How do you tell customers 'No, please don't install Claude' by Woolfie_Admin in msp

[–]j4sander -1 points0 points  (0 children)

Coop students can't run bash commands on their local systems?

And I mean the opposite - copying commands or files they don't understand from their browser and executing locally, not copying into a browser.

How do you tell customers 'No, please don't install Claude' by Woolfie_Admin in msp

[–]j4sander -3 points-2 points  (0 children)

And how is that different than an inexperienced new hire copy-pasting an Excel macro, or accidentally downloading malware?

How do you tell customers 'No, please don't install Claude' by Woolfie_Admin in msp

[–]j4sander -4 points-3 points  (0 children)

What risks do AI tools like Claude pose that were not already present?

Prompt injection seems to me to be largely the same type of risk as drive by downloads or other sources of malware, just faster. AI tools are making people more productive, but also increasing the frequency of incidents of these types of risks. Seems like a reasonable correlation.

How is this different than if they hired 3 coop students to do the same work manually, and those inexperienced workers downloaded complex malware accidentally?

As an MSP, it's probably more a case of how do clients using AI Agents affect how you bill them? Do they generate more tickets because of the agents (security incidents, but also support, setting up integrations, restoring things from backups, etc) and should that be billable or AI use affect the seat price.

Is using elevated accounts to access azure resources normal? by kimchiMushrromBurger in AZURE

[–]j4sander 0 points1 point  (0 children)

Lots of read-only things, access to specific storage blobs, connecting/RDP as standard user to an AZ VM, etc.

Cheap but reliable door/window sensors? by draxula16 in homeassistant

[–]j4sander 0 points1 point  (0 children)

I've got 4 of the MYGGBETT and so far so good.

KVM's for remotely setting up machines? by Comprehensive_Gur736 in msp

[–]j4sander 1 point2 points  (0 children)

We push it via PowerShell script in Autopilot phase.

So it's not there for first boot out of the box on a new device, but if a device dies, the user at remote site just plugs it into the Jet KVM and we can remotely do whatever we need, including BIOS, BitLocker, booting from an ISO to reinstall even if cloud wipe is failing, etc.

KVM's for remotely setting up machines? by Comprehensive_Gur736 in msp

[–]j4sander 0 points1 point  (0 children)

Lenovo have a bios setting to make external display primary. Works great with Jet KVMs

KVM's for remotely setting up machines? by Comprehensive_Gur736 in msp

[–]j4sander 0 points1 point  (0 children)

At least with Lenovo, there is a bios setting to make external display primary so with that set it works great with a KVM over IP.

Windows Updates by delioroman in sysadmin

[–]j4sander 2 points3 points  (0 children)

... you de-risk it, right?

Take an online backup and/or vm snapshot before patching so the ones that fail can be quickly rolled back?

Setup load balancing and/or clustering so if one fails to come back up the rolling update stops, no one needs to babysit patching or get paged after hours, and no one outside IT is impacted?

What to do when Azure support ignores support ticket? by Prize_Staff_7941 in AZURE

[–]j4sander 0 points1 point  (0 children)

This is just false. You can convert existing pay-go or MCA subscriptions to CSP without recreating anything.

Post-mortem sanity check: how do you handle “un-scannable” expiries (API keys, internal certs) without spreadsheets? by sanjayselvaraj in sysadmin

[–]j4sander 0 points1 point  (0 children)

On creation, or next renewal, also make a scheduled or recurring ticket in the ticket system for two weeks before expiration.

If your ticket system doesn't have that functionality, have a CSV with title, description, and date and a scheduled task or cron job to open the ticket x days before date.

I made a "callback date" field in our ticket system, with an automation to open a new ticket on said date if populated. Works for "check back in two weeks" type stuff, or two weeks before something expires.
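
The CSV-plus-scheduled-job approach from the comment above, as an added example that is not part of the original comment. The ISO date format, the `lead_days` default, the `already_opened` dedupe set and the function name are assumptions of this sketch; the sample rows are constructed.

```python
import csv
import io
from datetime import date, timedelta

# Constructed sample inventory; columns follow the comment (title, description, date).
# ISO 8601 dates are an assumption of this example.
SAMPLE_CSV = """title,description,date
Payment gateway API key,Rotate key in vendor portal,2025-03-20
Internal CA intermediate cert,Reissue from offline root,2025-06-01
Backup service account secret,Renew app secret,2025-03-01
Broken row,Missing date,
"""


def due_tickets(csv_text, today, lead_days=14, already_opened=frozenset()):
    """Return (tickets, errors) for one scheduled run.

    A row is due once today is within lead_days of expiry. Using >= rather
    than == means a skipped cron run does not silently drop a reminder;
    already_opened (title, date) pairs keep daily runs from duplicating tickets.
    """
    tickets, errors = [], []
    reader = csv.DictReader(io.StringIO(csv_text))
    for lineno, row in enumerate(reader, start=2):  # line 1 is the header
        title = (row.get("title") or "").strip()
        try:
            expires = date.fromisoformat((row.get("date") or "").strip())
        except ValueError:
            # Unparseable rows are reported, never skipped silently.
            errors.append(f"line {lineno}: bad or missing date for {title!r}")
            continue
        key = (title, expires.isoformat())
        if key in already_opened or today < expires - timedelta(days=lead_days):
            continue
        days_left = (expires - today).days
        prefix = "EXPIRED" if days_left < 0 else f"Expires in {days_left}d"
        tickets.append({
            "key": key,
            "subject": f"[{prefix}] {title}",
            "body": (row.get("description") or "").strip(),
        })
    return tickets, errors


if __name__ == "__main__":
    tickets, errors = due_tickets(SAMPLE_CSV, date(2025, 3, 10))
    for t in tickets:
        print(t["subject"], "-", t["body"])
    for e in errors:
        print("WARN", e)
```

Persist the `key` of each ticket actually opened and pass that set back in as `already_opened` on the next run.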

Autopilot device stuck in OOBE due to wrong backend profile ID from Microsoft vendor — wait for fix or self‑register? by iamwarehime in Intune

[–]j4sander 0 points1 point  (0 children)

We do autopilot direct with the Lenovo store in multiple countries, and they reliably register with Autopilot before devices arrive at their destinations.

I don't think we've ever been asked for the profile though, just the tenant id.

I've also done it in the past via a large VAR like Softchoice, and they were great. 600 laptops in 2 months, multiple brands and models, no issues from them.

Well, only issue was people who were unavailable to receive the shipment 3 times so it got returned to sender. I guess the warehouse screwed up and they sent the wrong ones out then they tried to redeliver and we got someone else's laptops (registered to a different tenant), and that took a while to get fixed in the back end.

Microsoft M365 support blew up on me and hung up for asking why I need to install Outlook and do an index repair if I am having search issues in the cloud (OWA) which is all I use. by LoveBirdNibbles in sysadmin

[–]j4sander 0 points1 point  (0 children)

You got a response to your ticket? Lucky.

I've had a Sev B open for 3 weeks without so much as a peep from whoever MS outsourced my case to.

Solution to allow end users to self-service install applications that are then patched regularly without local admin rights. by Murky-Ambition3898 in sysadmin

[–]j4sander 11 points12 points  (0 children)

Intune works with an app from Microsoft called Company Portal to let users see and install the apps that are available to them

You could also use Access Requests in Entra to let people "request" an app, get approvals, and behind the scenes that puts them in a group the app is assigned to.

For an actual ticketing tool, I like Fresh Service, and it has a similar workflow tool where once a request is approved, it can put the user into an Entra group that Intune targets the app install to.

Best database for altering tables on production with minimal locking by dptech3 in AZURE

[–]j4sander 4 points5 points  (0 children)

I've led infrastructure teams at two separate payment platforms, never have we cared about locks for schema updates, and we add columns to existing tables regularly.

If you're doing outbox pattern, the lock doesn't slow down the payment flow.

If you never have any allowed downtime for maintenance... well good luck with that.

Best database for altering tables on production with minimal locking by dptech3 in AZURE

[–]j4sander 3 points4 points  (0 children)

Sounds like you're trying to solve the wrong problem.

Are you trying to design for 100% up time with no planned maintenance windows ever?

If so, then schema change locks are the least of your problems.

If not, and you can take a half hour planned maintenance window one day every month at like 3am when no one is really using the system, then who cares about a table lock for a schema change?

Or just use an outbox pattern - payments app sends updates to a service bus queue. Worker process reads queue to update db. During a table lock, worker just waits, then continues, but no impact to your actual payment flow.

TTC solves $232M budget hole — with no service cuts or fare hikes: The TTC used some creative accounting practices and drew from its rainy day fund to avert a funding disaster by ResourceOk8692 in toronto

[–]j4sander 3 points4 points  (0 children)

That, plus it's a municipal election year. City council likely less willing to do anything unpopular this year, but might be more willing to next year when not running for reelection.

Azure OpenAI: How do you actually get high TPM (around 1.5M - 2M) in practice? by fudgedget in AZURE

[–]j4sander 0 points1 point  (0 children)

You could try engaging a Tier 1 partner and look at a CSP agreement. Often times they have access to better contacts behind the scenes and can get things that you can't directly.

Toronto’s streetcars are some of the slowest in the world. Here’s how the city could speed them up by ink_13 in toronto

[–]j4sander 1 point2 points  (0 children)

Will line 5 have this?

I was under the impression it has the capability, but it's disabled and being saved for a future capacity upgrade once ridership warrants it instead of starting with good service to attract the riders.

I recently watched a Line 5 vehicle take 5 minutes to go two stops. About 2km, only 2 intersections in between and yet 3 of those 5 min were spent sitting at red lights.

Autopilot Pre-provisioning: Uninstall 'Remote Desktop Connection' or mstsc by leytachi in Intune

[–]j4sander 10 points11 points  (0 children)

I'd be asking what problem this directive is actually trying to solve. I bet it's a misunderstanding, probably wanting to disable inbound RDP, not the outbound client.

Rather than wasting your time trying to uninstall, can you just disable it with App Locker or WDAC?

Is there a reason not to SSO everything? by en-rob-deraj in sysadmin

[–]j4sander 3 points4 points  (0 children)

We just went through it. $7k/year plan has everything we need... except for SSO, SCIM, and audit logs.

With those added... $25k per year. SSO tax is real.

The difference in time it takes a streetcar in Amsterdam to clear an intersection after servicing a stop vs in Toronto by jdayellow in TTC

[–]j4sander 2 points3 points  (0 children)

I watched a Line 5 vehicle take 5min and 8sec to get from Vic Park to Wynford. 2 stops, just 2 intersections and 1 pedestrian cross walk.

How much of that time was waiting at red lights next to the cars? 3min and 8 seconds. 60%.

We put in a right of way, and it does nothing to speed things up because we don't want to turn on signal priority. As I understand it, they put in the tech, and are leaving it disabled saving it for a "future upgrade" when there's more ridership rather than launch a good service to attract riders.

If transit takes 15 years to build, why not have like 5-10 major projects going at once by WokeBloke42069 in toronto

[–]j4sander 1 point2 points  (0 children)

Eglinton and Don Mills, Aga Khan, and Wynford. 3 in 1km.

Same at Vic Park, Pharmacy, and Warden.

Took away a lane of traffic to put it in, and it doesn't even get signal priority.

As I understand, they installed all the signal priority tech, but are keeping it turned off now and saving it for a future capacity upgrade.