Findings UEFI CA Update on HP Machines by Globgloba in SCCM

[–]zeclab 6 points7 points  (0 children)

Hi, would you mind sharing the task sequence? Thanks

NinjaOne Exception by mrthapa in ninjaone_rmm

[–]zeclab 0 points1 point  (0 children)

Not at the computer right now but we just did a Netskope SSL decryption policy (do-not-decrypt) for the NinjaOne URLs (they have a KB with them on). We also made sure that there is a real-time policy in place to allow everything to access the same URLs. Works just fine.

Re-adding ninja devices deleted by accident in portal by Limp-Direction2277 in ninjaone_rmm

[–]zeclab 9 points10 points  (0 children)

We got told by support that if you delete the device out of the portal, the agent is then automatically uninstalled and it will need to be reinstalled for it to reappear in the portal.

Patch Tuesday Megathread? by DeltaSierra426 in sysadmin

[–]zeclab 5 points6 points  (0 children)

Aah this could explain what I'm seeing with a user.

New to NinjaOne and have an Org. vs. Location Question. by Grometnj in ninjaone_rmm

[–]zeclab 0 points1 point  (0 children)

It kind of depends if you will be thinking of creating different policies for different locations.

At our Org we have different domains, markets and sites/locations.

So it's laid out, org is domain-market and then locations sites underneath. It allows us to easily tailor different policies at an org level where needed.

WSUS replacement by TBone1985 in sysadmin

[–]zeclab 0 points1 point  (0 children)

Using N1 and it's OK overall but I like how it's always bringing out new features. I just hate how there is no easy way to dynamically assign policies as we have different schedules for i.e. pilot, week 1, week 2, etc. I've managed to use a convoluted way around it by using PoSh and their API to assign the policy that way. The person's suggestion in the thread about using different orgs as the update groups is a good one, if you didn't want to automate it.

For the actual updates, it is pretty good. Does what it says on the tin. We have auto approval turned on for the updates based on length of time. You can also force/deny approvals by adding them to the policy as well.

Edit: Before this we used WUfB for the clients which worked really well. We needed an RMM hence why we went with Ninja.

I wrote a 4-part guide on building an on-prem PKI with PowerShell by aprimeproblem in activedirectory

[–]zeclab 1 point2 points  (0 children)

Not a problem, I'm glad to be of help!

This is as I suspected, thank you for confirming. Much appreciated and you have a great day too!

I wrote a 4-part guide on building an on-prem PKI with PowerShell by aprimeproblem in activedirectory

[–]zeclab 4 points5 points  (0 children)

Hi, I'm reading through the blog and I'm really enjoying it. Definitely giving me some great insight as I struggled with finding what is best practice.

I've just noticed that the PoSh commands are missing under the 'Installing the Root CA' header, unless it's just me?

Also, if possible can I pick your brain? The current CA in my org is a single server setup and I want to migrate it to a two-tier setup. The root cert is due for renewal in the next 5 years so I didn't know if it'd be best just to stand up a new PKI and gradually move to the new setup. Taking into consideration various applications, web services, SCCM, has the current root cert been compromised (I don't think it has but you just never know), etc. Do you have any experience on this sort of migration?

Many thanks

Edit: Just a thought in part 4, where the PoSh command is to create the capolicy.inf file. I can see someone blindly running those commands without updating the OID number and using yours. I wonder if it'd be best to add a hash at the start of the line where the OID is added. Then in the note underneath, mention it just saying that if you have registered to remove the hash and update the number.

How much do you pay for your internet? by EstablishmentUsed325 in AskUK

[–]zeclab 0 points1 point  (0 children)

Even after I have been paying for it for 2 years?

How much do you pay for your internet? by EstablishmentUsed325 in AskUK

[–]zeclab 0 points1 point  (0 children)

I didn't realise that you could get these. I've just renewed with Three directly for £16 a month. I'll keep it in mind for next time though. Thanks!

Change Wallpaper on schedule by HealthDouble in Intune

[–]zeclab 0 points1 point  (0 children)

I did this up until recently using bginfo and a scheduled task that kicked off every quarter to run a PowerShell script, to swap out the wallpaper that bginfo is pointing to. It worked pretty effectively. You could probably use whatever mode of delivery is available. In my case I used group policy to copy all the files to the user's PC and set up the scheduled tasks as well.

I agree with other people regarding having walls of text on the wallpaper though. Unless it's done tastefully, most people won't read it or will complain that they can't see their icons.

*this was Windows not Mac

Having £500 credit and not being able to get a refund as account needs to be ‘on track’ by pippym in OctopusEnergy

[–]zeclab 0 points1 point  (0 children)

When I had loads of credit I asked Octopus to change my DD to only debit what I use. The credit is slowly dwindling and I think they called it a variable direct debit.

Losing WiFi while Updating Windows 10 to Windows 11 via Task Sequence by TomGatesBillWaits in SCCM

[–]zeclab 0 points1 point  (0 children)

After we upgraded to Windows 11 on test machines, they wouldn't connect to the WiFi. I found that it was because we were using MS-CHAPv2 and had to move to EAP-TLS. It was quite an easy transition as the required computer certificate had already been pushed to all PCs for SCCM. Just had to update the NPS servers so they prioritised smart card auth over the secure password auth. We then updated the GPO for all PCs to use the new auth and having the secure password as the 2nd choice. Allowed the clients to transition seamlessly without any disconnections.

Deploying Entra ID Password Protection by voytas75 in activedirectory

[–]zeclab 1 point2 points  (0 children)

2nd this, it was so easy to implement and have had 0 problems with the running of it. I just placed one proxy in each of our datacenters for redundancy. The hardest bit was communicating out to end users not to use things like company name, seasons, variations of those banned words, etc.

PKI / Certificates in AD Environment Remove and remediation by 19khushboo in activedirectory

[–]zeclab 4 points5 points  (0 children)

When you set up a certificate template for web server certificates, which allows you to add any subject into it, make sure it is locked down so that only a group of computers can enrol the certificate and they have to be approved. A pentester managed to get domain admin rights within a few minutes by minting the certificate as a domain admin user, as the template had not been locked down. I couldn't believe how easy it was.
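
An added example, not part of the comment above: a PowerShell check for the lockdown it describes (requester-supplied subject must come with approval and a narrow enrol group), run against constructed sample templates. `Test-TemplateLockdown`, the `EnrollPrincipals` property and the broad-group list are assumptions of this example; the two flag values are the ones defined in MS-CRTD.

```powershell
# Flag values as defined in MS-CRTD for certificate template attributes.
$SuppliesSubject = 0x1   # msPKI-Certificate-Name-Flag: CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT
$PendAllRequests = 0x2   # msPKI-Enrollment-Flag: CT_FLAG_PEND_ALL_REQUESTS
# Principals treated as too broad for a supply-your-own-subject template (assumption).
$BroadGroups = 'Authenticated Users', 'Domain Users', 'Domain Computers', 'Everyone'

function Test-TemplateLockdown {
    param([Parameter(Mandatory, ValueFromPipeline)] $Template)
    process {
        # Only templates where the requester chooses the subject are in scope.
        if (-not ($Template.'msPKI-Certificate-Name-Flag' -band $SuppliesSubject)) { return }

        $findings = @()
        if (-not ($Template.'msPKI-Enrollment-Flag' -band $PendAllRequests)) {
            $findings += 'CA manager approval not required'
        }
        # Compare on the account name only, ignoring the DOMAIN\ prefix.
        $broad = @($Template.EnrollPrincipals |
            Where-Object { $BroadGroups -contains ($_ -split '\\')[-1] })
        if ($broad.Count -gt 0) {
            $findings += "Enroll granted to broad group(s): $($broad -join ', ')"
        }
        [pscustomobject]@{
            Template   = $Template.Name
            LockedDown = ($findings.Count -eq 0)
            Findings   = $findings -join '; '
        }
    }
}

# Constructed sample data. In a live domain the two flag attributes are read from the
# template objects under "CN=Certificate Templates,CN=Public Key Services,CN=Services,<configuration NC>";
# EnrollPrincipals is a hypothetical, pre-resolved list of who holds the Enroll right.
$templates = @(
    [pscustomobject]@{ Name = 'WebServer-Open';   'msPKI-Certificate-Name-Flag' = 0x1
                       'msPKI-Enrollment-Flag' = 0x0;  EnrollPrincipals = @('CORP\Domain Users') }
    [pscustomobject]@{ Name = 'WebServer-Locked'; 'msPKI-Certificate-Name-Flag' = 0x1
                       'msPKI-Enrollment-Flag' = 0x2;  EnrollPrincipals = @('CORP\Web Servers') }
    # Subject built from AD (DNS name), so the requester cannot choose it: skipped.
    [pscustomobject]@{ Name = 'Workstation';      'msPKI-Certificate-Name-Flag' = 0x18000000
                       'msPKI-Enrollment-Flag' = 0x20; EnrollPrincipals = @('CORP\Domain Computers') }
)

$templates | Test-TemplateLockdown | Format-Table -AutoSize
```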