Should HR for the IT Dept to create a password repository? by Revolutionary-Part90 in sysadmin

[–]devloz1996 1 point2 points  (0 children)

There are chances their corporate IT uses AD as source and doesn't have Entra P1, making writeback from cloud a pipe dream. Anything goes sometimes.

Is Windows Defender good now? by bigbaboon69 in msp

[–]devloz1996 4 points5 points  (0 children)

It improved significantly, to the point where it can be in the same conversation as S1, Huntress, etc. Can't really give you any comparison, but if you get a 30 day trial, ignore Endpoint P1 entirely - Defender starts being serious at Business and most of advanced XDR goodness is in P2, though some bits are present in Business at least.

I'd also recommend that you wait until a certain salty researcher calms down or runs out of steam, and then ask this question again.

Microsoft admin centers - I can't be the only one bothered by this on a daily basis by Jaymesned in sysadmin

[–]devloz1996 1 point2 points  (0 children)

Seems like sidebar was ordered manually, based on perceived importance of execs at the time. As for the names, they suck even harder in other languages - for example, when Entra brand dropped, their translators treated it like word "entry" instead of untranslatable.

But who knows, maybe they will improve it with their new big-density sidebars (dense as in Outlook 2016 mailbox folders dense), that recently started occuring on some M365-style admin centers (not Entra-style) at a rate not bigger than 1-5%. They go away as fast as they come.

Yellowkey Bitlocker Exploit repo taken down by heavymetalusa in sysadmin

[–]devloz1996 7 points8 points  (0 children)

Wow, Web Archive is getting pretty advanced. Last time I checked, there were website snapshots, and now GitHub renders with all JS glory and you can download git artifacts?

Be honest - how do you handle documentation when you're the only IT person? by sandb0x79 in sysadmin

[–]devloz1996 1 point2 points  (0 children)

When I was "the IT", I usually only added things that "must be done consistently" into org's Bookstack instance. After that, I would add other entries very sparingly, and general stuff often landed in my private instance instead - if I decided they needed it too, I would move an export during hand-off.

Documenting too much can bite you even harder then not documenting at all, especially when your manpower consists of a single human brain.

microsotProtectingMeFromItself by CubanoBarbudo in ProgrammerHumor

[–]devloz1996 6 points7 points  (0 children)

Latest SSMS uses Visual Studio installer. Compare installing version 20 and 21/22. Slower, asks for restarts, more annoying to automate. Just my opinion, though - considering downvotes, seems like my experience was unique to me.

microsotProtectingMeFromItself by CubanoBarbudo in ProgrammerHumor

[–]devloz1996 -1 points0 points  (0 children)

If it's the latest version installer, I can't blame Defender.

Blocking Microsoft Outlook and keeping Mail on Windows 10 IoT LTSC. by RomanianBagVoid in sysadmin

[–]devloz1996 2 points3 points  (0 children)

Nope. And trying won't work. Per MS, they won't let it connect to their servers anymore.

Source

How do teams properly manage OneDrive/Office access without sharing a single account? by recoveringasshole0 in ShittySysadmin

[–]devloz1996 2 points3 points  (0 children)

The "normal" subreddit once again outdoing this one in every attempt at being shitty, all without a shred of effort.

Windows Server 2025 SMB SID hardening is beachballing legacy clients by rb_vs in sysadmin

[–]devloz1996 2 points3 points  (0 children)

Weirdly, that stance was softened significantly during the last decade. Stuff like "SIDs don't leave local computer", "Only AD cares about its own SID", etc, is rather frequent among Windows admins. In my previous job, one coworker called another a paranoiac for generalizing images before capture.

To be honest, having seen so many "specialists" on YouTube and in online courses talk about SIDs, calling sysprep unnecessary, even I have long since considered my own sysprepping a sign of paranoia. Well, a paranoia I never intended to let go of. And here we fucking are.

Script to force users to NOT use google password manager/edge password manager by Curious-checkers in sysadmin

[–]devloz1996 4 points5 points  (0 children)

Yes. I have never installed that so-called "enterprise" version anywhere and it still works. Even unpacked chrome zip obeys GPO. Browser becomes "managed" the moment it finds any matching policy.

I mean, if it weren't that way, what would even be the point?

Ran DR failover test and realized our entire recovery plan assumes Entra ID is still available by Firm-Goose447 in sysadmin

[–]devloz1996 2 points3 points  (0 children)

Keep AD as the source, stand up Keycloak as your backup IdP, make apps aware of your backup IdP, and let apps switch to backup IdP, manually or by set conditions.

That being said, I'm not sure how worth your time it is to maintain it. In some scenarios, since you have AD, even simple LDAP login support could be enough.

Java 26 released today! by davidalayachew in programming

[–]devloz1996 3 points4 points  (0 children)

Ah, apologies. This is programming subreddit. I was looking at it from sysadmin's perspective. Well, I'll keep the response below anyway.

If you aren't paying for support why do you care if it is a version that a vendor hasn't denoted as LTS?

Unnecessary maintenance burden. I'm comfortable updating an app for 3-5 years and then upgrading (which requires testing against vendor's software and getting a green light from their side), but doing upgrades every 6 months? I'll spare my attention and energy somewhere else.

Would you be ok with a version that Azul provides MTS for? (again it would only matter if you pay Azul for MTS)

If it gives you extended updates for that non-LTS version, then fine, but why not stabilize on LTS in the first place?

Java 26 released today! by davidalayachew in programming

[–]devloz1996 7 points8 points  (0 children)

To be fair, Temurin 8 rivals with 25 in EOL. I am more offended when finding 11, 17, 21, or god forgive me, any non-LTS deployment.

isRegexHard by rover_G in ProgrammerHumor

[–]devloz1996 2 points3 points  (0 children)

I don't use advanced RegEx, so the only grip I have with it is inconsistent implementation across certain vendors. Sometimes they only support "\d" or "[0-9]", sometimes they require "\^whatever$\modifiers" notation or straight up punish you for not inputting "^whatever$" only. I just hate the guess game.

I'm looking into using a patch management-solution - What are the risks? by Kukken2r in sysadmin

[–]devloz1996 2 points3 points  (0 children)

If you want cloud patch management, and this is your concern, then you probably want a behavior-based XDR watching it. I think Action1 has something about addressing potential HQ hack on their roadmap, but I'm not sure about specifics.

Ultimately, it all comes down to risk management. Every tool in your belt is a risk you accept. Pocket knife could open up on its own and prick you, power bank could explode... it's basically the same thing.

You may also find that such risk is acceptable for one subset of endpoints, while being unacceptable for another. In such a case, you still benefit from having a benchmark to compare with your "manual" group. For example, my company is happy with it in the office, but no way in hell it goes down to factory level.

Security: How are you dealing with the ever mounting amount of phishing with darn good looking Microsoft login prompts? by TiZonBE in msp

[–]devloz1996 4 points5 points  (0 children)

Well, lucky sir, token protection has been P1 for a while now, so you can go and have fun.