Plex was how last pass got hacked. https://www.howtogeek.com/147554/lastpass-data-breach-shows-why-plex-updates-are-important/

You still need to do stuff even if it is plex.

To back off your post, does anyone have one for Australia?

April first.

I don’t think that works on my Samsung TV, or my partners iPad though. :)

Although not especially effective on the YouTube front, it actually increases network security just by blocking api access to ad networks on those kinds of IoT and walled garden devices. Ironically my partner loves it not for YouTube but apparently all her Chinese drama streaming websites. So when we go travel and she’s subjected to those ads she’s much more frustrated than when she’s at home lol.

So the little joke while not strictly true, is pretty true just if you just say ‘streaming content provider’.

There have been a few cases where ports are blocked. For example on many residential port 25 is blocked. If you pay and get a static ip this often gets unblocked. Same with port 10443 on a few residential services. There’s probably more but these are issues I’ve seen.

If you think about how trivial these are to bypass, but also that often aligns to fixing the problem for why they’re blocked. Iirc port 10443 was abused by malicious actors when home routers accepted Nat- pnp from say an unpatched qnap. Automatically forwarding inbound traffic on 10443 to the nas which has terrible security flaws and was part of a wide spread botnet. If you changed the Web port, you probably also are maintaining the qnap maybe. Also port 25 can be bypassed by using start-tls authenticated mail on 587 or 465 and therefore aren’t relaying outbound mail spam from infected local computers.

Overall fair enough.

It’s paraphrasing Torvalds himself though. It’s a cheeky title.

“… and I have absolutely no excuses to delay the v6.6 release any more, so here it is,”

Oh because if an application doesn’t exist natively in azure, ie not a MS Store app, then you can only deploy by uploading the msi which of course is one version. At an MSP with thousands of devices in dozens if not a hundred tenancies, and new software versions being released daily, you need something that will update all that.

Chocolatey is just for the poorer customers, a best effort, immybot for soe management though if the customer is full. Whenever Microsoft finishes getting their own repository fixed though, using winget could be the new chocolatey. Right now it doesn’t do patching or at least it didn’t 12 months ago. It could install and report but not update.

So thinking of solution life cycle you want something that doesn’t need tons of manual innervation, and you can use PDQ or chocolatey or immybot or whatever. Microsoft can handle its first party software suites and rmm deployment but 3rd party at this stage is just not good enough.

Hope that helps

Because you can pay for extended security updates, yes. Looking at defence and governnent globally, this is true of systems including xp.

So aside from using machine wide installers and ensuring that users are licensed for those products, you also need to setup enterprise roaming.

By the way, intune policies if they aren’t changing don’t take 8 hours to propogate to the machine, they take hours to propogate world wide like group policy takes hours to propogate in international sized ad forests.

So if you’ve got your intune policy set to auto sign in one drive and teams and whatever apps, assuming all your devices are intune registered, that setting doesn’t take hours to get to the machine. It’s immediate on first login. If you change that setting, it’s some hours to get it across every single machine. By the way in my experience, generally 80% of the time with a forced sync from the company portal app you should deploy with intune, it’s practically as fast as gpupdate. There’s a few times where you need to patiently wait 15 minutes but you can see that if you name your configuration profile like (v12) and you’ll see it’s either still (v11) or immediately (v12) and you stuffed a setting and it’s still not working.

You should be using machine wide installers not user appdata installers. Are you not?

Just to add more confusion, we are removing MDT from all customers and replacing with intune using the already created json templates we have plus then also deploying chocolatey with intune then calling powershell from intune to install other software. I’d say only 20% of our customers have on-premise AD the other 80% are all Microsoft Business Premium licensed unless over 300 staff, and that’s why we have been transitioning customers to only that for the last few years.

MDT is the right tool for AD on premises though so don’t be dissuaded from that, just more, you should know.

Bring free on cloudflare makes it widely adopted quickly likely.

It’s also going to break all the firewalls at work which will no longer be able to do dns and http filtering based on set categories like phishing, malware, gore, and porn. I wish I didn’t need to block these things, but users can’t be trusted and not everyone is happy seeing porn and gore on their co-workers screens!

The malware and other malicious site blocking though is me. At every turn users will click the google prompted ad sites, just like the keepass one this week.

Anyway all that’s likely to not work now! I guess all that’s left is to break encryption by adding true mitm with installing certificates on everyone’s machines and making it a proxy. Something I was loathe to do.

After I followed the instructions and having 15 years of system administration experience. Which I was willing to help but I guess you’d rather quip.

From my perspective unless there’s something that you’ve not yet disclosed, if wireguard can get to the public domain, like a vps, then tailscale would work. Since it’s mechanically doing the same thing, being wireguard with a gui and a vps hosted by tailscale.

If your ISP however is blocking ports and destinations maybe there are factors in play, usually ones that can be overcome. But your answer is to pay for mechanically the same thing. Which is fine, but I suspect there’s a knowledge gap.

Are you sure? Did you want to troubleshoot this or did you just want to give up?

I’ve got two synology nas connected to each other directly for hyper backup replications at clients because both units are on cgnat isps and there’s no public IP. And it just works.

Didn’t understand that by willing you meant wanting.

To be honest I think we have different cultural values here. The way I read this and the way you read it is clearly different. I’m disappointed by how little I had my expectations changed, while you had them moved more.

I think the question is, where can you bet on a single coin flip? Maybe because I’m Australian, there’s only one day a year you can bet on a (two) coin flip legally here. Everyone else seems to generally understand that coin flips aren’t fair for gambling and therefore is illegal.

If this paper was like ‘this is how corruption in sports…’ rather than ‘this is like that magician cup and balls trick’ then I’d understand your concern.

But like you said, you don’t even have a coin in the house, so the practical side is day to day, perhaps not even once a year, not only are you not deciding on a coin flip, even if you were, you’d (or whomever was flipping it for you) have to learn a technique to see it affect you.

I’ve seen something similar to this before in remote desktop servers where user redirected printers end up bloating registries to the point login times exceed processing limits and so not all the configuration in the registry or group policy gets processed. Each redirected printer gets created and never pegged, and it’s unique to that rdp session so they are duplicated to infinity over time. Glad you found it out, the only point with the complexity is I was trying to explain that it being complex doesn’t mean it won’t be robust if it’s still implemented without conflicts so you can rule that out (if you’ve ruled out conflicts) . Sounds like you found the culprit in the end! Good work.

When the horses have all bolted, BBC is the one to close the barn door.

Hey, sorry to say but not seeing this at all. About 60 customers, each between 30-200 staff, in Australia region. Almost all of them have reasonable conditional access policies managing maximum login times per app, requirements for device compliance for data sync and geo-restrictions and longer login times for known sites, as well as standard mfa requirements.

Id say there’s something else in your stack. We monitor many of our customers with 3rd party tools too, including Arctic Wolf for seim /SOC alerts and triage and isolation if AAD accounts are breached. Sentinel one with integration in aad too. Though personally I feel like most medium and small businesses would be better served with the already included defender for business. A topic for a different day.

But no unusual requirement for cleaning cache and such to ensure the policies we configure act as we expect.

I’ve seen different tenants act differently of course in the past. But nothing right now I can suggest. I’d personally start doing a/b testing and reviewing all logs relative and see what impact before and after has on logs.

Anyway sounds frustrating so good luck.