Author: Andrae Snegirev

Managing Local Entra ID (Azure AD) Profiles via PowerShell

Objective: Safely identify and remove cached Entra ID user profiles on local Windows devices to free up disk space and resolve profile issues.


Note on net user:
The standard net user command only queries the local Security Account Manager (SAM) database. Because Entra ID users authenticate against the cloud, Windows does not create a local SAM account for them, making them invisible to net user. The methods below must be used instead.


1. How to View Profiles via PowerShell
To get a quick list of all user profiles currently cached on a machine, run the following command in an elevated PowerShell prompt.
Entra ID profiles can be identified by their SID, which always begins with S-1-12-1.

Get-CimInstance Win32_UserProfile | Select-Object LocalPath, SID

2. How to Safely Remove Profiles via PowerShell
WARNING: Never delete a user’s folder directly from C:\Users. Doing so leaves orphaned SID entries in the registry (ProfileList). If that user logs into the device again, Windows will fail to load their profile and force them into a temporary profile (C:\Users\TEMP).


To cleanly wipe both the file system directory and the associated registry keys, run PowerShell as an Administrator and use the Remove-CimInstance command.


Method A: Remove by SID (Recommended)
Copy the SID from the viewing step and run:

Get-CimInstance Win32_UserProfile | Where-Object { $_.SID -eq "S-1-12-1-YOUR-SID-HERE" } | Remove-CimInstance

Method B: Remove by Folder Path
If you prefer to target the exact folder name located in C:\Users:

Get-CimInstance Win32_UserProfile | Where-Object { $_.LocalPath -like "*\TargetUsername" } | Remove-CimInstance

3. Essential Diagnostic Commands: quser and dsregcmd
Before removing a profile or when troubleshooting an Entra ID login issue, you should use these two built-in command-line tools to understand the current state of the machine.
Checking Active Sessions with quser
While Get-CimInstance shows you every profile saved on the disk, it doesn’t tell you if the user is currently using the machine.
Run this in CMD or PowerShell:

quser
  • What it does: Displays all currently active or disconnected login sessions on the machine.
  • Why use it: Always run quser before deleting a profile to ensure the target user doesn’t currently have a locked/disconnected session running in the background. You cannot cleanly delete a profile that is actively loaded into memory.

Checking Cloud Connectivity with dsregcmd /status
If an Entra ID user is failing to log in, or their profile isn’t syncing properly, the issue might be with the device itself rather than the user profile.
Run this in CMD or PowerShell (no admin required):

dsregcmd /status
  • What it does: Outputs the complete Azure AD/Entra ID registration status of the local device.
  • What to look for:
    AzureAdJoined : YES (Under Device State): Confirms the machine is successfully joined to the client’s cloud tenant.
    AzureAdPrt : YES (Under SSO State): Confirms the user has a valid Primary Refresh Token. If this says NO, the user’s cloud credentials are out of sync or expired, which will break access to local Office apps and OneDrive.

Appendix: The GUI Method
If technicians prefer a visual interface, or if you are doing a bulk cleanup on a single machine, use the native Windows tool:

  1. Open the Run dialog (Win + R) or CMD.
  2. Type sysdm.cpl and press Enter.
  3. Navigate to the Advanced tab.
  4. Under the User Profiles section, click Settings.
  5. Select the target profile from the list and click Delete.

This executes the same safe removal process as the PowerShell commands above.

Cove Backup Failures – MS SQL / File In Use Errors

Related Ticket: #6220

Overview

Cove backups may fail or complete with errors indicating that files (often SQL-related or tax software database/temp files) are “in use by another process.”

This is most commonly seen with accounting/tax applications (e.g., Accounting CS), where background database activity interferes with snapshot-based backups.


Symptoms

You may see the following in Cove:

  • Backup completes with errors
  • Repeated failures on specific files
  • Error message similar to:
    • “The process cannot access the file because it is being used by another process”

Common file types involved:

  • SQL database files (.mdf, .ldf)
  • Temp database files
  • Application-specific database components (Accounting CS, etc.)

Resolution

Step 1 – Restart Backup-Related Services

Reset the Windows Backup Engine and VSS services:

net stop wbengine
net stop vss
net stop swprv

net start swprv
net start vss
net start wbengine

Notes:

  • wbengine = Windows Backup Engine (key factor in this case)
  • vss = Volume Shadow Copy Service
  • swprv = Microsoft Software Shadow Copy Provider

Step 2 – Manually Run Backup

  • Trigger a manual backup
  • Confirm successful completion

Step 3 – Monitor Scheduled Backup

  • Leave auto-backup enabled
  • Verify next scheduled run completes successfully

When to Use This Fix

  • Backup errors reference “file in use”
  • Files are tied to SQL or database-driven applications
  • Issue repeats across multiple runs
  • Manual retries alone do not resolve it
  • Issue clears after service restart

Root Cause (Observed Behavior)

Based on troubleshooting from this case:

  • The issue is triggered when an application keeps a database file “active” during backup
  • Even though VSS is designed to handle open files, something in the backup chain can become unstable
  • When a disconnect or interruption occurs, related services (especially backup engine components) may get into a bad state
  • Once this happens, backups continue to fail until services are reset

There is no confirmed root cause from N-able, even after reviewing debug logs
→ Behavior is intermittent and not fully explained by vendor support


Key Takeaways

  • Often tied to database activity, not just simple file locks
  • The backup engine (not just VSS) can get stuck in a bad state
  • Restarting wbengine alongside VSS is the critical step
  • Issue is intermittent and not fully understood by N-able

Optional Preventative Considerations

  • Schedule backups outside business hours when possible
  • Ensure database-heavy applications are closed overnight
  • Watch for recurring patterns tied to specific software

Cove Backup Error – VSS Crypto Service error in System State Backup

If Cove Backup fails to backup System State because of Windows Cryptographic Service errors and Volume Shadow Copy service with the following errors or similar:

System State\ASR Writer\BCD\?\Volume{7ac063a6-0000-0000-0000-100000000000}\Boot\<VSSFileGroup>

System State\System Writer\System Files\C:\ProgramData\Microsoft\Crypto\<VSSFileGroup>\SystemKeys

System State\System Writer\System Files\C:\ProgramData\Microsoft\Crypto\<VSSFileGroup>\SystemKeys

Then the Windows Cryptographic Service needs restarted using the following powershell script or commands to allow the next backup to complete:

Powershell:

# Requires -RunAsAdministrator

Write-Host “Stopping Volume Shadow Copy…” -ForegroundColor Yellow
Stop-Service -Name “vss” -Force

Write-Host “Stopping Cryptographic Services…” -ForegroundColor Yellow
Stop-Service -Name “cryptsvc” -Force

# Small pause to allow services to completely release files

Start-Sleep -Seconds 3

Write-Host “Starting Cryptographic Services…” -ForegroundColor Green
Start-Service -Name “cryptsvc”

Write-Host “Starting Volume Shadow Copy…” -ForegroundColor Green
Start-Service -Name “vss”

Write-Host “Services successfully restarted!” -ForegroundColor Cyan

Then launch the Cove backup manager for the problem device and run a fresh backup to verify the script fixed what it needed to.

Command Prompt:

net stop cryptsvc
net start cryptsvc

If that doesn’t do it, may need to restart Volume Shadow Copy Service instead using:

net stop vss
net start vss

And if neither of those do it, start here since there may be a permissions issue for the Cryptographics service

https://me.n-able.com/s/article/Cove-System-State-backup-error-VSS-writer-System-Writer-is-missing-Please-ensure-that-Cryptographic-Services-service-has-enough-rights-because-of-incorrect-COM-Security-settings

More about the Cryptographic Service according to Gemini:

The Windows Cryptographic Services (CryptSvc) manages certificates, digital signatures, and system integrity in Windows. When a backup fails during Volume Shadow Copy (VSS), it is often because the VSS System Writer (which relies on CryptSvc) lacks the proper security rights or service permissions to query vital system files.

When Wireguard gets blocked by UniFi CyberSecure

On UniFi networks running CyberSecure, web traffic to Wireguard.com for downloads will tend to get blocked. Here’s how to allowlist in UniFi Cybersecure (as of 5/7/26, Network Application 5.0.16)

To allowlist –

Go into Unifi Network Dashboard for the Site

> Settings

> Cybersecure

> Content Filters

> Applied Policy (Default or whatever it’s named)

> Allowlist

> add wireguard.com

> Save Changes

And then refresh the webpage on whichever device you’re connecting from.

Might need to then go into Incognito to load the download.wireguard.com/windows-clients webpage, but it’ll get you moving forward again if you need it 🙂 otherwise we should have a Wireguard MSI in our IT Software Archive in OneDrive.

© 2026 Ultrex KB

Theme by Anders NorenUp ↑