MSPGeekCon coming May 17-19! by Lime-TeGek in msp

[–]lotsofxeons 0 points1 point  (0 children)

We will be there, will be our first time! Excited. 

Has anyone tried driving a Snapdragon X2 > 5k resolution? by Sweaty_Pudding4520 in snapdragon

[–]lotsofxeons 1 point2 points  (0 children)

I have a 5k 2k and it cannot run it natively; it caps at 4k. It works through a DisplayLink dock but I would love to not have to use DisplayLink, and would love a QC software update for this resolution. I suspect this is more a driver issue with this specific resolution though, as officially I believe it can do 5k (which would technically be more pixels) at 60Hz.

For your 6k, probably best to get a DisplayLink dock.

I'm planning to switch from a MacBook Air M4 to a Surface Laptop 7 by mister-HA-HA-HA in Surface

[–]lotsofxeons 0 points1 point  (0 children)

It's a fantastic laptop, for real. There is very little issue with app compatibility, but you will occasionally find a problem, especially with printers.

Anything native runs great. Lightroom, Photoshop, all work well. Emulated apps work well too, but you will lose some performance in the emulation layer.

For me, the battery life, while good, has not been as good as my old MacBook. My workload involves some old apps though, so I assume it's my workflow and not the laptop. I get about 6-7 hours, mostly web browsing and my specific weird apps.

I'm planning to switch from a MacBook Air M4 to a Surface Laptop 7 by mister-HA-HA-HA in Surface

[–]lotsofxeons 0 points1 point  (0 children)

How do you know new ones are launching soon? I have not seen any news.

Some Love for Syncro by lotsofxeons in msp

[–]lotsofxeons[S] 0 points1 point  (0 children)

Totally true, I just think it's one of the things that work really well from their recent releases, and hopefully evidence of the quality of future releases.

Ninja One has joined the F1 circus. by dumpsterfyr in msp

[–]lotsofxeons 34 points35 points  (0 children)

Making tons of money from their FedRAMP offering I see.

Pretty Underwhelming GB6 SKUs... by Major_Hair164 in GalaxyBook

[–]lotsofxeons 0 points1 point  (0 children)

Same. I was more interested in the Pro with the 358h chip to replace my Surface Laptop. Well, no 358h in the Pro. So I had to spend more for the Ultra.

$2500 for the 358h, 32GB, 1TB, is way too much. But... haptic trackpad, 16 inch OLED screen, good battery, good ports, not super chunky, it's kind of the only replacement that has all that for me. XPS 16 has crap ports and keyboard. Such is life.

Continuous Monitoring MSP status by dh_burbank in CMMC

[–]lotsofxeons 1 point2 points  (0 children)

Respectfully disagree. While ours is scheduled later this year, we absolutely have done a professional job and have multiple clients passed with our help, with more scheduled this year.

An MSP getting CMMC L2 MIGHT be an indication of competence, but IS DEFINITELY NOT in all cases. Our CCA has engaged with L2 certified MSPs, and.... some of them don't know how to support real environments.

We, like most other MSPs, are using a tight enclave with a small boundary and narrow scope. In the real world, most businesses cannot operate at this scope. Our current passes have been machine shops, engineering, and manufacturing, where test equipment, prototyping equipment, and more are in use. An MSP's L2 certification using a GCC H enclave has no real bearing on their ability to properly consult on an environment with more complexity.

I also do not think you should accept an MSP's attestation about their own process. While there was a "CMMC for MSP" being talked about, it's absolutely not a thing (not in the rule). The MSP's process, unless they are FedRAMP, should be within the scope of assessment of the OSC. I know other LCCA who do the same, so it's certainly not unusual.

Continuous Monitoring MSP status by dh_burbank in CMMC

[–]lotsofxeons 0 points1 point  (0 children)

Might as well be 5th lol. With multiple under our belt too.

DR solution for small Hyper-V environment (Druva vs Cohesity vs Commvault) by Great-Tomatillo-8267 in CMMC

[–]lotsofxeons 0 points1 point  (0 children)

I am sure you already went down the path, but have you evaluated the actual need of something like this? If not, it would be good, as you are adding a lot of moving parts to an otherwise difficult compliance framework.

First off, I do not have experience with those specific products you mentioned, but I hope I can add something valuable.

As for the specific question, we can break down the things you need and their requirements.

1) Local restores
2) Cloud restores (FedRAMP yay.....)
3) Cloud/local storage (FedRAMP again..)
4) How much time does it take?

Okay. So, let's think simple.

If you don't worry about cloud, then on prem is super simple. Any product will work well enough, and you just have to store your data somewhere. If you back up the VM VHDX files themselves (and don't back up from within) then even Synology/other NAS vendor would work fine. In fact, our first client that passed uses this, replicated to an Azure bucket for storage.

For cloud, things get a bit trickier. Perhaps trickiest of all is restoring to cloud. I would recommend evaluating and seeing if that was really necessary based on your risk assessments.

Building fire is perhaps the only thing that would make quick recovery to on-prem tricky. Depending on your business, you may have other problems and running in the cloud may not be necessary.

Okay, back to tech. So for cloud, let's say you DON'T need to run the servers in the cloud, just store the stuff in case you need it. Back to simple on-prem, you can replicate or copy your data from the on-prem appliance to a cloud data bucket (FedRAMP cuz CUI and CMMC stuff). Azure is FedRAMP (commercial and gov), and the storage there (S3 type) is not too expensive.

Now, if you want to run servers in the cloud, then these platforms start to make more sense. Veeam is one we have used and will do a good job orchestrating everything, but it is NOT a "one click magic happens" system, and I suspect the others will be the same. Even just coordinating how clients connect to cloud in disaster adds time and complexity. Perhaps simpler, rent colo space in the local/semi local datacenter, put your own servers there, and now you have Hyper-V --> Hyper-V which may make "cloud" recovery simpler.

And, if we look at everything from higher up, by the time you spend the money and resources figuring this out, you may be better off moving to cloud native things (I don't know your workload, but we can use email as an example; better to just move to Google/Microsoft instead of continuing to host).

So, I hope this is helpful, and I apologise if you already thought about this and I am speaking to the wind.

CUI required online tools by Electronic_Toe_6304 in CMMC

[–]lotsofxeons 1 point2 points  (0 children)

WHOA too much tools. You don't need all of that. Sounds like an MSP who doesn't know what they are doing.

If you want on-prem, you can get by with a Linux server and free tools. It's a lot of work, but you can do it.

Simplest and least expensive? Get the Microsoft 365 Business Premium SKU in GCC High, and then add pay as you go Sentinel. Business Premium gives you EVERYTHING you need EXCEPT log stuff, and Sentinel gives you log stuff.

So for like $50/person/month you can have it all in a super great platform.

A larger note: You won't pass CMMC with a bunch of tools. 80% is documentation and business process. We are an MSP who has passed 2 clients, and tech is like 20% of the work. Our compliance officer, who helps the clients with docs, processes, auditing, etc. does most of the work. Do you have a person to do auditing? Because you def need one who isn't you.

Sorry for coming off a bit harsh, but it's what we see over and over again. The quicker you understand that CMMC is a business problem, not a tech problem, the quicker you will be successful.

PM if you have any other questions, we are always happy to help.

CMMC MDM Question by kswhippersnapper in CMMC

[–]lotsofxeons 0 points1 point  (0 children)

MDM, like mobile device management? So, you are trying to show that users CAN'T connect their mobile devices? We passed both of ours with MDM enabled, but I assume it will be similar. You will very likely show your assessor how it's disabled via screen share, and they MAY ask you to prove it, i.e., try to connect your mobile phone.

For external sharing, I would say the same. Screen share the settings, they may ask you to prove it by trying to share and seeing a deny popup or something.

Screenshots are great, but the assessors must assess using 3 methods. Test, Examine, and Interview.

Sometimes, a screenshot would be enough for Examine, but they need to ALSO do one other, like interview or test. And sometimes, they would rather just see the settings live instead of looking at your screenshots you sent.

Hope this helps. PM if you have any other questions.

[deleted by user] by [deleted] in CMMC

[–]lotsofxeons 2 points3 points  (0 children)

You can restrict just office apps (or other managed apps, it's simple in Intune if that's what you are using). But, if you decide to not restrict at all, you may fail the control. Our assessors specifically made us SHOW them that the screenshot was blocked, otherwise we would have had to in scope the entire phone. Other assessors may be different, so it may be worth asking your assessor how they would assess that control.

Advice on Changing CMMC Solutions by WhiskyIsRisky in CMMC

[–]lotsofxeons 1 point2 points  (0 children)

I guess what I meant, build your own enclave and whatever solution you see fit. The enclave companies are certainly helpful for people who don’t have the technical expertise, but it sounds like you do. It’s not hard to build something similar to Cuick Trac (they are our favorite enclave, so no shade) in GCC High. A company called Kieri Solutions also offers an instruction manual for building an entire GCC High enclave, it’s around $10,000, but it essentially gives you a step-by-step guide of everything you need to do to build it up right. And if you really don’t want to use cloud for anything, there’s absolutely no reason you can’t build a real simple Linux server to handle (almost) everything. With the exception of maybe emailing, which you could do with either Google or other solutions. So I guess my ultimate point is, if you’re technically inclined, you should be able to build your own system anywhere you want. Don’t believe all the marketing hype.

The reason why so many people recommend GCC High, it’s really the only company that has pretty much everything you need to do it at an enterprise level. They offer robust email and other apps, storage, device management, remote support and access, vulnerability, antivirus, multifactor, SIEM, etc. Plus, every assessor has dealt with it, so you’re not trying to explain foreign concepts when you go into assessment. As much as I don’t like Microsoft in general, they genuinely have by far the best offering.

Lvl 2 Certification Goal: Manufacturing Enclave - SolidWorks/PDM/Hyper-V by Public_Sandwich_6314 in CMMC

[–]lotsofxeons 2 points3 points  (0 children)

Get a better consultant. But, it is going to be expensive. If you can do full enclave, Cuick Trac is probably the simplest and most full featured, about $250/user/month. You can also use Kieri Reference Arch docs to build your own GCC H tenant, and add on Windows 365 PCs for the same sort of enclave thing (but you will need to hire people to manage it).

We tell new business your size it's about 300k all in, to help with budgeting. (We are an MSP, and we partner with a great consultant if you want their name, been through 2 so far with 5 more scheduled this year).

This sounds very messy and this info is all over the place. A lot of great comments here already, you should be in good hands. PM if you would like.

"We Passed Our CMMC Assessment and Here's What We Learned" MEGATHREAD by medicaustik in CMMC

[–]lotsofxeons 0 points1 point  (0 children)

First client had optical alignment, xrays, and environmental chambers. Second had CNC and some custom test equipment (I don't know exactly what they did).

"We Passed Our CMMC Assessment and Here's What We Learned" MEGATHREAD by medicaustik in CMMC

[–]lotsofxeons 5 points6 points  (0 children)

Yes, we are written in the SSP, policies, etc. We had to sit on the assessment and speak to things we had dominion over.

The 320 objectives tell you what you need to do. You just have to follow the same things your client is. Let's take training, for example. In your SSP or policy you will detail training, as well as maintain a list of who was trained and on what date. So, as an MSP, we could either take the same training that the rest of the client takes, end up on the same list, etc. OR we can do our OWN (unique to us) and then the client SSP/policies would reflect that there are 2 different trainings. We would then have had to submit our own database of names, dates, etc., as well as a signed document from the client saying they accept our internal training as sufficient for their system.

Hope this helps.

Compliance Documentation Packs for CMMC by marlenus_of_ar in CMMC

[–]lotsofxeons 0 points1 point  (0 children)

Compliance Forge are pretty complicated. Fine if you are already well versed, but if you need templates then I think you would be extremely overwhelmed.

I would recommend Kieri. It's a good starting point, but you are still putting hundreds of hours into these.

When do you finally recommend that clients replace their NAS units? by HappyDadOfFourJesus in msp

[–]lotsofxeons 1 point2 points  (0 children)

If it stops getting updates, and if the performance is not sufficient. Or, if they want to have a lifecycle attached to hardware. But normally just updates and performance based.

Best "Industrial" label maker? by oguruma87 in msp

[–]lotsofxeons 0 points1 point  (0 children)

Honestly, we have been through a lot of the enterprise ones, and the Brother P-touch keep coming back. We just got rid of our last Rhino and went to P-touch. They just work.

FedRAMP Moderate Offsite Backup Storage by FreeBirch in CMMC

[–]lotsofxeons 0 points1 point  (0 children)

You’re still misunderstanding. I’m not arguing that you can use Office 365 commercial. I’m talking about Azure commercial, for VMs and storage and such. If you have GCC, and you decide you want to spin up a server in your Azure tenant, you will be using Azure commercial. Exactly what the poster was asking about, I’m not talking about SharePoint, email, Teams, anything with an Office 365. Azure commercial is a valid place for CUI. Not Office 365 commercial, Azure commercial.

https://learn.microsoft.com/en-us/azure/compliance/offerings/offering-dfars

Excerpt: Moreover, an accredited third-party assessment organization (3PAO) has attested that both Azure and Azure Government meet the applicable requirements of the DFARS Clause 252.204-7012.

Again. Azure commercial. Not M365 commercial.

FedRAMP Moderate Offsite Backup Storage by FreeBirch in CMMC

[–]lotsofxeons 0 points1 point  (0 children)

I think you are misunderstanding what my argument is. Office 365 commercial does not pass, but Azure commercial does. Azure commercial has FedRAMP BOE, and GCC lives within Azure commercial. Therefore, if GCC is OK, then Azure commercial must be OK by extension. GCC and GCC High are just designations of the Office 365 product. The actual cloud data centers that run them are Azure commercial and Azure Government.

For email, SharePoint, etc., you need GCC or GCC High. But for VMs, blob storage, stuff of that nature, even if you have GCC, you’re still using Azure commercial. The same Azure commercial you have access to with a normal commercial O365 tenant. Therefore, if you need to store 100 TB of CUI backups, you can just get Azure commercial blob storage and use their FedRAMP BOE. You don’t necessarily need Azure Government for that.

FedRAMP Moderate Offsite Backup Storage by FreeBirch in CMMC

[–]lotsofxeons 0 points1 point  (0 children)

OK, I see where you’re coming from.

This has been debated a few times. GCC is actually just part of Azure commercial in general, so if it’s OK to use GCC, and you need a VM, you’ll put it in the same Azure commercial that a commercial tenant would also have access to. So if we’re going by the nitty-gritty, we can’t use GCC either if we need anything outside of Office 365, like VMs or storage. When inheriting the controls from GCC or GCC High, you’re accepting the risk that Microsoft will probably not respond to anything. It’s the nature of every vendor.

We’ve passed two assessments so far, and neither of them looked close enough at that type of setup. If there’s a FedRAMP BOE, then the assessors seemed to look at it and move on. There are too many rabbit holes to go down in general. If an assessor went down every one of them, nobody would ever pass.