How is your org preparing for Secure Boot certificates expiring June 2026?

Microsoft says Secure Boot certificates start expiring in June 2026. If systems don’t get the new certs, future boot components may be blocked.

According to the post:
The original Secure Boot certificates (circa 2011) will start expiring in June 2026.

Systems that don’t have updated certificates may stop receiving boot security updates and may even reject new signed components.

Microsoft and OEMs are rolling updates, and the blog suggests letting Windows Update manage Secure Boot certificate deployment or evaluating options now.

How are you proactively handling this in your environment?

Curious to see how others are planning for or already solving this - especially at scale.

Thanks!

https://redd.it/1pxm8nf
@r_systemadmin

Trying to figure it out.

Pic for reference: https://i.ibb.co/m5GK7SjQ/tailscale.png

Somehow, I have come up with a total brain freeze the last week. Trying to figure out how to get "domain PCs" to operate off of "DC02" while NOT installing tailscale on the PCs. No ports are currently open on the pfSense firewall, and they are not wanting to open for IPSec or OpenVPN.

Mirroring AD and SQL to DC02 is self-explanatory using tailscale. Getting the domain PCs to see it has me at a brain freeze. Possibly put Hyper-V on DC02 and install Debian/GNU with tailscale router?

https://redd.it/1py5bfs
@r_systemadmin

How do you manage remote employee asset management?

What's up?! First post here because I'm pretty new in my career and hitting a bit of a roadblock.

My boss has tasked me with figuring out asset retrieving. I went down the path of attempting to figure it all out in-house but I can see that spiraling into an actual logistics nightmare. In my searching online, I've seen some companies exist that do it all for you. I've checked allwhere, Unduit, and workwize so far. Leaning towards allwhere because my boss will like the no contract lock in part. But I'm open to possibly doing it all in-house.

So my question is: How do you manage this for your company? If it's done in-house, any price hacks I should know about?

https://redd.it/1pxx56x
@r_systemadmin

Remote IT Job (Help desk, sysadmin, etc.)

Hello everyone, I just recently quit my car sales job because I want to peruse my career in IT. I currently have an Associates in Cybersecurity where I worked with Objective Oriented Programming, Programming Fundamentals, CCNA labs, networking, etc. all that good stuff. I just recently got my A+, plan to get my Net+ January 6th, Sec+ around February, and CCNT sometime after since I got a free voucher from my CCNA classes. Sometime after getting the “CompTIA Trifecta” I plan on getting CISSP & CCNA. The issue is how do I secure my first remote IT job? I live in a relatively small town in Arkansas (15k population) and there’s not many local jobs around the area. I have very high troubleshooting skills with desktop computers as that’s what I’ve worked with my whole life. I’m trying to get pretty good at networking, VLANS, segmentation, etc. lots of stuff to learn but I really need to buckle down on something soon so I’m not out of a job for a while and create a large unemployment gap. I actively apply on indeed every day, I have a family friend helping me on LinkedIn forwarding me jobs that have requirements out of this world, but besides that I’ve heard nothing besides the good ole “we appreciate your application but decided to move forward with other applicants, if you’re interested in any more jobs check out our job board”. What kind of advice to You guys recommend? I’m currently in the process of making an “Enterprise Level Virtual Lab” with my gaming pc that has 64gb of DDR5 Ram, i9-12900K, Radeon 7900XT, that will have 2 DNS Domain controllers: 1 main, 1 backup for redundancy, 2 Windows 11 workstation computers, and 2 servers, 1 for a File Server and 2 for an Ubuntu ticketing system. This will all work in conjunction with Kali Linux that I will run sandbox testing as well. This is all so I can log this on my Resume as home lab experience. Thoughts?

https://redd.it/1py9n1i
@r_systemadmin

Windows 11 upgrade via WSUS only installed 21H2 and doesn't offer newer versions

I have been upgrading computers to Windows 11 (from Windows 10) via WSUS in a non-internet connected network segment. The upgrades worked well but I noticed that the version of Windows 11 installed is 21H2 and not the latest 25H2. I can't figure out why it is only installing the old version.

I have both the "Upgrade to Windows 11 (business editions) en-us x64" and "Windows 11, version 25H2 x64 2025-12" updates approved for the group. When I check for updates on the clients none are available.

Computers report in WSUS shows that the "Upgrade to Windows 11 (business editions) en-us x64" update is "Installed" but that the "Windows 11, version 25H2 x64 2025-12" update is "Not Applicable".

How can I get these newly upgraded Windows 11 machines from 21H2 and 25H2 and better yet why can't I upgrade straight from Windows 10 22H2 to Windows 11 25H2 which is the desired upgrade path?

https://redd.it/1pybxmi
@r_systemadmin

MSP off boarding - advice?

Recently landed an internal head of IT for a company who is bringing the IT Function in-house from being solely MSP supported.

We aren’t due to off board from the MSP until Feb and was using Azure PIM for global admin elevation for our MS365 tenant.
In the week I have been at the company, haven’t yet created a break glass global admin account, as didn’t want to go ahead and upset the MSP.

For some reason (maybe NCE dates - I don’t know) they have revoked our Azure P2 licenses from the tenant and now have no PIM roles and can’t get GA into the O365 tenant.

Called MS Support for an admin takeover but because the MSP is still listed in our tenant as a partner they won’t let me go ahead with the admin takeover incase there is unpaid invoices to the MSP! They have forcefully closed the support case and said they won’t get involved in disputes.

I asked the MSP if they could help but they’re saying their GDAP access has been revoked.

Has anyone got any advice?

https://redd.it/1pyfbw0
@r_systemadmin

The current state of "AI in Backup" (Veeam vs Rubrik). Is anyone actually buying the hype?

Backup used to be simple. Swap tapes, send them offsite, pray you never need to restore. Now it's our main defense against ransomware and apparently, it’s supposed to be "AI-driven" now too.

I’ve been trying to cut through the marketing noise recently regarding the big shifts in the backup space. You’ve probably seen it: Veeam bought Securiti.ai to focus on governance (knowing what is inside the backup file), and Rubrik is going absolutely hard on the GenAI hype train, integrating with Amazon Bedrock to speed up recovery capabilities.

We've been evaluating both approaches in our lab, trying to figure out what actually matters when things hit the fan. I wanted to share a few practical takeaways here because the demos always look perfect, but reality is usually messier.

It basically comes down to what headache you want to solve:

The Governance/Scanning Play (Veeam approach) The idea here is scanning backup data offline to find PII or compliance risks without thrashing your production DB performance.

The good: If you have a sprawling hybrid mess and need to answer "where is every credit card number stored?" this is solid.
The catch: The "proxy tax." You need serious compute power to churn through petabytes of backup data to index it all. It’s not magic; those CPU cycles cost money somewhere.

The "Talk to your data" Play (Rubrik approach) They are pushing the "Cyber-Recovery" angle. The pitch is using an LLM so a Tier 1 SOC analyst can just type plain English questions like "Show me what broke with CVE-2025-X and give me a clean snapshot."

The good: Sounds amazing for bridging the gap between SOC and Infra teams during a crisis.
The fear: OpEx creep. Be really careful about consumption-based pricing for these AI queries. If your team starts using the chatbot for daily tasks instead of just 3 AM emergencies, that API bill is going to explode.

The other headache: Something I hadn't really considered until we dug into it: your backup repo is basically the perfect training dataset for an LLM. Now I have another governance issue—worrying about who (or which internal models) can access the archives for training purposes.

Honestly, I'm still skeptical. At 3 AM when everything is on fire, I'm not sure I want to be chatting with a bot. I think I’d prefer having a pre-scanned, validated clean recovery point ready to go.

What are you guys seeing out there? Are any of you actually using these GenAI backup features in prod yet, or is it still mostly vendor noise?

https://redd.it/1pyfmao
@r_systemadmin

How do you test VoIP call flows before deploying changes?

I worked on creating a VoIP stack (Kamailio + Freeswitch + Asterisk + some custom logic),

and every time we change something we still end up doing manual test calls.



Things like:

\- inbound call routing

\- IVR / DTMF

\- voicemail

\- call forwarding

.......



We’ve tried SIPp noscripts, but they’re painful to maintain and don’t really

cover full call flows.



Curious how other teams handle this:

\- manual testing?

\- noscripts?

\- CI?

\- or just testing in production 😅



Genuinely interested in how others do it.



https://redd.it/1pyh32j
@r_systemadmin

You guys ever think of changing career?


Feels like it is just downhill and this is no longer fun. ”Only” been working in IT for 10 years and honestly it feels very meh.

Me? I’m just an IT Lead who’s role is to not manage employees anymore but consultants / ”bought services”. This ain’t no fun.

Ever dream of changing career? Got any fun ideas or career switch where you can apply previous job experience to?

Would love to hear what you think.

https://redd.it/1pyjgfr
@r_systemadmin

Anyone know how much crowdstrike pricing is for government or non profits?

I'm helping a small local government office look at endpoint security options and crowdstrike keeps coming up. We've heard it's good but we've checked online and the pricing is totally unclear for public sector or non profit type of budgets.

Their website just says "contact sales" but we're trying to get a rough idea before we even reach out. We don't need a huge enterprise setup, just something solid for about 50 endpoints for now.

Does anyone have any insight into how much crowdstrike might charge for a public sector or education/non-profit org? Even an estimated range would be super helpful.

Lastly, are there any good alternatives that work well for government but might be more budget friendly?

https://redd.it/1pyk135
@r_systemadmin

Anyone else stuck between a hostile local IT team and corporate IT?

I joined my current company last year. Small sysadmin team (5–6 people), reporting to a senior sysadmin and a director who’ve both been there 25+ years. Very strong “this is our environment” energy.

I came in with a more modern / DevOps-leaning background (Docker, Ansible, NetBox, etc.). The existing culture is very legacy Linux: heavy shell noscripting, extreme rigidity, and strong opinions about how things must be done.

At this point, I mostly just say “yes sir” and go with the flow. I’m trying hard not to take things personally, but it’s difficult when I get constant pushback on very small stuff:

• Strong resistance to Docker

• Complaints about one tool per VM because it “wastes” a CrowdStrike license

• Hyper-strict naming rules (dashes only, even in Python code) This goes deep though.

• Requests for features that feel unrealistic or fundamentally misunderstand what tools like NetBox are for (e.g., clicking a device and forcing native SSH sessions)

Individually, none of this is catastrophic. Collectively, it’s kinda exhausting. The hardest part is that I share an office with the senior admin. He’s extremely knowledgeable, but he’s also very loud, curses constantly, gets visibly upset, and communicates in a very intense, commanding way. He aggressively picks apart work and points out what’s “wrong” with it. I honestly can’t tell how much of it is intentional versus just how he’s wired — but sitting in the same room with that energy for 8–9 hours a day is brutal, especially since I’m fairly introverted.

On top of that, he hates our corporate IT team with a passion and talks about them like they’re the devil incarnate. We were acquired by a parent company, and corporate IT handles change control and many if not all network changes we need. That arrangement drives him (and my manager) crazy. I’ve felt caught in the middle and sometimes unsure whether I’m supposed to fully cooperate with corporate IT or “play defense” for the local team. It’s super confusing.

What makes it weirder: my director’s boss is the same executive corporate IT ultimately reports to. Same umbrella, same leadership chain — but no regular step-ups, no alignment meetings, and I’ve never interacted with that level. So I’m left guessing who I’m actually supposed to prioritize. My director and the senior sys admin regularly instruct me to not help or support this corporate team, we keep denoscriptions off interfaces to keep them in the dark, we revoke their privileges to our tools— anything to piss them off. They’ve become “need to know”.

I don’t feel disrespected enough to go to HR, and I’m not trying to rock the boat. I just find myself holding my tongue constantly and reminding myself not to take the daily criticism personally. I just want to do my job.

The pay is very good, which is why I’m still here. But coming from a long, relaxed, collaborative job, this place feels rigid, tense, and high-pressure by comparison.

I guess I’m looking for perspective:

• Is this just how long-tenured sysadmin teams are sometimes?

• How do you mentally detach from constant criticism without burning out?

• Has anyone navigated being stuck between corporate IT and a hostile local team?

• At what point is “good money, bad culture” not worth it?

Mostly venting, but curious how others have handled similar situations.

https://redd.it/1pyldq1
@r_systemadmin

Anyone here reselling VoIP/UCaaS? What platforms are reliable?

My team manages IT for a handful of small and mid-size clients, and we’re thinking about rolling out our own VoIP/UCaaS offering next year instead of constantly playing middleman with third-party vendors. I’m curious what platforms members of this community have had good or bad experiences with.

And also, what matters most for you when recommending a VoIP solution to a business (is it call quality, ease of provisioning, white-labeling, recurring revenue, or something else?) I’d love to hear your experiences.


https://redd.it/1pyl0rb
@r_systemadmin

Dell iDrac Write Endurance Warnings

I have 3 Dell R740xd servers.

Two of the servers iDracs are sending daily alerts about the write endurance of a SSD. In one server it is disk 24 and in the other server it is disk 25.

In each server disks 24 and 25 are a RAID 1 and run ESXi for each host. The data stores live on another RAID array.

But when I check disk 24 in server 1 it has a write endurance of 0% and then disk 25 has a write endurance of nothing it is just a dash. When I look at the other raid array on server 1 the write endurances are the same just a dash.

Same thing on the other server as well.

The disks are all Micron disks and have been in there for a few years now. The iDracs are all on the latest firmware and I also tried rebooting the iDracs to see of that would reset anything. All the disks are also reporting healthy by the iDrac.

But nothing seems to work, and we are getting multiple emails a day about these write endurance warnings. I have seen other posts from years past where people just said create an email rule and call it a day. But I wanted to see if there are any better solutions then that.

https://redd.it/1pym1b4
@r_systemadmin

MS Teams Channels missing tabs ex. Planner, OneNote etc..

As of almost two weeks ago, it appears that tabs within Microsoft Teams channels Ex. Planner or OneNote etc..

When attempting to add these tabs back, I get prompted to request approval. No approval email is ever received, and the request is indefinitely in a grayed-out “Requested” state.

I cant tell if this is some new MS change and its standard behavior or if I changed something.

Any info is appreciated.

https://redd.it/1pyqdoj
@r_systemadmin

Cyber insurance query

When answering insurance questionnaires, do you ever deliberately limit scope or wording (e.g. “as of this date”, “for these systems only”, “to the best of our knowledge”)? If so, where is that wording usually captured?

https://redd.it/1pyrgak
@r_systemadmin

Post-mortem sanity check: how do you handle “un-scannable” expiries (API keys, internal certs) without spreadsheets?

We just had a ~2 hour outage because a 3rd-party API key expired.

What’s annoying is that this wasn’t a surprise. We knew about it. It was written down in a “DevOps Secrets” spreadsheet, and someone even had a calendar reminder, but that person was on PTO, and honestly the spreadsheet hadn’t been opened in months.

We already use UptimeRobot for public SSL certs, so those are fine. But for the “offline” stuff , Apple Push certs, API tokens, internal signing keys, we don’t seem to have a good answer.

I’m honestly just trying to sanity-check how other teams deal with this:

Do you actually have a tool that tracks these properly?
Or is everyone using some shared spreadsheet + reminders and hoping it doesn’t get missed?

I’m tempted to hack together a cron job to nag us, but that feels like yet another fragile workaround that’ll probably rot over time.
Curious what’s actually worked for people.

https://redd.it/1pytylt
@r_systemadmin

Suggest arguments

I am working as a sysadmin intern in a university.
They have a site for professors to upload their recorded lectures and notes and for students to access them. It used aws s3 bucket to store the data.

There are many pcs that are outdated for general use with i3-7th gen and almost 50, 1tb hdd. I had setup a ubuntu microcloud's microceph, and set and integrated it with the site for proof of concept. I had configured redndancy, backup and for security i had seperated the server from all other nodes in the university network. For observability of the server i used Graphana and protheumus. We already have a power backup for the it department and the other servers, so power will not be an issue

The director argued that money is never the issue for tech. The current trend in tech is that we should pour money and since all big tech are using cloud and it is the "trend" why should we have an in-house cloud.

I had future plans of using microcloud's lxd and other features to implement most features offered by cloud providers so that students could learn the tech that goes into setting up these cloud services and allow students to use these in-house services for testing and research purposes. Obviously even for such a small scale cloud, it would require a couple good nodes with good configurations which would be a cost but the university anyways does not care about money.

I have created a document citing stanford's it department with their own cloud and other companies that have shifted to a hybrid model as well.

Please suggest good arguments and suggestion what should be done

https://redd.it/1pyu60k
@r_systemadmin

Bitlocker hardware encryption post

There was an excellent post a little while ago showing how to enable the new hardware enabled bitlocker as well as some performance comparisons and for some reason the mods nuked it? How is that not relevant to this sub?

https://redd.it/1pyx9or
@r_systemadmin