Anyone else having Bitlocker recovery key issues after installing the latest October 2025 Windows 11 KB5066835 update and then restarting?

Been getting reports of computers getting Bitllocker recovery key screen after installing the latest October 2025 Windows 11 KB5066835 update. Anyone else having this issue? We opened a Microsoft Support Case but the issue has not been acknowledged by Microsoft Support.

https://redd.it/1oadz4t
@r_systemadmin

Weird powershell command running and I need advice.

Past couple of days a couple of my servers have been spawning these powershell command ran by SYSTEM

Powershell.exe -ExecutionPolicy Restricted -Command function Get-UEFIX509Certificates{ $Certs = @(); try { $UefiDb = Get-SecureBootUEFI -Name db }

And this command can either be spawned with multiple processes or just one and it’s taking up a % of memory where SW is triggering alerts for high memory. Our end point security has not been triggered with this spawned powershell noscript.

I started an internal incident and investigation with my other colleagues but they haven’t seen this command before.

Our MCM team only uses “Powershell.exe -ExecutionPolicy Bypass” with Software Center to deploy updates, so it’s not related to windows updates.


Copilot threw this together since I can’t find anyone else that has ran across this noscript before.

this is what copilot said about the noscripts that are running
 
powershell.exe -ExecutionPolicy Restricted -Command function Get-UEFIX509Certificates { $Certs = @(); try { $UefiDb = Get-SecureBootUEFI -Name db }
What this means:
    1.    ExecutionPolicy Restricted
This is the most restrictive policy in PowerShell, which normally prevents noscripts from running. However, the -Command parameter allows inline commands to execute despite the restriction.
    2.    Custom Function: Get-UEFIX509Certificates
The code defines a function intended to retrieve UEFI X.509 certificates. These certificates are part of the Secure Boot infrastructure in UEFI firmware.
    3.    Key Operation: Get-SecureBootUEFI -Name db
This command queries the UEFI Secure Boot database (db). The database contains trusted certificates and keys used to validate boot loaders and drivers during Secure Boot.
In short:
PowerShell is trying to read Secure Boot configuration data from the UEFI firmware, specifically the certificate database. This is typically done for:
    •    Auditing Secure Boot settings.
    •    Checking trusted certificates.
    •    Security compliance or troubleshooting boot integrity.

I’m reaching out to see if anyone else in the community has seen this happen and can shed light on what and why these commands are spawning.

https://redd.it/1oafv3h
@r_systemadmin

RAID Rebuild Time

Hey All!

Hoping someone with more storage experience could help me. I have a server that houses my company's VMS and Access Control System, It is currently at 44TB of Video storage and 16TB was just added today for expansion into a new site next door. I followed the instructions at How to Reconfigure a Virtual Disk With OpenManage Server Administrator (OMSA) | Dell to add the drives to the array but here 5 hours later it is still showing at 0% in OMSA. Anyone have any guess how long it will take a raid 5 array of this size to reconfigure? I heard it could take a week. Is that true? Im pretty good on the software side of Sysadmin but now that Im with a company that Im the single IT guy the hardware side of this is new to me. Thanks in advance and sorry if this is a stupid question lol

https://redd.it/1oaah1z
@r_systemadmin

Receiving offensive, racist and homophobic support emails

Hi,

I'm not sure if this is the right place to ask, but I'll give it a shot anyway.

For the past few days, I've been receiving offensive, racist, and homophobic emails. These messages are from a customer complaining about a free product they're using.

I won’t go into too many details, but essentially, the person is being extremely offensive, making racist and homophobic remarks towards both me and the product. The person is also demanding that I remove certain features simply because he/she don't like them.

Over the years, I've learned to ignore this type of negativity, but this feels on another level.

I don’t want to waste too much time nor resources on this, but if there's anything I can do to prevent it, I’m happy to fill out any necessary report forms.

The individual is also using their own agency/company domain to send these emails.

https://redd.it/1oam2oj
@r_systemadmin

New job!

TL;DR Taking over as school IT manager with limited experience and wanted guidance on what to become skilled at. On prem AD and Google Workspace environment.

Hi all,

I am going to be taking over as a sysadmin/IT manager of a school. Altogether 2000 students and staff.

I will be replacing someone who has worked there for 30+ years and is retiring. From what I’ve heard a lot of the systems and procedures are outdated and I am fairly nervous to slowly make changes to modernise things due to my lack of experience.

I have had experience in IT since 2022 but in a proper MSP environment since 2023 which includes being an IT engineer for around 10 different schools.

I am still fairly new to IT and obviously there is a sense of imposter syndrome (which is fine- it’s always good to feel like you need to learn more) but I wanted to get some advice from others around here on what I should get better at and solidify.

The school is using a hybrid environment which includes on prem AD and Google Workspace.

Some things I am specifically nervous about is the backup solutions and how to implement the disaster recovery plan.
Also, managing and troubleshooting complex windows server issues.

Any advice and guidance would be truly appreciated!

https://redd.it/1oamhvp
@r_systemadmin

How much do you trust immutable storage to be immutable?

I've just got Veeam writing backups out to a hardened repository and I must admit it feels damned good.

Immutable setup using single use credentials no SSH etc. all done by the guides.

But there's always that little nagging doubt that there's still a way to get at the backups.

My absolute last line of defence is having a copy on tape. You can fit a lots of bandwidth on a shelf.

But if you've got immutable storage and you have management interfaces disabled so there's no iDRAC/iLO/SSH or other access how much faith do you have that there really no way for the bad guys to get at it?

https://redd.it/1oam23u
@r_systemadmin

Reusing “deleted” users username/email address

Would anyone like to explain why this can be a bad idea? We are standing up an IAM system that noscripts the creation disablement and to my dismay deletion of accounts after 90 days but I don’t see why we care to “reclaim” a username and I sense there being issues with doing so.

What’s your experience with deleting user accounts and then resurrecting them ??

https://redd.it/1oalz5u
@r_systemadmin

Where can I buy non-copilot laptops?

See noscript. I have a blind user in my org who cannot use it because the copilot key took the place of the right ctrl key.

https://redd.it/1oaruop
@r_systemadmin

Strange behavior in linux: user can still run sudo commands and switch users even though pam prohibits it

If a user is removed from the sudo group and tries to run sudo some-command they correctly receive a permission denied error.
Additionally, PAM can be configured so that when the user runs su some-user a "su: permission denied" message is shown, even if the correct password is entered for some-user.

However, I found this restriction applies only to command-line. There are other ways for the same user to perform privileged actions. For example, instead of running:

sudo systemctl restart cron.service

they can simply run:

systemctl restart cron.service

In this case, GDM displays a graphical password prompt for the root password, and the operation completes successfully. This makes membership in the sudo group useless, since the same command can be executed without sudo ! The only difference is that the password is entered in a graphical window instead of the command line! The graphical display has root privileges and follows its own policy not PAM.

The same issue occurs with su: a user can switch to another account, even root, through graphical tools, even if they are not in the sudo group and cannot run su from the terminal.

This seems like a design flaw. There appears to be backdoors that bypass PAM restrictions and group-based privilege control.

question:

How can I configure Linux desktop so that a user is confined, that is, they cannot run any executable requiring elevated privileges (even if they know the root password), and they cannot switch to another user context even through Wayland/GDM?

In other words, I want to ensure that users can execute only the commands for which they have explicit execution permissions.



https://redd.it/1oaqvg4
@r_systemadmin

Windows on ARM

Has anyone started using Windows Arm laptops in a enterprise space?

We use HP Elite Books (most are AMD) but we've had some interest in the ARM varients, if anyone has rolled them out, do they work fine with AD / standard office applications?

We are going to get a couple for our digital team to test but thought it's always good to do research on it and get others opinions

https://redd.it/1oau5gr
@r_systemadmin

Does having a CSP Azure subnoscription affect support for your non-CSP subnoscriptions in the same tenant?

I've been in this situation once before at a previous org but want to confirm that what I remember is actually the case:

We are planning to add a new subnoscription to our Azure tenant via our CSP to support PAYG Teams Phone billing. All our current Azure subnoscriptions are direct billing with Microsoft. I know that when you buy through a CSP, Microsoft won't support that subnoscription directly (even if you have Unified Support) and you have to work through the CSP, which we have no problem with.

We want to keep direct support available for the existing subs, especially because the product teams that manage some of the other subnoscriptions are considering Unified Support in future. I'm about 98% sure that adding this new sub this won't affect support eligibility for the non-CSP subs, and that we can still go direct to Microsoft for support on them. Our CSP agrees but asked me to confirm with Microsoft just to be sure since it will upset our product teams if things change because of something my team purchased, but of course all our Microsoft contacts are unresponsive.

Can others here who have this sort of setup confirm/deny that you can still get direct MS support on your non-CSP subnoscriptions?

https://redd.it/1oaqxdi
@r_systemadmin

Mac connecting to wireless printers - only one wifi network causing issues

Hi all,

Background: I install and manage all the hardware and software for my small law firm with fewer than 10 employees. I do okay and troubleshoot a lot of issues by searching through Google, forums, etc. I recently bought new laptops for everyone and switched myself back to a Macbook Pro after about three years with a PC. The Macbook is a pleasure and has spoken seamlessly to all of our cloud-based file and case management apps, Microsoft Office has behaved, etc. Except for one thing.

I cannot get the Macbook Pro to connect to our wireless printers (one large Brother, one all-in-one HP) in the office. They wouldn't autodetect, so I tried by using the IP address, tried installing drivers. It connected to the HP for about half a day, then started reading it as offline. I removed and tried to reinstall the HP and now it won't connect at all. I've restarted all the things, reset all the things, cleaned cache, etc. etc. No dice. The Macbook Pro connects wirelessly to my home printer (a Brother) and a friend's home printer (another HP) without a hiccup.

We have a typical typical high-speed wifi set up with a router and extender. I just set up four new PC laptops and they all connected without a hitch. The PC laptops have had occasional issues, for example where an employee will need to reinstall the Brother printer every few weeks because it just gets slow or stops connecting. But that has seemed pretty normal.

Any suggestions before I have to pull in an outside IT person for the first time?

https://redd.it/1oaxzuy
@r_systemadmin

BT fiber connection

Hi,


iv just recently had a line installed via a reseller who are complete garbage BT left me with a adva in a remote office that terminates to fiber but i can find nothing in my order paperwork on what this termination is so i am struggling to order a media convertor.


Its two strand but the lad on site isnt the best so i dont want to ask him to pull the SFP anyone know what the standard is ? i was looking at https://amzn.eu/d/fxSqJvq and a patch lead https://amzn.eu/d/58XfHdr but honestly iv no clue its always come with the media convertor before.

thanks in advance



https://redd.it/1oazm6x
@r_systemadmin

Reboot Restore Rx Pro

Anyone have experience with this software? It seems like it's not the best for handling Windows Updates despite the option being available in the UI. I have been running a public access kiosk computer with this software for years now with the Windows Update option disabled and automatic Windows Updates disabled in general. It seems to cause too many problems. This isn't just when feature updates happen. It seems to be a problem for general security updates.

I recently upgraded a PC to Windows 11 and continued to use version 12 of Reboot Restore since the license doesn't carry over for the new version supposedly (Version 13 - Enterprise). I decided to retry the update option and it once again causes problems. I even had problems with Windows Update working altogether, even when I went into services.msc and manually restarted Windows Updates.

Am I doing something wrong?

https://redd.it/1ob1a1q
@r_systemadmin

Basic Server Security Questions

Hey Everyone -

Long story short, I manage a team of about 15 people in our warehouse/logistics area that uses a small app I've built that basically connects via SOAP API to another system (3rd party). Theres one function it tho that we can basically only send one request every 1 minute or things get stuck. So currently I had built out kind of a broker on each app that says "send request...wait 1 minute...send next request...wait 1 min" - the problem is obviously that each persons computer would just be doing the same thing and they would all still be sending to many requests to our third party service.

So my thought process was to get a small VPS and rig up a queue manager to a database in the air. Our app sends the request up to the vps, it gathers all the requests and then shoots them out to the third party service. I'm not an IT guy - im just a manager try to help live an easier life by using this app.

Anyways, I've got it setup. And it works fine. My question is im just concerned about basic security because now I am shooting up a username/ssh key into the server and it holds it there.

What I have done so far - and honestly, this is just me reading online for several days:

For Basic Security -

\- for the domain/nameservers i got cloudflare which seems to offer protection against DDOS and offers basic SSL certificate for the domain. Have the domain running from https://

\- Installed fail2Ban on the server

\- closed access to all ports except 22, 80, 443

\- (I have in my notes to also change port 22 to something else but havent done it yet)

\- disabled root access

On the App on the desktop side - the username/ssh is already using encryption for windows dpai and I added an AES-256 encryption for when it sends the code i have a key on the desktop side and got a key on the server side. on the server side it holds the key just until it processes and then dumps it.


Just wanted opinions if I am on the right track here - am i not doing enough? am i doing too much? or am I complete idiot? I'm not doing much and I dont think my small little thing would attract much attention - but never know. I just need to be able to tell the boss that were secure lol. Thank you all!

https://redd.it/1ob2jax
@r_systemadmin

Scammers

Recently got hit by some scammers* claiming to be Verifone support. End user followed their instructions and sold things, faked with cash, them provided card numbers to refund to. Then requested the clerk tie a card number to the clerks personal apple wallet and do.the refund again.

Be on the lookout and let your end users know.

I have 2 phone numbers, but I'm sure they're spoofed or VoIP. They answered when I called and definitely sound like they're state side.

https://redd.it/1ob4am2
@r_systemadmin

Oct emergency patch question

I haven’t approved Oct updates yet in WSUS. With this emergency patch MS is putting out, will that overwrite the existing bad patch in WSUS? Are they pulling the bad patch and I’ll see the new one listed at some point?

https://redd.it/1ob77up
@r_systemadmin

State of ReFS on Windows 11 25H2

Deploying a new desktop and took the opportunity to mess around with ReFS as the Bootable Partition on Windows 11 25H2.

HP EliteDesk 8 G1i Mini
Intel Core Ultra 7 265
64GB RAM
Samsung SSD 980 Pro 2TB with Heatsink

Features that are available and probably worked:
• ReFS Integrity on and off
• ReFS Compression
• ReFS DeDuplication
• ReFS DeDupe & Compression

Features that did not work in my case:
• Booting Win 11 25H2 from ReFS (it was not stable)
• Block Cloning in File Explorer
(I've just read the restrictions on block cloning and saw that the max file size is 4GB. Possibly I was testing with 10GB files (I don't remember). Bit disappointing as I do a lot of duplicating of large files and was very interested in "instant" copy creation. However this feature apparently is a game changer with Hyper-V, and vhdx are all over 4GB, so maybe Hyper-V does it's block copy intelligently, breaking it down into >4GB blocks, while File Explorer doesn't).

CrystalDiskMark 9.0.1 with default settings

All benchmarks were performed with ReFS Integrity Off. (NTFS doesn't have integrity streams). I was going to do additional benchmarks with DeDupe and Compression&DeDupe as well as storage use, and then repeat with ReFS integrity on, however the OS kept freezing so was unusable.

| | Integrity Off | | Compression (ZSTD L3) | | | | NTFS | | | |
|:-------------:|:-------------:|:------------:|:---------------------:|:------------:|:------:|:-------:|:-----------:|:------------:|:------:|:-------:|
| | Read (MB/S) | Write (MB/s) | Read (MB/S) | Write (MB/s) | % Read | % Write | Read (MB/S) | Write (MB/s) | % Read | % Write |
| SEQ1M Q8T1 | 6778.33 | 4939.53 | 6682.05 | 4944.06 | -1% | 0% | 6725.4 | 4857.13 | -1% | -2% |
| SEQ1M Q1T1 | 3179.05 | 2363.24 | 1987.87 | 2679.29 | -37% | 13% | 3239.23 | 2419.95 | 2% | 2% |
| RND4K Q32T1 | 414.32 | 340.42 | 414.31 | 361.3 | 0% | 6% | 395.45 | 394.05 | -5% | 16% |
| RND4K Q1T1 | 61.09 | 120.88 | 29.43 | 113.79 | -52% | -6% | 45.38 | 126.18 | -26% | 4% |

All the benchmarks I'd read were with ReFS with default settings (Integrity on) against NTFS (which doesn't have integrity streams) and were showing performance deficits of ReFS. Based on above, possibly ReFS has very comparable performance to NTFS when configured with the same feature set.

Compression benchmarks were very odd. Big speedup for write and big slowdown for read are not logical. One would expect slowdown for write and similar or possible slight speedup for read (with costs to CPU). Seeing as the benchmarks were run once, and I paid little attention to if background tasks were running, it's possible this is just a bad benchmark result.

As I understand the features:
Compression
With ReFS, you set the compression state using PowerShell Set-ReFsDedupVolume, however the PowerShell command doesn't seem to let you specify the compression settings. If you use 'refsutil compression', you can enable/disable compression, set the format (LZ4 - Fast or ZSTD - Balance between compression and speed) as well as the compression level and chunk size.

Using refsutil also causes a job to run to de/compress the entire drive. Using PowerShell requires a

separate command to run the initial compression pass: Start-ReFSDedupJob, which is were you specify the compression properties, but it's unclear if that sets the default for the volume or just for that run?

Unless I'm remembering it incorrectly, setting compression on with refsutil resulted in PowerShell saying that it wasn't enabled for the volume and refsutil saying it was enabled. I enabled it with both just to be sure.

DeDupe
DeDuplication volume properties are set with the PowerShell Set-ReFsDedupVolume command. Then DeDupe passes are scheduled with Start-ReFSDedupJob/SetReFSDedupeSchedule. A DeDupe pass seems to run with relatively low priority (in my very limited experience of one partial pass) doesn't seem to take much CPU or drive resources on a relatively idle machine, takes a very long time, and as expected, uses inclemently more RAM as it continues. ReFS DeDupe only scans the entire volume on the initial pass. Subsequent scans will do an incremental DeDupe.

DeDupe and Compression can be combined.

Integrity Streams
Integrity steams can be enabled/disabled on format /I:enable or disable. The property can then be adjusted for a volume, a folder or a file with Set-FileIntegrity, which I believe will calculate the checkums for each included file/folder so may take significant time.

By default ReFS runs a File Integrity Scrubber every four weeks to validate infrequently accessed data checksums. This can be configured with PS.

Installing Win 11 onto ReFS
a) Install Win 11. I like to install it onto an unpartitioned drive and Win 11 will create the default FAT32 UEFI and NTFS Recovery partitions, in addition to the main partition for OS.
b) Once complete, boot back into Win 11 setup USB, and on the disk selection screen press Shift+F10 for command prompt, format the main partition with ReFS with your desired properties and then close CMD.
c) Select the main partition in the installer and it will install Win 11 onto ReFS.

Notes:
• Win 11 25H2 booted from ReFS was NOT stable. After some number of hrs of use, the storage would stop responding properly and the system would run incredibly slow.
• Same machine booted on NTFS did not have the same issue.
• This was just for fun, and the benchmarks are rough indications only and were not performed in was designed to generate exactly reproduceable results.

https://redd.it/1ob92me
@r_systemadmin

Thickheaded Thursday - October 23, 2025

Howdy, /r/sysadmin!

It's that time of the week, Thickheaded Thursday! This is a safe (mostly) judgement-free environment for all of your questions and stories, no matter how silly you think they are. Anybody can answer questions! My name is AutoModerator and I've taken over responsibility for posting these weekly threads so you don't have to worry about anything except your comments!

https://redd.it/1odz8ea
@r_systemadmin

An ATM jackpotting incident has increased my hatred for dealing with law enforcement.

The credit union I work at had two of their ATMs jackpoted and every law enforcement agency involved wants the footage a different way. Between the two cities, one state, and two federal agencies that want footage we have 7 different versions archived for two different ATMs. That is before what insurance wants. I swear the next person who asks is just getting the 7 hour raw footage. It is legitimately less paperwork at this point to get robbed at gunpoint. Also, given how close NCR thinks they are to a countermeasure for the technique used it would have been nice of them to let people know a bypass for the dispenser security was in the wild. Our ATM support company was seemingly unaware that was done. Still determining if that was on NCR or them.

https://redd.it/1oe7bqa
@r_systemadmin