Almost like that xkcd joke…

To back off your post, does anyone have one for Australia?

I don’t think that works on my Samsung TV, or my partners iPad though. :)

Although not especially effective on the YouTube front, it actually increases network security just by blocking api access to ad networks on those kinds of IoT and walled garden devices. Ironically my partner loves it not for YouTube but apparently all her Chinese drama streaming websites. So when we go travel and she’s subjected to those ads she’s much more frustrated than when she’s at home lol.

So the little joke while not strictly true, is pretty true just if you just say ‘streaming content provider’.

How are they placing this data? Api? Not possible to align disk tiers to api requests per minute? Api response limited to every 1ms for some clients, 0.1ms rate for others?

You’re pretty forthcoming about the problems so I do genuinely hope you get some talking points since this issue affects, app&db design, sales, and maintenance teams minimally. Considering all aspects will give you more chance for the business to realise there’s a problem that affects customer experience.

I think from handling tickets, maybe processes to auto respond to rate limited/throttled customers with 'your instance been rate limited as it has reached the {tier limit} as per your performance tier. This limit is until {rate limit block time expiry}. Support tickets related to performance or limits will be limited to P3 until this rate limit expires."

Work with your sales and contracts team to update the sla to exclude rate limited customers from priority sla.

I guess I’m still on the “maybe there’s more you can do to get your feet out of the fire for customer self inflicted injury” like correctly classifying customer stuff right. It’s bad when one customer can misclassify stuff and harm another customer with an issue by jumping a queue and delaying response to real issues, when it’s working as intended.

If a customer was warned and did it anyway, it can’t be a top priority issue, which is your argument I guess. Customers who need more, but pay for less and then have a expectation for more than they get. It’s really not your fault or problem. But if it’s affecting you I guess I’m wondering how to get it to affect you less.

If it’s possible to do, and it causes a user experience issue, especially one as jarring as “stop accepting writes” you should start adding rate limits and validate inputs with rate limits expressed to the user before they hit the error rate.

To me you should already be sanitising input anyway, and this would just be part of that logic. If a user is trying to upload more than x it warns (with link to documentation of the limit). If user has gone past the rate limits, then error.

I’m not a sre or dev, just a sysadmin though. Users expect guard rails. If it’s possible, it’s permitted.

There have been a few cases where ports are blocked. For example on many residential port 25 is blocked. If you pay and get a static ip this often gets unblocked. Same with port 10443 on a few residential services. There’s probably more but these are issues I’ve seen.

If you think about how trivial these are to bypass, but also that often aligns to fixing the problem for why they’re blocked. Iirc port 10443 was abused by malicious actors when home routers accepted Nat- pnp from say an unpatched qnap. Automatically forwarding inbound traffic on 10443 to the nas which has terrible security flaws and was part of a wide spread botnet. If you changed the Web port, you probably also are maintaining the qnap maybe. Also port 25 can be bypassed by using start-tls authenticated mail on 587 or 465 and therefore aren’t relaying outbound mail spam from infected local computers.

Overall fair enough.

It’s paraphrasing Torvalds himself though. It’s a cheeky title.

“… and I have absolutely no excuses to delay the v6.6 release any more, so here it is,”

Oh because if an application doesn’t exist natively in azure, ie not a MS Store app, then you can only deploy by uploading the msi which of course is one version. At an MSP with thousands of devices in dozens if not a hundred tenancies, and new software versions being released daily, you need something that will update all that.

Chocolatey is just for the poorer customers, a best effort, immybot for soe management though if the customer is full. Whenever Microsoft finishes getting their own repository fixed though, using winget could be the new chocolatey. Right now it doesn’t do patching or at least it didn’t 12 months ago. It could install and report but not update.

So thinking of solution life cycle you want something that doesn’t need tons of manual innervation, and you can use PDQ or chocolatey or immybot or whatever. Microsoft can handle its first party software suites and rmm deployment but 3rd party at this stage is just not good enough.

Hope that helps

Because you can pay for extended security updates, yes. Looking at defence and governnent globally, this is true of systems including xp.

So aside from using machine wide installers and ensuring that users are licensed for those products, you also need to setup enterprise roaming.

By the way, intune policies if they aren’t changing don’t take 8 hours to propogate to the machine, they take hours to propogate world wide like group policy takes hours to propogate in international sized ad forests.

So if you’ve got your intune policy set to auto sign in one drive and teams and whatever apps, assuming all your devices are intune registered, that setting doesn’t take hours to get to the machine. It’s immediate on first login. If you change that setting, it’s some hours to get it across every single machine. By the way in my experience, generally 80% of the time with a forced sync from the company portal app you should deploy with intune, it’s practically as fast as gpupdate. There’s a few times where you need to patiently wait 15 minutes but you can see that if you name your configuration profile like (v12) and you’ll see it’s either still (v11) or immediately (v12) and you stuffed a setting and it’s still not working.

You should be using machine wide installers not user appdata installers. Are you not?

Just to add more confusion, we are removing MDT from all customers and replacing with intune using the already created json templates we have plus then also deploying chocolatey with intune then calling powershell from intune to install other software. I’d say only 20% of our customers have on-premise AD the other 80% are all Microsoft Business Premium licensed unless over 300 staff, and that’s why we have been transitioning customers to only that for the last few years.

MDT is the right tool for AD on premises though so don’t be dissuaded from that, just more, you should know.

They’ll be in a hardware security module, just like the computer should be storing encryption keys with the tpm. Tbh I don’t know what’s actively implemented but definitely on the devices I manage in MDM they’re non-compliant without that. I’m sure you probably can get cheap devices without though. Just like you can get home level laptops without tpm.

After I followed the instructions and having 15 years of system administration experience. Which I was willing to help but I guess you’d rather quip.

From my perspective unless there’s something that you’ve not yet disclosed, if wireguard can get to the public domain, like a vps, then tailscale would work. Since it’s mechanically doing the same thing, being wireguard with a gui and a vps hosted by tailscale.

If your ISP however is blocking ports and destinations maybe there are factors in play, usually ones that can be overcome. But your answer is to pay for mechanically the same thing. Which is fine, but I suspect there’s a knowledge gap.

Are you sure? Did you want to troubleshoot this or did you just want to give up?

I’ve got two synology nas connected to each other directly for hyper backup replications at clients because both units are on cgnat isps and there’s no public IP. And it just works.

Didn’t understand that by willing you meant wanting.

It’s impossible to tell, because they fired all the people who were counting.

To be honest I think we have different cultural values here. The way I read this and the way you read it is clearly different. I’m disappointed by how little I had my expectations changed, while you had them moved more.

I think the question is, where can you bet on a single coin flip? Maybe because I’m Australian, there’s only one day a year you can bet on a (two) coin flip legally here. Everyone else seems to generally understand that coin flips aren’t fair for gambling and therefore is illegal.

If this paper was like ‘this is how corruption in sports…’ rather than ‘this is like that magician cup and balls trick’ then I’d understand your concern.

But like you said, you don’t even have a coin in the house, so the practical side is day to day, perhaps not even once a year, not only are you not deciding on a coin flip, even if you were, you’d (or whomever was flipping it for you) have to learn a technique to see it affect you.

I’ve seen something similar to this before in remote desktop servers where user redirected printers end up bloating registries to the point login times exceed processing limits and so not all the configuration in the registry or group policy gets processed. Each redirected printer gets created and never pegged, and it’s unique to that rdp session so they are duplicated to infinity over time. Glad you found it out, the only point with the complexity is I was trying to explain that it being complex doesn’t mean it won’t be robust if it’s still implemented without conflicts so you can rule that out (if you’ve ruled out conflicts) . Sounds like you found the culprit in the end! Good work.