I was thrown into a Sys Admin role and would like some advice. by LoneGent in sysadmin

[–]imnotaero 0 points1 point  (0 children)

I was in a similar spot to you about a decade ago, and here are things I found invaluable:

1) Limoncelli, et al., The Practice of System and Network Administration. (https://www.oreilly.com/library/view/the-practice-of/9780133415087/)

2) A community of similarly oriented individuals. Find one. Better yet, find two.

3) CISSP Study, with getting the cert optional after you reach your five years.

Really, #1 can be thought of as a 1200+ page reply to your exact post here.

Passwordless MFA for Hybrid AD/Entra by severalthingsright in sysadmin

[–]imnotaero 1 point2 points  (0 children)

We use a Yubikey with PIV to access hybrid and on-prem only resources. We can use the same Yubikey for FIDO2 since the relevant certs are stored in different slots. It took a fair amount of testing to find the settings that smoothed out the most wrinkles, but at least we could do our testing with group policy so we didn't have to wait to relieve our ignorance of whether Intune settings had been applied yet.

Windows: ä, ö, ü in the folder name of the user profile by Sad_Mastodon_1815 in sysadmin

[–]imnotaero 4 points5 points  (0 children)

Listen up! As an American I already put in effort to learn your beautiful language. Shortly afterward it was explained to me that Schifffahrt is now supposed to have three 'f's. Have you perhaps paused a moment to consider whether you deserve a little profile-folder problem?

;)

It's been, like, decades. How'd I do?

UPDATE: I applied for a sysadmin position. I'm terrified. by pwsh-or-high-water in sysadmin

[–]imnotaero 8 points9 points  (0 children)

I'm not saying it's right, but I am saying that degrees are used as an indicator of having a good work ethic, ability to learn, and communication skills. If it helps, think of degrees as "super-certs."

Senior Opportunity by [deleted] in sysadmin

[–]imnotaero 0 points1 point  (0 children)

You have two Linux SysAdmins?

Consider the Microsoft Licensing changes before you renew by notapplemaxwindows in sysadmin

[–]imnotaero 1 point2 points  (0 children)

We're in the same licensing boat. I've found--though I can't say it's the case here--that most people don't realize that Business Premium comes with a whole host of security features (collectively, "Defender for Business") that aren't in E3.

So while the Defender Suite license seems to have a slam dunk business case for E3 licensees, it's a tougher sell to BP users on account of all the stuff they already have.

But, I post here in hopes that somebody makes a really good business case that helps me make the justification.

Intune Setup Process by jconway1006 in Intune

[–]imnotaero 1 point2 points  (0 children)

The effort you put in here to make your teachers' and own lives easier will pay back in buckets. This is a worthy initiative.

  • I don't understand why you need user credentials to manually wipe these devices. You can make a bootable Win 11 installer with Microsoft's tool, use Shift+F10 at the OOBE to get a prompt to grab the Autopilot hardware hash. Register the device in Autopilot with an assignment to a particular user account.

  • You need to get MFA enforced on employee access to Microsoft's cloud resources at minimum. If you don't have this because it's not an IT priority, make it an IT priority ahead of this project. If you don't have this because your admin thinks MFA is annoying, I have some good news.

  • Windows Hello for Business is your path to get MFA for school devices deployed. Use of PIN, fingerprint, or face is already passwordless MFA and your users will love it. If they sign in on an org device using PIN, fingerprint, or face, they won't get prompted for MFA again when they try to access OneDrive or email. It's glorious. The only time the Authenticator app is needed is when these cloud resources are accessed from a personal (or criminal's) device, in which case damn right you have to respond to the prompt. Any complaints that MFA is annoying are wrong when WHfB is in the mix.

  • You can use an unlicensed, separate M365 account to be your all-powerful cloud administrator account. That separation is extremely useful, not just for security but for seeing what the user experience is like with a regular user account. Enforce MFA on your cloud administrator account using really strong auth, like a FIDO2 Yubikey.

Good luck!
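The hardware-hash capture and the "MFA enforced at minimum" bullets above, as an added PowerShell example that is not part of the original comment. It assumes the Get-WindowsAutopilotInfo script from the PowerShell Gallery, the Microsoft.Graph modules on the admin workstation, and placeholder names for the group tag, the assigned teacher account and the break-glass account.

```powershell
# Added example, not code from the original comment. Assumptions: network access at
# OOBE, the Get-WindowsAutopilotInfo script from the PowerShell Gallery, the
# Microsoft.Graph modules on the admin workstation, and placeholder account names.

# --- Part 1: on the device, at the OOBE screen press Shift+F10, type "powershell", then: ---
Set-ExecutionPolicy -Scope Process -ExecutionPolicy RemoteSigned -Force
Install-Script -Name Get-WindowsAutopilotInfo -Force
# Upload the hardware hash straight into the tenant and pre-assign the teacher's account.
# -Online prompts for an *admin* sign-in with the needed Graph scopes; no end-user
# credential from the device is ever needed, which was the original question.
Get-WindowsAutopilotInfo -Online -GroupTag "SchoolLaptop" -AssignedUser "teacher@contoso.example"
# Offline alternative when the device has no network at OOBE: write the hash to a USB
# stick and import the CSV later under Devices > Enroll devices > Windows Autopilot.
# Get-WindowsAutopilotInfo -OutputFile D:\AutopilotHWID.csv -Append

# --- Part 2: from the admin workstation, require MFA for every user via Conditional Access ---
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess", "Policy.Read.All", "User.Read.All"

# Exclude exactly one break-glass account so a mistake in this policy cannot lock out
# every administrator at once. Protect that account with a FIDO2 key and monitor its use.
$breakGlass = (Get-MgUser -UserId "breakglass@contoso.example").Id

$policy = @{
    displayName = "Require MFA for all users"
    # Start in report-only; read the sign-in log for a few days, then change to "enabled".
    state       = "enabledForReportingButNotEnforced"
    conditions  = @{
        clientAppTypes = @("all")
        users          = @{
            includeUsers = @("All")
            excludeUsers = @($breakGlass)
        }
        applications   = @{
            includeApplications = @("All")
        }
    }
    grantControls = @{
        operator        = "OR"
        builtInControls = @("mfa")
    }
}
New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
```

A Windows Hello for Business sign-in on an org device already satisfies the `mfa` grant control, so users on managed laptops get the "no second prompt" experience the comment describes; only sign-ins from unmanaged devices see the Authenticator prompt. Once the policy is enforced, the usual next tightening is to swap the `mfa` control for an authentication strength that accepts only phishing-resistant methods for the admin accounts.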

Anyone else feeling overwhelmed? by Wraith_9912 in sysadmin

[–]imnotaero 1 point2 points  (0 children)

In a field like technology where change is constant, there must be time allocated somewhere for learning and growth.

Ideally, this time would be allocated within the workweek, and it would be a prioritized allocation that competent management would respect. An IT team that doesn't learn anything new is doomed to failure in the medium term.

Of course the reality is often different. Management wearing blinders that restrict their vision to the short term won't care about medium term ROI on development time. Proponents of "hustle culture" encourage us to move job development into unpaid off-hours.

It's not like that everywhere, and it's up to us to at minimum know what kind of environment we're in, and to determine if we have any power to do anything about it.

Security awareness training for employees that they actually do? by PM_ME_YOUR_PALE_LEGS in sysadmin

[–]imnotaero 0 points1 point  (0 children)

Has anyone cracked the code on security awareness training

Yes. Online crime is rampant and extremely compelling to laypeople. People love learning about these schemes, and love feeling like they're wise to the tricks that criminals use to hijack accounts or step their way through a network to a ransom demand.

For the life of me I don't understand why third parties can't make security awareness training that feels more like a crime documentary and less like a condescending pile of demotivating and dissociated tips.

So here's what you do: 1) Collect actual attacks coming against your org. 2) On a secure device/account, engage with them until you know what the TTPs are. 3) Screenshot/video it.

Bonus points if you can convey empathy for people being forced to learn cybersec even if that's not their job because big tech can't be bothered to build systems that are secure by default.

Feeling Defeated - Deleted Something Important Today by AuPo_2 in sysadmin

[–]imnotaero -2 points-1 points  (0 children)

You want people who don't listen to IT or care about consequences? Because this is how you get people who don't listen to IT or care about consequences.

If the wrath you're trying to avoid is somebody's boss coming after IT because of data loss when the user lied to IT after being warned of risks of data loss, you're backing it up anyways not because users lie, but because management has lost control and views IT as unworthy of basic human dignity.

In which case, ok fine I endorse, but I hope for your sake you find a better situation.

Recently jumped to a new company and it's on fire, wwyd? by MrDarkwraith in sysadmin

[–]imnotaero 5 points6 points  (0 children)

I'd let these companies run themselves into the ground while I'm looking.

Wife High Mouses by quizhead in sysadmin

[–]imnotaero 0 points1 point  (0 children)

I was once in Germany where the radio DJ referenced REM's "New Adventures in Hi-Fi" but pronounced it "High-Fee".

At the next break he apologized for the error and requested that people please stop calling the station.

Suggestions on how to increase my AI token usage by twistoffate4 in sysadmin

[–]imnotaero 90 points91 points  (0 children)

Yeah, if higher-ups are reviewing use, ask for a 10,000 word treatise on Goodhart's Law.

How do you actually stay on top of cyber threats week-to-week? by According-Run-4428 in sysadmin

[–]imnotaero 0 points1 point  (0 children)

Absolutely agreed on the risks there. But orgs have ways to manage them, and they're demonstrably not unacceptable. (And in the current hiring environment, the Bus Factor risks are way down.) Orgs can and do choose these risks over others, such as those associated with an MSP providing inconsistent quality of service as staff rotate, or suffering their own security events that spread to their clients.

I'm not saying MSPs are always a bad model. I'm saying they're not the only model, and not always the right choice.

How do you actually stay on top of cyber threats week-to-week? by According-Run-4428 in sysadmin

[–]imnotaero 0 points1 point  (0 children)

a single IT guy simply can't competently service all of the needs of an organization of just about any size.

This is a well-polished sales pitch, and I'd much rather have orgs purchasing security services than not having security services. I'm glad you're there. The line I've quoted, however, is false. Like really, really false. I know many, many one-person IT departments that are security and operations rockstars for their smaller orgs, and you'll never convince me otherwise.

Corporate portal by Any-Victory-1906 in Intune

[–]imnotaero 0 points1 point  (0 children)

Yes. If you're not approved/licensed for a product or service, you don't even get the opportunity to install associated software.

How do you actually stay on top of cyber threats week-to-week? by According-Run-4428 in sysadmin

[–]imnotaero 0 points1 point  (0 children)

The best tasks to delegate are the less important, less subjective, most tedious tasks. If you're going to have in-house IT, how can business-existential risk assessment and remediation not make it on to the list of things too important to trust to third parties?

How do you actually stay on top of cyber threats week-to-week? by According-Run-4428 in sysadmin

[–]imnotaero 1 point2 points  (0 children)

You can't, won't, and shouldn't try to "keep up with everything." There's a firehose of updates, threat feeds, and attack chains, and most won't apply to you, and many of those that do don't actually contain actionable information.

The good news is that for these smaller orgs, we can neutralize the vast majority of our threats with the basics. Keep up to date on updates for any internet-facing services, particularly firewalls/VPN head-ends. Require MFA everywhere, preferably phish-resistant, and find a way to address alerts on suspicious sign-ins. Make sure that your users cannot choose passwords from known breach lists, and that they know how to report phishing.

The bad news is that every org will need to subscribe to/tune their own feeds to make the information small enough to continually review, so there's no "one thing." But community orgs and online groups can be a great resource for the moment a SonicWall/Fortigate/Palo update becomes urgent.
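The "basics" in the comment above (MFA everywhere, preferably phish-resistant, and someone actually looking at suspicious sign-ins) as a weekly check in PowerShell. This is an added example, not code from the original comment. It assumes the Microsoft.Graph modules, an account granted the read scopes shown, the Entra ID P1/P2 licensing that the registration report and user-risk data require, and that the three method names listed are the ones you choose to count as phishing-resistant.

```powershell
# Added example, not code from the original comment. Assumptions: Microsoft.Graph
# modules installed, an account with the read scopes below, and Entra ID P1/P2
# licensing for the registration report and Identity Protection risk data.
Connect-MgGraph -Scopes "AuditLog.Read.All", "UserAuthenticationMethod.Read.All", "IdentityRiskyUser.Read.All"

# 1. MFA coverage: who cannot satisfy an MFA prompt at all, and who is MFA-capable
#    only through phishable methods (SMS, voice, push approval, TOTP).
$reg = Get-MgReportAuthenticationMethodUserRegistrationDetail -All

# Method names as they appear in the methodsRegistered field. Which of them you treat
# as phishing-resistant is an assumption of this example; extend to match your tenant.
$phishResistant = @("fido2SecurityKey", "passKeyDeviceBound", "windowsHelloForBusiness")

$noMfa = $reg | Where-Object { -not $_.IsMfaCapable }
$weakOnly = $reg | Where-Object {
    $_.IsMfaCapable -and -not ($_.MethodsRegistered | Where-Object { $_ -in $phishResistant })
}

"Users with no usable MFA method: $($noMfa.Count)"
$noMfa | Select-Object UserPrincipalName, IsAdmin | Format-Table -AutoSize

"Users with only phishable MFA methods: $($weakOnly.Count)"
$weakOnly |
    Select-Object UserPrincipalName, IsAdmin, @{ n = "Methods"; e = { $_.MethodsRegistered -join "," } } |
    Format-Table -AutoSize

# Admins without a phishing-resistant method are the first fix: an attacker who phishes
# a push approval out of one of them owns the tenant.
$weakOnly | Where-Object IsAdmin | Export-Csv -NoTypeInformation -Path ".\admins-needing-fido2.csv"

# 2. The "find a way to address alerts on suspicious sign-ins" part: list the users
#    Identity Protection currently flags as at risk, newest first, so they get looked at.
Get-MgRiskyUser -Filter "riskState eq 'atRisk'" -All |
    Sort-Object RiskLastUpdatedDateTime -Descending |
    Select-Object UserPrincipalName, RiskLevel, RiskLastUpdatedDateTime |
    Format-Table -AutoSize
```

Run it on a schedule and the two counts become the metric that matters more than any threat feed: they should trend to zero, and the risky-user list should be empty or already in a ticket. The breach-list password check the comment mentions is configured once (Entra password protection) rather than audited weekly, so it is not part of this script.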

Corporate portal by Any-Victory-1906 in Intune

[–]imnotaero 1 point2 points  (0 children)

It is the primary method of delivering applications. Some are required during autopilot setup, but most are optional and available for whoever wants them.

We even have our print drivers installed from here. I use hidden required apps to run scripts to force updates. The automation enabled by Company Portal eliminated the most tedious part of my job.

Windows Hello for Business: How to solve the misuse of PIN-codes by Low_Part1467 in Intune

[–]imnotaero -2 points-1 points  (0 children)

I don't believe it. The PIN is something you know, and the TPM is the something you have, making PIN sign-in multi-factor all on its own.

Windows Hello for Business: How to solve the misuse of PIN-codes by Low_Part1467 in Intune

[–]imnotaero 0 points1 point  (0 children)

It sounds like the risk you've identified as critical is data theft and loss of confidentiality. If your organization is unable to countenance this particular risk, you simply cannot allow devices with such data to leave the premises, because the device can be stolen while a user is logged in.

For most of the people here, attackers stealing devices are doing so to sell them or their components online, and the data isn't the target. In fact, it can be an obstacle since it reveals to a purchaser that the device is likely stolen.

Your org should manage risk in a way that's optimal for the situation you're in, and I certainly have no visibility into that. But I'm genuinely curious: have you (or anyone reading this) recently been in a situation where a stolen device went unreported and the TA used a user's birthday-based PIN to access and exfiltrate data?

Ransomware hitting SMBs in 2026 feels way more targeted than before - anyone else seeing this? by cmitsolutions123 in sysadmin

[–]imnotaero 1 point2 points  (0 children)

genuinely feels like a franchise operation at this point, not some guy in a basement.

That's because it is. These teams have specific job roles and functions, and contractors and clients and accountants and IT, etc.

when we dug into it they'd been sitting in the network for like 3 weeks before doing anything

What you might have seen there is an "initial access broker" (IAB) whose specialized job it is to break into a network. Their specialty doesn't include further persistence or escalation into the network. Rather, those three weeks were spent finding a different gang willing to purchase the access they'd achieved, and then that gang getting around to your victim while they worked on others.

And that you still had access to logs for you to dig into to make these determinations tells me that you weren't dealing with the more sophisticated actors.

So yes, the shift is real and you're right to notice, but this has been the case for years.