are private sites exempt from the 47 day cetificate renewal ?

i've heard about CA/B ballout that will require certificates to be renewed every 47 days, and that will lead to the adoption of more automation like ACME, but according the requirments

https://cabforum.org/working-groups/server/baseline-requirements/requirements/

"These Requirements do not address the issuance, or management of Certificates by enterprises that operate their own Public Key Infrastructure for internal purposes only, and for which the Root Certificate is not distributed by any Application Software Supplier"

so does't that mean any intenral web site or application that uses a certificate that was signed by the orgnaization (and said orgnanization pushes it's public root certs to it's clients) , is exempt from it being renewed? is there a difference in how those are made? how would a browser know this? i'm assuming browsers will simply see certs with larger than 47 days period and will declare them unsafe, but how will they make the distinction from "public" to "private" sites?



https://redd.it/1q0z2dg
@r_systemadmin

Thickheaded Thursday - January 01, 2026

Howdy, /r/sysadmin!

It's that time of the week, Thickheaded Thursday! This is a safe (mostly) judgement-free environment for all of your questions and stories, no matter how silly you think they are. Anybody can answer questions! My name is AutoModerator and I've taken over responsibility for posting these weekly threads so you don't have to worry about anything except your comments!

https://redd.it/1q10szk
@r_systemadmin

Best SASE platform for shadow IT control and legacy RDP access in 2026?

Hey r/sysadmin,

Our security team recently ran some logs on outbound traffic and freaked out over all the unsanctioned SaaS apps popping up. Sales on random CRM tools, devs hitting sketchy AI sites, etc.

Combined with remote users complaining about laggy RDP sessions to our old on prem apps, management is now mandating that we look at consolidating into a proper SASE setup to lock things down without killing performance.

We are around 300 users, mostly US based with some EU presence. Hybrid setup but pushing more cloud. The current mess is a separate VPN for remote users, a basic web filter that is easy to bypass, and no real visibility into private app access.

Trying to go in with eyes open before we commit. War stories welcome.

Thanks

https://redd.it/1q106eu
@r_systemadmin

Sanity check: Is my company's imaging process normal?

Hello all, I'm a low level support engineer at my company. Together with a small team of others, we are tasked with handling the imaging of laptops for a long term client. I'm trying to get a better picture of what's actually happening to compare the setup my company has with others as we run into some pretty annoying, consistent issues.

I'll stress again, I'm very low level. For example, I'm told what to do in the Intune environment without actually understanding what Intune really is. Heck, until recently, I didn't even know what "imaging" was so please forgive any tech illiterate behaviour on my part.

Our process:

Start up Intune, look up laptop's serial number, delete previous user.
Grab the now userless laptop, boot up BIOS, check if Secure Boot is enabled.
Boot up BIOS again, start MDT via the slotted USB-stick.
MDT does its thing, eventually going to desktop.
Lite Touch downloads and installs the local language, reboots a few times, downloads and installs a few Windows updates.
Autopilot starts up, we push a few buttons and then it does its configuration.

From what I gather, this may be an atypical process as one would use MDT or Autopilot, not both. I couldn't tell you why we use both, I assume there's a good reason for it. I speculate that we may be installing older software for compatibility reasons.

The entire process in terms of duration varies, sometimes as short as an hour and sometimes as long as three with exceptions that go shorter or longer. Based on a sample size of nearly three hundred devices we've imaged, the average time is just under two hours excluding prep and post-process handling. Not exactly ideal in scenarios where we have to process a substantial quantity in a single day. To my understanding, the target is that several dozen devices can be imaged per day.

Common issues:

Dirty Environment Found: Kinda frequent. We have a few work arounds and solutions but ideally we'd want to figure out the cause and how to prevent it from happening to save time.
English Autopilot: As mentioned before our MDT downloads and installs the local language. I've observed that some of the laptops take a bit to connect to the internet via the docking station or RJ45 port, I'm guessing the network has some security protocols delaying connection. Thing is, the Lite Touch part of the MDT will then skip straight to Autopilot in English forcing us to restart the entire process.

The question is this, really, how does your company handle the imaging process?

https://redd.it/1q16xd5
@r_systemadmin

Sysadmins and coffee: A scientific inquiry into our primary fuel source

Let's be honest: Coffee is basically a required dependency for sysadmin work.



But I'm curious about the actual numbers:

\- How many of us are drinking 5+ cups a day?

\- Are we buying quality beans, or just chugging whatever's in the break room?

\- Pod machines for convenience, or are there pour-over purists lurking among us?



I'm doing research on coffee consumption in tech (specifically cybersecurity and sysadmin roles) and would love input from people who actually live this life.



**Survey (\~3 min):** https://docs.google.com/forms/d/e/1FAIpQLSeaz-YspVu\_MeT\_eKd4Y-d6qmAL6b0tQOZDrCvZjtxcF1NGhQ/viewform



Questions cover:

\- Daily consumption (no judgment if it's double digits)

\- Where/how you brew

\- What you're actually willing to spend on decent coffee

\- Whether you'd be interested in specialty coffee designed for tech professionals (man-page packaging, technical specs, no marketing nonsense)



**Follow-up:** https://docs.google.com/forms/d/e/1FAIpQLSerHY38QYy4JaPqigHUvU5BUE8HtcF0r-2NOVhzNzIkp8lzUQ/viewform



curious if my hypothesis (that we all drink way more coffee than we admit) is accurate or wildly off.



Thanks, and may your coffee pot never run dry. ☕

https://redd.it/1q1bkx8
@r_systemadmin

Do you need box.com 3rd party backup solutions

As a company with 40 employees we use box for all of our cloud file storage. They obviously have backup systems in place. Is it important to do a 3rd party backup additionally or not critical since they do offsite backup? If you would recommend what companies do this?

https://redd.it/1q1czng
@r_systemadmin

How are you dealing with enshittification of Windows 11 in the business world?

Update: Thanks, all, for the discussion. I'm glad that, in the enterprise, there are tools to escape this trend that Microsoft has taken to exploit the consumer.

On the home front, I appreciate the tips for tuning Win 11 Pro using tools such as:

https://schneegans.de/windows/unattend-generator/

to get around Microsoft's schenanigens, but I still worry that some changes could be silently reverted by a Windowsupdate. I will give it a try on a VM to see what happens.

One final thing: With some disappointment, I see that there is still a percentage of sysadmins who show hostility to those who aren't as skilled as they are. Back in my day, people like that gave us a bad name.

Maybe that's because I dared to venture into an area (this sub) I am no longer qualified to be in. Still, I would advise those who so badly want to be superior that a kinder attitude could be better. At least it worked well for me.

\---------

As a long-retired junior sysadmin, I'm curious about how you are all dealing with how Windows, especially Windows 11, has gone into the crapper lately with Microsoft's heavy-handed and relentless push to milk more money from its users.

I'm talking about things such as:

1. shoving AI down our throats
2. push towards no local accounts
3. pushing its One-Drive service via incessant notifications to backup our PC to it
4. ads in the start menu
5. mining our data and search queries/results (I'm not sure who to blame for this exactly but I suspect Microsoft has a hand in it)
6. general bloat

Due to the ending of support for Windows 10 and the perverse direction of some applications vendors to support only Windows 11, I needed to move to Windows 11.

I am trying to counter Microsoft's attempts to pretty much ruin my PC by:

1. switching to Linux where I can (primary desktop, travel laptop)
2. reducing all of the above by using Windows 11 IoT Enterprise LTSC for the few PCs that need Windows 11 (photo editing PC (Capture One doesn't work with Linux), wife's PC (TurboTax needs Win 11)).

But in the business world, you usually can't do #1 and #2 would get you into trouble with Microsoft.

How are you dealing with the state of Windows in 2026?

https://redd.it/1q1bc6o
@r_systemadmin

New Version KRBTGT Password Reset Script Released

FYI: the newest version of the KRBTGT Password Reset noscript has just been released!

Wanna try it out? Get it here: https://jorgequestforknowledge.wordpress.com/2026/01/01/powershell-noscript-to-reset-the-krbtgt-account-password-keys-for-both-rwdcs-and-rodcs-update-8/


Any feedback/comments? Please use https://github.com/zjorz/Public-AD-Scripts/issues

https://redd.it/1q1htit
@r_systemadmin

I made a game where you're the sysadmin for the Elder Gods. It's called I.T Never Ends and it's free on itch

I've been working on **I.T Never Ends**, a card-based game where you play as a long string of unfortunate system administrators and IT technicians at a megacorp that's been taken over by Lovecraftian entities after what seems to be some sort of apocalypse. The company is still running. The tickets are still coming in. HR is now a sentient hive mind, and they're very concerned about your PTO balance. I really want to share it with [r/sysadmin](https://www.reddit.com/r/sysadmin/) since, well, that's literally who the game is about.

**The premise**

You seem to be a human working at IT Corp? Your job is to resolve support tickets, except your "users" are mix of Gary from sales, Timmy the intern, Sarah the Lead Engineer and Reality-Bending Horrors and middle managers who may or may not exist in linear time. You swipe left or right on tickets, try to keep four metrics balanced (Productivity, Morale, Budget and Entropy), do minigames, performance reviews, firewall drills and IM messages with coworkers who send you unsolicited cat pics.

**Some actual tickets from the game:**

* "The printer on floor 7 is printing documents from next week. Please advise."
* "My monitor is showing me. Not my screen. Me. From behind."
* "The new hire in Accounting doesn't cast a shadow. Is this a dress code violation?"
* "I keep receiving emails from myself dated 1987. I wasn't born until 1994."
* "The hold music is speaking to me specifically. It knows things."

**Some of my favorite endings:**

* The Singleton: "The database merged everyone into one employee. You are Steve. Everyone is Steve. Steve is very productive."
* The Eternal Standup: "The team has achieved perfect alignment. They never sit. They never work. They only update. They are a monument to process over product."
* The CLI Revolution: "You realized GUIs were a mistake. The company now sells pure ASCII experiences. Revenue dropped 99%, but the purity is unmatched."
* Meeting Eternal: "You became Meeting Room B itself, trapping employees in pointless meetings for all eternity. The agenda is never ending."
* Optimized for Wellness: "HR removed everything that made you unhappy. They also removed everything that made you... you."
* Union Representative: "You became the ambassador between humans and the Vending Machine Collective. In return, no machine in any building you enter ever eats your dollar again."
* Cosmic Quack: "Joined the Cosmic Duck Fleet. IT support across the galaxy awaits. Your first ticket: the Andromeda Galaxy's WiFi is down."

**The game has:**

* 1500+ unique tickets/story cards
* 70+ different endings (from "became the Stapler King" to "transcended reality")
* Branching narrative paths involving murder mysteries, time loops, and the Archive (IT's version of purgatory)
* Minigames (because sometimes you need to defrag a possessed server)
* A cast of coworkers who are varying degrees of cursed

I'm hoping to get as much feedback and eyes on as possible before launching on Steam in May, so there's a completely free to play build on itch here:
[https://dadbodgames.itch.io/it-never-ends](https://dadbodgames.itch.io/it-never-ends)

It requires no sign up or anything like it. All I ask is that you report back somewhere if you like/hate the thing and why.

Would love to hear what you think, and if you've got any real tickets that sound like they belong in a horror game, I'm always looking for inspiration. Some of the stuff I've read on this sub is already halfway there.

https://redd.it/1q1ie6c
@r_systemadmin

Please take a freshmen level accounting course at your local community college.

From the cost center threads, to some of the usual attitudes you see in IT.
There is a complete lack of understanding as to how their organization actually functions.
Please for your own careers take a financial and managerial accounting class, the two freshmen level classes at your local community college and your career and understanding of your organization will improve.
I think the clarity gained from this will really help you all. Without some fundamental understanding expect to never be taken seriously nor to “have a seat at the table” in your organization.

Edit- Udemy, YouTube and Coursera work! But please gain some fundamental business understanding

https://redd.it/1q1jkaw
@r_systemadmin

Microsoft Defender, SentinelOne and others detecting N-ABLE N-central's 'software-scanner.exe' as malicious

https://www.reddit.com/r/cybersecurity/comments/1q1fxss/defender_just_decided_nable_is_malware_for_anyone/

https://www.reddit.com/r/msp/comments/1q1jdjg/defender_detecting_ncentral_softwarescannerexe_as/

VT submission:
https://www.virustotal.com/gui/file/aeeb08c154d8e1d765683d399f9c784f2047bac7d39190580f35c001c8fe2a17

Previously detected by Defender, no longer. Flagged by SentinelOne as well based on reports but not reflected by the VT analysis.

https://redd.it/1q1l7q8
@r_systemadmin

Windows Server patch that isn't patching...

Have a Server 2022 system whose December patch isn't fully 'patching'. By this, I mean it shows up as a list of patches in the list of installed updates, BUT it doesn't show an installation date. It shows up in other ways, but not that.

As such, ACAS scans are showing all previous patches including the December 2025 patch as not being present.

This patch has been removed and installed several times. (Reboots included between patches to the best of my knowledge.) Has anyone seen this before, if so what resolved the issue?




https://redd.it/1q1o5dc
@r_systemadmin

I need some advice on a document about the state of the state of the IT, how it was before, what I have done this year and what I have planned for 2026 as well as the authority and governance that IT needs

Hi everyone!

I have a written a document for the upper management at my company on exactly what was the state of IT was when I first came, what I have done since I am there, what supplementary budget I need for 2026 as well as the authority and governance that IT needs to function properly.


Basically:

The company needs to clearly state that every IT request must go through the ticketing systems I have put in place, but people always come to me, just for me to say to them to send a ticket.
The company needs to give IT the power to manage every software/subnoscription and to be an admin on it. For the moment there are always some subnoscriptions that I don't manage, and it is a horror to troubleshoot problems without admin access.
I have listed the project that needs to be done to secure the company properly, with their risks if it isn't implemented, the loss if a breach happens because of it, and how the C-Suite could be held accountable for it.
Other projects that would be nice to have but it is not necessary

For the moment, the CEO asked me to put a risk (1 to 9) and priority (1-9) to every project for 2026. I have given that list to him that list and normally he should come back to me next week about which et want me to implement.

The thing is, I know that this company doesn't take cyberthreat seriously; they said that they are not a big company so hackers don't target them. But for me, that is not true; every company is a target, even smaller ones. For reference, we are 32 employees for the moment.

For the moment, when the CEO comes back to me, I will ask him to sign a paper with the list of implementations that he will not implement and that he recognizes that he will take responsibility for it. For me, it is the way to show that I have clearly stated the risks that we currently have and that he takes accountability if something goes south.

So what else can I do?

https://redd.it/1q1q95v
@r_systemadmin

KQL between dates in purview

Might be better off in a Microsoft centric community but the knowledge here is pretty deep so I'm taking my changes.. Mods can remove if needed.

KQL is a somewhat logical language but when MS puts it's hands on it..
Nothing makes sense..

I need to run a query, both Purview and Defender between two dates..

So

where timestamp {TimeRange:start} AND {TimeRange:end}

would be logical but nooooo..

Any ideas?

https://redd.it/1q1t1hf
@r_systemadmin

Weekly 'I made a useful thing' Thread - January 02, 2026

There is a great deal of user-generated content out there, from noscripts and software to tutorials and videos, but we've generally tried to keep that off of the front page due to the volume and as a result of community feedback. There's also a great deal of content out there that violates our advertising/promotion rule, from noscripts and software to tutorials and videos.

We have received a number of requests for exemptions to the rule, and rather than allowing the front page to get consumed, we thought we'd try a weekly thread that allows for that kind of content. We don't have a catchy name for it yet, so please let us know if you have any ideas!

In this thread, feel free to show us your pet project, YouTube videos, blog posts, or whatever else you may have and share it with the community. Commercial advertisements, affiliate links, or links that appear to be monetization-grabs will still be removed.

https://redd.it/1q1utbi
@r_systemadmin

Anyone dealing with Start Search breaking on 24H2/25H2

Just curious on this. Fleet of approx 2k machines. All on 23H2 E, but started moving some to 24H2/25H2 E.

I've noticed that a few machines after upgrade, and even a few with a fresh image, have had the start menu search break.

It seems to be user profile specific, but I cannot for the life of me find a fix beyond re-imaging and hope it doesn't happen.

Even removing the user profiles from the device and re-adding them doesn't fix search for the specific users affected.

None of my 23H2 E installations are affected. All are domain joined locally.



https://redd.it/1q1vv1k
@r_systemadmin

Intel I210 NICs Completely Invisible on Supermicro Motherboard

I've just tried to install Proxmox on a new X11SCH-LN4F motherboard, and the network interfaces (Intel I210s) were unable to be found, and the installation failed as a result. It turns out they are completely invisible to the system. They are not listed under "Hardware" in the IPMI, and they do not show up after running `lspci`. I've tried updating the BIOS and trying the same thing on another OS by installing Debian 13. I got the same result each time, and now I have no idea what's going on.

How can I fix this? This is beyond frustrating, and I have never seen anything like this before. Has anyone had similar issues? I'd appreciate any help.

https://redd.it/1q1wo3p
@r_systemadmin

How much to be paid working emergency christmas day?

Hey all,

Got an emergency call and worked from noon Christmas day until 3am the 26th to deal with ransomware as the sysadmin. How much would you expect? Based in Midwest with a 1 year old and 4 year old while I was hosting.

Business has no real policy on what that type of pay is.

https://redd.it/1q1x712
@r_systemadmin

Scheduling Tasks and Linux

I’ve been doing this for quite some time now starting with VMS then various Unices such as Solaris, HP-UX, Tru64, Irix, and AIX. Then a mixture of Unix and Linux systems including BSD type systems such as OpenBSD and FreeBSD but mostly Red Hat and similar.

So I’m reasonably familiar with Cron.

Three jobs back was my first time in a strictly Linux environment. Still an Ubuntu and CentOS mixture (and my first official usage of Ubuntu). Previous job same thing. Current job all Ubuntu.

One difference with the current job though. The previous systems admin, who was a mixture of interesting stuff and WTF stuff (clearly not coming from an Operations type environment based on some of what he did), actually set up systemd timer tasks vs using cron.

Since there was no documentation when I got here, it’s taken several months before someone casually mentioned, “oh, the last guy set up a systemd task for this process” and I started poking around.

It’s basically a replacement for Cronjobs. This guy has a timer task that every 30 minutes runs a shell noscript. That’s all it does.

So of course, first off, create your bloody documentation or we’ll curse your name unto the 7th generation. And second, if you’re coming from Unix (or Linux if you’re used to Cron), do a check of /etc/systemd/system to see what extra bits are running.

Note to the mods, I see a Linux flair but not a Unix flair. Awwwww

https://redd.it/1q1yuy4
@r_systemadmin

CEO retired. How do you politely say "no" without burning a bridge?

The president/CEO of my company retired about 2 months ago. He's called me at least once a week since for help with his iPad, computer, personal email, etc. and now I feel like I might be personal tech support for life.

This guy founded the company I work for. His name is literally on the building. I feel like I owe the guy a lot. He's always been extremely appreciative of my work which I value more than almost anything else because it hasn't always been the case in my career. The business he built helped put a new truck in my driveway and food on my family's table for 5 years. He's approved multiple large raises and said "absolutely" without hesitation when I asked for a promotion. He's signed his name to hefty bonus checks every Christmas (some 5 figures). He's friends with all the other execs (some of whom I have done some side work for) and I will be seeing him at company social events for as long as I'm here.

Do I just bite the bullet, and accept that I'll have to help him with his shit occasionally? Or is there a point to set some boundaries? If so, how do I do so without offending him or burning any other bridges.

https://redd.it/1q207sq
@r_systemadmin

Is your AD Forest/Domain on Functional Level 2025?

If not do you have a plan to get there? Side-question, do you run Windows Server Core for AD functions?

I found it quite humerus that Azure Connect requires full GUI.

https://redd.it/1q1zs2g
@r_systemadmin