Reddit Sysadmin – Telegram
Finally got budget to implement an MDM

Capex budgets haven't been officially approved yet, but the implementation costs for an MDM have made it through all the rounds of approvals and I am STOKED.

We have around 150 mobile devices (mostly iPhones, some android phones/tablets) and it is an absolute NIGHTMARE managing them considering it's just my boss and me, and I mainly manage the phones. We've also got around 200 laptops that I'm hoping we can add to it next year, but at least we have an RMM for those that helps.

I've been asking for budget for MDM for almost 2 years now, I know it's gonna be a ton of work to implement but we have an MSP to help with the legwork and it'll be so much less of my time wasted on stupid shit that an MDM can do automatically.

If folks have any suggestions for solutions you really like I'd love quick reviews - something that supports both Android and Apple, and if it can support Windows laptops even better (we're unsure if we wanna go 3rd party or Intune). We've been trialing Vantage and it's super clunky, though my boss liked the super cheap price.

My top pick right now is MaaS360, and our SP recommended also looking at Ivanti, but I'm trying to identify a third one to demo and compare and there's... So much info to sift through online. (I've been back in the sysadmin world for about 3 years now after almost a decade career curve in telecom... Everything is a paid/sponsored ad nowadays and it feels so much more difficult to find actual useful info.)

https://redd.it/1q0i9or
@r_systemadmin
Personal Device

Curious how many tech workers use android devices vs apple for personal use. Mostly been an apple person having gotten the “free” with phone service but find myself leaning back to android now with Apple feeling pretty stagnant.

https://redd.it/1q0he3k
@r_systemadmin
"We're not allowed to copy files"

Just thought this was funny, in a kind of sad way. We have a third-party "technician" who's installed an updated version of their application on a few new servers I built for them. Disconnected herself from one of the servers when she disabled TLS 1.2 and 1.3 and enabled 1.0/1.1 (Sentinel One took the server offline due to perceived malicious activity). We managed to work that out after I explained HTTPS and certificates, so no harm, no foul.

But this is the same woman who previously had me copy 3.5Tb of files from an old server on our network to the new server (also on our network) for her, even though she has admin access on both, because she's "not allowed to copy files."


EDIT: btw, my heartache wasn't the "my company doesn't allow me to copy files" thing. I get that, even if I think it's excessive. It's the juxtaposition with disabling TLS 1.2 and 1.3 and enabling TLS 1.0/1.1 that was the what the actual F**K are you doing? reaction from me.

https://redd.it/1q0lrt4
@r_systemadmin
Where do “temporary” systems go to die and how do you stop them from becoming permanent?

I'm curious how other sysadmins deal with "temporary" systems that somehow live forever.

You know the ones: a quick file share spun up for a project, a script someone wrote to bridge a gap, a VM meant to last a quarter that's still quietly running years later. No owner, minimal documentation, and everyone's afraid to touch it because *something* depends on it... but nobody knows what.

In my experience, these are often the hardest things to unwind, not because they're complex, but because no one remembers why they exist or who's using them.

How do you all prevent this from happening in the first place?

Expiration dates or auto-shutdown policies? Mandatory ownership tags and periodic access reviews? Something cultural that actually works?

And when you inherit a pile of these "temporary" systems, what's worked to clean them up without breaking the business or triggering a surprise 3 a.m. page?

https://redd.it/1q0ldny
@r_systemadmin
Any gotchas for removing DFS-R?

We currently have two file servers running DFS-R (yuck); an old VM connected to the old SAN, and a new one with a new SAN. It served its purpose for migrating data and getting the entire company using DFS-N, but now it's time to decommission the old one. It seems pretty simple to disable membership of the old server for each replication group it's a part of, then turning off DFS-R on both servers, and then shutting down the old server. But are there any tips or issues you have had when doing this? And cheers to 2026!

https://redd.it/1q0lnyg
@r_systemadmin
IT IS NOT A COST CENTER

Please please please bring this into the new year and internalize/externalize it.

If your business uses computers, IT is not overhead. It is the operating system of the company.

No email. No identity. No access. No data. No backups. No security. No uptime. Nothing moves without IT, unless your entire business is a cash register and a pad of receipts.

Accounting gets a seat because money matters. HR gets a seat because people matter. Management gets a seat because coordination matters.

IT makes all of that possible.

Well run IT is not a cost. It is a multiplier. Every department is faster, safer, and more effective because systems work.

Bad IT is expensive. Good IT disappears. That does not mean it has no value. It means it is doing its job.

Internalize and externalize it. Stop apologizing for budgets. Stop framing yourself as “support.”

We make the business run.

Act like it this year.

https://redd.it/1q0rlqb
@r_systemadmin
Helpdesk to Sysadmin

I am currently a Tier 2 Helpdesk Engineer for an MSP and am wanting to move to a Sysadmin role. My current job does not have Sysadmins (it's dumb but our sysadmin type tickets/projects tend to just go to our field team). So I would need to move out of this company.

My current job reimburses test vouchers for MS certs and MS certs only. I am currently working on the AZ-900 to get my feet wet (although I know it doesn't mean shit). What other MS certs should I go for to help with my resume? If not MS, what certs should I go for on my own?

My job history - IT dispatcher (Tier 0 entry)>Technical Analyst (Tier 1)>Technical Analyst (Tier 2) 4 years of IT experience total.

https://redd.it/1q0uiq4
@r_systemadmin
Are private sites exempt from the 47 day certificate renewal?

I've heard about the CA/B ballot that will require certificates to be renewed every 47 days, and that will lead to the adoption of more automation like ACME, but according to the requirements

https://cabforum.org/working-groups/server/baseline-requirements/requirements/

"These Requirements do not address the issuance, or management of Certificates by enterprises that operate their own Public Key Infrastructure for internal purposes only, and for which the Root Certificate is not distributed by any Application Software Supplier"

So doesn't that mean any internal web site or application that uses a certificate that was signed by the organization (and said organization pushes its public root certs to its clients) is exempt from it being renewed? Is there a difference in how those are made? How would a browser know this? I'm assuming browsers will simply see certs with larger than 47 days period and will declare them unsafe, but how will they make the distinction from "public" to "private" sites?



https://redd.it/1q0z2dg
@r_systemadmin
Thickheaded Thursday - January 01, 2026

Howdy, /r/sysadmin!

It's that time of the week, Thickheaded Thursday! This is a safe (mostly) judgement-free environment for all of your questions and stories, no matter how silly you think they are. Anybody can answer questions! My name is AutoModerator and I've taken over responsibility for posting these weekly threads so you don't have to worry about anything except your comments!

https://redd.it/1q10szk
@r_systemadmin
Best SASE platform for shadow IT control and legacy RDP access in 2026?

Hey r/sysadmin,

Our security team recently ran some logs on outbound traffic and freaked out over all the unsanctioned SaaS apps popping up. Sales on random CRM tools, devs hitting sketchy AI sites, etc.

Combined with remote users complaining about laggy RDP sessions to our old on prem apps, management is now mandating that we look at consolidating into a proper SASE setup to lock things down without killing performance.

We are around 300 users, mostly US based with some EU presence. Hybrid setup but pushing more cloud. The current mess is a separate VPN for remote users, a basic web filter that is easy to bypass, and no real visibility into private app access.

Trying to go in with eyes open before we commit. War stories welcome.

Thanks

https://redd.it/1q106eu
@r_systemadmin
Sanity check: Is my company's imaging process normal?

Hello all, I'm a low level support engineer at my company. Together with a small team of others, we are tasked with handling the imaging of laptops for a long term client. I'm trying to get a better picture of what's actually happening to compare the setup my company has with others as we run into some pretty annoying, consistent issues.

I'll stress again, I'm very low level. For example, I'm told what to do in the Intune environment without actually understanding what Intune really is. Heck, until recently, I didn't even know what "imaging" was so please forgive any tech illiterate behaviour on my part.

Our process:

1. Start up Intune, look up laptop's serial number, delete previous user.
2. Grab the now userless laptop, boot up BIOS, check if Secure Boot is enabled.
3. Boot up BIOS again, start MDT via the slotted USB-stick.
4. MDT does its thing, eventually going to desktop.
5. Lite Touch downloads and installs the local language, reboots a few times, downloads and installs a few Windows updates.
6. Autopilot starts up, we push a few buttons and then it does its configuration.

From what I gather, this may be an atypical process as one would use MDT or Autopilot, not both. I couldn't tell you why we use both, I assume there's a good reason for it. I speculate that we may be installing older software for compatibility reasons.

The entire process in terms of duration varies, sometimes as short as an hour and sometimes as long as three with exceptions that go shorter or longer. Based on a sample size of nearly three hundred devices we've imaged, the average time is just under two hours excluding prep and post-process handling. Not exactly ideal in scenarios where we have to process a substantial quantity in a single day. To my understanding, the target is that several dozen devices can be imaged per day.

Common issues:

* Dirty Environment Found: Kinda frequent. We have a few workarounds and solutions but ideally we'd want to figure out the cause and how to prevent it from happening to save time.
* English Autopilot: As mentioned before our MDT downloads and installs the local language. I've observed that some of the laptops take a bit to connect to the internet via the docking station or RJ45 port, I'm guessing the network has some security protocols delaying connection. Thing is, the Lite Touch part of the MDT will then skip straight to Autopilot in English forcing us to restart the entire process.

The question is this, really, how does your company handle the imaging process?

https://redd.it/1q16xd5
@r_systemadmin
Sysadmins and coffee: A scientific inquiry into our primary fuel source

Let's be honest: Coffee is basically a required dependency for sysadmin work.



But I'm curious about the actual numbers:

- How many of us are drinking 5+ cups a day?
- Are we buying quality beans, or just chugging whatever's in the break room?
- Pod machines for convenience, or are there pour-over purists lurking among us?



I'm doing research on coffee consumption in tech (specifically cybersecurity and sysadmin roles) and would love input from people who actually live this life.



**Survey (~3 min):** https://docs.google.com/forms/d/e/1FAIpQLSeaz-YspVu_MeT_eKd4Y-d6qmAL6b0tQOZDrCvZjtxcF1NGhQ/viewform



Questions cover:

- Daily consumption (no judgment if it's double digits)
- Where/how you brew
- What you're actually willing to spend on decent coffee
- Whether you'd be interested in specialty coffee designed for tech professionals (man-page packaging, technical specs, no marketing nonsense)



**Follow-up:** https://docs.google.com/forms/d/e/1FAIpQLSerHY38QYy4JaPqigHUvU5BUE8HtcF0r-2NOVhzNzIkp8lzUQ/viewform



Curious if my hypothesis (that we all drink way more coffee than we admit) is accurate or wildly off.



Thanks, and may your coffee pot never run dry.

https://redd.it/1q1bkx8
@r_systemadmin
Do you need box.com 3rd party backup solutions

As a company with 40 employees we use Box for all of our cloud file storage. They obviously have backup systems in place. Is it important to do a 3rd party backup additionally or not critical since they do offsite backup? If you would recommend it, what companies do this?

https://redd.it/1q1czng
@r_systemadmin
How are you dealing with enshittification of Windows 11 in the business world?

Update: Thanks, all, for the discussion. I'm glad that, in the enterprise, there are tools to escape this trend that Microsoft has taken to exploit the consumer.

On the home front, I appreciate the tips for tuning Win 11 Pro using tools such as:

https://schneegans.de/windows/unattend-generator/

to get around Microsoft's shenanigans, but I still worry that some changes could be silently reverted by a Windows update. I will give it a try on a VM to see what happens.

One final thing: With some disappointment, I see that there is still a percentage of sysadmins who show hostility to those who aren't as skilled as they are. Back in my day, people like that gave us a bad name.

Maybe that's because I dared to venture into an area (this sub) I am no longer qualified to be in. Still, I would advise those who so badly want to be superior that a kinder attitude could be better. At least it worked well for me.

---------

As a long-retired junior sysadmin, I'm curious about how you are all dealing with how Windows, especially Windows 11, has gone into the crapper lately with Microsoft's heavy-handed and relentless push to milk more money from its users.

I'm talking about things such as:

1. shoving AI down our throats
2. push towards no local accounts
3. pushing its OneDrive service via incessant notifications to back up our PC to it
4. ads in the start menu
5. mining our data and search queries/results (I'm not sure who to blame for this exactly but I suspect Microsoft has a hand in it)
6. general bloat

Due to the ending of support for Windows 10 and the perverse direction of some application vendors to support only Windows 11, I needed to move to Windows 11.

I am trying to counter Microsoft's attempts to pretty much ruin my PC by:

1. switching to Linux where I can (primary desktop, travel laptop)
2. reducing all of the above by using Windows 11 IoT Enterprise LTSC for the few PCs that need Windows 11 (photo editing PC (Capture One doesn't work with Linux), wife's PC (TurboTax needs Win 11)).

But in the business world, you usually can't do #1 and #2 would get you into trouble with Microsoft.

How are you dealing with the state of Windows in 2026?

https://redd.it/1q1bc6o
@r_systemadmin
I made a game where you're the sysadmin for the Elder Gods. It's called I.T Never Ends and it's free on itch

I've been working on **I.T Never Ends**, a card-based game where you play as a long string of unfortunate system administrators and IT technicians at a megacorp that's been taken over by Lovecraftian entities after what seems to be some sort of apocalypse. The company is still running. The tickets are still coming in. HR is now a sentient hive mind, and they're very concerned about your PTO balance. I really want to share it with [r/sysadmin](https://www.reddit.com/r/sysadmin/) since, well, that's literally who the game is about.

**The premise**

You seem to be a human working at IT Corp? Your job is to resolve support tickets, except your "users" are a mix of Gary from sales, Timmy the intern, Sarah the Lead Engineer and Reality-Bending Horrors and middle managers who may or may not exist in linear time. You swipe left or right on tickets, try to keep four metrics balanced (Productivity, Morale, Budget and Entropy), do minigames, performance reviews, firewall drills and IM messages with coworkers who send you unsolicited cat pics.

**Some actual tickets from the game:**

* "The printer on floor 7 is printing documents from next week. Please advise."
* "My monitor is showing me. Not my screen. Me. From behind."
* "The new hire in Accounting doesn't cast a shadow. Is this a dress code violation?"
* "I keep receiving emails from myself dated 1987. I wasn't born until 1994."
* "The hold music is speaking to me specifically. It knows things."

**Some of my favorite endings:**

* The Singleton: "The database merged everyone into one employee. You are Steve. Everyone is Steve. Steve is very productive."
* The Eternal Standup: "The team has achieved perfect alignment. They never sit. They never work. They only update. They are a monument to process over product."
* The CLI Revolution: "You realized GUIs were a mistake. The company now sells pure ASCII experiences. Revenue dropped 99%, but the purity is unmatched."
* Meeting Eternal: "You became Meeting Room B itself, trapping employees in pointless meetings for all eternity. The agenda is never ending."
* Optimized for Wellness: "HR removed everything that made you unhappy. They also removed everything that made you... you."
* Union Representative: "You became the ambassador between humans and the Vending Machine Collective. In return, no machine in any building you enter ever eats your dollar again."
* Cosmic Quack: "Joined the Cosmic Duck Fleet. IT support across the galaxy awaits. Your first ticket: the Andromeda Galaxy's WiFi is down."

**The game has:**

* 1500+ unique tickets/story cards
* 70+ different endings (from "became the Stapler King" to "transcended reality")
* Branching narrative paths involving murder mysteries, time loops, and the Archive (IT's version of purgatory)
* Minigames (because sometimes you need to defrag a possessed server)
* A cast of coworkers who are varying degrees of cursed

I'm hoping to get as much feedback and eyes on as possible before launching on Steam in May, so there's a completely free to play build on itch here:
[https://dadbodgames.itch.io/it-never-ends](https://dadbodgames.itch.io/it-never-ends)

It requires no sign up or anything like it. All I ask is that you report back somewhere if you like/hate the thing and why.

Would love to hear what you think, and if you've got any real tickets that sound like they belong in a horror game, I'm always looking for inspiration. Some of the stuff I've read on this sub is already halfway there.

https://redd.it/1q1ie6c
@r_systemadmin
Please take a freshman-level accounting course at your local community college.

From the cost center threads, to some of the usual attitudes you see in IT.
There is a complete lack of understanding as to how their organization actually functions.
Please for your own careers take a financial and managerial accounting class, the two freshman-level classes at your local community college and your career and understanding of your organization will improve.
I think the clarity gained from this will really help you all. Without some fundamental understanding expect to never be taken seriously nor to “have a seat at the table” in your organization.

Edit- Udemy, YouTube and Coursera work! But please gain some fundamental business understanding

https://redd.it/1q1jkaw
@r_systemadmin
Windows Server patch that isn't patching...

Have a Server 2022 system whose December patch isn't fully 'patching'. By this, I mean it shows up as a list of patches in the list of installed updates, BUT it doesn't show an installation date. It shows up in other ways, but not that.

As such, ACAS scans are showing all previous patches including the December 2025 patch as not being present.

This patch has been removed and installed several times. (Reboots included between patches to the best of my knowledge.) Has anyone seen this before, if so what resolved the issue?




https://redd.it/1q1o5dc
@r_systemadmin
I need some advice on a document about the state of the IT, how it was before, what I have done this year and what I have planned for 2026 as well as the authority and governance that IT needs

Hi everyone!

I have written a document for the upper management at my company on exactly what the state of IT was when I first came, what I have done since I have been there, what supplementary budget I need for 2026 as well as the authority and governance that IT needs to function properly.


Basically:

* The company needs to clearly state that every IT request must go through the ticketing systems I have put in place, but people always come to me, just for me to say to them to send a ticket.
* The company needs to give IT the power to manage every software/subscription and to be an admin on it. For the moment there are always some subscriptions that I don't manage, and it is a horror to troubleshoot problems without admin access.
* I have listed the projects that need to be done to secure the company properly, with their risks if they aren't implemented, the loss if a breach happens because of it, and how the C-Suite could be held accountable for it.
* Other projects that would be nice to have but are not necessary

For the moment, the CEO asked me to put a risk (1 to 9) and priority (1-9) to every project for 2026. I have given that list to him and normally he should come back to me next week about which he wants me to implement.

The thing is, I know that this company doesn't take cyberthreats seriously; they said that they are not a big company so hackers don't target them. But for me, that is not true; every company is a target, even smaller ones. For reference, we are 32 employees for the moment.

For the moment, when the CEO comes back to me, I will ask him to sign a paper with the list of implementations that he will not implement and that he recognizes that he will take responsibility for it. For me, it is the way to show that I have clearly stated the risks that we currently have and that he takes accountability if something goes south.

So what else can I do?

https://redd.it/1q1q95v
@r_systemadmin