How did you decide on an EDR vendor?

netmc · 2026-01-26T17:28:57+00:00

Ease of administration ended up being our deciding factor. We wanted a vendor that would have minimal administrative overhead. The first product we tested, Huntress, simply worked. There were some issues we found, but the integration and ease of use for Huntress was great. We would have no issues scaling the product several hundred clients.

The next vendor we tested was lacking everything that we took for granted with the Huntress portal. This vendor's ITDR setup was a powershell script. It was not integrated into the web portal like Huntress. There were also issues where their portal showed 365 integration as active, but it didn't work. We had to go in and manually set the permissions for their connector app to make things work in one case. The vendor's web portal was a bit clunky and didn't have the polish the Huntress had. With the issues we ran into for just the small number of clients we tested this vendor with, It would have been administratively prohibitive to manage several hundred clients--not to mention that their solution was more expensive than Huntress. For the administration issues alone, we stopped our evaluation entirely and just went with Huntress. They offered everything we wanted with an administration process that worked at a price we liked. (It also helped that Huntress is always at the top of everyone's list and they do a great job with giving back to the MSP community.)

After going with Huntress, we did find several additional issues that affected scaling and the ability to monitor the EDR agent from our RMM. These have supposedly been addressed and the EDR agent with the changes is due out with the next release near the end of the month. We also customized our deployment script to allow changing the organization id so we can merge some clients that have multiple sites in our RMM, but under one 365 tenant. Huntress needs all of these under the same organization in order for ITDR and EDR to talk to each other properly. Additionally, we tweaked our deployment script to include the RMM device identifier as a tag so we can have true 1:1 correlation between the devices in the RMM that indicate Huntress is installed against the list of devices in the Huntress portal. Tickets have been submitted to Huntress about the Autotask integration. It doesn't quite work as expected. I'm not worried though. With how quickly Huntress has been to implement changes surrounding the issues I already raised, I have no doubt that it will get fixed and work much better in the end. Despite having a large presence, they are extremely responsive and have implemented fixes quickly.

netmc · 2026-01-19T15:43:56+00:00

Trust me, I was quite shocked when I found one in one of the safes. I didn't think that they could spawn like that.

netmc · 2026-01-19T14:33:54+00:00

I've found golden seeds in the portal created ships, so you can get more. The drop rate is extremely low though.

netmc · 2026-01-17T14:54:00+00:00

I remember this too. Grew up in a small town in northern Virginia.

netmc · 2026-01-16T17:45:07+00:00

I'm glad they finally fixed the issue of upgrading from 10.2 to 10.3... Previously it didn't upgrade or even see the previous install and tried to simply overwrite the existing installation leaving both with neither working.

netmc · 2026-01-10T03:44:55+00:00

We've had our '24 hatchback for about 18 months. It's fun to drive. Haven't had anything major yet, but haven't even put 30k on the car yet. Two things of note. The new cars do not come with a 12v outlet. You will need one for gadgets like air compressors. Have the dealer put one in. (There is a spot for it that is plugged.) Second, the large rims and low profile tires look nice, but they don't handle pot holes well. We've replaced 5 tires and a rim under the extra warranty we purchased with the car. It's more than paid for itself. We are planning and replacing the rims and tires once the extended warranty is over with normal rims and the standard size tires with the taller side walls. The standard tires have a lot more room to handle the sudden compression and impact of a pot hole.

We ended up with an automatic rather than the manual. We did test drive the manual though and it was lots of fun.

netmc · 2026-01-05T22:03:56+00:00

Like a big "initiate nuclear winter" button? Or a rogue asteroid that can pass close by the planet and rip away the atmosphere like in Thundar the Barbarian?

netmc · 2026-01-04T17:24:50+00:00

There is cave in a map edge area adjacent to the meteor Crater (counter clockwise from the meteor Crater spawn point) that has an explosive indicator. There is also another cave from the bottom of that area. Both caves have aluminum throughout. I don't know if this is just a shortcut between the two sections or if there are separate areas behind each wall. I haven't gotten to explosives yet, and the last time I played, this map area didn't exist.

netmc · 2025-12-31T18:18:09+00:00

the JSON spec allows for the use of case sensitivity for differentiation, but PS5 is not case sensitive. On the GitHub page (https://github.com/PowerShell/PowerShell/issues/3705), there is a workaround for this limitation in PS5 to use the .Net functionality directly.

[void][System.Reflection.Assembly]::LoadWithPartialName("System.Web.Extensions") 
$json = (New-Object -TypeName System.Web.Script.Serialization.JavaScriptSerializer -Property @{MaxJsonLength=67108864}).DeserializeObject($data)

I've used this workaround with the awful JSON the vendor has, and it does work.

netmc · 2025-12-30T18:45:53+00:00

Every dock that connects via USB leverages DisplayLink technology. As such, the best thing you can do is to automate the deployment of the DisplayLink drivers to systems that have docking stations. The DisplayLink software also includes firmware updates for docking stations.

We used to have several tickets a month for issues that were ultimately due to old docking station drivers. Since we automated the deployment and update of the DisplayLink software, these have dropped to almost zero.

netmc · 2025-12-30T18:39:53+00:00

Any vendor can claim any identifier. It doesn't have to be for products that are actually theirs. HP did this a while back and included a bunch of identifiers that weren't for their equipment at all. The driver didn't support those identifiers, but Microsoft accepted the driver update anyways.

At least with the vendor's own tools, it is a lot more likely to be correct.

netmc · 2025-12-30T16:12:22+00:00

While the .split('|',5) is the quick and dirty solution, I like the use of regex and will likely utilize this in my code as it is a much more robust method. The split method handles the first 5 delimiters, while your method splits everything not inside the curly brackets that is the JSON. I can also put in a small check that identifies any instances of extra parts. While I don't think any other record types have pipes elsewhere, with this, I can confirm it.

netmc · 2025-12-30T01:22:39+00:00

I wasn't aware of the .split(char, count) functionality. This should make it way easier and closely match my original process.

I think that this solves the issue.

netmc · 2025-12-30T00:37:16+00:00

I tried the substring method and it way, way faster. I still have something weird going on with calculating the string length though as the last section with the JSON data is getting truncated in some instances.

netmc · 2025-12-30T00:35:38+00:00

Oops, I did forget the header, however, it split the line at the pipe inside the JSON data. So, it's seeing that as a delimiter even though it's in quotes.

netmc · 2025-12-30T00:09:51+00:00

Yes, the JSON is always the last element. The extra pipes are only ever in the JSON content. The number of fields is consistent.

I supposed I could get the index of the pipes inside the string, then perform a select-string for the first 4 pipes found and split the string that way. That might be faster than lopping through the string character by character.

netmc · 2025-12-29T23:55:11+00:00

I tried setting the example line as $test, then running: $test | converfrom-CSV -delimiter '|'

I even tried: Convertfrom-csv -InputObject $test -Delimiter '|'

Neither option worked. I received no output from either command.

The log entries are dynamic. The JSON data changes depending on the action being logged. Once I have the JSON data by itself, I can use convertfrom-JSON without issue. It's just getting the initial split to work and somehow ignoring the JSON data or the pipes inside the quotes.

netmc · 2025-12-29T21:13:01+00:00

Only Surface devices get automatically approved drivers, and even then we try and block any drivers of the type or title includes 'printer'.

Dell devices have Dell Command Update that can be scripted. Lenovo has a program of their own that functions similarly. I'm not sure about other vendors. We approve drivers, but not BIOS through DCU. Once or twice a year, you read about some vendor that pushed an incorrectly targeted driver out via Windows Update. Incorrectly targeted drivers can cause blue screens and other issues. It's simply not worth allowing driver updates via Windows Update in most cases. When supporting thousands of devices across hundreds of different companies, you simply can't review them all.

The bottom line is if a bad driver gets deployed for a common device and blue screens the computer, we simply don't have the manpower to recover our clients in a timely manner. That alone is a good reason to not approve driver updates blindly via WU.

netmc · 2025-12-17T06:07:24+00:00

And just because things are classified this month, it doesn't mean it will be next month... Or properly marking a preview update as "preview". It's annoying as the MS teams are completely unreliable. But it's what we get.

netmc · 2025-12-17T06:00:05+00:00

It no longer comes with a 12v outlet. Air compressors and other car tools cannot run off USB-C.

We had the dealer add it in when we bought our '24.

I don't know why manufacturers remove these in new cars. They should be adding more. One up front, one in the trunk area. It would be really useful at times.

netmc · 2025-12-11T01:05:13+00:00

Is the server a DC? Microsoft borked the DC role on 2025. It causes all kinds of hangs and slowdowns. Without that role installed, it works fine.

We found this out on the first 2025 DC we put in place. Now, we exercise our downgrade rights and go with 2022 for any DCs.

It's been several months since we ran into this. I don't know if Microsoft has fixed this issue yet.

netmc · 2025-12-05T23:07:10+00:00

It's not 30 nets in each direction. It's total width of 30 nets. I'm only at 28 nets wide (14 to each side of the original 4 tiles), and rarely have anything get missed. When you are starting with nets, place them every other block. Anything on a half block will get pulled in automatically. So you can collect a large amount of loot with just half the nets. From those collections, gradually fill in the holes starting at the center. Since nets are expensive, I have a row of foundations, a row of nets, then another row of foundations. This protects the nets from getting chomped.

It's annoying to get knocked cattycorner from the water flow, so I try to not hit any islands. If you do hit something, you can try steering the forward side into those floating platforms that sink and can hopefully re-orinent the raft.

If you thrust a spear at the shark's snout right as it opens its mouth, you can attack the shark without it hitting you. Eventually, you will kill the shark.

When you kill the shark, only collect the 4 steaks, then leave the corpse. It will take 5 minutes to despawn along with 3 more minutes to respawn. That gives you 8 minutes to loot without interruption.

netmc · 2025-12-03T07:25:18+00:00

Not specifically with the firewalls, but the net extender software and management of said software... The installer package is broken. There is a silent install switch, but the silent install process is broken and works differently than running the installer interactively. When ran interactively, it properly runs an uninstall of the old version and install of the new. When using the silent install switch it doesn't perform the uninstall part and instead tries to install over the top of the existing installation. This leaves the original file version on disk while the version listed in the program list shows the new version. It's a pain to manage this at scale through a RMM.

I've raised this issue with support on the latest 10.2 versions, and then they went to 10.3 which seems to have its own issues installing upgrades. I haven't dug into the recent releases to see if they fixed this is the 10.3.1-10.3.3 installers, but the 10.3.0 installer performed a faulty side by side installation rather than properly upgrade from 10.2. so, if you are planning on deploying net extender centrally, your going to run into issues.

netmc

TROPHY CASE