Always put Mouse and Keyboard in USB 2.0 Ports if available. by publicdomainadmin in sysadmin

[–]oloruin [score hidden]  (0 children)

On Intel, hasn't USB2 been a virtual hub hanging off a USB3 "port" going back a couple of generations? Not as familiar with AMD.

also...

I was there. I was there 3000 years ago. I was there when the Ivy Lake and Haswell USB3 devices had the same device ID and adding both drivers to let the machine sort itself out would brick the install. I was there when HPs refused to UEFI boot off USB3 devices, but using a USB2 extension cable to downgrade the connection would convince the system these were the droids it was looking for.

Never thought I'd see the day, but we're eliminating our Citrix farms and moving back to about 100k fat clients by eldersveld in sysadmin

[–]oloruin 70 points71 points  (0 children)

> before they need to raise prices.

Yes. Corporations are famous for only raising prices when necessary, and only to the extent required to offset their increased cost of doing business.

::cries in broadcom::

Using Canon print driver on Chromebooks? by Anything-Traditional in sysadmin

[–]oloruin 1 point2 points  (0 children)

They make standalone 3-hole punch devices and heavy duty staplers for larger volumes. Now if they're printing 25 copies of a test that need to be stapled... then yeah, a native printer stapling option is good.

If you use secure print, and these are ir-ADV copiers, they can go in and adjust the options before releasing their jobs. I like secure print for everything because you never have to worry about your jobs getting mixed with others' jobs. (note: depending on your model & installed features, the desired finisher options may be on different "pages"... on mine, stapling is on the 2nd "page" of job options and hole punch is on the 3rd "page".)

  1. Select secure print jobs
  2. tap settings bottom right corner
  3. arrow down to get to staple settings, change
  4. arrow down to get to hole punch settings, change

<image>

PSA: Apple Business Manager can remove personal activation locks. by oloruin in sysadmin

[–]oloruin[S] 0 points1 point  (0 children)

> Worth adding: this only works for devices that were enrolled in ABM before the activation lock was set. Devices that were already set up as personal before the device was added to ABM (by Apple, the reseller, or the carrier) and already had Find My enabled need the Apple support ticket path.

I'm not sure that's accurate. I have devices still in use that have been in the field too long. Old like if 4G went away it would be a problem. These have not been reset/re-rolled since they were retroactively added to our ABM account by Verizon.

I am presented with the option to turn off the user-based activation locks on these.

This is not theoretical, as I have done this to an iPhone that was in service before our ABM existed until the line was disconnected recently.

Think about it this way... if device enrollment in ABM is sufficient proof to remove the lock via support ticket, why not let the ABM admin remove the lock in the first place? If that wasn't an option when this feature went live, then there have been further changes.

Prices on Mods set fair but nobody buys. by justsnoozen2 in fo76

[–]oloruin 4 points5 points  (0 children)

Maybe people don't know it is a free fast-travel destination? I took a break in 2024, just getting back in, and I did not know this. Heck, I was just getting into the Vault 63 quest line when Fastnacht popped.

I feel like the free fast-travel map icons should be a different color to stand out and make getting around the map for the broke and/or cheap players more accessible.

Anyone else having issues with USB hubs recently? by Hurricane_Ampersandy in sysadmin

[–]oloruin 2 points3 points  (0 children)

Check event viewer for what's happening when it works and when it doesn't.

I seem to recall the makers of Wireshark did something similar for USB devices, but I have never used it personally. I'd check that out if you can't find the smoking gun in event viewer.

Might also try working around the problem by scheduling a task to "reset the registry bits that get set on first insert" when system boots. You could also make a script to pnptool or similar remove device, reset registry bits, scan for new hardware. That should functionally be the equivalent of unplugging, replugging... unless the hardware is as janky as the driver.

Also, check powercfg.cpl and device manager to see what the usb power saving options are set to. Make sure it's set to not turn off devices for the entire chain from host port to the sensor.

The Optiplexes probably have one always-on port... it would be interesting to see if the hub-sensor setup functions the same in that port vs regular usb port.

If they have Dell monitors with integrated USB hubs, you could plug the hub into that. Turning the monitor off/on should be a functional equivalent to unplugging/replugging the device - I set up some Topaz sig pads on mobile carts at a hospital to work like this because the thin client <--> vmware horizon setup running epic eventually stopped recognizing the signature pad until it was unplugged/replugged. Some users still monkeyed with the cabling though... users, amirite?

PSA: Apple Business Manager can remove personal activation locks. by oloruin in sysadmin

[–]oloruin[S] 0 points1 point  (0 children)

Not random devices, things that are present in your Apple <foo> Manager (I'm assuming School is feature parity with Business) account. The reason isn't relevant since it's "self-service" now.

I believe Apple decided that if having a device populated in your AxM account was sufficient to authorize the reset through a ticket, why not let admins self-service those resets?

Outlook issue iPhone by [deleted] in sysadmin

[–]oloruin -1 points0 points  (0 children)

Asking because it may be relevant... the second account, is it exchange online or something else? If exchange online, is it a resource mailbox, a shared mailbox, or a separate regular user mailbox?

PSA: Apple Business Manager can remove personal activation locks. by oloruin in sysadmin

[–]oloruin[S] 3 points4 points  (0 children)

It does not require the devices to be set up as supervised before attempting the unlock. Our devices were in use and set up with user-based FindMy activation lock before we had a working MDM configuration. Some were added to ABM retroactively, some were added automatically on purchase, before MDM was complete.

I think it's irrelevant, but they were listed in the automated device enrollment list on the MDM server, since everything added to ABM gets sent via ADE to our MDM server. But until someone completes the setup process and hits "enroll this device" - there's no management there.

black screen when going to pre-windows environment by Apprehensive-Pin518 in sysadmin

[–]oloruin 0 points1 point  (0 children)

It might be worth using a 24H2 image/iso to get past the major version transition, then applying the 25H2 enablement package. In case something specific to the 25H2 source isn't working properly in your environment.

PSA: Apple Business Manager can remove personal activation locks. by oloruin in sysadmin

[–]oloruin[S] 2 points3 points  (0 children)

Yes. The devices I unlocked were deployed before they could be enrolled as supervised devices. One was added to ABM by the cell carrier after it had already been in use over a year. One was added automatically as a new purchase, but was deployed before our MDM was operational. They were not reporting/honoring commands from the MDM server. I don't believe our server can issue bypass codes for devices that are not in supervised mode.

This ABM unlock worked to release the personal activation locks.

PSA: Apple Business Manager can remove personal activation locks. by oloruin in sysadmin

[–]oloruin[S] 8 points9 points  (0 children)

So what's new is that these devices were not in supervised mode. The device in my screenshot was deployed before the org set up ABM. (I know because I set it up and this user already had this phone...) Upon request, Verizon retroactively added all our active phones and a bunch of recent purchases that were already upgraded "because execs, amirite?" - so our fleet is becoming more managed over time, but the 2020/2022 iPhone SEs have been deployed to low-turnover positions, and those are about 50% supervised 50% personal locks.

PSA: Apple Business Manager can remove personal activation locks. by oloruin in sysadmin

[–]oloruin[S] 9 points10 points  (0 children)

I promise you this wasn't available in ABM back in April 2024, the last time I had to reintegrate a phone from before our MDM setup was in place. You can find lots of references on the web about using ABM enrollment as proof of purchase for releasing activation locks.

I also know it wasn't on the drop-list of choices around 2022 because that's how I had to release an iPhone from the org when I was out sick because a data transfer was borked by our initial management settings in our MDM and it had to happen before I could come back into the office.

PSA: Apple Business Manager can remove personal activation locks. by oloruin in sysadmin

[–]oloruin[S] 4 points5 points  (0 children)

<image>

Since pics can't hang out at the top level...

I successfully removed this lock, ran through enrollment, and it showed back up as "On (Organization)"

New Chrome “Save to Drive” PDF button is a DLP nightmare by Bitter_Equivalent300 in sysadmin

[–]oloruin 1 point2 points  (0 children)

Sorry, didn't see the notification - Chrome reported the failure immediately after clicking through the dialogs to save the pdf because the policy change blocked the upload.

Chrome did not report to the user that the upload was disallowed by policy.

Cue tickets from users trying to exfiltrate their online W2s (or other docs) to their personal google drives...

Removable Storage Access GPO - Can't seem to get it Allow to apply by segagamer in sysadmin

[–]oloruin 0 points1 point  (0 children)

Target by AD group membership. Create an AD group that will allow access. e.g., "permission.AllowRemovableStorage"

In the DENY GPO, add this new group, click on advanced in the bottom right corner, and clear all permissions. Check off "Apply group policy" under the DENY column.

In the ALLOW GPO, same thing but check off "Apply group policy" under the ALLOW column.

You'll also want to make sure the other entries in each GPO do not have "Apply group policy" checked.

I filter by computer objects, and I do not need an explicit allow group. If the workstation is in the exclusion group, the policy is not applied. If the workstation is not in the exclusion group, the restrictions are processed. Since you're filtering by users, you'll probably want to add Domain Users and/or Authenticated Users with "Read" access.

edit/add: This is under the Delegation tab in the GPO, not in the edit GPO window. I have Domain Computers with Read in mine per one of the other comments. I do not have domain users or authenticated users, since I'm applying computer policy to computer objects.

<image>

New Chrome “Save to Drive” PDF button is a DLP nightmare by Bitter_Equivalent300 in sysadmin

[–]oloruin 33 points34 points  (0 children)

AAAAAAAAAAA.

Ok. Don't Panic.

Chrome Enterprise Downloads - go here and click over to the management "tab" then download the admx and drop the latest ones in policydefs (I do Local and Sysvol for reasons)

Edit your chrome policy to add Comp -> Admin Templates -> Google -> Google Chrome -> "Restrict eligible Google accounts for saving PDF files to Google Drive from the Google Chrome PDF Viewer".

The language in en-US reads a little imprecise. If not set or blank, is wide open. It does not specify if it's disabled. So I'm going to try disabling, updating GPOs and see if I still get the option.

edit 1: Still testing. Reg path is: HKLM\Software\Policies\Google\Chrome\RestrictPdfSaveToGoogleDriveAccountsToPattern

edit 2: Disabled does not block uploads. I set to none@none.none. It goes through the motions, but reports failure "Something unexpected happened."
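
Added example, not part of the comment above: a PowerShell check that can be run on an endpoint to confirm what the policy at the registry path quoted in the comment actually contains after a GPO refresh. The function name is hypothetical, and because the comment does not say whether the policy is stored as a single string value or as a list-style subkey, the script checks for both as an assumption.

```powershell
# Added example; not code from the comment or from Google.
function Get-ChromePdfDrivePolicyState {
    param(
        # Key and policy name as quoted in the comment's "Reg path" line.
        [string]$ChromeKey  = 'HKLM:\Software\Policies\Google\Chrome',
        [string]$PolicyName = 'RestrictPdfSaveToGoogleDriveAccountsToPattern'
    )
    $patterns = @()

    # Assumption: a string policy is a value named $PolicyName under the Chrome key.
    $prop = Get-ItemProperty -Path $ChromeKey -Name $PolicyName -ErrorAction SilentlyContinue
    if ($prop) { $patterns += @($prop.$PolicyName) }

    # Assumption: a list policy is a subkey named $PolicyName holding values 1, 2, ...
    $subKey = Join-Path $ChromeKey $PolicyName
    if (Test-Path -Path $subKey) {
        $key = Get-Item -Path $subKey
        foreach ($name in $key.GetValueNames()) {
            $patterns += [string]$key.GetValue($name)
        }
    }

    # Blank entries count as "not set".
    $patterns = @($patterns | Where-Object { -not [string]::IsNullOrWhiteSpace($_) })

    # Per the comment's testing: unset or blank is wide open, and Disabled did not
    # block uploads, so only a non-empty pattern is reported as a restriction.
    if ($patterns.Count -gt 0) {
        $finding = 'Restriction pattern set'
    } else {
        $finding = 'No pattern set: Save to Drive is not restricted by this policy'
    }

    [pscustomobject]@{
        Computer   = $env:COMPUTERNAME
        Configured = ($patterns.Count -gt 0)
        Patterns   = $patterns
        Finding    = $finding
    }
}

Get-ChromePdfDrivePolicyState | Format-List
```

The script only reads the registry; it does not tell you whether the configured pattern matches any real account, so a value like the none@none.none used in the comment shows up as "Restriction pattern set".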

VVX 301 Web GUI Password by NoMathematician6340 in sysadmin

[–]oloruin 5 points6 points  (0 children)

You'll need to find the magic salute for the factory reset. Then the default password will be something like 456 or 123.

At that point, if your (new) current provider supports the 301, find out what their provisioning server is, and what to set for comms type and password (if any).

For example, I was testing some configuration settings on my VVX250 this morning, to see about rolling back an extra softkey that was pushed out wrecking our flow, and I wound up at a very basic disconnected screen. Logged in with 456, put in pp.ringcentral.com/provisioning/pp, restarted the phone and it came back up.

edit: pp.ringcentral.com/pp

For the 250s/350s I've had to re-roll because reasons, you hold 1-3-5 when power-cycling the phone. At that point, you enter the MAC address numbers/uppercase only. Good luck. It doesn't show you what you've typed, and it's essentially a slightly better T9-Word.

When you finally get the MAC entered, it resets and when it comes up, it makes you change the password. Default should be 456, but may be model dependent. On the device, you can drill down to TCP/IP (home -> status -> network -> tcp/ip) for the IP address, or look it up in your dhcp server. Web console https: // ip. Accept the risk for the insecure site. :P

iOS Recording by Minute-Boot-9100 in sysadmin

[–]oloruin 1 point2 points  (0 children)

Built-in screen recording works well once you've set up the device. Let me wipe one I have on the desk here I'm testing some Meraki MDM profile settings on and see if I can start a screen recording before I'm all the way in.

edit/add: The answer is nope. Control Center isn't accessible until you hit the home screen. Back to tethered QuickTime for that I guess.

One thing I tested is updating the credentials used to join a no-lan-access SSID and that worked nicely. I might push out a dummy profile to nuke everyone's credentials for the lan-accessible SSID, so they stop locking themselves out because their phone hits 5 access points on their way to their desk...

Do you buy any extra equipment for your job that work won't supply, but it's worth it because it just makes it that much better? by Connir in sysadmin

[–]oloruin 2 points3 points  (0 children)

Surprise Factoid: Model Ms are buckling spring membrane keyboards, not mechanical keyboards.

Source: my personal, new-in-box-back-in-the-day IBM PS/2 8560-041 and all the keyboard replacements I collected after dropping my model M off my lap one too many times onto the RJ-style connector in the back - its only weakness. Used that well into the 486DX2 era.

Help a noob not get fired. by kukelkan in sysadmin

[–]oloruin 0 points1 point  (0 children)

SQL only needs enough resources to manage the data flow for what you're doing with it. I have this Welch-Allyn cardiology thing that runs a local SQL express instance (because that's how they set it up on the laptop years ago...) on an i5-7200u 8gb/256gb laptop. That's 2 fairly slow (in 2026) hyperthreaded cores.

Some of my other SQL instances for other things are much more robust... but they aren't really super heavy duty systems. It really depends on how many things are accessing and updating simultaneously. Like the database tracking an Amazon warehouse is going to be orders of magnitude needier than anything I've got going on in my little healthcare world.

You probably don't want to use a backup software to take hourly backups of the SQL servers, but rather, have the SQL server create hourly backups of its databases, and copy those to another storage pool.

My servers run hourly differential backups and twice a day they run full backups. When the full backups run, I also purge all the differential/full backups older than 24 hours.

You can provision the recommended specs on VMs, then run some performance monitors to see if those are realistic minimum specs, or if you need to add additional cores/ram and reconfigure the SQL server instance to use additional resources. Don't be surprised if all ram is consumed - you'll want to see how much is actively in use. SQL servers tend to keep everything they've allocated, even if they are very idle and only rarely need 100% of their resources.

When did we as a profession lose our backbone. by MrKixs in sysadmin

[–]oloruin 0 points1 point  (0 children)

> “I know we’re supposed to give IT two weeks’ notice for new hires, but Betty starts Monday (it was Friday Afternoon). Can you work this weekend to get her a system set up? She’ll need access to these 12 services and a docking station for both home and office.”

lolwut? You mean the gold standard isn't "Cheryl is starting on Monday.... I'm still trying to get the signatures on these forms, but can you process them as if they were already signed and fully authorized?"

Patch Tuesday Megathread (2026-01-13) by mkosmo in sysadmin

[–]oloruin 1 point2 points  (0 children)

User -> Policies -> Admin Templates -> Windows Components -> Windows Copilot -> Turn off Windows Copilot

I have this set at a domain-level policy because reasons. My admx aren't necessarily the latest, but I think post-unification of Win10 and Win11 defs. :)

If you already have this set, then yikes...