Reddit Sysadmin
Reddit SystemAdmin. Thanks @reddit2telegram and @r_channels.
Philips 34B1U5600CH – Does USB-C + HDMI work in 50/50 PBP with hardware KVM (no software)?

Does anyone own the Philips 34B1U5600CH and use USB-C (with power delivery) + HDMI simultaneously in 50/50 PBP mode?
Can you confirm the built-in KVM lets you switch keyboard/mouse between both inputs using only the monitor’s OSD, with no software installed?

https://redd.it/1rhgxxb
@r_systemadmin
CMMC L2

My org is starting to look at getting to CMMC L2 and there have been a lot of changes being made to make sure we achieve it by the end of the year.

Curious about other sysadmins who have been through this and what works and what doesn’t? I’m curious what pitfalls there are and how to avoid them.

https://redd.it/1rhimas
@r_systemadmin
Why do users insist on using work email for personal tasks?

It just makes no sense to me that I get people complaining about trying to send or receive emails when it has no work value at all. For example, one person was supposed to receive an email from their kid’s school about updated schedules but never did because it got caught in a spam filter that they could have checked themselves.

Why should I be dedicating resources to an issue that only affects their personal life, and why can’t they be bothered to have a personal email account?

https://redd.it/1rhk0xh
@r_systemadmin
Would a lightweight PAM / password rotation tool for <500 devices be useful?

Hi sysadmins,

I’m a developer working on a lightweight Privileged Access Management (PAM) / password rotation solution aimed at organizations managing fewer than 500 devices, and I’d really value some real-world feedback before going further.

The goal is to build something simpler and more affordable than enterprise PAM tools, but still reliable enough for production use.

Current ideas include:

• Reset and verify passwords for Active Directory and local machine accounts

• Automatic device discovery on the network

• Agent-based password rotation for devices that are not always connected (like laptops)

• Password vaulting and secure sharing

• Full audit logs for all password-related actions

• Verification that password changes actually succeeded on the device

• Managing credentials even when machines are off-network or remote

Target environment:

• Small and mid-size organizations

• Internal IT teams (not MSP-focused)

• Roughly 50–500 devices

I’m trying to understand:

• Would a tool like this be useful in your environment?

• What features would be must-have vs nice-to-have?

• What do current PAM tools do poorly?

• Would you consider buying a simple, reasonably priced solution in this space?

I’m especially interested in hearing from admins managing small-to-mid environments, where enterprise PAM tools feel too heavy or expensive.

Happy to chat 1-on-1 if anyone is interested — feel free to DM.

Thanks.

https://redd.it/1rhnirl
@r_systemadmin
My "I've made a massive mistake" moment

Reading another post on this sub reminded me of my own "I've made a massive mistake" moment - https://www.reddit.com/r/sysadmin/s/G7BjVaBkzy

I was a service desk analyst at a medium-size organisation. The company overall was good to work for, and paid on the higher end for a service desk analyst in the area.

I had been with them for at least 3 years and I really wanted to get into a system administrator or network administrator role. Problem was all the people in these roles already were comfortable there and weren't going to be resigning anytime soon. The company also wasn't expanding, so there wouldn't really be any newly created roles. It would be potentially years before I would get into one of these roles at this company.

I start applying for other system administrator and network administrator roles, and eventually interview at another company as a system administrator.

Interview went well. We discussed why I wanted to leave my current role and I explained why, and we discussed salary, which was only slightly higher than my current salary, around 5% higher.

Although it would have been nicer to make a higher salary, it was at least getting into a role I wanted, and I didn't exactly have a huge amount of experience that wasn't service desk, so they offered and I accepted the role.

I start my first day there. They tell me that everyone new in IT there starts out in service desk for 3 months. This was to get familiar with their systems, processes and business overall.

I was a little annoyed considering that I took this role to get out of service desk and that this wasn't mentioned in the interview, but fair enough. It was only for 3 months, so whatever, I'll just stick it out for 3 months.

Being new to the job, I do my job as good as I can. Every ticket is done well, has all the correct information, if it needs to be escalated has everything the team being escalated to needs including all troubleshooting, screenshots, etc.

My first pay came and I notice that it is quite a bit lower than what it should be. I check my payslip and it mentions my yearly salary at about 70% of the salary discussed in the interview.

The next day I raise this with my manager, politely mentioning there must have been an error when my pay was setup with HR or something.

He mentions that pay is what they pay their service desk analysts, so it is correct, but once I start as a system administrator it will become the wage discussed in the interview.

I was super annoyed at this, especially considering it's substantially less pay than the job I resigned from. I tell myself it's only for 3 months, just wait it out.

3 months comes up, then 3 and a half months comes up, and I'm still in service desk at this 70% of the agreed upon wage.

On the day of being there for 4 months I mention to my boss that it was discussed that everyone starts in service desk for 3 months, it's now been 4 months, and ask when I would be moving to my system administrator role.

He mentions funny I should bring that up, management were just discussing that. They had noticed that I have done really well in the service desk role. As such, they decided that they want to keep me there, and they would be moving another one of the service desk guys into the system administrator role.

To say I was livid at this would be an understatement, but I just put on a happy face. I knew at that moment I wanted nothing more to do with this company.

That night, I started applying at other companies and within a month, I had another offer as a system administrator elsewhere.

When I resigned, it was basically surprised Pikachu face with them. They couldn't understand why I was resigning after only 5 months in.

https://redd.it/1rhpifn
@r_systemadmin
Adobe Premiere Pro Error Code 0xc0000142

Hi, I have this error and I don’t know how to fix it. I’ve tried everything — reinstalling C++, running it in Windows 8 compatibility mode — but nothing works. The error doesn’t even show up in Event Viewer. Does anyone have a solution, please?

https://redd.it/1rhuoux
@r_systemadmin
Anyone here running a private USA RDP instead of shared/cloud setups? Worth it long term?

I’m testing a private USA-based Windows RDP setup and trying to figure out if it actually makes sense long term.

The plans I’m looking at are roughly in the $26–$75/mo. range depending on resources.
Example specs I’m comparing:

• 2–4 vCPU (3.4GHz range)
• 4–32GB RAM
• 50–200GB SSD
• 1–5TB bandwidth
• 1Gbps port + dedicated IP
• Full admin access on Windows Server

Main use case would be running browser-based workflows and some SEO tools, so stability and consistent performance matter more than raw power.

For those who’ve used private RDP setups in the US:

– Does dedicated IP + full admin access actually make a noticeable difference?
– Any hidden bandwidth or performance bottlenecks I should watch for?
– At what point does it make more sense to jump to full dedicated hardware instead?

Not selling anything, just trying to understand real-world experience before locking into a plan.

https://redd.it/1rhwncp
@r_systemadmin
Will California age-attestation law impact device imaging and deployment?

On January 1, 2027, California Assembly Bill No. 1043 will come into effect. The law requires every operating system provider in California to collect age information from users at account setup. This includes Windows, Linux, macOS, iPadOS, etc.

For Windows computers, if we currently have an unattend file to answer the OOBE questions, will we have to add a new question/answer to the file? And how the fuck do we answer it if there is some possibility that an under-18 user *could* use the device? Or even worse, is it going to end up being a question that cannot be automatically answered and must be manually answered? How would a library with shared public kiosk computers answer this age question? Will Autopilot now require the question to be answered?

Same for iPads: we have the OOBE questions auto-answered currently so that setting up a new iPad kiosk is quick and easy. Is this law going to change that?

https://redd.it/1rhx04k
@r_systemadmin
Best SASE options in 2026?

We're a small team, mostly remote, mix of mac and PC. Currently using a basic VPN and separate DNS filtering, but it's becoming a pain to manage two tools for what feels like it should be one solution. Looking at SASE as the logical next step.

From what I understand, SASE combines SD-WAN with cloud-delivered security (firewall, SWG, CASB, ZTNA, etc.) into a single platform. The appeal is obvious. One vendor, one dashboard, fewer headaches.

I've looked at a few options:

Cloudflare One seems well-regarded and has a generous free tier. Wondering if it scales reasonably for SMB without jumping to enterprise pricing.
Zscaler comes up constantly in recommendations, but feels more enterprise-focused. Is it overkill for a small team?
Cato Networks appears to be built with mid-market in mind, which is appealing. Less familiar with how it performs in practice.
Netskope gets good reviews around data protection specifically, but unclear on pricing and complexity for a smaller shop.

A few things I'm trying to figure out. Is there a meaningful difference between these for a team under 25 users, or do they mostly converge at that scale? Are any of these reasonably self-managed, or do they all assume you have a dedicated IT person? Is there an all in one that handles DNS filtering, VPN replacement, and basic DLP without needing add-ons?

Not looking for the most feature-rich option. Just something solid, manageable, and priced for SMB. Open to guidance from anyone who's actually deployed one of these.

https://redd.it/1ri1lwz
@r_systemadmin
Weekly 'I made a useful thing' Thread - March 06, 2026

There is a great deal of user-generated content out there, from scripts and software to tutorials and videos, but we've generally tried to keep that off of the front page due to the volume and as a result of community feedback. There's also a great deal of content out there that violates our advertising/promotion rule, from scripts and software to tutorials and videos.

We have received a number of requests for exemptions to the rule, and rather than allowing the front page to get consumed, we thought we'd try a weekly thread that allows for that kind of content. We don't have a catchy name for it yet, so please let us know if you have any ideas!

In this thread, feel free to show us your pet project, YouTube videos, blog posts, or whatever else you may have and share it with the community. Commercial advertisements, affiliate links, or links that appear to be monetization-grabs will still be removed.

https://redd.it/1rm9z3i
@r_systemadmin
I'm quitting my job due to vibe coders and poor leadership

Our exec leadership this year is making a big push for AI. They're encouraging everyone to generate ideas and try to make them real with vibe code. The team with the best idea that generates real results gets a bonus. This has led to a huge influx of users creating their own apps. Honestly, some of the ideas aren't bad. But most of them don't know how to integrate them, support them when there's an issue, use good security practices or basic IT knowledge. When you try to debate one of these people you'll get a "well ChatGPT said.." response that drives me up the wall.

We're flooded with vibe-coded app requests, we can't keep up with them and real work at the same time. We're forced to take them seriously. When I see a red flag, I call it out, I report it to security and my boss which turns into a meeting, which turns into a debate, lots of messages back and forth.. Eventually many of them get approved one way or another. All I did was waste time.

To make things worse, users are installing AI agents on their work computers; despite some of us saying "absolutely not", it's fucking approved from the top down. I feel like we're holding onto a ticking time bomb.

We already have a very full plate of work, but there's so much noise from this that it's so hard to keep up. Everyone is suddenly an expert on everything, telling us how to improve our infrastructure with AI.

Tomorrow I'm giving notice, I don't have a job lined up but I don't care. I have savings and I plan on taking a year off from work. I'm not sure if I'm coming back to this career. I know the market is horrible but I've lost what joy I had left with this career after 20 years of working in it.

--------

edit: I didn't expect so many responses. I'll sleep on this again and will consider FMLA.

I'm in my 40s, working in IT for a long time. Maybe this is a midlife crisis. My health has slipped the last couple of years simply from not taking care of myself. I used to be fit. My parents aren't doing well and I don't know how much quality time we have left. That's also driving this decision somewhat. I'm very aware that this isn't good for my career.

https://redd.it/1roi3ne
@r_systemadmin
Windows 11 Feature Updates (In-Place Upgrade) breaking 802.1X (NAC) wired authentication policies

We’re seeing a persistent issue with **Windows 11 feature updates (in-place upgrades)** breaking **802.1X wired authentication** on enterprise devices.

Curious if anyone else is seeing this or has found a reliable mitigation.

Related Articles / Threads:
[https://cybersecuritynews.com/windows-11-23h2-to-25h2-upgrade/](https://cybersecuritynews.com/windows-11-23h2-to-25h2-upgrade/)

[https://old.reddit.com/r/sysadmin/comments/1fy95vz/win11_updates_break_8021x_until_gpupdate_happens/](https://old.reddit.com/r/sysadmin/comments/1fy95vz/win11_updates_break_8021x_until_gpupdate_happens/)

[https://www.reddit.com/r/sysadmin/comments/1rj1os3/win11_upgrades_wiping_dot3svc_8021x_wired_policy/](https://www.reddit.com/r/sysadmin/comments/1rj1os3/win11_upgrades_wiping_dot3svc_8021x_wired_policy/)

# Environment

* Windows 11 (23H2 → 24H2 / 23H2 → 25H2)
* Cert-based **802.1X (EAP-TLS)**
* NAC enforced on wired and wireless networks
* Feature updates deployed via **Intune Autopatch**

# Suspected Root Cause

During the upgrade, the contents of *C:\Windows\dot3svc\Policies* appear to be **silently removed**. These files store **802.1X wired authentication profiles deployed via Group Policy**.

Observed behavior:

* Machine certificates and root certificates remain intact
* **Wired AutoConfig (dot3svc)** loses the applied authentication policy
* Authentication settings revert to **PEAP-MSCHAPv2 (default)**
* Devices fail NAC authentication, as our enterprise settings are not applied and they are reverted to the Windows default **PEAP-MSCHAPv2**

# Impact

Enterprise devices that rely on **wired 802.1X** lose connectivity immediately after the feature update and require manual remediation, such as connecting to a non-802.1X network and running gpupdate so that the intended policies are applied again and the machine can connect back to the protected network.

# Question

Has anyone found a **reliable mitigation or workaround** for this?

Possible ideas we’re exploring:

* Backing up/restoring the `dot3svc` policy files
* Re-applying wired profiles via script post-upgrade
* Intune remediation scripts

However, with **Intune Autopatch feature updates**, options during the upgrade process are limited.

Would appreciate hearing how others are dealing with this.



https://redd.it/1ro3av7
@r_systemadmin
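For the mitigation ideas the post lists (re-applying wired profiles via script post-upgrade, Intune remediation scripts), here is an added example that is not from the original post or from Microsoft: one PowerShell script that acts as the Intune detection script when run with no arguments (exit 1 flags the device) and as the remediation script when run with -Remediate. It assumes a known-good EAP-TLS wired profile was exported earlier with `netsh lan export profile` and staged at C:\ProgramData\Contoso\Wired-EAPTLS.xml, that the wired adapter is named "Ethernet", and that the "EAP type" text netsh prints matches the patterns noted in the comments.

```powershell
<#
  Added example (not the original poster's code, not Microsoft's).
  Usage as an Intune remediation pair:
    detection:    run with no arguments   (exit 0 = healthy, exit 1 = needs remediation)
    remediation:  run with -Remediate
  ASSUMPTIONS not stated in the post:
    - a known-good EAP-TLS wired profile was exported earlier with
        netsh lan export profile folder=C:\ProgramData\Contoso interface="Ethernet"
      and staged on the device at $BackupProfile by a separate delivery step
    - the wired adapter is named "Ethernet"
    - netsh reports EAP-TLS as "Smart Card or other certificate" and the
      post-upgrade default as "Protected EAP" in its "EAP type" line
#>
param([switch]$Remediate)

$PolicyDir     = 'C:\Windows\dot3svc\Policies'              # folder the post says is emptied
$BackupProfile = 'C:\ProgramData\Contoso\Wired-EAPTLS.xml'  # ASSUMPTION: staged export
$InterfaceName = 'Ethernet'                                 # ASSUMPTION: adapter name

function Get-WiredAuthState {
    # Snapshot of what Wired AutoConfig currently has applied.
    $policyFiles = @(Get-ChildItem -Path $PolicyDir -File -ErrorAction SilentlyContinue)
    $svc  = Get-Service -Name dot3svc -ErrorAction SilentlyContinue
    $show = (netsh lan show profiles 2>&1 | Out-String)
    [pscustomobject]@{
        PolicyFileCount = $policyFiles.Count
        ServiceRunning  = [bool]($svc -and $svc.Status -eq 'Running')
        EapTls          = [bool]($show -match 'Smart Card or other certificate')  # ASSUMPTION
        PeapDefault     = [bool]($show -match 'Protected EAP')                    # ASSUMPTION
    }
}

function Test-WiredPolicyHealthy {
    $s = Get-WiredAuthState
    # Healthy = service up, GPO policy files present, EAP-TLS profile applied.
    return ($s.ServiceRunning -and $s.PolicyFileCount -gt 0 -and $s.EapTls)
}

function Repair-WiredPolicy {
    # 1. Wired AutoConfig is what applies the profile; make sure it is enabled and running.
    Set-Service -Name dot3svc -StartupType Automatic
    Start-Service -Name dot3svc -ErrorAction SilentlyContinue

    # 2. Re-import the staged EAP-TLS profile directly. This needs no domain controller,
    #    which matters when the NAC port already blocks the device after the PEAP fallback.
    if (Test-Path -Path $BackupProfile) {
        netsh lan add profile filename="$BackupProfile" interface="$InterfaceName" | Out-Null
    } else {
        Write-Output "Staged profile $BackupProfile not found; relying on GPO refresh only."
    }

    # 3. Request a computer policy refresh so the GPO copy is written back to $PolicyDir
    #    once the device can reach the domain again.
    gpupdate /target:computer /force | Out-Null
}

$state = Get-WiredAuthState
Write-Output ("dot3svc running={0} policyFiles={1} eapTls={2} peapDefault={3}" -f $state.ServiceRunning, $state.PolicyFileCount, $state.EapTls, $state.PeapDefault)

if (Test-WiredPolicyHealthy) {
    Write-Output 'Wired 802.1X policy present; no action needed.'
    exit 0
}

if ($Remediate) {
    Repair-WiredPolicy
    Start-Sleep -Seconds 10    # give dot3svc a moment to re-authenticate the port
    if (Test-WiredPolicyHealthy) { Write-Output 'Wired policy restored.'; exit 0 }
    Write-Output 'Remediation ran but policy still missing; gpupdate on an open port is needed.'
    exit 1
}

Write-Output 'Wired 802.1X policy missing or reverted to PEAP; flagging for remediation.'
exit 1
```

The detection half only reads state, so it is safe to run on every device; the import step runs only on devices the detection has already flagged.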
Godaddy sending emails asking me to authorize issuance of an SSL certificate for a domain we control

I spoke to the developer who manages the company web site to ask if he requested a certificate from Godaddy. "Nope. We use Let's Encrypt"

Over the last few weeks I've gotten 4 or 5 of these authorization requests, all for the same domain...I think each email after the first was a reminder to authorize. At one point I called Godaddy to ask them to cancel the cert request, but other stuff came up while I was on hold and I never called back. Silly thought that Godaddy should provide a link in the email to explicitly deny the request.

I also control the public DNS (at Cloudflare) so I don't see anyone getting any scamming mileage out of having the cert anyway.

Any idea why someone would be trying to get a cert for a domain they don't own?

https://redd.it/1rom5n1
@r_systemadmin
Fellow BC, Canada Sys Admins: What are you doing/What have you heard about the time change changes?

For everyone: Our province is finally abolishing the biannual time change. Today is the last time we'll spring our clocks forward, and we won't fall them back in 6 months.

Everything did as it should this morning. So what are the vendors doing about the fall? Will Microsoft include us in an upcoming patch? Will we have to take care of it ourselves? What about the Linux vendors? Appliances?

Personally, I have to change a bunch of Cisco/Linksys stuff on my homelab VOIP system, but I think that's about it.

https://redd.it/1roe2np
@r_systemadmin
AI training for sysadmins

Any good documentation/training/tips on how sysadmins can get the most out of AI?

https://redd.it/1roby8p
@r_systemadmin
On-Prem SMB Shares to Copilot 365 - GCC High

Hi All,
I've been fighting this for a week or so now, so I appreciate any input.

I'm trying to set up the Microsoft File Share Graph Connector for M365 Copilot on a GCC High tenant. The connector is published, shows green/Ready in the portal, the GCA agent health check passes, all endpoints are reachable, it can see the files in the test folder. But it never actually indexes them and fails with an "access is denied" error. I've used the user account and confirmed it has access to the files (even tried "everyone" permissions on the test files).

According to the MS setup guide you only have to change:

* appsettings.json CloudInstanceUrl is set to [login.microsoftonline.us](https://login.microsoftonline.us)

But I also found in the HostConfig there are references to commercial endpoints, so I tried adding the GCC High endpoints (gcs.office365.us, graph.microsoft.us, graph.microsoft.com, login.microsoftonline.us), still no dice.

I'm at a loss...

Help me Sysadmin Reddit.. you're my only hope.

https://redd.it/1ropyf0
@r_systemadmin
Thoughts on AI

First - this is a long post. I have a lot of thoughts on this topic. Yes, it's another AI rant.

So like with many other places, AI has recently enveloped our company to the point where it is now somehow behind the majority of our top priorities. Execs and Developers want to use every new shiny AI-related tool that comes out, and we seem to have no issues spending the money. In any event, since we have the tools available I've tried to make use of them when I can, cautiously. While at the same time observing others that I think are overusing it to an extreme - to the point that when I ask them a question, I get a response either from Google's search AI response or sometimes their own chat with Copilot or whatever. Which is dumb because if I asked them a question, I wanted their thoughts on it, not AI's. If I wanted AI's thoughts, I'd have asked it myself. So I try not to be that person, but at the same time don't want to be the person who can't adapt to changing times...so I try to sit somewhere in the middle, and embrace it where I can.

A little background on me: I'm a DBA, SysAdmin before that, who scripts a lot for my day job and has also developed software as a hobby for most of my life, though I've never worked as a paid Developer. But I'm familiar enough with scripting, software internals and code. Yesterday was the first day I spent actually letting AI drive the majority of the tasks to write a couple of scripts for some work I needed to do, as well as in Excel to piece data together from different sheets. And I have to say - I'm not all that impressed.

Everything I asked it for the script stuff was related to VMware PowerCLI, specifically ESXi storage-related commands (to get information I needed to pull, and dump to CSV and/or output to GridView). All the cmdlets, modules and APIs used are publicly documented, and it all pertained to standalone scripts, so no need for the AI to understand any context outside the scripts itself (other than an instruction file and my VS Code settings that I told it to read) - these weren't part of a larger project or anything like that. It wasn't making any changes to our environment, nor did it need to know anything specific about the environment (that would all be passed to the script via params), and it wrote both scripts itself. So it should be pretty simple for it, I would think, especially with what I've heard and seen first-hand lately about all these complex projects being vibe coded. This was using Sonnet 4.6, and later Opus 4.6 in VS Code in agent mode.

But it seemed to overthink things a lot even when it was a simple question, and do some things unnecessarily complicated, and oftentimes it didn't even work. I read through its detailed reasoning process on almost everything I asked it, and it would very often go in circles with itself and eventually settle on some answer that may or may not be correct. There were a few parts where if I hadn't actually known myself how to go about it, it would've been no help whatsoever. On the other pieces where it did finally get it right on its own, it took a ton of back-and-forth in many cases, and I'd still have to be very specific about certain things. Some things it took like 10 tries before it found a working method, and on some things it never did until I told it exactly how to. Stuff I would think is pretty simple would trip it up - like trying to read settings from my VS Code settings file to follow the instructions in the instruction file (which just pertained to formatting rules, nothing fancy). I was coaching it more than it was coaching me. Maybe PowerCLI was a bad use case, but given that everything is publicly documented and it seemed to have no trouble identifying the commands and APIs it thought it should use, I'd think it should be fine.

In the end, did it save any time? I really don't know - maybe? Even if it did, there's a tradeoff - the fact that I didn't get to beef up my skillset like I would've if I'd had to do all the research and write it all myself like I would've in the past. Mental skills are like muscles - if we don't use them, we lose them over time. So as AI becomes better at what it does, I think we will become worse at what we do (those of us who already had skillsets in certain areas). When considering people newly entering the field, they will never build a skillset in the first place. When using AI, they may get a similar result as a more senior person eventually - likely in quite a longer time, due to not knowing as many specifics about what to ask - but also would learn very little in the process. Not sure that's a good thing.

In Excel, it was using Opus 4.5 in agent mode, and I really just asked it to match column values across sheets and fill in some blanks. And yeah, it generated formulas to do that - somewhat messy ones, initially. Once I told it to refine them in certain ways, it did, and it was good enough. So it may have allowed me to be more productive there. But again, same downside - I'm not getting "better at Excel" by learning a new formula (which I'd stash away in my notes for later use) and adding to my skillset, instead I'm getting better at talking to AI.

The biggest benefit I've seen from it so far is probably with meeting summarization, especially the integration with transcription features in Teams. This can make it very easy to jump to the correct point of a long, recorded working meeting, for example, where we cover some specific topic, without having to spend hours re-watching the whole thing. It's also very good at crawling structures and documenting them, although to an extent those features were already available before AI (e.g. specific tools to perform these tasks for specific use cases, like SQL databases), but I guess AI has just allowed that to be applicable in many more places than it was before. So that stuff has been good for the most part. It's not all bad.

But the coding stuff was largely a disaster, even with an expensive model that's supposed to be "the best" for coding. The experience I had yesterday aligns closely with the bits and pieces I had prior (I have used it quite a bit before but just for chat questions here and there, never in agent mode and never letting it "drive" like I did today). And even the Excel stuff, while somewhat "productive", has the negative tradeoff of not adding to/honing your skillset because you aren't actually using the product anymore. Finance people who used to be wizards with Excel, over time, will just become drones that talk to AI. New Finance people entering the workforce will never get those skills in the first place.

So when I hear about how "easy and cheap it is to write code now" because "any Junior Developer can vibe code stuff" I'm just thinking...maybe?....but with so many tradeoffs, long-term I'm not sure it's doing the company, the team, the customer, or the developer themselves any favors (even if the immediate return "seems great"). And the same is true for using it to do your job in other disciplines as well - I expect this to permeate into the IT world more and more as we go forward, especially with administration of cloud infrastructure like Azure and AWS. Someone who "doesn't know what they don't know", as they say, won't know what guidance to give, or what things to challenge it on, because they don't know any better in the first place.

There were several times Claude actually tried to convince me it was right about something that it most definitely was not, telling me "this is the correct approach". Only after I explained to it, in depth, why this is not the correct approach, and gave it a hint of what to do instead, would it change its tune and go that direction. And given what I saw on the parts where I was familiar and had to coach it along, I'm honestly not all that confident that on the parts where it did "get it right" on its own (meaning it at least produced a working piece of code without me telling it exactly what to do) those things are actually done in the correct or most efficient way. But "they work" (or seem to, anyway), which means when this happens in the wild, people are happy - likely nobody is double checking anything, or very high-level spot checks at best. So some Junior Developer or SysAdmin might continue going back and forth with it all day until, through enough trial and error and money spent on premium requests, they finally get a working product. But if what I saw today is any indication, I think a lot of it will be messy, and not necessarily optimal, performant nor elegant.

Do we plan to let these things make more serious decisions one day? Financial advice, health advice, etc. What happens when AI assures your paid "expert" (e.g. Financial Advisor, Doctor), that a certain route "is the correct approach"? If the expert doesn't catch it or doesn't know any better, and ends up parroting that guidance back to you, the client, you very likely accept it because again, they are the "paid expert" that's supposed to know what they're doing. So maybe the better question is - if/when this happens - will you even know?

And when it fucks up and leads real people down the wrong path with bad advice, and the person rightfully gets pissed, what will the response be - the same generic YMMV crap (e.g. "investing is a risk - past success does not guarantee future results" or "these may not be all side effects")? I know there's already been stories of AI convincing people to take their own lives, which is extremely sad. Of course, guardrails can and should be put in place to help mitigate some of this stuff, which supposedly has been done in many cases - but then I hear about AI agents that are allowed to modify their own configs. So if that's the case, what good are guardrails? If AI wants to go out of bounds on something, it'll just look at its config, say "oh, I see the problem, there's this dumb restriction in the way", remove it, and proceed on its merry way down whatever fucked up path we tried to stop it from going down. Some of this may sound like an unlikely scenario to some, but some of it (like agents modifying their own configs) is quite literally already happening - I don't think it's a stretch at all to say we're headed down a potentially very dangerous and destructive path.

At the end of the day, we're giving up our own mental capacity and critical thinking skills in the name of "productivity". Just because you produce more in a given amount of time does not always mean it's better. If quality drops, if manageability drops and overhead increases, if complexity increases unnecessarily with no benefit - then is it really a win? Not to mention, as time goes on and AI's skills continue to "sharpen", and our own skills continue to decline, we will become less and less adept at catching AI's mistakes. So human review of AI-generated things will become less and less effective.

I'll leave it there for now because I could go on for quite a while. It's just shocking to me that the entire world is in such a fkin daze from the "magic" of AI that nobody, or at least not enough people with influence in this sphere, have actually sat and thought through some of this stuff. Or the other, more likely scenario - they have, but just sweep it under the metaphorical rug because of the money it's bringing in. And the public largely is OK with it, because again, they're just amazed by "what it can do".

I know this was long but thanks in advance to those who took the time to read it all. This is just coming from genuine concern I have about the long-term effects of this AI craze on our society. I'm just curious to get others' thoughts on this topic - any productive discussion is welcome. If you disagree, please elaborate on why, what I have missed, etc.

And before anybody asks, no I did not use AI to write the post about my thoughts on AI.

https://redd.it/1rodjmz
@r_systemadmin
Your thoughts on implementing PAM in real environments?

We’re starting to look into Privileged Access Management (PAM) to improve how privileged accounts are handled across our environment. Right now things are a bit mixed between AD admin accounts, sudo access, and some manual controls.

Main things we’re trying to improve:

• Better visibility into who is using privileged access
• Session monitoring/auditing for critical systems
• Reducing shared admin credentials
• Tighter control over contractor or temporary access

For those who’ve implemented PAM, did it actually improve security in practice, or did it just add operational overhead? Also curious how you approached rollout: gradual vs. full enforcement.

https://redd.it/1rosp2a
@r_systemadmin
How you manage cloud security visibility across 50+ accounts.. looking for vendor advice

Dealing with a growing problem at work and really not sure what the best solution looks like right now.

We have a large number of cloud accounts and, well, the bigger issue is not the known assets, it is the unknown ones. See, developers spin up virtual machines, they finish their work, and just leave everything running. Problem is, nobody notices until the bill comes or something breaks. So we need better visibility, and I want to know what tools people are actually using.

Here is what matters most to us before I actually start evaluating vendors seriously. Agentless is non-negotiable; we cannot realistically manage agents at our scale. We need AppSec and cloud security under one license (not four tools stitched together). Similarly, vulnerability intelligence that gets ahead of CVE feeds (not just reacts to them). Then attack path analysis with the ability to define high-value assets ourselves. And finally, integrations with Slack, Teams, and email without custom scripting.

Here is what I have already looked at and where I ran into friction:

• Microsoft Defender for Cloud: good if we are all-in on Azure, but we are multi-cloud and the experience outside Azure felt like an afterthought
• Orca Security: agentless and the asset visibility is genuinely good, but we are not sure it fully covers AppSec depth at our scale
• Lacework: liked the anomaly detection, but AppSec coverage felt thin and the unified visibility we needed was not really there
• Wiz: agentless and strong on asset visibility, but pricing came up as a concern at our account scale and some AppSec depth was missing compared to what we need

Have any of you people dealt with a similar setup and found something that genuinely covers all of this without the tradeoffs above?

https://redd.it/1rotqs8
@r_systemadmin