Startups Basic Info Security Tools

We are a 15 person startup with 10 of us being eningeers and 5 being other things like CEO, Chief Of Staff, Product, etc. About 3 of the engineers are remote but we are looking for a general device management/security solution. Right now we use SecureFrame and their basic agent to meet SOC2 but we want a real device management and security solution for our workers. What tools are light weight and more modern? I dont want to go back to the old like crowdstrike and others unless they truly are great for this size company and giving us the ability to make sure laptops are more secure, provide audit logs and general need you think an early stage startup needs.

https://redd.it/1nr7l0d
@r_systemadmin

Disabling IPv6 breaks mirrored networking for WSL2

Not sure if anyone is still doing this in 2025, but for anyone getting heaps of developers saying WSL2 won't work on the company network this might be why.

https://github.com/microsoft/WSL/issues/11002#issuecomment-1934119518


https://redd.it/1nr4v3w
@r_systemadmin

High Priority Tickets

Dear users, if you put in a Critical or High ticket, consider yourself chained to your desk or glued to the phone. If you put in a high ticket and ghost me, I don't care if the whole building is on fire and I can see it from my house, your ticket is now closed.

https://redd.it/1nrg6id
@r_systemadmin

Friend got replaced by a vCTO

I don't know if you remembered but I posted here a couple of months ago about my friend (1-man IT team) who doesn't want to just give the keys to the kingdom to the manager (limited IT knowledge) due to lack of competency from the manager which only meant 1 thing, they're preparing to replace him. Turned out his gut feel was correct. He just got laid off a day after sharing the final set of creds to this MSP offering vCTO services that the manager went with without much consulting my friend.

Don't really know how to feel about virtual CTOs but I'm thinking it's going to be a bumpy ride for them to learn how the whole system and apps work with each other without any knowledge transfer at all.

I'm thinking this incompetent manager made a boneheaded decision without as much foresight with what could go wrong. Sorry just ranting on behalf of my friend but also happy for him to get out of that toxic workplace.

https://redd.it/1nrhx0i
@r_systemadmin

New leadership chipping away at security

So we got new leadership late last year at our org, and this year they have started to issue functionally decrees in spite of strenuous objection from myself and my direct boss. They're overriding security policies for convenience, functionally, and at this point I'm getting nervous knowing that it's just a matter of time until something gets compromised.

I've provided lengthy and detailed objections including the technical concerns, the risks, and the potential fixes - some of my best writeups to be honest - and they're basically ignoring them and pushing for me to Nike it. A matter of just a few months and this has completely exhausted me.

Yes, I'm already looking at leaving, but how do you handle this kind of thing? I'm not really very good at "letting go" from a neurodiverse standpoint, so while I want to be like "Water off a duck's back" I can't. Pretty sure it'll bother me for a while even if I leave soon, just because we're the kind of org that can't afford to be compromised, so ethically this bothers me.

https://redd.it/1nrcd0r
@r_systemadmin

Creating a Super Restricted Windows User - Browser Profile + Printer Only Access

Hey everyone! I need to set up a Windows user account with very specific limitations and hoping someone has experience with this.
What I'm trying to achieve:

1.User can ONLY access one specific browser profile (Chrome)
2.User can ONLY use one specific invoice printer installed on that PC
3.User has NO access to anything else on the computer (no other apps, no file explorer, no settings, etc. and can't install anything new either)

Basically looking to create a "kiosk mode" type setup where the user is completely locked down except for these two specific functions. Does anyone have experience with that?

https://redd.it/1nrpscm
@r_systemadmin

Are there any windows 11 certification for IT Support role?

Are there any windows 11 certification for IT Support role?

I am looking to do a certification course for windows 11 but I can’t find any. Well are there no certification yet for windows?

Are there any certification for windows operating system? How do IT Support staff learn windows if there no certification for windows operating system?




https://redd.it/1nrz44a
@r_systemadmin

Confused about Microsoft Server License renewal

Hi Everyone,

Hope all is going well.

Hope all is going well. I’m assisting our management team with renewing our Microsoft server licenses for the first time, and I want to make sure we understand the licensing rules correctly.

From what I’ve read, and based on discussions with our sales representative (who seemed a bit unsure), here’s my understanding:



Microsoft server licenses are counted based on physical cores of the hosts.
For example, if we have 5 hosts, each with 20 physical cores, we need to license based on the number of cores per host.
There is a minimum license requirement of 16 cores per physical host.
The number of virtual machines running on those hosts does not directly affect licensing, as long as the physical hosts have the required core licenses.



So, theoretically, we could run 50 VMs on these hosts with Microsoft Server Standard license, as long as the physical cores are properly licensed.

I want to make sure this is accurate before presenting it to our vendor.

Does anyone have a proper Microsoft link or documentation confirming this?


Let me know your thoughts

https://redd.it/1ns05z9
@r_systemadmin

Not learning much at the internship

Finally, after applying for a few years I've gotten a job in IT. The role is a Student role as an IT support. Took me so long to finally land one role, had to go back to school, make projects, work on my resume so much.

Now, the problem is that I was already having the imposter syndrome and this job is gonna intensify that. We have like 4-5 people in the team, some taking care of tickets (including hardware & software issues), some doing lifecycle projects for devices and some managing assets etc. I think I'm supposed to do a lil bit of everything in the next 4 months of this internship/co op role. However, no one is training me for anything.

Everyone seems to be busy with their own work and not taking the responsibility to train me. The supervisor and manager are already not very nice (I sensed during the interview) and they're busy with meetings and high level stuff so I don't wanna bother them. I accepted the role because I wanted to get my foot in the door but there's no formal training of any sort.

One of the co workers just asked me to start looking at tickets and working on the easy ones but I have no related experience before and as a student I'm supposed to learn. There's no job shadowing or anything like that. They're not really giving me any other tasks.

Is this how internships are supposed to be or this company is just disorganized? They have hired students before so this isn't their first time but they are acting like they don't know how to train me or they don't care for it. They have given me very simple tasks related to imaging laptops but that's all they gave me in 2 weeks.

Am I thinking too much and should wait or there's something wrong? Am I supposed to learn everything on my own by doing it or I was supposed to get training for at least a week?

https://redd.it/1ns1fjv
@r_systemadmin

Looking for MDM solution for 200 Lenovo Android 15 tablets in a school environment

Hi everyone,

I work as IT support in a primary school. We are planning to introduce around 200 Lenovo Android 15 devices for student use in classrooms. I’m looking for a reliable MDM solution that can meet the following requirements:

Bulk app installation, with support for pushing custom APKs directly (not only through Google Play).
Lock down the status bar (so students cannot swipe down and change settings).
Force automatic WiFi connection, disallowing custom WiFi changes.
Customizable and locked home screen layout.
Real-time device monitoring (battery, volume, storage, etc.).
Remote power management (e.g., control battery use, remotely shut down devices).

# What I’ve tried so far:

1. Azure Intune
Covers most of the requirements.
Big problem: It doesn’t allow direct APK upload/push. For non-Play Store apps, you must use Google Play private app publishing.
Issue: If the app is available in other regions but not in the current Play Store region, uploading it as a private app will trigger Google Play’s package name conflict check. If the package name already exists anywhere in the global Play Store, the upload is rejected.
I’ve tried renaming/re-signing the APK to bypass this, but some apps have network auth and anti-tamper checks tied to the original package name. That breaks functionality.
So I’m stuck: keeping the original package name = can’t upload; changing it = app breaks.
Question: Am I missing something? Is there any way to push APKs directly with Intune?
2. Google Endpoint Management
Very basic compared to Intune.
Same limitation with Play Store private apps and package name conflicts.
3. Other commercial MDMs
Many look feature-rich but expensive.
Not sure which ones are truly worth considering for education use at this scale.
4. Open-source MDMs
Example: Headwind MDM.
Haven’t tested yet. Curious if anyone here has hands-on experience.
5. ADB + Intune hybrid
Idea: Use wireless/USB ADB to batch install APKs, then rely on Intune for policy enforcement.
Feels hacky and technical, but could be a backup plan.

Questions:

Has anyone deployed a similar setup (large scale, education, Android 15) and found a working MDM solution that supports direct APK distribution?
Are there any workarounds for Intune to bypass the Google Play package name conflict problem?
Is Headwind MDM (or any other open-source MDM) mature enough for production in a school with 200+ devices?
Any commercial MDMs you’d recommend that balance cost vs. functionality?

Thanks in advance for any advice or real-world experiences!

https://redd.it/1ns2ve7
@r_systemadmin

What’s the going hourly rate for a Jr. Technical Support / Help Desk role in California?

Hey folks,

I’m looking for some input from hiring managers and IT pros in California (Chino Hills/Carson area). Looking to fill a help desk role and want to make sure the compensation that was approved by leadership is competitive for the market.

Here’s a quick snapshot of the role:

* **Type:** Full-time, entry-level jr. role
* **Location:** California (initially in-office with possibility of hybrid once they are fully trained up), with frequent travel in a 50-mile radius, all travel expenses paid for, etc.
* **Responsibilities:**
* Primarily help desk and end-user support (Windows, M365, Intune, etc.)
* Hardware setup & troubleshooting (computers, printers, mobile devices)
* User provisioning and de-provisioning, workstation setup, etc.
* Occasional on-call rotation for after-hours support (one week every 2-3 months)
* **Experience:** 1–3 years, relevant IT certs a plus
* **Physical Requirements:** Valid DL, some lifting (up to 50 lbs.), frequent local travel

Given these details, **what’s the typical hourly rate (or annual equivalent) you’re seeing for similar roles in California** in 2025?

Anyone out there recently filled similar roles in the area, would love to get your insight.

https://redd.it/1ns6aqp
@r_systemadmin

EntraID Org & File Server

With so many orgs doing the "cloud-first" approach, what is everyone's go-to for file servers and mapped drives in an Entra-joined environment with no on-prem AD? Some pain points so far:

* Azure files can get pricey, but offers mapped drives
* Physical NAS on-site "sounds" great, but won't handle Entra security groups for mapped drives
* Egnyte and other similar services are at the high-end of things price-wise

The long-term goal is to transition to Sharepoint and/or Onedrive, but for now there's a lot of legacy stuff that needs to be kept in place with mapped drives.

https://redd.it/1ns7s6x
@r_systemadmin

Admin by Request on Quickbooks Enterprise Updates

I’m testing Admin by Request free tier on a 10-computer network and overall I like it so far. The main issue I’m running into is with QuickBooks Enterprise Platinum, I want it pre-approved so that when it prompts for an qb update, the update can run automatically.

If a standard user launches it using “Run as administrator,” it elevates correctly and installs. However, if they launch it as a standard user, it doesn’t work. It says

There's a new QuickBooks software update waiting for you.

Looks like you don't have the required permissions. Contact your system administrator.

What's new in this update?

I’ve tried these different combinations in the pre-approval list without success.

|Application|File|Location|Type|Notes|
|:-|:-|:-|:-|:-|
|Any|Any file|C:\\Program Files\\Common Files\\Intuit|Read-only location|Pre-approval|
|Any|Any file|C:\\Program Files\\Intuit\\QuickBooks Enterprise Solutions 24.0|Read-only location|Pre-approval|
|QuickBooks|qbw.exe|Program Files|Read-only location|Pre-approval|
|QuickBooks Application|QBWEnterpriseWholesale.exe|Program Files|Read-only location|Pre-approval|
|QuickBooks Update Service|qbupdate.exe|Program Files|Read-only location|Pre-approval|

Anybody get this working with Admin by Request, or any alternatives that have worked for you?

https://redd.it/1ns7b3m
@r_systemadmin

Company Issued Laptop

Just curious what is your company issued laptop? Started at a new job and IT is set to get the “standard laptop” - Dell 14 Pro while execs Dell 14 Plus and others get the higher spec ones. Just curious. TIA!

https://redd.it/1ns8mx2
@r_systemadmin

MDM on personal device

Company I’m working at wants me to install MDM on my personal phone. I’m not sure how i feel about that. Can i just buy a work phone and do it on that? I’m not sure if they’ll give me a work phone.

https://redd.it/1ns9xfr
@r_systemadmin

Good hardware/software setup for recording public meetings?

What is a good hardware/software solution to facilitate public meetings that must be hosted virtually (Youtube, or whatever)?

We're looking for a good solution that can support 12ish speakers/audio channels, and provides a UI that doesn't require a lot of training. Usually the city recorder is the one responsible for ensuring the audio/video is useable, and they can't be expected to use a wildly-complicated setup...

So far the best we have come up with is OBS Studio since it seems to be well documented and stable (and free!), and to upgrade our audio to support 10-bit float (which might help with clipping, which we get now).

Can anybody recommend any pieces of software/hardware for this?

https://redd.it/1nsciai
@r_systemadmin

Best resource for NTFS Permissions

Looking to do a refresher on best practices on NTFS Permissions. Any recommendation?

https://redd.it/1nsbhie
@r_systemadmin

Being able to ping a private IP. Definitely something wrong at my ISP?

I 'm having trouble accessing the work VPN. So I tried to ping one of our private IP addresses in the 172.16.0.0/12 range and to my surprise, I got a reply (didn't expect since VPN was still trying to connect). Since I don't have that subnet at home and can't remember recreating our company network at home, I first figured out I somehow could access the VPN but not everything worked or so (which would also be weird but yeah).

Then I did a traceroute and indeed, the route clearly shows my home routers, then my ISP public IPs and then finally the IP in 172.16.0.0/12 actually replying. When I ping vpn.mywork.com, the packets follow a different route.

I'm not a network engineer, but this seems to me like there's something wrong at my ISP? I'd reckon I would never be able to ping anything in 172.16.0.0/12 if I'm definitely not running those subnets at home?

https://redd.it/1nsfthx
@r_systemadmin

Setting up a Windows Server 2022 VPN has me insane

I am setting up VPN remote access on a Windows Server 2022. It has me going insane. No matter what I do, I keep getting "The L2TP connection attempt failed because the security layer encountered a processing error during initial negotiations with the remote computer." error when trying to connect from the client machine.

I have made sure that ports are forwarded through the office router. I have verified settings on both the server and the client, and am going bonkers trying to figure it out. Does anybody have any experience with this because I am at the end of my tether over here.

I am using a pre-shared key and EAP+MSCHAPv2.

Please help.

https://redd.it/1nsjrlk
@r_systemadmin

Some devices appear disconnected, however they are connected to Action1

Sorry if this is not the right sub but i already posted in Action1 but got no answer there, so i thought maybe anyone would give me the right fix

I'm using Action1 as my device management software and I have an issue that i just noticed recently, some devices appear to be disconnected however they are active and connected to the internet, is there something i miss? i tried restarting the devices but still the same issue

https://redd.it/1nsnec0
@r_systemadmin

10 Copy-Paste Wins (Shadow APIs, npm scares, O365 detections, AI guardrails, more)

I pulled together things we keep re-inventing: runnable snippets, detections, and guardrails.
No vendor slides, no “strategic guidance”, zero fluff. Just copy-pasteable wins.

# 1) Shadow APIs: find them, fence them, document later

kubectl get ingress,svc,endpointslices -A -o json \
| jq -r '..|.hosts? // empty | .[]' | sort -u > hosts.txt

Probe `/openapi.json` etc., diff vs. spec registry, block unknown hosts/paths at WAF until reviewed.

# 2) npm supply chain: “one maintainer clicked the phish” playbook

* Quarantine new versions (<48h old).
* `npm ci --ignore-noscripts` everywhere, allowlist exceptions.
* Block [`registry.npmjs.org`](http://registry.npmjs.org) egress from CI.
* SBOM diff gate → require approver outside the committer’s team.

# 3) CI vuln noise → signal

Only gate if **Severity ≥ High + fix exists + reachable at runtime**.
Use KEV/EPSS > 0.5 as fast-track fail.

`.trivy.yml`:

severity: HIGH,CRITICAL
ignore-unfixed: true
exit-code: 1

# 4) O365/Entra detections that aren’t junk

**KQL – MFA fatigue:**

SigninLogs
| where ResultType in ("500121","50074","50097")
| summarize count() by UserPrincipalName, IPAddress, bin(TimeGenerated, 30m)
| where count_ > 6

# 5) Windows 4625 spam — find the process, not vibes

Get-WinEvent -FilterHashtable @{LogName='Security';ID=4625;StartTime=(Get-Date).AddHours(-1)} |
Where-Object {$_.Properties[8].Value -eq 3} |
ForEach-Object {
$ip=$_.Properties[19].Value
Get-NetTCPConnection -State Established -RemoteAddress $ip |
ForEach-Object { Get-Process -Id $_.OwningProcess }
}

# 6) Android 15 classroom lockdown

Require EMM that supports: Device Owner, kiosk launcher, Wi-Fi lock, APK hosting outside Play, remote screen.
Bootstrap via Zero-Touch/QR → block ADB after.

# 7) AI guardrails that don’t kill productivity

* Browser DLP extension with redact/block regexes.
* Proxy: rate-limit & size-limit to AI domains, allow enterprise tenants.
* Bannered pre-prompt in approved tools.

Policy line you can ship:

>Don’t paste client data, secrets, or code with keys into AI tools. Use only \[approved list\].

# 8) SPF flattening without a pager

Public record:

v=spf1 include:_spf.YOURDOMAIN ~all

Nightly job resolves includes → IPs, dedupes, pushes `_spf.YOURDOMAIN`.
Alert if delta > N ranges.

# 9) Browser is the new OS

* Enforce uBO-equivalent at enterprise/DNS level.
* Block unsigned EXEs via AppControl/WDAC.
* IdP-only admin portals, MFA hardware keys.

# 10) Incident comms you can paste during npm/Okta/$vendor fires

**External:**

>We’re aware of reports involving X. Deploy freeze in place. Services remain \[status\]. Next update at +2h.

**Internal thread:**

* 📦 Freeze builds
* 🔍 Scope services & SBOM
* 🔒 Apply egress blocks/controls
* 🕒 Owners + next update time

# Tiny but mighty

* MFA fatigue → number matching.
* Exchange/Outlook → auto-label exfil attempts.
* WSL2 mirrored mode → needs IPv6.

If this saves you an hour, great.
If you want the full pack (Sigma/KQL/Trivy configs, k8s policies, SPF noscript, API crawler, incident templates), **DM me** and happy to help!

https://redd.it/1nspham
@r_systemadmin