⏩ TL;DR — This Week in SysAdmin

· 🎙️ Should Hyper-V live in the domain? Eric and I unpack the debate — and the unexpected third option.

· 🛡️ Still using self-signed certs? Project Runspace says stop it. Seriously.

· 🧰 Tool of the week: PingPlotter! For proving your ISP is gaslighting you.

· 🧠 New Quick Concept: Why SaaS misconfigs are the new “oops, I left RDP open.”

· 👨‍💻 Helpful gems from Ola Strom, Mike Robbins, Charbel Nemnom, and others

· 🧬 Plus: Debian Trixie issues, firewall basics, and a long look at standing desks (because your back hates you)

It’s another week of patching, learning, breaking, and somehow still fixing it all. Let’s go.

🧠 This Week’s Insight(s) from Andy

When I stand back and look at the culmination of this week’s links, I think it’s apt to set our theme this week as: “The Hidden Work That Keeps It All Running”

From quiet SaaS misconfigs to the gnarly internals of your backup setup, this week highlights the often invisible (yet mission-critical) work that sysadmins do. It’s not always glamorous, and it rarely ends up in a highly visible and flashy sprint demo, but it’s the reason the lights stay on and the data stays safe.

Whether you’re chasing down a token with no expiration date, trying to make backup restores actually reliable, or fighting with a CLI that hates you personally, you’re doing the kind of work that most folks never see. But, let’s be honest, everyone depends on said work and they don’t even know it.

I remember an incident from my days in the managed service provider trenches. It had been a BRUTAL on-call rotation that week, with multiple 2am calls throughout the week. Then I got the call we all hate to get. Major connectivity issue in a datacenter no where near me. A schedule configuration change had broken an etherchannel in a VMware ESXI cluster 240 miles away, and VMs were unable to boot. It was 4am, work started for this customer at 7am, and the clock was ticking. After multiple phone calls, and a very helpful junior tech that lived much closer than I, the two of us were able to get the etherchannel restored, and back online JUST before the 7am start.

And the best part…. no one had ANY idea that their virtual machines had been dead to the world for several hours. SysAdmin heroics were invisible and highly valuable that day.

It could be the fact that we have an episode of the podcast coming soon about show casing SysAdmin value to the business, and I keep thinking about how all that invisible work often recieves no credit. With that in mind, this issue is for the unsung fixes, the silent patches, and the config reviews no one asked for but would absolutely notice if you skipped.

And now, back to our regularly scheduled programming…

🎹 Latest on the SysAdmin Weekly Podcast

🎧 Should You Domain-Join Hyper-V Hosts or Not?
Andy and Eric dive into a decades-old debate: domain-join your Hyper-V hosts, or keep them workgroup-isolated?

Spoiler alert: there’s a very strong stance taken, with a secret Option C for the adventurous.

🎧 In Case You Missed It on SysAdmin Weekly

🎧 The State of Microsoft Certification (2025 Edition)
Paul and Andy explore what’s changed, and what hasn’t in the world of Microsoft certs. Are they still worth it? How do they fit into modern IT careers?

🎧 Sneak Peek of the Next Episode

In our next episode, Eric and Andy dig into a topic that hits close to home for every SysAdmin: making your work visible and proving your value to the business.

With layoffs and re-orgs sweeping through IT teams across the industry, this one hits hard. The guys talk about:

· Why invisibility is the enemy of job security

· How to tie your daily wins to business outcomes

· What kinds of documentation and reporting actually matter

· And why “nothing broke this week” might be the most underappreciated KPI in tech

To quote one of the guys from the episode:

“If your work as a SysAdmin is invisible, it’s only a matter of time before someone questions its value.”

Don’t miss it! This episode drops later this week on the SysAdmin Weekly Podcast!

🔍 From AndyOnTech and Project Runspace

📄 Stop Using Self-Signed Certs
Eric gives us a blunt but important reminder about why self-signed certs are a terrible idea in 2025. Yes, even in test/dev. There are better (and free) options now, use them.

🧱 Core Fundamentals

📘 How Do Firewalls Actually Work?
Simple. Clear. Timeless. Cloudflare again brings the goods with a no-fluff explanation of what firewalls are and how they protect systems. This is still foundational knowledge, even in our container-and-cloud world.

🩵 Helpful Community Content

💥 I Messed Up Microsoft Teams (So You Don’t Have To)
Ola Strom breaks down a Microsoft Teams crash-on-ARM scenario that absolutely no one wants to debug twice.

✅ Saved you at least an hour, buy this man a coffee!

🔧 Shorten Azure CLI Commands in PowerShell (Without Backticks)
Azure CLI meets readability. Mike Robbins shares a neat trick to clean up those monsterously long azcli commands that eat entire terminals.

📦 Azure Files Storage and Access Tiers Explained
Charbel Nemnom provides a deep dive on how storage tiers in Azure Files work, and when to use each. If you’re spending too much on blob storage, start here.

🪑 14 Years at a Standing Desk
A rare gem: ergonomic wisdom from long-time IT veteran Adam Engst. Spoiler: standing is good, but stretching is better.

🎟️ Other SysAdmin Content from Vendors and Official Publications

🧠 AI Workload Prep: Upcoming Microsoft Event
Rick Claus and team walk through what orgs need to do to prepare infrastructure for modern AI workloads. Worth attending.

🐧 Debian Trixie Release Notes (Issues to Watch)
Debian fans: the Trixie release is close. Here’s what you’ll want to know about issues that could impact upgrade planning.

🔊 Security Headlines for SysAdmins

🛡️ Critical SharePoint Exploits: What You Need to Know
Microsoft drops a detailed write-up on multiple actively exploited SharePoint vulnerabilities, including how attackers are gaining remote access through insecure app management pages. The blog outlines detection methods and Microsoft Defender for Endpoint telemetry you can use to validate whether you’re affected.

👉 If you’re running SharePoint on-prem or hybrid, this one’s a must-read.

🛠️ Tool of the Week

📡 PingPlotter
A dead-simple, highly visual network diagnostic tool that’s helped countless IT pros catch flaky connections and bad ISPs red-handed. Run it, screenshot it, and send it to your vendor > argument over.

🧠 Quick Win of the Week

Need ammo for an ISP battle?
Set up a PingPlotter session and let it run for a few hours. Export the graphs. Boom! Proof of upstream packet loss, in living color.

📤 Out-of-Band Insight(s)

SaaS platforms promise agility and scale, and they DO deliver (most of the time). But they also bring a new flavor of pain: misconfigurations so subtle you won’t notice until data leaks or alerts start screaming.

The core issue? Most SaaS apps were designed for ease of use, not enterprise hardening. Combine that with:

· Federated identity spaghetti (hello SSO entropy)

· Token sprawl with inconsistent scopes and lifetimes

· Admin settings buried in obscure panels

· And users clicking “Accept” like it’s a cookie banner…

…and you’ve got a misconfiguration just waiting for the wrong moment.

TL;DR: SaaS lacks centralized logging, configuration baselines, and consistent policy enforcement, making misconfig drift and blind spots inevitable. If you’re not reviewing settings after every onboarding, vendor update, or advisory you’re probably missing something critical.

It’s not your fault. But it is your problem. Such is SysAdmin Life….

🛠️ Pro Tip: Add recurring reviews of OAuth app consents, sharing settings, and admin roles to your quarterly tasks. Bonus points for per-app and per-group granularity. Future You will absolutely send snacks.

🧠 Fun Retro SysAdmin Fact

Remember RS-232 serial cables? So did your BIOS.
Back in the 80s and 90s, sysadmins kept a literal box of these bad boys for everything from modem hookups to console access on routers. Every time someone asks “Why do we still support serial?” Well, it’s because someone, somewhere, is still racking a switch that only speaks 9600 baud.

☕ Wrap-Up

Another week, another set of scripts, patches, old habits, and new ideas.
If you got something useful out of this issue, forward it to a fellow SysAdmin who might still be typing net use into a login script somewhere.

Stay caffeinated, stay patched, and for the love of uptime, stop using self-signed certs!

Until next week,
— Andy