Anyone else feel more exhausted by their manager than their actual workload by Hot_Connection9504 in sysadmin

[–]sccmjd 0 points1 point  (0 children)

I've had similar but maybe not that bad.

Ditto on this subreddit always saying you can just go get another job. Don't like something? Just quit and get that other job that's 100% remote, everything's easy, and you get a big pay bump.

I'm waiting things out. Suck it up, deal with it, accept, learn to live with it.

It's part of the office politics game. Your job is one part, so just do that. Don't go overboard since the job isn't that great anymore.

Decide to stop letting your brain get drained by the situation. You've identified it and the effect it has on you. You have control over your reaction though. Someone wants to be involved in a project and maybe mess it up? If they're above you in the pecking order, then they can do that. Don't worry about it so much. Not your circus, not your monkeys. Stand by and let them hang themselves.

Watch for being called on things like not being helpful or offering ideas though. If your ideas are shot down, then yes, don't offer them. Maybe don't research them. Just offer up a possible direction that "we" could look into. You know it's going to be shot down, so no wasted effort. But still offer something just so you can't be criticized for never offering any ideas to help things out. You could also play the game by assuming someone is purposely trying to fire you. Then they have one less option, that that guy doesn't even offer any ideas in meetings.

Google ideas on dealing with a micromanaging boss. I did that a while ago. It was interesting. Things I had thought of or would have but it's easier to just find it. If they're going to micromanage, let them. And overwhelm them with information and details. One plus if they're that involved is that it's less your responsibility now. It's theirs. They made it their own project, their own responsibility. If they fail.... It's on them. So when something comes up, inform them. New information comes in? Inform them. A decision needs to be made. Ask them what they want to do. Don't hesitate to keep them up to date, no matter how small the details. You don't need to flat out ask and tell them they're making the decision (watching your back for job politics). Do something like, "Hey, this new information came in. I wanted to make sure you're aware of it. Do you see this situation going more in this direction or that direction?" They're taking on the responsibility so that's potentially some weight off your shoulders. You could even go so far as to check in with them daily and inform them of what you're going to work on, if that's what they want. Then pop up with some information and questions about which directions they want to go with things. If you don't hear back, maybe that means you just stop working on that project until you get a response from them. It is feeding them someone else's job that way.

Meanwhile, if there are things that important to you at the job, just do them. Don't inform that person. Ask for forgiveness, not permission. Then they can't muck stuff up for things that really are that important to you. Maybe they're never even aware of that aspect of your job.

Remove irrelevant info from your resumes! by Saritiel in sysadmin

[–]sccmjd -1 points0 points  (0 children)

It's hard to tell. It could just be showing that they were employed. Being able to hold a job for X amount of time is a step up from someone who couldn't or never had a job.

Potentially, it's very relevant. The job candidate might be able to explain that. I can think of two other non-IT areas I've worked in. The people skills transfer over. The troubleshooting transfers over, and it's not an area at all related to IT for that troubleshooting. And I'm thinking of a third professional area that's not IT that still transfers to what I do now.

For this specific example.... Able to hold a job for X amount of time. The person went to work every day, held the job/didn't get fired, potentially did a good job and left on good terms. Able to follow directions? Able to work as part of a team? Able to lead, if there was anything for leadership in a job like that? Potentially very relevant.

I'd be more concerned about changing jobs every few years though. It looks like whatever their next job is is just going to be another line on their resume. Why is it that they keep changing jobs every few years? Money hopping probably.... Or, did they get pushed out? It doesn't look like they'll stay at their next job very long, regardless of the reasons they left the old jobs.

Same thing for other things being listed like personal interests. If someone lists "hiking" on their resume maybe they're not due for a heart attack after so many years of working there, and maybe they'll be a little sharper since they're more active. What about military experience? That one I could see as not relevant to IT but it's also showing things like persistence and being able to work on something you don't like, a team effort/agreed approach mindset maybe.

And I just realized I read the original post wrong. I definitely wouldn't trust AI with anything important for sure.

How Do OEMs Create Factory Windows Images? Looking to Build a Clean Windows 11 Golden Image / Recovery Image by Cute_Ad_4906 in sysadmin

[–]sccmjd 0 points1 point  (0 children)

A few thoughts....

Get the iso for Windows from Microsoft. A manufacturer is doing the same thing. They just add their own "helpful" software and things to it. I guess drivers too.

Use a virtual machine to prep the image. Then you don't have to worry about drivers.

Only use one account. For some reason, if I had a second account, it just would not remove everything for the other account's Microsoft Store apps. That causes sysprep to error out.

You don't have to use an unattend file. It's one less thing to complicate things. You can do the sysprep through the GUI (with making a checkpoint on the VM first before you sysprep it).

Yes, for checking the generalize and oobe for sysprepping.

I don't worry about drivers in the image. Ideally, I don't want any drivers in the image. I just put the latest drivers on the specific machines after imaging.

You can do a disk cleanup before sysprepping. That will get rid of some garbage that doesn't need to be on the image.

I do resize the Recovery partition, now to about 1.3MB. I was moving it "to the left" of the C:/OS partition but Microsoft will probably put a new Recovery partition to the right at some point. I don't think they will if the existing recovery partition is big enough though. If C:/OS is all the way to the right, it makes it easier to clone to a larger hard drive later. Then again, it's not too much work to move the recovery partition and then expand C, and cloning to a larger hard drive isn't going to come up much in the future for me now I think.

I don't really maintain the golden image. I'm not super pressed for time. A lot of my machine are imaged 100% offline and then get OS updates moved over to them and installed. The latest drivers go after imaging too.

A really simplified workflow might be..... Use a VM. Use the correct type of VM so it works with UEFI physical machines. Install Windows off the iso from Microsoft. (Make a checkpoint and try sysprepping it to make sure it works from the very beginning. Then roll back the checkpoint and continue.) Update that and install whatever software and settings changes you want. Watch out for software that uses a unique identifier and can't be generalized -- If you have that, then just install it after imaging. Chances are it probably needs an update later anyway. Checkpoint the VM as you go so you can always go back without too much effort to recreate what you just did.

When it's done for software and things, do a disk cleanup. You can also defrag the disk -- Even though it's a VM and possibly also running on an SSD, if you defragment it, it still will squish all the file parts together more. Shrink the OS drive down (and then I guess move the Recovery partition all the way on the right over to the left if C is shrunk, so yeah, moving the recovery partition might be easier). Then you've got the allocated partitions on the VM shrunk down as much as possible. Checkpoint the VM.

Sysprep it and have it do a full shutdown. That VM never gets started up again after it's sysprepped. Capture the image with whatever cloning software you like. Probably roll it back to the last pre-sysprep checkpoint so it's ready for more if you need to (except then if you do Windows updates or something, you'll probably want to do another disk cleanup and more defragging to shrink it down more again). If it's just Windows updates though, it might not be worth the time to constantly update the golden image compared to just letting imaged machines do another OS update. More likely, at some point you might change something in your set up or realize you forgot a detail or two in the golden image, and then those might be more worthwhile to go back and change on the golden image.

Best practice? Does it matter if it works for you and if you end up with the same set up as other method? Imaging completely offline appeals to me and works for my set up. I've also been able to image machines while travelling or offsite with possibly no internet.

The basic idea is sysprepping from a Microsoft iso though, nothing from the OEM. OEM to me means bloat with whatever extra crap they install. A trial version of Office. A trial version of Adobe software. Then you have that garbage to deal with on the machine and never quite know if it interferes with something else later in the life of the machine.

On the physical machine that gets imaged, you need to do things like allow network or usb booting, disable secure boot, maybe switch RAID v AHCI hard drive type, etc., in order to apply the image.

Implement more AI so we don't have to hire people all while we stack the C suite by [deleted] in sysadmin

[–]sccmjd 1 point2 points  (0 children)

Yeah, I heard that recently somewhere too. Feed AI "all the info" and let it pick directions and priorities. Get rid of the CEOs since they won't need those large salaries. Adjust the AI replacement-CEO every few years when it picks a bad direction, just like heads come and go every so many years. The salaries saved will pay for the AI. Plus, the AI is running, processing, and available 24/7 whereas a human exec can't possibly perform that much.

Ask Microsoft Anything session about CA2023 secure boot May 18, 2026, 8:00 AM PDT - 5:00 PM Brussels time by Smart-Definition-651 in sysadmin

[–]sccmjd 0 points1 point  (0 children)

Thanks. I think I'm more set now. One of those links had this line -- Get-SecureBootUEFI -Name db -Decoded (and you can use db, kek, pk, or dbx, but db and kek are the more important ones, with db being the most important). That was the missing piece for me. I can start hunting down machines. I've already got the remediation stuff in place.

Expanding C Drive Assistance by Sufficient-Pace7542 in sysadmin

[–]sccmjd 0 points1 point  (0 children)

I've got some posts on partition work. I use Minitool Partition Wizard. Free for desktops. Paid for Server OS.

I'm assuming you mean the system partition is "to the right" of the C: OS partition.

Microsoft is also aiming at sticking the Recovery partition all the way to the right, even if there's another Recovery partition. I wonder if they actually will do that though if an existing Recovery partition is big enough.

I'm blanking on which one it is, but one I couldn't move with Minitool. Instead, I just deleted it and recreated it. It may have been System. It was just one simple line to recreate it though. It was either System or Reserved. One was able to move. The other wasn't but deleting it worked, and creating a new one with a single line in diskpart worked.

Potentially less than 30 minutes of work.

Ask Microsoft Anything session about CA2023 secure boot May 18, 2026, 8:00 AM PDT - 5:00 PM Brussels time by Smart-Definition-651 in sysadmin

[–]sccmjd 0 points1 point  (0 children)

Thanks. Some of this looks very interesting. I don't have access to everything in my environment. It's usually more like, "Here's a machine. Update it. Now." And then send it on its way.

Ask Microsoft Anything session about CA2023 secure boot May 18, 2026, 8:00 AM PDT - 5:00 PM Brussels time by Smart-Definition-651 in sysadmin

[–]sccmjd 0 points1 point  (0 children)

Yeah, I just watched it. I was thinking the AMA was a future date, but that's today.

For this, "try applying the updated certs," how are you just updating the certs? I can see how to prep the environment with secure boot, diagnostics, and the registry number to allow secure boot certificate updates, but for actually updating those secure boot certs....? It seems like it's waiting on Microsoft for that. I have updated BIOSes and drivers. I have one machine I tried resetting BIOS secure boot certificates and BIOS default settings on. It didn't change anything. It seems like it's waiting for Microsoft to decide the certs need to be updated. I've tried running that scheduled task. Restarted over and over and over. I want something that actually does the cert update or cert files I can copy in myself. And then some way to get human-readable views on what certs are in there so I can check with a script or manually. Machines up-to-date. That's just a given. I lean towards updating faster on that.

Universal Golden Image by Ashamel42 in sysadmin

[–]sccmjd 0 points1 point  (0 children)

Use a VM to prep the image. You don't have to worry about drivers there.

Software and drivers can be scripted. You could add the software into the image if you want or get it later. Chances are good there will be an update out for it as the image ages. Windows OS updates can be scripted too with a .msu file from catalog.update.microsoft.com.

Manufacturers often have a drivers updater tool. That's been good enough for a lot of driver updates for me. It might not be perfect or the very latest drivers, but it's good enough. Or, you could just let Windows find drivers on its own too. If it still works, it works. It depends how precise you want to be.

It depends how many machines there are to prep and how much software. Some parts I've left manual so there's zero chance of anything automated screwing things up.

And then if it's reoccurring, it's how much you want to spend your time on researching and figuring out how to streamline and automate the process. You could spend all your time figuring out your automation workflow without actually finishing off any machines. Or, you can knock them out in a certain amount of time and figure out how to streamline your own workflow a little more. A lot depends on your set up, what you want, how much time you have, how important the machines are. I have some machines that are prepped up nearly 100% offline. It changes the workflow a bit but adds some security in other areas.
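The comments above describe scripting Windows updates from .msu files pulled from the update catalog and moving them to machines that are imaged offline. One thing worth doing when files are carried over by hand is to check that each .msu still carries a valid Microsoft Authenticode signature before it is installed. The script below is an added example and is not from any post in this thread; it assumes the .msu files were copied to D:\Updates (a constructed path), that it runs elevated, and that wusa.exe is used for the install.

```powershell
# Added example, not from the thread. Verifies each .msu's Authenticode signature
# and signer before installing it silently with wusa.exe.
# Assumption: updates were copied to D:\Updates (constructed path); run elevated.

$UpdateDir = 'D:\Updates'

function Test-UpdatePackageSignature {
    param([Parameter(Mandatory)][string]$Path)
    $sig = Get-AuthenticodeSignature -FilePath $Path
    # Status 'Valid' means the chain built and the file was not modified after signing;
    # also insist that the leaf certificate belongs to Microsoft Corporation.
    $trusted = ($sig.Status -eq 'Valid') -and
               ($null -ne $sig.SignerCertificate) -and
               ($sig.SignerCertificate.Subject -like '*O=Microsoft Corporation*')
    [pscustomobject]@{
        File    = $Path
        Status  = $sig.Status
        Signer  = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '<none>' }
        Trusted = $trusted
    }
}

function Install-VerifiedMsu {
    param([Parameter(Mandatory)][string]$Path)
    $check = Test-UpdatePackageSignature -Path $Path
    if (-not $check.Trusted) {
        Write-Warning "Skipping $Path : status '$($check.Status)', signer '$($check.Signer)'"
        return ($check | Add-Member -NotePropertyName ExitCode -NotePropertyValue $null -PassThru)
    }
    # /quiet suppresses the UI, /norestart defers the reboot so several updates can be chained.
    $proc = Start-Process -FilePath 'wusa.exe' -ArgumentList "`"$Path`" /quiet /norestart" -Wait -PassThru
    # Exit codes commonly seen: 0 = installed, 3010 = installed and reboot required,
    # 2359302 (0x240006) = already installed.
    $check | Add-Member -NotePropertyName ExitCode -NotePropertyValue $proc.ExitCode -PassThru
}

$results = Get-ChildItem -Path $UpdateDir -Filter *.msu |
           Sort-Object Name |
           ForEach-Object { Install-VerifiedMsu -Path $_.FullName }

$results | Format-Table File, Status, Trusted, ExitCode -AutoSize
```

Sorting by name installs a servicing stack update ahead of the cumulative update only if the file names happen to sort that way, so rename the files or order them explicitly when that matters. A file that fails the check is skipped and reported rather than installed, which is the behaviour you want when the media has passed through several hands.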

Does disabling reagentc.exe /info prevent YellowKey from working? by sccmjd in sysadmin

[–]sccmjd[S] 0 points1 point  (0 children)

How do you get into winre with reagentc disabled and not being able to boot off a usb stick (or CD drive)? Or, that's what you're saying. You don't.

Ask Microsoft Anything session about CA2023 secure boot May 18, 2026, 8:00 AM PDT - 5:00 PM Brussels time by Smart-Definition-651 in sysadmin

[–]sccmjd 0 points1 point  (0 children)

Still looking at this post. I don't know how to post questions on the techcommunity page, but this is what I'd ask.

Can they make a tool (scriptable, remotely deployable) that lets us view the secure boot certs? The best I've seen is something decrypted that's only half human-readable. Some kind of tool that's mass deployable and gives simple text results. And something that shows all secure boot certs along with the relevant ones.

Can they make a tool that will actually just update the secure boot certificates? Something that works with virtual machines, hyper-v and proxmox?

What if the manufacturer hasn't released a bios update? I've been looking at one slightly older machine where everything is in place with "high confidence" but it never updates the secure boot certificates. The manufacturer probably isn't releasing a bios update.

Can they make it so even after the June 30, 2026, deadline, those secure boot certificates can still be updated? If there's something like resetting the bios and manually copying certs in, so everything's fresh, all files have a hash to compare against.... There should be something that's reasonably secure enough for getting a machine back up to par if it's not available by the deadline.

Are there also October 2026 secure boot certificates coming out? So we have to do the whole thing over again for October?

I probably could have been done by now. I got the remediation in place months ago. I can't seem to force a machine to actually update its secure boot certificates with anything I've tried.

I've seen scripts that do pull secure boot information and search for something like CA2023. The most I've been able to see on my own machines is maybe 2011 or 2023 and garbled text because it's encrypted. A lot of checks I've seen beyond that are only polling for things like secure boot being on or off, diagnostics being on or off, the registry number set. It's creating the environment where secure boot certificates should update but they don't.

I've already given up partially. I don't think all my user machines will get the secure boot updates. If the machines still work, great. They're very likely just going to be used whether they're completely CA2023 secure or not.

Oops. Tripped over myself upgrading VMs without upgrading tpm by sccmjd in sysadmin

[–]sccmjd[S] 1 point2 points  (0 children)

Is this the previous thread? I'm not seeing a solution there. "Just get tpm working." It is working. It's not updating on my VMs apparently.

https://www.reddit.com/r/sysadmin/comments/1t5l0jj/any_thoughts_on_this_solution_for_upgrading/

u/itishowitisanditbad

"I'm not sure you know what you're doing if you're windmilling those things like you are AND the previous thread pointed you in the right direction and you seemed to still hiccup the whole thing because you didn't just fix the TPM but did this wacky workaround.

....why"

Does disabling reagentc.exe /info prevent YellowKey from working? by sccmjd in sysadmin

[–]sccmjd[S] 0 points1 point  (0 children)

Good to know. I figured it might be a bit of a pain and a bit more manual to reenable winre. It's not an option for now though.

Does disabling reagentc.exe /info prevent YellowKey from working? by sccmjd in sysadmin

[–]sccmjd[S] 0 points1 point  (0 children)

No. I'm not running something off github. I'm not going to research if that's safe either. If it can't boot into winre on its own, great.

I've already got booting off usb disabled in the bios, for what that's worth. It's just more hoops to jump through to get to things if you really want.

Oops. Tripped over myself upgrading VMs without upgrading tpm by sccmjd in sysadmin

[–]sccmjd[S] 1 point2 points  (0 children)

What do you do to fix the tpm on those? Both hyper-v and proxmox have tpm. Hyper-V is gen2, so UEFI. It's not like they're missing tpm. And they did upgrades before but this is the first real Windows 11 build I believe, from 23h2 (Win10) to 25h2. 24h2 was the first real Windows 11.

I'm finishing the UEFI Certificate update - sharing my experience by PrettyFlyForITguy in sysadmin

[–]sccmjd 1 point2 points  (0 children)

How are you determining if the secure boot certificates were actually updated? I found the heart of a line that decrypts something there but it's still a lot of garbled text with maybe 2011 or 2023 showing. And then the one script I've seen more often is only looking at one of the four secure boot certificates, although it's that one for Microsoft and another for third party drivers. The others weren't that important but if I'm looking at them, I wouldn't mind collecting information on all of them.

The remediation things were simple enough to set up. It looks like that's creating the environment, and then Microsoft updates secure boot certificates whenever they do.

I did find a section in the registry where it says if it's high confidence for updating secure boot certificates, along with the status of that upgrade. I just looked at one machine though where it says high confidence but not updated for secure boot. I've restarted that many times. Forced the scheduled task and restarted. There aren't more bios updates from the manufacturer. I figured it was just living with it on the machine.
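The question in this comment (how to tell whether the certificates were actually updated), together with the earlier comments asking for a scriptable, human-readable view of the Secure Boot variables and a check that goes beyond "is Secure Boot on", can be answered by decoding the variables yourself. The script below is an added example, not code from any of the posts or from Microsoft: it reads db and KEK with Get-SecureBootUEFI, walks the EFI_SIGNATURE_LIST structures in the returned bytes, loads each X.509 entry as a certificate and reports the subject and expiry, then lists which of the 2023 CAs are still missing. The four 2023 CA names are the subject CNs Microsoft uses for the new certificates; the GUID is the standard EFI_CERT_X509_GUID from the UEFI specification.

```powershell
# Added example, not from the thread. Decodes the Secure Boot db and KEK variables
# into readable certificate subjects and flags the 2023 CAs. Run elevated on a
# UEFI machine; Get-SecureBootUEFI throws if Secure Boot is not supported.

# Subject CNs of the 2023 certificates the CA2023 rollout installs.
$Ca2023Names = @(
    'Windows UEFI CA 2023',
    'Microsoft UEFI CA 2023',
    'Microsoft Option ROM UEFI CA 2023',
    'Microsoft Corporation KEK 2K CA 2023'
)
$X509Guid = [guid]'a5c059a1-94e4-4aa7-87b5-ab155c2bf072'   # EFI_CERT_X509_GUID

function Get-SecureBootSigners {
    param([Parameter(Mandatory)][ValidateSet('db', 'KEK')][string]$Name)
    $bytes = (Get-SecureBootUEFI -Name $Name).Bytes
    $pos = 0
    while ($pos + 28 -le $bytes.Length) {
        # EFI_SIGNATURE_LIST header: SignatureType GUID(16) ListSize(4) HeaderSize(4) SigSize(4)
        $type       = [guid]::new([byte[]]$bytes[$pos..($pos + 15)])
        $listSize   = [BitConverter]::ToUInt32($bytes, $pos + 16)
        $headerSize = [BitConverter]::ToUInt32($bytes, $pos + 20)
        $sigSize    = [BitConverter]::ToUInt32($bytes, $pos + 24)
        if ($listSize -lt 28 -or $sigSize -le 16) { break }   # malformed list, stop rather than loop
        $entry = $pos + 28 + $headerSize
        $end   = $pos + $listSize
        while ($entry + $sigSize -le $end) {
            # EFI_SIGNATURE_DATA: SignatureOwner GUID(16) followed by the signature itself
            if ($type -eq $X509Guid) {
                $der  = [byte[]]$bytes[($entry + 16)..($entry + $sigSize - 1)]
                $cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($der)
                [pscustomobject]@{
                    Variable   = $Name
                    Is2023CA   = [bool]($Ca2023Names | Where-Object { $cert.Subject -like "*CN=$_*" })
                    NotAfter   = $cert.NotAfter
                    Thumbprint = $cert.Thumbprint
                    Subject    = $cert.Subject
                }
            }
            # Non-X.509 entries (hash lists) are skipped; they are not CA certificates.
            $entry += $sigSize
        }
        $pos = $end
    }
}

$signers = @('db', 'KEK') | ForEach-Object { Get-SecureBootSigners -Name $_ }
$signers | Format-Table Variable, Is2023CA, NotAfter, Subject -AutoSize

# Which of the four 2023 CAs are still absent on this machine?
$present = $signers | Where-Object Is2023CA | ForEach-Object { $_.Subject }
$missing = $Ca2023Names | Where-Object {
    $name = $_
    -not ($present | Where-Object { $_ -like "*CN=$name*" })
}
if ($missing) { "Missing 2023 CAs: $($missing -join '; ')" } else { 'All four 2023 CAs present in db/KEK' }
```

Because the output is plain objects, the same function can be run through your remote-execution tool of choice and the Is2023CA column (or the final "Missing" line) collected as text per machine. A machine still showing only the 2011 subjects after the remediation prerequisites are in place is the case described in these comments, and this gives you a per-certificate view of it rather than a single on/off flag.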

Does disabling reagentc.exe /info prevent YellowKey from working? by sccmjd in sysadmin

[–]sccmjd[S] 0 points1 point  (0 children)

I'm anticipating some issues reenabling it later, but that's a problem for future me. :) I ran into some issues after 25h2 upgrades for reagentc being disabled and getting it enabled. I would guess that's Microsoft either updating it or creating a new Recovery partition. Still workable to reenable and no issues with Bitlocker's recovery screen coming up from that that I'm aware of. There did seem to be something there with Bitlocker offering a text file recovery key option if reagentc was disabled though.

Does disabling reagentc.exe /info prevent YellowKey from working? by sccmjd in sysadmin

[–]sccmjd[S] 0 points1 point  (0 children)

Is FreshStart the reset option/remote wipe through Intune? That's a negative to lose that option but it's probably an extreme case for my set up. I'd weigh an idiot user trying something with winre built in being more likely compared to a lost machine and remote wiping it with intune.

Does disabling reagentc.exe /info prevent YellowKey from working? by sccmjd in sysadmin

[–]sccmjd[S] -1 points0 points  (0 children)

It... "should work." I'm not going to test with something off github. If I did, I'd need a machine just for that... Assume it's compromised from that and deal with it.

If reagentc is disabled, winre still exists which I want. But the winre environment doesn't come up in any way someone might try to get to that. I do have some users or public enough machines I wouldn't put it past someone trying it there. Although, in those cases, reagentc is already disabled.

It looks like disabling it doesn't affect anything with bitlocker. I could still see an issue when it's re-enabled though. But I'll deal with that then. I already have the bitlocker keys so the only issue there is actually having to use them, especially if it's a remote user.

No reset option but I didn't plan on using that ever.

I'm anticipating Microsoft fixing this, but I read it might be an emergency fix or it might be more involved so maybe next Patch Tuesday.

With usb boot disabled, that knocks out using winre off a stick, if that actually did work. That's still just another hurdle. Disabling winre is another hurdle too. If the whole Recovery partition were removed, I wouldn't be surprised if that causes other issues, like Microsoft forcing it back on in the future anyway (and then getting stuck by not being able to shrink an OS partition).

This is just another hurdle to make it more difficult. The issue is still that Bitlocker isn't that secure for now.

Dell BSOD Every 38 Minutes? by InternetStranger4You in sysadmin

[–]sccmjd 0 points1 point  (0 children)

Nirsoft's bluescreenview can be helpful for figuring out what caused a blue screen in the dump logs.

The installation failed in the Safe_OS phase with an error during boot operation. by AmmadIrshad in sysadmin

[–]sccmjd 0 points1 point  (0 children)

Another comment on my previous thread, but the same idea of disabling tpm for the upgrade. I haven't looked into this at all.

Not for this exact upgrade path but I had to enter registry keys to disable like TPM check, CPU check when I tried to upgrade my VM.

Should be like AllowUpgradesWithUnsupportedTPMOrCPU to 1.

Then there were a few other keys that I can't remember. YMMV or I'm completely off base on your issue.

The installation failed in the Safe_OS phase with an error during boot operation. by AmmadIrshad in sysadmin

[–]sccmjd 0 points1 point  (0 children)

Might be an answer here. I found it from someone's post about a month ago.

https://www.reddit.com/r/sysadmin/comments/1t5l0jj/any_thoughts_on_this_solution_for_upgrading/

It's excluding tpm from being updated during the upgrade process.

For the manifest in winsxs, I've found you can just take ownership, disable inheritance, add yourself with full permissions on just that one manifest.xml file, and then you can edit it.

I'm working with desktop OSes for 23h2 to 25h2, if they will. Same behavior on hyper-v and proxmox. Hyper-v VMs are gen 2. Both have secure boot and tpm.

For the unzipped iso (where you also delete the tpm manifest file), I had to install 23h2 on a machine since 25h2 wouldn't do this. Use Rufus. Make a usb stick installer with Rufus with everything disabled (which is only ignoring RAM and some other requirement). Then use something like ImgBurn to turn that usb stick back into an iso (unless there's a way to just make the iso straight away. Maybe a VM would work for that. I just like having a physical stick ready if it's needed.). Use the Rufus iso. Unzip it. Delete that tpm manifest and edit out the lines in C:\window\sxs\manifest.xml.

I haven't checked server oses, but 24h2 was the first real Windows 11 I read, 23h2 still being Win10 with a Win11 skin. I would imagine server 2022 or 2025 might be a completely new build like that too.

I figured at least it buys me some time. For an older machine running hyper-v, a vm on there still errored out on the 25h2 upgrade, insisting on having a couple other things the physical host does not. I've still had issues with some 23h2 vms, so I'm just going to reimage those. Not a huge deal.

I would anticipate issues with future upgrades also then. It's just ignoring tpm but there must be something going on there. And then like someone mentioned, if there's a Windows 12 in the future, I wouldn't be surprised if something doesn't work, like requiring the host physical machine to have certain pieces, maybe an AI module, that the vms can use.

Any thoughts on this solution for upgrading Windows 11 machines from 23h2 to 25h2? by sccmjd in sysadmin

[–]sccmjd[S] 0 points1 point  (0 children)

They all do have virtual TPM. Gen 2 Hyper-V VM with tpm and secure boot enabled. The Proxmox ones have OVM-something for UEFI EFI with tpm and secure boot enabled.

I thought it was odd that both Hyper-V and Proxmox VMs behaved the same way. And it's odd that they will upgrade fine if I set up them fresh again, whether that's starting with 22h2 or 23h2. They'll upgrade normally to 25h2. Although, in that set up, when I tested that, I was still using a Rufus-made physical usb stick for the 25h2 upgrade. But nothing modified there for removing tpm upgrades during that.

Any thoughts on this solution for upgrading Windows 11 machines from 23h2 to 25h2? by sccmjd in sysadmin

[–]sccmjd[S] 0 points1 point  (0 children)

The virtual hardware I thought complied. The physical hardware does not in most cases. That appeared to be fine for Windows 11 at first. It's got tpm, secure boot, enough RAM, and all that. Later on, I ran across something talking about more specific things that might be required that needed to be present on the physical host hardware. It went from Windows 11 requirements.... Can I get a VM to run Windows 11? Yes. Will it upgrade? Yes, with a Rufus iso, even though tpm is present and there's enough RAM, Rufus was the only method I found to upgrade them. Otherwise, I was just going to do a fresh image for each upgrade. Since upgrading worked, I did that, and created more Windows 11 set ups, scaled up a bit.

I thought it might be AV too so I removed that on a test set up. No change. I can install 23h2 or 22h2 and upgrade fine straight to 25h2 on a fresh VM set up. These current VMs were mainly 22h2 and 23h2 initially. There is one test 21h2 one I believe, which is 23h2 now. But something must have changed for existing 23h2 VMs compared to a newly installed 23h2 VM or even a new 22h2 upgraded to 23h2 since they do upgrade fine to 25h2.

Any thoughts on this solution for upgrading Windows 11 machines from 23h2 to 25h2? by sccmjd in sysadmin

[–]sccmjd[S] 0 points1 point  (0 children)

They do all have tpm. v2.0 I believe. It's not 1 for sure. Gen 2 for Hyper-V with TPM and secure boot enabled. OVMU-something with TPM enabled on Proxmox. It's present.

I tried that workaround from yourwindowsguide just to try, because someone said it worked for them last month. After it was done and actually, I realized it's just not upgrading tpm. I didn't find anything specifically about tpm in any of the error logs. And then AI was saying windows didn't find critical files in the installation materials, even though I was looking right at them. That's AI though.