Endpoint Manager for Windows Recommendation??
So our company has about 300+ windows 11 home endpoints, not my decision, so obviously we can't join them to a domain to monitor workstation health etc. Any of you ever implemented a system to manage windows home endpoints that's worked without significant drawbacks? The environment right now is one giant mess. There is absolutely no consistency in configuration. There are people with expired AV's. Over 100 systems have not received updates in the last 3 years. I have even come across staff running unactivated versions of windows (that was probably the previous IT's work). We've caught people running unsolicited applications on their PC's. Our network is extremely secure but the internal is an attacker's wet dream. Am I overthinking this or what? I do intend to clean it up though.
https://redd.it/1q3lt30
@r_systemadmin
Solo Teacher seeking help: Win11 Clients cannot find Win2016 DC (VirtualBox Bridged)
I'm a Computer Science teacher attempting to revive an underfunded, languishing computer lab with 29 student PCs. I’m working solo (school doesn't have a dedicated IT dept) to set up a Windows Server 2016 VM (VirtualBox) to act as a Domain Controller so I can finally manage these machines via Group Policy (blocking USBs, managing updates, etc.).
The Problem is that despite having connectivity (Ping works), the Windows 11 Pro student PCs cannot join the domain. They return the error: "An Active Directory Domain Controller for the domain lab.local could not be contacted." Additionally, `nslookup` fails on the clients, and they lose internet access when pointed to the Server’s DNS.
The Setup
Host Physical PC: Lenovo (Windows 11). IP: 10.1.3.58 | Gateway: 10.1.3.254
Server VM (Windows Server 2016):
Static IP: 10.1.3.200 | Gateway: 10.1.3.254 | DNS: 127.0.0.1
Domain: `lab.local`
Network: VirtualBox Bridged Adapter, Promiscuous Mode: "Allow All."
DNS: Forwarders set to 202.201.x.x (ISP DNS.)
Student PCs (Windows 11 Pro):
IP: DHCP (on the `10.1.3.x` subnet).
DNS: Manually set to `10.1.3.200`.
What has been verified so far:
1. Connectivity: Student PCs can ping the Server IP (`10.1.3.200`).
2. DNS Records: The `_msdcs`, `_tcp`, and `_ldap` SRV records do exist in the Server's Forward Lookup Zones.
3. Services: Netlogon has been restarted; `ipconfig /registerdns` has been run.
4. Firewalls: Server Firewall is temporarily OFF for testing; Student PC set to "Private" network profile.
5. Clocks: Time and Date are synced within seconds across all machines.
6. IPv6: Disabled on both Server and Client to prevent resolution conflicts.
The Block:
`nslookup lab.local` on the student PC times out.
`nltest /dsgetdc:lab.local` returns `Status = 1355 (0x54B)` (DC not found).
Even though the server is "there" (Ping), the DNS traffic seems to be dropping into a black hole between the Physical Student PC and the Virtualized Server.
I just need that first "Welcome to the Domain" message so I can start securing this lab for my students. If anyone has experience with VirtualBox Bridged networking quirks or Win11-to-2016 DNS handshake issues, I would be incredibly grateful for your input.
https://redd.it/1q3mydn
@r_systemadmin
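The symptom in the post above (ping succeeds, `nslookup` times out, `nltest` returns 1355) can be narrowed down from a student PC by testing port 53 separately from ICMP and asking the server directly for the DC locator SRV record. This is an added example, not part of the original post; the address and domain name are the ones given in the post, and the function name `Test-DnsQuery` is hypothetical.

```powershell
# Added diagnostic sketch (not from the post). Run on a student PC.
# The server address and domain name are the ones stated in the post.
$DnsServer = '10.1.3.200'
$Domain    = 'lab.local'

function Test-DnsQuery {
    # Sends one query straight to $Server and reports success or the error text.
    param(
        [Parameter(Mandatory)] [string] $Server,
        [Parameter(Mandatory)] [string] $Name,
        [string] $Type = 'A',
        [switch] $Tcp
    )
    $query = @{ Name = $Name; Type = $Type; Server = $Server; DnsOnly = $true; ErrorAction = 'Stop' }
    if ($Tcp) { $query.TcpOnly = $true }              # force TCP instead of the default UDP
    $transport = if ($Tcp) { 'TCP' } else { 'UDP (default)' }
    try {
        $records = @(Resolve-DnsName @query)
        # SRV answers carry NameTarget, A answers carry IPAddress
        $detail  = ($records | ForEach-Object { $_.NameTarget; $_.IPAddress } | Where-Object { $_ }) -join ', '
        [pscustomobject]@{ Name = $Name; Type = $Type; Transport = $transport; Ok = $true;  Detail = $detail }
    } catch {
        [pscustomobject]@{ Name = $Name; Type = $Type; Transport = $transport; Ok = $false; Detail = $_.Exception.Message }
    }
}

# 1. Confirm which resolvers the client is really configured with.
Get-DnsClientServerAddress -AddressFamily IPv4 |
    Where-Object ServerAddresses |
    Format-Table InterfaceAlias, ServerAddresses -AutoSize

# 2. A ping reply says nothing about port 53; test the TCP listener directly.
$tcp53 = Test-NetConnection -ComputerName $DnsServer -Port 53 -WarningAction SilentlyContinue
"TCP/53 reachable: $($tcp53.TcpTestSucceeded)"

# 3. Query the zone apex and the SRV record the DC locator depends on,
#    once over the default transport and once forced onto TCP.
$queries = @(
    @{ Name = $Domain;                         Type = 'A'   },
    @{ Name = "_ldap._tcp.dc._msdcs.$Domain"; Type = 'SRV' }
)
$results = foreach ($q in $queries) {
    Test-DnsQuery -Server $DnsServer @q
    Test-DnsQuery -Server $DnsServer @q -Tcp
}
$results | Format-Table -AutoSize -Wrap

# 4. Re-run the DC locator only once the SRV lookup answers.
if ($results | Where-Object { $_.Type -eq 'SRV' -and $_.Ok }) {
    nltest "/dsgetdc:$Domain" /force
} else {
    'SRV lookup failed: the DC locator has nothing to resolve until DNS answers.'
}
```

Comparing the UDP and TCP rows shows whether the server answers on port 53 at all or whether only one transport is being dropped on the path to the VM.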
When does a ticket stop being a bug?
Most of us have tickets that refuse to die.
Cleared cache. Restarted services. Escalated. De-escalated.
It flips back to In Progress or Pending Customer, even though the customer already replied. It’s like it has a reason.
Eventually, it stops feeling like a bug. It starts feeling like part of the system.
When do you stop trying to fix it and start documenting it… as infrastructure?
https://redd.it/1q3kqv0
@r_systemadmin
Dockingstations from Lenovo and HP horrible
I work at a big Telecom Provider and our B2B customers all use docking stations, as is usual in every company.
The 1st and 2nd lvl support team always complain about the tickets about "docking station" troubleshooting. They have to do a 45-second laptop hardware reset + docking station reset, when they suddenly have no connections to their multiple monitors, or LAN connection.
Resetting the docking station by either pushing the button which is lit up with a small LED for 15 seconds or even fully disconnecting the power plug to the docking station. Every freaking time. Why are docks so problematic? Is this normal?
https://redd.it/1q3ow7o
@r_systemadmin
Drowning in SaaS status alerts (RSS). How do you handle incident monitoring without the noise?
I’m looking for a sanity check on how other IT teams are tracking incidents for all the SaaS vendors we rely on (Google Workspace, Slack, Zoom, Salesforce, etc.).
Right now, we are pulling RSS feeds from various status pages into a dedicated channel/dashboard. The problem is that we are absolutely drowning in alerts.
The signal-to-noise ratio is terrible: we get pinged for every minor degradation or scheduled maintenance window, which means the team has developed serious alert fatigue and started ignoring the channel entirely.
https://redd.it/1q3rb2g
@r_systemadmin
Virtualization && Serial Console Issues (Rant first, question is at the bottom)
Hi folks, i am a self-taught everything & currently expanding my Brain into the world of QEMU/libvirt/virsh …
What's troubling me is the bare minimum for interaction itself – a properly functioning serial console. Both from Local to Guest & Host to Guest. Both from my Terminal using virsh console & using virt-manager.
.
My goal is simple:
Being able to properly interact with my VM(s).
.
For starters, i created a VM using virt-manager (VMM) on my local Machine to the baremetal Host-Server. AKA there are 3 OSes – Local, Host, Guest.
On Local i connected VMM to the Host with `qemu+ssh://me@host/system`.
The Host and Guest got the same OS — Debian1207.
By default, VMM creates a Video Device, which i remove after the installation finished – to edit the `GRUB_CMDLINE_LINUX="console=tty0 console=ttyS0,115200n8"` first, as well as `GRUB_TERMINAL=console`.
Once this is configured, the Backspace-Key will not get sent to the Guest, whatever i do.
To be clear, nothing i can do in the Guest will make CTRL+V then "←"-Key & `showkey -a` then "←"-Key output anything, ever.
I tried many edits to the XML, inside VMM & fully without VMM with virsh edit & virsh define. But it gets always changed back immediately. But only what i change inside <devices/>.
The XML0
.
Well, let's skip the GUI all together.
.
Using virsh to create a new VM in consolemode. There the problems start even sooner & get even worse … (both from Local & Host)
The Debian installer does not come with a Serial Mode afaik. Thus, i can either do it blind or edit the bootoption to force it …
Now into the console of the Debian installer, the window is tiny & there's no scrolling, therefore when there are too many options to fit on the screen it's impossible to see them all …
Okay, let's say i finished through it after some tries and the installation was completed. BUT after the initial boot into Debian … … … the Terminal stays empty. Because GRUB wasn't told to boot in console mode, as i did before (as far as i can tell, that's the reason).
The XML1
.
.
Is it too much to ask for at least one of them, Virt-Manager or Virsh Console to work? Please
^(Any help would be nice as well, to all the comedians who simply want to answer “yes” xD.)
https://redd.it/1q3tbrj
@r_systemadmin
OPNsense + multi-ISP + VLAN-heavy small office design — am I overengineering or missing something?
Hey everyone,
I’m designing a small office / home-office network and would really appreciate a technical sanity check. I might be overengineering, but I want to be sure there are no fundamental flaws before I commit to the hardware and wiring.
Goals
Use multiple ISPs with strict policy-based routing
Keep two work PCs consistently exiting via different ISPs
Separate office Wi-Fi, servers, CCTV, and IoT devices
Ensure CCTV cameras have zero internet access
Allow remote access via VPN (Tailscale) without exposing services
This is for reliability, predictability, and clean separation — not anonymity or bypassing rules.
Hardware
Firewall / Router: OPNsense (bare metal)
Core Switch: TP-Link JetStream (L2 managed, VLAN-aware)
Wi-Fi APs: TP-Link Omada EAP230 / EAP235 (AP mode only)
Servers:
Proxmox host (multiple VMs/containers)
Mini PC for WordPress sites
CCTV: Mini PC NVR (custom OS, 2 NICs)
VPN: Tailscale (device-to-device only)
ISPs:
ISP 1 (Fiber)
ISP 2 (Fiber)
ISP 3 (Fiber)
High-level topology
ISP 1 ─┐
ISP 2 ─┼──> OPNsense (ONLY routing device)
ISP 3 ─┘
              |
              | 802.1Q trunk
              v
      Managed L2 Switch
              |
     APs / PCs / Servers
Switches and APs are L2 only
All routing and WAN selection happens only in OPNsense
VLAN design
| VLAN | Purpose | Internet |
|---|---|---|
| | Work PC / Account 1 | ISP 1 only |
| | Work PC / Account 2 | ISP 2 only |
| | Office Wi-Fi / phones / thin clients | ISP 3 |
| | Servers (Proxmox, WordPress, mgmt) | ISP 3 (optional failover) |
| | CCTV cameras | ❌ No internet |
| | IoT / Home Assistant | ISP 3 (restricted) |
No inter-VLAN routing except explicit rules
No load balancing or failover for VLAN 10 / 20
Policy routing (OPNsense)
VLAN 10 → Gateway WAN1 only
VLAN 20 → Gateway WAN2 only
VLAN 30 / 40 / 60 → WAN3
VLAN 50 → blocked (no default gateway)
CCTV approach
Cameras live in VLAN 50
No gateway, no NAT, no internet
NVR Mini PC has 2 NICs:
NIC 1 → VLAN 50 (cameras only)
NIC 2 → VLAN 40 (management)
IP forwarding, NAT, and bridging disabled on the NVR OS
Remote viewing via Tailscale, not port forwarding
Wi-Fi
Omada APs in AP-only mode
Wired backhaul
SSIDs mapped to VLANs (Office Wi-Fi → VLAN 30)
No routing or NAT on APs
What I’m unsure about
Is this a reasonable use of OPNsense, or am I pushing complexity too far for a small office?
Any common pitfalls with multi-WAN + strict policy routing in OPNsense?
Is the 2-NIC NVR design safe long-term if routing is disabled?
Would you simplify anything without sacrificing isolation?
At what point would you say “drop OPNsense and use an SMB router instead”?
I’m comfortable managing OPNsense, but I don’t want a fragile setup that breaks silently.
Appreciate any feedback — especially from people running multi-WAN OPNsense or similar homelab/SMB environments.
Thanks!
https://redd.it/1q3sjn6
@r_systemadmin
Just priced out a Dell server I purchased in Jan. 2024 and the price went up 85.7%
I bought a Dell R360 in Jan. 2024. I just decided to configure it exactly the same. Jan. 2024 it cost $7,700. Jan. 2025 it costs $14,300.
Only 32GB of RAM.
This is way out of hand!
https://redd.it/1q3zkue
@r_systemadmin
modern internal ticketing system
Hey everyone, Our IT team is currently using a pretty basic help desk system, but as our company grows from around 200 to 800 employees, it’s starting to feel really clunky. We get a lot of repetitive tickets, and tracking everything manually is becoming a nightmare. I’ve been looking at some modern ITSM platforms, but it’s hard to tell which one actually makes life easier instead of just being more complicated.
What systems do you usually use and how do they handle ticket automation, integrations with Slack/Teams, and reporting? Anything you regret choosing or wish you’d known before switching? Really appreciate any experiences or advice. Would definitely take notes
https://redd.it/1q3rfwm
@r_systemadmin
I made a serverless app to transform GitHub Releases into APT and RPM package repos
https://reprox.dev/
There are so many great Linux softwares that are distributed exclusively by putting .deb and/or .rpm files into Github Releases, which means I have to "Watch" for new releases and manually download/install. I made this for myself to make it easy to add these projects to my package manager. Thoughts and feedback welcome!
https://redd.it/1q41z52
@r_systemadmin
I am doing something wrong with the time service
Or at least I think that I have done something basic incorrectly.
My goal is to switch time sync on the PDC to 1.us.pool.ntp.org.
I have turned off the Hyper-V time pass through.
I run this sequence of commands
net stop w32time
w32tm /config /syncfromflags:manual /manualpeerlist:"1.us.pool.ntp.org,0x8 1.us.pool.ntp.org,0x8 2.us.pool.ntp.org,0x8 3.us.pool.ntp.org,0x8"
w32tm /config /reliable:yes
w32tm /config /update
net start w32time
When I run the w32tm /config /update command it fails because the service is not running. I start the service OK and then run the update OK but still do not have the 1.us.pool.ntp.org as the NTPserver
https://redd.it/1q41707
@r_systemadmin
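An added example, not part of the original post: it applies a manual peer list while the Windows Time service is running (the post notes that `/update` fails when it is stopped) and then reads back where the effective time source comes from. The peer list reuses the host names from the post; the function names are hypothetical, and checking the Group Policy and Hyper-V provider registry keys is an assumption about where an override could come from.

```powershell
# Added example (not from the post). Run in an elevated session on the PDC emulator.
# Peer list built from the pool host names that appear in the post.
$Peers = '1.us.pool.ntp.org,0x8 2.us.pool.ntp.org,0x8 3.us.pool.ntp.org,0x8'

function Get-W32TimeState {
    # Collects the locally configured values, any policy-delivered values,
    # the Hyper-V time provider switch, and the source the service reports.
    $svcKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\W32Time'
    $local  = Get-ItemProperty "$svcKey\Parameters"
    $policy = Get-ItemProperty 'HKLM:\SOFTWARE\Policies\Microsoft\W32Time\Parameters' -ErrorAction SilentlyContinue
    $vmic   = Get-ItemProperty "$svcKey\TimeProviders\VMICTimeProvider" -ErrorAction SilentlyContinue
    [pscustomobject]@{
        ServiceStatus   = (Get-Service w32time).Status
        LocalType       = $local.Type          # NTP = manual peers, NT5DS = domain hierarchy
        LocalNtpServer  = $local.NtpServer
        PolicyType      = $policy.Type         # non-empty means Group Policy also sets a value
        PolicyNtpServer = $policy.NtpServer
        VmicEnabled     = $vmic.Enabled        # 1 = Hyper-V provider still active in the guest
        ReportedSource  = (w32tm /query /source 2>&1 | Out-String).Trim()
    }
}

function Set-ManualNtpPeers {
    param([Parameter(Mandatory)] [string] $PeerList)
    # w32tm /config /update talks to the running service, so start it first
    # instead of stopping it before the configuration commands.
    if ((Get-Service w32time).Status -ne 'Running') { Start-Service w32time }
    w32tm /config /manualpeerlist:"$PeerList" /syncfromflags:manual /reliable:yes /update
    Restart-Service w32time
    w32tm /resync /rediscover
}

'Before:'; Get-W32TimeState | Format-List
Set-ManualNtpPeers -PeerList $Peers
'After:';  Get-W32TimeState | Format-List
w32tm /query /peers
```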
From IT Technician to Endpoint Admin – Advice on Career Path?
Hi everyone.
I’m currently an IT Technician and my company told me there’s a potential career growth path either towards Endpoint Administrator or Cloud Support. I’m mostly working with M365 right now, and honestly, I have no idea which one to pursue.
In this market, I’m not too worried about salary. My main considerations are whether the role is "AI-proof" or if it has high employability.
My ultimate goal is to eventually move into cybersecurity, specifically as a SOC analyst. I know this might not be the most direct path, but I’m happy to have the opportunity to move internally and learn along the way.
So I wanted to ask the community:
Have any of you worked as M365 admins? Did you enjoy it?
What’s the career progression like for Endpoint Admins versus Cloud Support roles?
If you had to choose between Endpoint Admin and Cloud Support, which would you pick and why?
For Cloud Support, what exactly do you do day-to-day, and what are the career growth opportunities there?
Thanks in advance for any insight!
https://redd.it/1q3zg7g
@r_systemadmin
Microsoft silently kills Windows and Office phone activation and forces online activation with a Microsoft account — Windows users are now herded into an online-only portal for activation
https://www.tomshardware.com/software/windows/microsoft-silently-kills-windows-and-office-phone-activation-and-forces-online-activation-with-a-microsoft-account-windows-users-are-now-herded-into-an-online-only-portal-for-activation
Anyone run into this?
How does this work for air gap environments?
Trying to find some positives …
https://redd.it/1q4aui0
@r_systemadmin
Looking for a good SSO solution
We currently manage over 1,000 computers/users, some remote and some in designated desks. We are looking to deploy an SSO solution to combat password reuse and password resets. We looked into MiniOrange and ManageEngine. They have quite an extensive list of integrations.
Any quirks that I must be aware of before going ahead with the evaluation?
If you are looking to implement an SSO solution, which integrations would you prioritize?
https://redd.it/1q4dfrn
@r_systemadmin
Happy password reset day, admins
Holidays are over, work is back, and you know what today brings, a lot of password reset tickets.
Happy Password Reset Day, admins.
https://redd.it/1q4exi9
@r_systemadmin
January Microsoft 365 Changes Admins Should Know
New year, new Microsoft 365 changes! January is packed with 30+ impactful updates, including feature rollouts, retirements, and behavior changes that could affect your environment. Here’s what admins need to know as 2026 kicks off.
In the Spotlight:
Retirement of Activity-Based Authentication Timeout in OWA: The activity-based sign-out feature that logged users out after inactivity is being retired. Admins should switch to Idle session timeout to maintain similar session control.
Auto-Archive for Exchange Online: Auto-Archiving is now generally available in Exchange Online. To prevent storage overruns, emails are automatically moved to your archive mailbox once you hit 96% quota, ensuring uninterrupted mail flow.
Block External Users in Teams from Microsoft Defender: Security admins can now block external users and domains for Microsoft Teams directly from Microsoft Defender using the Tenant Allow/Block List.
Trust DigiCert Global Root G2 for Microsoft Entra: Microsoft will migrate Microsoft Entra services to DigiCert Global Root G2 starting January 7, 2026. Organizations must trust the G2 root CA and remove any G1 pinning to avoid authentication failures.
Retirement of IDCRL Authentication in SharePoint and OneDrive: Microsoft retires IDCRL authentication in SharePoint and OneDrive by January 30, 2026, blocking legacy sign-ins by default. Organizations should move to modern authentication (OpenID Connect and OAuth), with temporary re-enablement available until April 2026.
Here’s a quick overview of what’s coming:
Retirements: 5
New Features: 11
Enhancements: 5
Functionality Changes: 3
Action Required: 2
Retirements:
The opt-in toggle for Anthropic’s commercial terms in the Microsoft 365 admin center is being deprecated by Jan 7, 2026, as Anthropic becomes a default Microsoft subprocessor.
The “When Sending a Message” Group Policy in Classic Outlook for Windows retires on Jan 13, 2026. Admins should migrate to the new granular policies to avoid configuration gaps.
Extended support for Microsoft Advanced Threat Analytics (ATA) officially ends on January 13, 2026.
Starting January 13, 2026, new App-V packages for Microsoft 365 Apps can no longer be created. Existing packages still work, but all new builds must shift to Click-to-Run model.
The Technology Experience Score is retired from the Microsoft Adoption Score starting Jan 15, 2026. This cuts network, app health, and endpoint sub-scores, lowering the max score from 900 to 600.
New Features:
Microsoft Purview now lets admins delete sensitive or overshared content directly during Data Security Investigations to quickly reduce risk, while respecting existing DLP and retention policies.
Outlook for Windows introduces Wait on Send for DLP, delaying email delivery until DLP checks complete.
DLP policy tips are coming to Outlook for Mac, alerting users when sensitive data is detected and helping them resolve or override policy issues before sending emails.
Microsoft Teams will support apps in private channels, allowing bots, tabs, and message extensions, with apps configured at the channel level rather than the team level.
A new SharePoint Permissions report under Data Access Governance will track a user’s full site access, including direct or group-based permissions.
SharePoint site analytics will include OneNote file usage, tracking unique viewers and trending content.
Microsoft 365 will launch Copilot Readiness Packages to provide admins with guided assessments and secure deployment presets.
A new pay-as-you-go experience in the Microsoft 365 admin center will centralize billing, budgets, and usage for Backup and Copilot.
Insider Risk Management User Analytics in Purview will provide unified user activity summaries across DLP, Defender, and Communication Compliance.
Microsoft Teams admin center improves meeting and call troubleshooting with automatic issue detection, smarter search & filters, and Copilot-powered recommendations.
Previously limited to users, cross-tenant synchronization in Microsoft Entra now supports security groups, enabling centralized group management and cross-tenant access
Enhancements:
Teams will shorten meeting URLs by using only a meeting ID and hashed passcode, with URLs expiring after 60 days for scheduled meetings and 8 hours for Meet Now meetings.
Microsoft Teams is introducing a redesigned Workflows experience powered by Power Automate, with a modern UI, smarter templates, and natural language–based automation.
Microsoft Purview Insider Risk Management will use OCR to detect sensitive data in images shared across SharePoint, Teams, and endpoints, helping identify potential data leaks.
Purview Insider Risk Management limits will expand significantly: Variants per indicator: 3 → 10; Total variants: 100 → 400; Detection group items: 200 → 500.
Microsoft Purview Communication Compliance enhances policy alert customization, allowing admins to set per-policy alert frequency, email alert frequency, and recipients directly during policy creation.
Existing Functionality changes:
Microsoft Defender for Identity introduces an opt-in automatic Windows event auditing feature for unified sensors (v3.x), auto-applying required auditing settings on sensors.
Teams Desktop for Windows will run a new teams_modulehost.exe process to handle calling features separately from ms-teams.exe, improving isolation and reliability.
Microsoft Teams will turn on message safety settings by default, including weaponizable file type protection, malicious URL protection, and reporting incorrect security detections.
Action Needed:
Starting Jan 5, 2026, Outlook for Android will require Android 10.0 or later to receive updates and security patches. Users should upgrade their OS to maintain ongoing support.
Switch to *Schema.org* markup for reliable calendar event extraction, as the legacy method is unsupported and unreliable for the Events from email feature.
Act now to stay ahead and ensure these updates don't impact you!
https://redd.it/1q4itap
@r_systemadmin
No I can't call you, I'm busy AF
Seriously, why do people do that? You sent me an email with a problem. We can't troubleshoot this problem through email. I ask you to call the help desk so that someone who has more time than me can actually look at the issue. But noooooo you can't be assed to dial a 4 number extension, we have to call you...
ffs
https://redd.it/1q4mhyy
@r_systemadmin
Do you expect your frontline manager to be a Subject Matter Expert?
Is your boss the SME for the assortment of tech that your team administers? Do you expect them to be? Do you expect them to know how to at least do your job?
I imagine that the answer depends on the size of the organization and consequently the department and maybe even by industry.
https://redd.it/1q4qe4m
@r_systemadmin
Thickheaded Thursday - January 08, 2026
Howdy, /r/sysadmin!
It's that time of the week, Thickheaded Thursday! This is a safe (mostly) judgement-free environment for all of your questions and stories, no matter how silly you think they are. Anybody can answer questions! My name is AutoModerator and I've taken over responsibility for posting these weekly threads so you don't have to worry about anything except your comments!
https://redd.it/1q77x5g
@r_systemadmin
Who's still working from home in 2026?
Out of curiosity, who is still WFH in 2026? Did your org make you come back into the office?
WFH here, usually 3 days a week give or take. Sometimes 4 depending on the week. Our office is pretty much empty; you might be lucky to run into a couple of people sometimes.
https://redd.it/1q7cbpb
@r_systemadmin