    Posts

    • RE: bitlocker suddenly enabled

      @scottalanmiller said in bitlocker suddenly enabled:

      @PhlipElder said in bitlocker suddenly enabled:

      @pattonb said in bitlocker suddenly enabled:

      Greetings, I have a user that claims on his recently purchased Lenovo laptop, that he started it up and is now asking for the BitLocker key. I have checked his Microsoft account, and there have not been any BitLocker keys used or saved. Is this a matter of a user inadvertently enabling BitLocker or............ ?

      Recent Windows Update is the culprit. The catch is, to remove it one needs to get into the OS partition in order to remove it. 😞

      Seriously? What the heck. What triggers it getting deployed?

      It looks like there are a few separate issues then?

      • Problem1: The BitLocker recovery key was required at boot.
        • Cause: Windows update issue.
      • Problem2: BitLocker is enabled and shouldn't have been, or was unexpectedly enabled.
        • Cause1: May be a managed (or unmanaged ^_^) policy enabling it.
        • Cause2: May have been done by the user, and the user is lying.
        • Cause3: May have been enabled automatically by Windows.
      • Problem3: The BitLocker recovery key is unknown.
        • Cause: BitLocker recovery key escrow is not set up or managed properly; lack of user training and/or user resources.
      • Problem4: Microsoft accounts? AAD? Any policies? Is anything managed? What's going on?
        • Cause: Lack of proper device management & identity management. Proper device and identity management could have prevented all of the above issues.
      posted in IT Discussion
      Obsolesce
    • RE: bitlocker suddenly enabled

      @scottalanmiller said in bitlocker suddenly enabled:

      @pattonb said in bitlocker suddenly enabled:

      Is this a matter of a user inadvertently enabling BitLocker or............ ?

      Definitely the expectation.

      It's highly unlikely. You have to know what you're doing to enable BitLocker manually. At worst, the user could be notified to turn it on, but it's clear you're turning it on.

      It's possible we don't know enough of the situation and they have a policy that turns it on. He said Microsoft account which means personal account, but maybe he meant an AAD company account. There are too many unknowns.

      It's also possible the user is lying.

      posted in IT Discussion
      Obsolesce
    • RE: bitlocker suddenly enabled

      @pattonb said in bitlocker suddenly enabled:

      Greetings, I have a user that claims on his recently purchased Lenovo laptop, that he started it up and is now asking for the BitLocker key. I have checked his Microsoft account, and there have not been any BitLocker keys used or saved. Is this a matter of a user inadvertently enabling BitLocker or............ ?

      There are a lot of factors, and they require a lot of questions, but here's an article that may help.

      The answer is that depending on many things, BitLocker can be enabled on its own. However, if logging in with a Microsoft account, the recovery key would be backed up before it's enabled.

      https://docs.microsoft.com/en-us/windows-hardware/design/device-experiences/oem-bitlocker

      posted in IT Discussion
      Obsolesce
    • RE: Self-Signed certs for LDAPS

      @notverypunny said in Self-Signed certs for LDAPS:

      So I'll start off by acknowledging that self-signed certs are less than ideal for most purposes.

      Right now my goal is to get rid of plain-text LDAP on the network and want to make sure that I'm not trading one security hole for another.

      I've found a couple of sets of instructions online and figured I'd run the idea past the assembled brain-power before going too far down the rabbit hole.

      https://anandthearchitect.com/2019/10/10/active-directory-self-signed-certificate-for-ldaps/

      https://social.technet.microsoft.com/Forums/en-US/667ec29d-d83a-49b4-9280-308964359154/best-way-to-enable-ldaps-self-signed-certificate?forum=winserversecurity

      https://www.javaxt.com/wiki/Tutorials/Windows/How_to_Enable_LDAPS_in_Active_Directory

      Open to other suggestions to move from LDAP to LDAPS, but I'm in an environment that has too much legacy stuff to scrap it and / or AD so that whole possible course of action is the non-starter to end all non-starters.

      In an on-prem only AD environment, no problem using self signed.

      posted in IT Discussion
      Obsolesce
    • RE: Production KVM server "hardening"?

      @Pete-S said in Production KVM server "hardening"?:

      I'm thinking about running pure KVM on Debian for virtualization hosts. Not Proxmox. There will be no GUI on the servers, no web interface, only ssh for management.

      Do I need to do anything special to lock down the security?

      I've never used KVM in production, only on my desktop and then I've had virt-manager as well as tools like virsh. So I don't really know what is required for a pure KVM server to be as "secure" as Proxmox, XCP-ng or whatever.

      Keep the OS and everything updated. Keep drivers updated. Keep firmware updated. Use only key-based auth for SSH, add only specific devices to the authorized_keys file. Ensure the firewall is configured well. Set up log alerts for access.

      posted in IT Discussion
      Obsolesce
    • RE: Experience with NDR Solutions

      @stacksofplates said in Experience with NDR Solutions:

      Why is Sally accessing this service from a non-work computer at 3 am her time with a Chinese IP address? Sure, this request has the password but that doesn't sound valid.

      Which means you can automatically perform additional validation with MFA, or straight up deny access.

      There's a lot of options really. You can only allow access to certain systems and/or services via company devices enrolled in MDM, with up to date OS, encryption, and endpoint protection. You can verify endpoints and users with passwordless auth via Beyond Identity and in certain cases use additional MFA via Duo or whatever you want to set up.

      Sally is trying to log in to her company email. She's authenticated via passwordless auth via Beyond Identity on her work computer. Her work computer passes the health check seamlessly through BYID and allows her to access her email. Maybe she's also prompted for MFA always, or maybe only if she's logging in outside her normal geographic area on her work computer. Maybe (e.g. email) access is denied totally if from a non-company device. Options...

      posted in IT Discussion
      Obsolesce
    • RE: OneDrive to Google Drive / Wasabi Sync ?

      Just to make it clear, I'm using rclone sync to do the job on a headless Ubuntu container.

      Revisiting this now two years later, as it's been that long since I last synchronized my personal OneDrive photo and video archives to Wasabi.

      Most everything is great, except when doing a few --dry-run tests on some already-synchronized source/destination remotes, I noticed a few thousand files in total among several OneDrive archives result in a potential re-sync. Not a huge deal, except it's a slow process to sync.

      The files themselves didn't change. I verified from both the source and backup that the CRC is the same on a bunch of to-be re-synced files, but perhaps the modification time changed at the source due to other syncs or who knows.

      I would like to force rclone to use checksum only when synchronizing. Is that possible with an rclone sync between OneDrive and Wasabi?

      posted in IT Discussion
      Obsolesce
    • RE: Why have mass shootings increased - you thoughts?

      @scottalanmiller

      https://worldpopulationreview.com/country-rankings/mass-shootings-by-country


      posted in Water Closet
      Obsolesce
    • RE: Powershell "-eq" operator and "False"

      @pmoncho said in Powershell "-eq" operator and "False":

      I am always confused by single vs double quotes and when to use them. I will take your advice and use single first.

      Single quotes are literal, double quotes resolve variables, expressions, cmdlets, anything with a $ or $() in double quotes.

      posted in Developer Discussion
      Obsolesce
    • RE: Powershell "-eq" operator and "False"

      @Pete-S said in Powershell "-eq" operator and "False":

      Have a look at the difference between strings in double quotes and single quotes as well.

      Yes this is a case where one point can lead to another and before you know it, it's a book.

      His original post had nothing to do with single quotes so I wanted to watch how far I took it. That's why I purposefully said typically, because unless you cast a type before the double quotes, it's a string. But in that case it's quite clear what the type is because it's literally telling you in the brackets.

      posted in Developer Discussion
      Obsolesce
    • RE: How should you handle a potential promotion?

      @RandyBlevins said in How should you handle a potential promotion?:

      Should I consider taking the new position if my pay grade stays the same?

      I think this is one of the big questions.

      Is the new role something you would enjoy more irrespective of a pay bump?

      Or would the only enjoyment or benefit of the new role come from the pay bump and not the role?

      Would the new role be worth more should you take the role for a year or two with no pay bump, but result in like a 20% base pay increase at a new company later? Maybe that would be worth it. Maybe the new role would give a slight pay bump at your current company, and lead to more bonus/equity/etc, and/or more pay raises there too.

      What do other companies pay for that new role now? What might they pay in two years? Maybe in 2 years of having this new role, you could at a different company get hired at a higher level like Principal or similar, resulting in a few hundred $K more total comp per year.

      You could answer these best, but it may help to point them out.

      posted in IT Careers
      Obsolesce
    • RE: Powershell "-eq" operator and "False"

      @pmoncho said in Powershell "-eq" operator and "False":

      Trying to figure out why this will not work? I'm stumped

      $UserID = read-host "UserID to disable"
      $UserE = (Get-ADUser $UserID)
      
      write-host "Account Enabled?" $UserE.Enabled
      
      if ($UserE.enabled -eq "False") {
         $a = read-host "Move to Disabled Accounts OU? (Y/N)"
         $answer
      }
      

      UserID to disable: test1
      Account Enabled? False

      C:\windows\system32

      If I use the following, all works whether "Enabled" is True or False

      if ($UserE.enabled -ne "True") {...
      

      In PowerShell, typically if it's in double quotes, it's a string. That's what you were checking for, is if a given string equals the word "False".... instead of the boolean true/false, as $true/$false.

      To find out what type of output you're dealing with, you can always use the built-in getType() method. You'll notice the Name property of String or Boolean.


      posted in Developer Discussion
      Obsolesce
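
      The type mismatch discussed in the post above, as an added example that is not part of the original posts. The two user objects are constructed stand-ins for what Get-ADUser returns, and Test-AccountDisabled is a hypothetical helper name.

```powershell
# Constructed stand-ins for Get-ADUser output; only the Boolean Enabled
# property matters for this comparison.
$disabledUser = [pscustomobject]@{ SamAccountName = 'test1'; Enabled = $false }
$enabledUser  = [pscustomobject]@{ SamAccountName = 'test2'; Enabled = $true }

# The property is a Boolean, the quoted word is a String.
$disabledUser.Enabled.GetType().Name
"False".GetType().Name

# -eq converts the right-hand operand to the type of the left-hand one.
# The left side is [bool], so the string is cast to [bool], and every
# non-empty string (including "False") casts to $true.
[bool]"False"
$disabledUser.Enabled -eq "False"   # compares $false with $true
$enabledUser.Enabled  -eq "False"   # compares $true with $true: an enabled
                                    # account would pass an "is disabled" test

# -ne "True" gives the intended branch only by accident: "True" is also
# just a non-empty string that casts to $true.
$disabledUser.Enabled -ne "True"

# Hypothetical helper: compare against the Boolean constant and refuse
# anything that is not a Boolean (for example $null from an incomplete lookup),
# so an account-management script never acts on a guessed state.
function Test-AccountDisabled {
    param([Parameter(Mandatory)] [psobject] $User)
    if ($User.Enabled -isnot [bool]) {
        throw "Enabled is not a Boolean for $($User.SamAccountName)"
    }
    return ($User.Enabled -eq $false)
}

foreach ($u in $disabledUser, $enabledUser) {
    '{0}: disabled = {1}' -f $u.SamAccountName, (Test-AccountDisabled -User $u)
}
```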
    • RE: User Profile migration Problem AAD -> AD

      @d-cunnings said in User Profile migration Problem AAD -> AD:

      Customer pulling in smaller firm running Windows clean Azure.

      I am to get those users off their Azure and onto the On-prem domain and have been given the task to move not only their data but also their current user account experience.

      Going through everything I could find over the weekend I get to the point where I conclude that there is no way to do this.

      -There doesn't even seem to be a way to link a local or domain profile to an Azure account?

      Has anyone of you done this?

      Maybe just get rid of computers and go back to pencil and paper?

      posted in IT Discussion
      Obsolesce
    • RE: User Profile handling anno 2022

      @xavierdelaraunt said in User Profile handling anno 2022:

      I have quite a lot of settings I cannot get into the default settings in any way like that.

      I have not run into any policies, settings, etc that could not be done through Intune. It would be very hard for me to think of something that I can't do to a device related to those through Intune.

      If you are referring to user profile migrations across different devices (old device > new device), most of that can be resolved by better systemic practices prior. That can be a shitty experience regardless of MDM or device management system.

      posted in IT Discussion
      Obsolesce
    • RE: What Are You Doing Right Now

      @scottalanmiller said in What Are You Doing Right Now:

      Today I was called communist for shopping at Walmart.

      Lol what?

      posted in Water Closet
      Obsolesce
    • RE: Is Real Estate Actually a Good Investment on Average?

      Here's a real example.

      I'm renting. I love the area we're in. There are other areas where we would enjoy living as well that are exactly the same.

      I'm paying under $3K a month for rent. It's a large condo, 3BR 2Bath, wonderful area, 4 pools 4 hot tubs, awesome view, great location, great & quiet neighbors, great community.

      Renting other places around here is similarly priced, many are a few hundred $ more for now, but still in range.

      We'd like to buy a house in our current area, or another area we like, and pretty much keep our current standard of living as we are in this condo, but in house form.

      If we did that, the minimum mortgage payment we're looking at MINIMUM is $6.5K, that is with dumping a bunch of cash as a down payment... note that the $6.5K does not include insurance, PMI, taxes, closing costs, etc.

      So you see, renting and owning a home is not the same thing. Just because I choose to rent, doesn't mean that I automatically will rent the same kind of house that I would want to buy. So it's just not logical to me to compare them like that. Typically, you rent to save money. Sure, I could rent a house for $8K a month, but wtf would I do that? I'd rather buy! Except, I don't want to buy, because I need the freedom to be mobile and choose where to live and not be stuck... I don't want to throw all my money into a house and live paycheck to paycheck and be forced to sell at the next higher bubble than is currently to make anything.

      Yeah, we could move to a cheaper area, but we don't want to. There's no point because we just don't want to give up what makes us live happy and looking forward to the next day/weekend/time off, etc.

      I'd rather keep renting, and saving money, and investing money, that I'm not throwing into a house that I may or may not get back plus more later, if life works out perfectly for home ownership. I'm very likely to move as well, need that freedom, while saving! We can't time our life according to the house, we need our housing to work for us.

      posted in Water Closet
      Obsolesce
    • RE: Is Real Estate Actually a Good Investment on Average?

      @Dashrender said in Is Real Estate Actually a Good Investment on Average?:

      How are these investment groups making any money buying all of these houses and then renting them all

      It's not guaranteed that they do. Look at some recent examples of companies overpaying for homes and getting screwed. It happens a lot. It's also not only about making money for them on the house, it's about holding money. There are so many loopholes in the system that it is a way to legally launder, avoid other things such as taxes, etc.

      That said, when you can buy homes with cash, it is less likely to be a liability. They avoid PMI, mortgage, interest, not living in the home so aren't tied to it, much easier to time the market to buy and sell, etc. They tend to immediately find renters because these homes are usually move-in ready. If not, they have other plans.

      posted in Water Closet
      Obsolesce
    • RE: Is Real Estate Actually a Good Investment on Average?

      @Mario-Jakovina said in Is Real Estate Actually a Good Investment on Average?:

      @Obsolesce House is definitely an asset.
      The most typical form of asset.

      (Look at any balance sheet, and real estate is always in assets, where else would it be?)

      Mortgage is liability.

      https://biesingerfirejourney.com/house-asset-or-liability/

      https://www.richdad.com/what-are-assets-and-liabilities

      https://medium.com/the-investors-handbook/is-a-house-an-asset-or-a-liability-5c57ca3190bb

      https://www.clevergirlfinance.com/blog/is-a-house-an-asset/

      https://www.foreignersfinances.com/is-a-house-an-asset-or-a-liability/

      https://www.cbsnews.com/news/is-your-house-an-asset-or-a-liability/

      I can keep going if you want.

      posted in Water Closet
      Obsolesce
    • RE: Is Real Estate Actually a Good Investment on Average?

      @Jimmy9008 a house is not automatically an asset. In most cases when buying a house with a mortgage, it is considered a liability. It can take a long time to become an asset, if ever at all.

      posted in Water Closet
      Obsolesce
    • RE: Is Real Estate Actually a Good Investment on Average?

      @scottalanmiller said in Is Real Estate Actually a Good Investment on Average?:

      @Obsolesce said in Is Real Estate Actually a Good Investment on Average?:

      @Obsolesce said in Is Real Estate Actually a Good Investment on Average?:

      Additionally, had you put 202K into an index fund in 2005, what would it be worth today?

      Looks like gains of nearly $400K (S&P index fund) after adjusted for inflation, nearly $600K without.

      So basically a loss of ~$400K comparing the two unadjusted numbers.

      Assuming 17 years with zero maintenance or repairs or other overhead.

      Can't forget about closing costs and taxes, there's that too.

      posted in Water Closet
      Obsolesce