Category: IT (Page 1 of 13)

Moving Volume Shadow Copy Storage to Another Drive

Check the Current Shadow Copy Storage Location

  1. Open Command Prompt as Administrator.
  2. Run:

vssadmin list shadowstorage

Review the output for each volume. You’re looking for:

  • For volume: The volume being protected (typically C:).
  • Shadow Copy Storage volume: Where the shadow copies are currently stored.
  • Used/Allocated/Maximum Space: How much storage is being used.

Example:

For volume: (C:)

Shadow Copy Storage volume: (C:)

If the storage volume is C:, the shadow copies are being stored on the system drive.

Verify the Destination Drive

Before moving the storage:

  • Confirm the destination drive (for example S:) has sufficient free space.
  • Ensure it is a local NTFS volume.
  • Verify the drive will remain connected and available.

Remove the Existing Shadow Storage Association

If shadow storage is currently on C:, remove the association:

vssadmin delete shadowstorage /for=C: /on=C:

If you receive a message stating the association was not found, it may have already been removed.

Create a New Shadow Storage Location

Create the new storage association on the destination drive: Set the size to what is preferable. 

vssadmin add shadowstorage /for=C: /on=S: /maxsize=100GB 

Replace S: and the size as appropriate for the server.

Drive TypeRecommended Shadow Copy Size
OS Drive (C:)10–20 GB (or none if storing elsewhere)
Small Data Drive (<250 GB)10–15% of the drive
Medium Data Drive (250 GB–1 TB)10–20% of the drive
Large Data Drive (>1 TB)100–300 GB, depending on change rate
File Server with frequent changes15–20% of the volume

Verify the Change

Run:

vssadmin list shadowstorage

Confirm the output now shows:

For volume: (C:)

Shadow Copy Storage volume: (S:)

This confirms the shadow copy storage has been successfully moved.

Optional Health Checks

Verify the VSS service is running:

sc query vss

Check that all VSS writers are stable:

vssadmin list writers

All writers should report:

  • State: Stable
  • Last Error: No error

Notes

  • This changes where future Volume Shadow Copies are stored. It does not move existing snapshots.
  • Existing restore points or snapshots may be removed when the old shadow storage association is deleted.
  • If this server is used for backups (such as Cove, Windows Server Backup, etc.), consider running a test backup afterward to verify VSS is functioning normally.

——————————————————————————————————————————-

Managing Local Entra ID (Azure AD) Profiles via PowerShell

Objective: Safely identify and remove cached Entra ID user profiles on local Windows devices to free up disk space and resolve profile issues.


Note on net user:
The standard net user command only queries the local Security Account Manager (SAM) database. Because Entra ID users authenticate against the cloud, Windows does not create a local SAM account for them, making them invisible to net user. The methods below must be used instead.


1. How to View Profiles via PowerShell
To get a quick list of all user profiles currently cached on a machine, run the following command in an elevated PowerShell prompt.
Entra ID profiles can be identified by their SID, which always begins with S-1-12-1.

Get-CimInstance Win32_UserProfile | Select-Object LocalPath, SID

2. How to Safely Remove Profiles via PowerShell
WARNING: Never delete a user’s folder directly from C:\Users. Doing so leaves orphaned SID entries in the registry (ProfileList). If that user logs into the device again, Windows will fail to load their profile and force them into a temporary profile (C:\Users\TEMP).


To cleanly wipe both the file system directory and the associated registry keys, run PowerShell as an Administrator and use the Remove-CimInstance command.


Method A: Remove by SID (Recommended)
Copy the SID from the viewing step and run:

Get-CimInstance Win32_UserProfile | Where-Object { $_.SID -eq "S-1-12-1-YOUR-SID-HERE" } | Remove-CimInstance

Method B: Remove by Folder Path
If you prefer to target the exact folder name located in C:\Users:

Get-CimInstance Win32_UserProfile | Where-Object { $_.LocalPath -like "*\TargetUsername" } | Remove-CimInstance

3. Essential Diagnostic Commands: quser and dsregcmd
Before removing a profile or when troubleshooting an Entra ID login issue, you should use these two built-in command-line tools to understand the current state of the machine.
Checking Active Sessions with quser
While Get-CimInstance shows you every profile saved on the disk, it doesn’t tell you if the user is currently using the machine.
Run this in CMD or PowerShell:

quser
  • What it does: Displays all currently active or disconnected login sessions on the machine.
  • Why use it: Always run quser before deleting a profile to ensure the target user doesn’t currently have a locked/disconnected session running in the background. You cannot cleanly delete a profile that is actively loaded into memory.

Checking Cloud Connectivity with dsregcmd /status
If an Entra ID user is failing to log in, or their profile isn’t syncing properly, the issue might be with the device itself rather than the user profile.
Run this in CMD or PowerShell (no admin required):

dsregcmd /status
  • What it does: Outputs the complete Azure AD/Entra ID registration status of the local device.
  • What to look for:
    AzureAdJoined : YES (Under Device State): Confirms the machine is successfully joined to the client’s cloud tenant.
    AzureAdPrt : YES (Under SSO State): Confirms the user has a valid Primary Refresh Token. If this says NO, the user’s cloud credentials are out of sync or expired, which will break access to local Office apps and OneDrive.

Appendix: The GUI Method
If technicians prefer a visual interface, or if you are doing a bulk cleanup on a single machine, use the native Windows tool:

  1. Open the Run dialog (Win + R) or CMD.
  2. Type sysdm.cpl and press Enter.
  3. Navigate to the Advanced tab.
  4. Under the User Profiles section, click Settings.
  5. Select the target profile from the list and click Delete.

This executes the same safe removal process as the PowerShell commands above.

Cove Backup Failures – MS SQL / File In Use Errors

Related Ticket: #6220

Overview

Cove backups may fail or complete with errors indicating that files (often SQL-related or tax software database/temp files) are “in use by another process.”

This is most commonly seen with accounting/tax applications (e.g., Accounting CS), where background database activity interferes with snapshot-based backups.


Symptoms

You may see the following in Cove:

  • Backup completes with errors
  • Repeated failures on specific files
  • Error message similar to:
    • “The process cannot access the file because it is being used by another process”

Common file types involved:

  • SQL database files (.mdf, .ldf)
  • Temp database files
  • Application-specific database components (Accounting CS, etc.)

Resolution

Step 1 – Restart Backup-Related Services

Reset the Windows Backup Engine and VSS services:

net stop wbengine
net stop vss
net stop swprv

net start swprv
net start vss
net start wbengine

Notes:

  • wbengine = Windows Backup Engine (key factor in this case)
  • vss = Volume Shadow Copy Service
  • swprv = Microsoft Software Shadow Copy Provider

Step 2 – Manually Run Backup

  • Trigger a manual backup
  • Confirm successful completion

Step 3 – Monitor Scheduled Backup

  • Leave auto-backup enabled
  • Verify next scheduled run completes successfully

When to Use This Fix

  • Backup errors reference “file in use”
  • Files are tied to SQL or database-driven applications
  • Issue repeats across multiple runs
  • Manual retries alone do not resolve it
  • Issue clears after service restart

Root Cause (Observed Behavior)

Based on troubleshooting from this case:

  • The issue is triggered when an application keeps a database file “active” during backup
  • Even though VSS is designed to handle open files, something in the backup chain can become unstable
  • When a disconnect or interruption occurs, related services (especially backup engine components) may get into a bad state
  • Once this happens, backups continue to fail until services are reset

There is no confirmed root cause from N-able, even after reviewing debug logs
→ Behavior is intermittent and not fully explained by vendor support


Key Takeaways

  • Often tied to database activity, not just simple file locks
  • The backup engine (not just VSS) can get stuck in a bad state
  • Restarting wbengine alongside VSS is the critical step
  • Issue is intermittent and not fully understood by N-able

Optional Preventative Considerations

  • Schedule backups outside business hours when possible
  • Ensure database-heavy applications are closed overnight
  • Watch for recurring patterns tied to specific software

Cove Backup Error – VSS Crypto Service error in System State Backup

If Cove Backup fails to backup System State because of Windows Cryptographic Service errors and Volume Shadow Copy service with the following errors or similar:

System State\ASR Writer\BCD\?\Volume{7ac063a6-0000-0000-0000-100000000000}\Boot\<VSSFileGroup>

System State\System Writer\System Files\C:\ProgramData\Microsoft\Crypto\<VSSFileGroup>\SystemKeys

System State\System Writer\System Files\C:\ProgramData\Microsoft\Crypto\<VSSFileGroup>\SystemKeys

Then the Windows Cryptographic Service needs restarted using the following powershell script or commands to allow the next backup to complete:

Powershell:

# Requires -RunAsAdministrator

Write-Host “Stopping Volume Shadow Copy…” -ForegroundColor Yellow
Stop-Service -Name “vss” -Force

Write-Host “Stopping Cryptographic Services…” -ForegroundColor Yellow
Stop-Service -Name “cryptsvc” -Force

# Small pause to allow services to completely release files

Start-Sleep -Seconds 3

Write-Host “Starting Cryptographic Services…” -ForegroundColor Green
Start-Service -Name “cryptsvc”

Write-Host “Starting Volume Shadow Copy…” -ForegroundColor Green
Start-Service -Name “vss”

Write-Host “Services successfully restarted!” -ForegroundColor Cyan

Then launch the Cove backup manager for the problem device and run a fresh backup to verify the script fixed what it needed to.

Command Prompt:

net stop cryptsvc
net start cryptsvc

If that doesn’t do it, may need to restart Volume Shadow Copy Service instead using:

net stop vss
net start vss

And if neither of those do it, start here since there may be a permissions issue for the Cryptographics service

https://me.n-able.com/s/article/Cove-System-State-backup-error-VSS-writer-System-Writer-is-missing-Please-ensure-that-Cryptographic-Services-service-has-enough-rights-because-of-incorrect-COM-Security-settings

More about the Cryptographic Service according to Gemini:

The Windows Cryptographic Services (CryptSvc) manages certificates, digital signatures, and system integrity in Windows. When a backup fails during Volume Shadow Copy (VSS), it is often because the VSS System Writer (which relies on CryptSvc) lacks the proper security rights or service permissions to query vital system files.

How to make Safari and Firefox open in incognito or private mode every time

If you’re anything like me, you use chrome for your primary browsing, but pretty much every time you open firefox or safari, you’re specifically just wanting another inconito window that isn’t logged into whatever you might have going in your chrome incog session.

I regularly have chromes incog signed into a given ms365 admin panel, then need to sign into a given user of that org with the temp pass I’ve just made- and today I finally got annoyed enough to look at how to make firefox and safari just open in incognito mode every time since that’s the only reason I ever open them. If that’s some thing that would make your life easier too:

Safari
Safari allows you to change its default launching behavior directly within its application settings.

  • Open Safari.
  • Click on Safari in the top menu bar and select Settings… (or press Cmd + ,).
  • Ensure you are on the General tab.
  • Look for the dropdown menu labeled Safari opens with:.
  • Change this option to A new private window.

Firefox
Firefox offers two different approaches depending on how you want the browser to behave.
Method 1: The “Never Remember History” Mode (Recommended)
This method forces Firefox to run in a permanent private browsing mode. The browser looks normal, but it will never save history, cookies, or site data.

  • Open Firefox.
  • Click the three horizontal lines (menu icon) in the top-right corner and select Settings (or press Cmd + ,).
  • Click on Privacy & Security in the left-hand sidebar.
  • Scroll down to the History section.
  • In the dropdown menu next to Firefox will:, select Use custom settings for history.
  • Check the box that says Always use private browsing mode.
  • Firefox will prompt you to restart the browser to apply the change.

Diagnosing Scanning Issues

Diagnosing and Fixing Windows Firewall/Network Profile Issues Blocking SMB

A device on the network (scanner, printer, external system) can’t reach a Windows machine’s shared folder over SMB (port 445). The credentials are correct, the share exists, but the inbound connection silently fails. Most often, the Windows machine’s network profile is set to Public instead of Private, which disables the SMB-In firewall rule by default.

This guide walks through rapid diagnosis via PowerShell and shows how to repair it efficiently.


One-Pass Diagnostic (run this first)

Copy and paste this entire script to get a complete picture:

Write-Host "=== SMB Connectivity Diagnosis ===" -ForegroundColor Cyan
Write-Host "`n1. Network Profile" -ForegroundColor Yellow
Get-NetConnectionProfile | Select InterfaceAlias, NetworkCategory

Write-Host "`n2. SMB Shares on this machine" -ForegroundColor Yellow
Get-SmbShare | Select Name, Path, Description

Write-Host "`n3. SMB-In Firewall Rule State" -ForegroundColor Yellow
Get-NetFirewallRule -DisplayGroup "File and Printer Sharing" |
    Where-Object { $_.DisplayName -eq "File and Printer Sharing (SMB-In)" } |
    Select DisplayName, Enabled, Profile

Write-Host "`n4. Wi-Fi Signal and Driver (if applicable)" -ForegroundColor Yellow
netsh wlan show interfaces | Select-String "Signal|RSSI|Channel|DriverVersion" -ErrorAction SilentlyContinue
Get-NetAdapter -Name "Wi-Fi" -ErrorAction SilentlyContinue | Select Name, DriverVersion, DriverDate

Write-Host "`n5. Known Network Profiles (check for duplicates)" -ForegroundColor Yellow
Get-ChildItem "HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkList\Profiles" -ErrorAction SilentlyContinue |
    ForEach-Object {
        $p = Get-ItemProperty $_.PSPath
        [PSCustomObject]@{
            Name     = $p.ProfileName
            Category = switch ($p.Category) {0{'Public'}1{'Private'}2{'Domain'}}
        }
    } | Sort-Object Name | Format-Table -AutoSize

This single command will tell you your network profile, active shares, firewall rule state, Wi-Fi quality, driver version, and any duplicate network profiles. Run it and look at the output — most issues are visible immediately.


Quick Reference: Common Repairs

Profile is Public, needs to be Private:

Set-NetConnectionProfile -InterfaceAlias "Wi-Fi" -NetworkCategory Private

SMB-In is disabled for Public, need to enable it (scoped to LocalSubnet):

Get-NetFirewallRule -DisplayGroup "File and Printer Sharing" | Where-Object { $_.DisplayName -eq "File and Printer Sharing (SMB-In)" -and $_.Profile -match "Public" } | Set-NetFirewallRule -Enabled True -RemoteAddress LocalSubnet

Test auth from a remote machine (the real test):

net use \\192.168.1.188\SCANS /user:Scanning Scanning12
net use
net use \\192.168.1.188\SCANS /delete

Disable Wi-Fi power management (if the adapter is powering down):

Disable-NetAdapterPowerManagement -Name "Wi-Fi"

Verify the fix worked:

Get-NetConnectionProfile | Select InterfaceAlias, NetworkCategory
Get-NetFirewallRule -DisplayGroup "File and Printer Sharing" | Where-Object { $_.DisplayName -eq "File and Printer Sharing (SMB-In)" } | Select DisplayName, Enabled, Profile

Quick Triage (60 seconds)

Start here to determine if this is a firewall/profile problem or something else.

1. Confirm the share exists and the basic path works

List all SMB shares on this machine:

Get-SmbShare | Select Name, Path, Description

What to look for:

  • Is your target share listed? (e.g., SCANS, C$, FileShare)
  • What local path does it point to? (e.g., C:\SCANS)

If not found: The share doesn’t exist. Create it first before proceeding. This diagnostic won’t help a missing share.

2. Test credentials against the share from a remote machine

If possible, run this from another machine on the same network (not from the target itself). Replace 192.168.1.188 with the target IP and “SCANS” with your share name:

net use \\192.168.1.188\SCANS /user:Scanning Scanning12
net use
net use \\192.168.1.188\SCANS /delete

What to look for:

  • “The command completed successfully” → Auth works. The problem is firewall/inbound rules on the target.
  • Error 1326 → Bad username or password. Fix credentials and re-test.
  • Error 53 / 64 → Network unreachable or path not found. Check IP, routing, and share name spelling.
  • Error 5 → Auth worked, but permission denied. Check share NTFS permissions.

Key point: If net use succeeds from another machine but the remote device (scanner) still can’t connect, the issue is inbound firewall rules on your target machine — proceed to step 3 below.


Diagnosis: Network Profile and Firewall Rules

If you’ve confirmed credentials and share existence, the culprit is almost always the network profile category (Public vs Private) and the SMB-In inbound firewall rule.

3. Check the NIC’s network profile

Get-NetConnectionProfile | Select InterfaceAlias, NetworkCategory

What to look for:

  • NetworkCategory: PublicThis is the problem. SMB-In is disabled for Public by default.
  • NetworkCategory: Private → Correct for a trusted LAN. Firewall should allow SMB. Proceed to step 4.
  • NetworkCategory: Domain → Domain-joined machine. Profile rules apply per-domain policy.

If Public: Note the InterfaceAlias (usually Wi-Fi or Ethernet). You’ll need it for the fix.

4. Check the SMB-In firewall rule state

Get-NetFirewallRule -DisplayGroup "File and Printer Sharing" |
    Where-Object { $_.Direction -eq "Inbound" } |
    Select DisplayName, Enabled, Profile, Action

What to look for:

  • Find the row File and Printer Sharing (SMB-In)
  • Check the Enabled and Profile columns for your NIC’s profile (Public, Private, or Domain)
  • If Enabled: False for the Public/Private profile your NIC is on, SMB-In is blocked — that’s your answer

Example of disabled SMB-In on Public:

DisplayName                        Enabled  Profile  Action
-----------                        -------  -------  ------
File and Printer Sharing (SMB-In)   False    Public   Allow
File and Printer Sharing (SMB-In)    True    Private  Allow

If your NIC is on Public and SMB-In shows False for Public, you’ve found the root cause.

5. Verify the target machine can be reached on port 445

Run this from the remote machine trying to connect (scanner, printer, another computer):

Test-NetConnection -ComputerName 192.168.1.188 -Port 445

What to look for:

  • TcpTestSucceeded: True → Port is reachable. Confirms network connectivity and the SMB port is listening.
  • TcpTestSucceeded: False → Port blocked. Either the firewall rule is denying (step 4), the machine is offline, or network routing is broken.

Additional Context: Check for duplicate profiles and reconnect churn

If you’re seeing intermittent issues or the profile keeps changing, check for accumulated duplicate network profiles:

Get-ChildItem "HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkList\Profiles" |
    ForEach-Object {
        $p = Get-ItemProperty $_.PSPath
        [PSCustomObject]@{
            Name                = $p.ProfileName
            Category            = switch ($p.Category) {0{'Public'}1{'Private'}2{'Domain'}}
            DateCreated         = [DateTime]::FromFileTime([UInt64]$p.DateCreated[0])
            DateLastConnected   = [DateTime]::FromFileTime([UInt64]$p.DateLastConnected[0])
        }
    } | Format-Table -AutoSize

What to look for:

  • Multiple entries for the same network name (e.g., “Office WiFi”, “Office WiFi 2”, “Office WiFi 3”)
  • Duplicate profiles = Windows re-identified the network multiple times, creating a new profile each time (usually due to Wi-Fi reconnects)
  • The most recent DateLastConnected is the one currently in use
  • If duplicates are classified Public, each one is a potential liability

Why this matters: Frequent Wi-Fi disconnects can cause Windows to create new profiles that default to Public. Even if you fix the current one to Private, a re-identification creates a new Public profile next time.


Repair: Setting the Profile and Enabling SMB-In

Once you’ve identified the issue (usually Public profile + SMB-In disabled), fix it in order of least to most invasive.

Fix 1: Change the profile to Private (recommended)

Get the exact interface alias first:

Get-NetConnectionProfile | Select InterfaceAlias, NetworkCategory

Set it to Private (replace “Wi-Fi” with your InterfaceAlias if different):

Set-NetConnectionProfile -InterfaceAlias "Wi-Fi" -NetworkCategory Private

Verify the change:

Get-NetConnectionProfile | Select InterfaceAlias, NetworkCategory

Expected result:

InterfaceAlias  NetworkCategory
-----------     ---------------
Wi-Fi           Private

This immediately activates all the inbound rules that are already enabled for Private, including SMB-In. For a machine on a trusted internal LAN, Private is the semantically correct setting.

Test: From the remote machine, try the connection again:

net use \\192.168.1.188\SCANS /user:Scanning Scanning12

Fix 2: Enable SMB-In for the Public profile (if the profile must stay Public)

If for some reason the profile must remain Public, explicitly enable the SMB-In rule for Public and scope it to your local subnet:

Get-NetFirewallRule -DisplayGroup "File and Printer Sharing" |
    Where-Object { $_.DisplayName -eq "File and Printer Sharing (SMB-In)" -and $_.Profile -match "Public" } |
    Set-NetFirewallRule -Enabled True -RemoteAddress LocalSubnet

Verify:

Get-NetFirewallRule -DisplayGroup "File and Printer Sharing" |
    Where-Object { $_.DisplayName -eq "File and Printer Sharing (SMB-In)" } |
    Select DisplayName, Enabled, Profile, @{N='RemoteAddress';E={($_ | Get-NetFirewallAddressFilter).RemoteAddress}}

Expected result:

DisplayName                       Enabled  Profile  RemoteAddress
-----------                       -------  -------  ---------
File and Printer Sharing (SMB-In)   True    Public   LocalSubnet
File and Printer Sharing (SMB-In)   True    Private  LocalSubnet

The LocalSubnet scope limits SMB to local-segment IPs only, preventing exposure if the device lands on an untrusted network.


Preventive Diagnosis: Identify root causes of profile instability

If this issue recurs, the problem is usually network profile churn — Windows re-identifying the network and creating new profiles. Investigate these:

Check Wi-Fi signal and AP quality

netsh wlan show interfaces

Look for:

  • Signal: 70% or higher → Good. Low signal is a common cause of reconnects.
  • Channel → Check if it’s congested (2.4 GHz channels 1/6/11 are standard; 5 GHz has more space).
  • RSSI: -60 dBm or better → Solid. Anything worse is weak.

If signal is poor: The problem is RF. Move the access point or relocate the device closer.

Check for driver issues

Get-NetAdapter -Name "Wi-Fi" | Select Name, DriverVersion, DriverDate

Look for:

  • DriverDate more than a year old? Update the driver from the NIC vendor (Intel, Qualcomm, Realtek, etc.) directly — don’t rely on Windows Update.

Check power management (on laptops especially)

Get-NetAdapterPowerManagement -Name "Wi-Fi"

Look for:

  • SelectiveSuspend: Enabled or DeviceSleepOnDisconnect: Enabled → These can cause disconnects to save power. Disable them on a desktop or stationary device.

If these are enabled, disable them:

Disable-NetAdapterPowerManagement -Name "Wi-Fi"

Check for duplicate network profiles (indicates reconnect churn)

See the registry query in the “Additional Context” section above. Multiple profiles for the same network name is a red flag for instability.

If duplicates exist: Back up the registry key, then remove stale duplicates (keep only the most recently connected one). Each reconnect event creates a new candidate for being classified Public, so cleaning them up reduces surface area.


Complete diagnostic script (one-liner)

Here’s a single script that runs all the key diagnostics and formats them for quick review:

Write-Host "=== SMB Connectivity Diagnosis ===" -ForegroundColor Cyan
Write-Host "`n1. Network Profile" -ForegroundColor Yellow
Get-NetConnectionProfile | Select InterfaceAlias, NetworkCategory

Write-Host "`n2. SMB Shares on this machine" -ForegroundColor Yellow
Get-SmbShare | Select Name, Path, Description

Write-Host "`n3. SMB-In Firewall Rule State" -ForegroundColor Yellow
Get-NetFirewallRule -DisplayGroup "File and Printer Sharing" |
    Where-Object { $_.DisplayName -eq "File and Printer Sharing (SMB-In)" } |
    Select DisplayName, Enabled, Profile

Write-Host "`n4. Wi-Fi Signal and Driver (if applicable)" -ForegroundColor Yellow
netsh wlan show interfaces | Select-String "Signal|RSSI|Channel|DriverVersion" -ErrorAction SilentlyContinue
Get-NetAdapter -Name "Wi-Fi" -ErrorAction SilentlyContinue | Select Name, DriverVersion, DriverDate

Write-Host "`n5. Known Network Profiles (check for duplicates)" -ForegroundColor Yellow
Get-ChildItem "HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkList\Profiles" -ErrorAction SilentlyContinue |
    ForEach-Object {
        $p = Get-ItemProperty $_.PSPath
        [PSCustomObject]@{
            Name     = $p.ProfileName
            Category = switch ($p.Category) {0{'Public'}1{'Private'}2{'Domain'}}
        }
    } | Sort-Object Name | Format-Table -AutoSize

Run this when a connectivity issue comes in, and it gives you a full picture in one pass.


Troubleshooting matrix

SymptomDiagnosis CommandLikely CauseFix
Remote device can’t connect, no error codeGet-NetConnectionProfileNetwork profile is PublicSet to Private
Remote device gets generic “connection error”Check SMB-In rule with Get-NetFirewallRuleSMB-In disabled on active profileEnable SMB-In or switch to Private
Port 445 shows closed from remoteTest-NetConnection -Port 445Firewall blocking or service not listeningEnable rule, or Test-NetConnection localhost 445 to confirm SMB is up
Auth succeeds locally but fails remotelynet use from remote machineLikely a firewall rule keying off profile, not share/authConfirm profile and SMB-In rule state
Problem happens intermittentlyGet-ChildItem .../NetworkList/ProfilesDuplicate profiles from Wi-Fi reconnects; newer profile is PublicClean duplicates; investigate RF stability
Problem returns weeks laternetsh wlan show interfaces + driver checkUnstable Wi-Fi or driver issue causing reconnectsUpdate driver, optimize Wi-Fi channel/placement, or move to wired

Quick reference: Common PowerShell repairs

Profile is Public, needs to be Private:

Set-NetConnectionProfile -InterfaceAlias "Wi-Fi" -NetworkCategory Private

SMB-In is disabled for Public, need to enable it:

Get-NetFirewallRule -DisplayGroup "File and Printer Sharing" |
    Where-Object { $_.DisplayName -eq "File and Printer Sharing (SMB-In)" -and $_.Profile -match "Public" } |
    Set-NetFirewallRule -Enabled True -RemoteAddress LocalSubnet

Test auth from remote (safest test):

net use \\<target-ip>\<share-name> /user:<username> <password>
net use \\<target-ip>\<share-name> /delete

Disable Wi-Fi power management (if adapter is powering down):

Disable-NetAdapterPowerManagement -Name "Wi-Fi"

When to escalate

If after these steps the issue persists, check:

  • Third-party firewall/endpoint protection (Sophos, SentinelOne, ZeroTrust) — these can override Windows Firewall. Check their console for 445 rules.
  • Network/VLAN isolation — confirm both machines are on the same network segment (DHCP scope, VLAN, or subnet).
  • SMB protocol version mismatch — older devices may only speak SMBv1, which is disabled on modern Windows for security. Check device firmware.
  • DNS/hostname resolution — if the remote device is resolving a hostname instead of an IP, confirm it’s reaching the right target.

Using Web sign in with TAP

Passwordless Login to Entra-Joined Devices Using a Temporary Access Pass (TAP)

TL;DR

Run this command on an Entra-joined Windows device (elevated Command Prompt), reboot, enable TAP in the Entra admin center, issue a passcode, and your user is one globe-icon-click away from a passwordless sign-in:

reg add HKLM\SOFTWARE\Microsoft\PolicyManager\current\device\Authentication /v EnableWebSignIn /t REG_DWORD /d 1 /f


Handing a user a short-lived passcode that gets them straight to the Windows desktop — no password, no MFA prompt, no helpdesk back-and-forth — is one of the cleanest workflows Microsoft has shipped in years. The trick is pairing a Temporary Access Pass (TAP) from Microsoft Entra ID with the Web Sign-in credential provider in Windows.

This walkthrough covers the whole flow: flipping on Web Sign-in with a single registry command, enabling the TAP policy in Entra, issuing the passcode, and logging in on the device.


What You’ll Need

  • A Microsoft Entra joined device (this does not work on Hybrid Joined or AD-only machines)
  • Windows 11 22H2 with KB5030310 or later (Windows 10 1809+ works for Web Sign-in but Windows 11 is strongly preferred)
  • Microsoft Entra ID P1 license or higher for the user
  • One of these admin roles to issue the TAP: Global Administrator, Privileged Authentication Administrator, or Authentication Administrator
  • Authentication Policy Administrator role to configure the TAP policy itself

Step 1: Enable Web Sign-in on the Device

Web Sign-in is the credential provider that puts the little globe icon on the Windows lock screen. Without it, the device has nowhere to accept a TAP code at sign-in time.

Open an elevated Command Prompt (Run as administrator) on the target device and run:

reg add HKLM\SOFTWARE\Microsoft\PolicyManager\current\device\Authentication /v EnableWebSignIn /t REG_DWORD /d 1 /f

That’s it. What this does:

  • HKLM\SOFTWARE\Microsoft\PolicyManager\current\device\Authentication is the policy location Windows reads at sign-in
  • EnableWebSignIn is the value name that toggles the Web Sign-in credential provider
  • REG_DWORD /d 1 sets it to enabled (use 0 to disable later)
  • /f is force, no confirmation prompt

Reboot the device for the change to take effect. After it comes back up, you’ll see a new sign-in option on the lock screen — a small globe icon under “Sign-in options.”

Doing this at scale? The registry command is great for testing, recovery, or a single device. For fleet-wide deployment, push the equivalent setting through Intune: Devices → Configuration → Create → Settings catalog → Authentication → Enable Web Sign In → Enabled. Same outcome, but managed centrally and survives device wipes.


Step 2: Enable the Temporary Access Pass Policy in Entra

TAP is off by default in the tenant. Turn it on:

  1. Go to the Microsoft Entra admin center at entra.microsoft.com
  2. Navigate to Protection → Authentication methods → Policies
  3. Click Temporary Access Pass
  4. Switch Enable to On
  5. Under Target, choose All users or scope to a specific group (recommended for pilots)
  6. Click the Configure tab and set:
    • Minimum lifetime: 1 hour
    • Maximum lifetime: 8 hours (this is the hard ceiling Microsoft allows)
    • Default lifetime: 1 hour
    • One-time use: No if the device will reboot during setup, Yes for tighter security
    • Length: 8 characters minimum
  7. Click Save

Replication can take a few minutes. If a TAP prompt doesn’t appear right away, give it 5–10 minutes.


Step 3: Issue a TAP to the User

  1. In the Entra admin center, go to Identity → Users → All users
  2. Find and click the user
  3. Open Authentication methods in the left menu
  4. Click + Add authentication method
  5. From the dropdown, choose Temporary Access Pass
  6. Set the activation time, lifetime, and one-time use preference
  7. Click Add

Entra will display the passcode exactly once. Copy it now — once you close the window, it’s gone. Hand it to the user through a secure channel (in person, a phone call, or a verified secure messaging tool — not plain email).


Step 4: Sign In to the Device With the TAP

On the Windows lock screen:

  1. Click Sign-in options below the password field
  2. Click the globe icon (Web Sign-in)
  3. Click Sign in
  4. Enter the user’s UPN (e.g., jane.doe@contoso.com) and click Next
  5. When prompted, enter the Temporary Access Pass code
  6. Windows authenticates against Entra and signs the user in to the desktop

No password. No MFA prompt. The user is in.


Gotchas Worth Knowing

  • Entra Joined only. Web Sign-in + TAP doesn’t work on Hybrid Joined or domain-joined devices. On those, the user has to authenticate with a password, smart card, or FIDO2 key first, and TAP can only be used to register Windows Hello afterward.
  • Internet required. Web Sign-in needs an active connection. Offline sign-in falls back to cached credentials.
  • Web Sign-in becomes the default credential provider after it’s used, which can confuse users on subsequent sign-ins. If that’s an issue, push an Intune policy to set Password (or Windows Hello) as the default credential provider: Settings catalog → Administrative Templates → System → Logon → Assign a default credential provider.
  • Conditional Access still applies. If your CA policies require compliant devices or specific locations, TAP sign-in respects those rules.
  • Federated tenants: if FederatedIdpMfaBehavior is set to enforceMfaByFederatedIdp, the user gets redirected to the federated IdP instead of seeing a TAP prompt. Set it to acceptIfMfaDoneByFederatedIdp if you want TAP to be accepted.

Setup Guide: Enabling Google Authenticator for an MS365 Org through Entra

Refer to this scribe guide if easier to interact with:

https://scribehow.com/page/Setup_Guide_Enabling_Google_Authenticator_for_an_MS365_Org_through_Entra__4Bga1zmmQDu7NrgOK858nA

Configuring Third-Party OATH TOTP Applications for Multi-Factor Authentication

This guide provides instructions for enabling and configuring third-party authenticator apps (such as Google Authenticator or Authy) as a secondary sign-in method for Microsoft 365 accounts through Entra. This is an alternative for users who prefer not to use the Microsoft Authenticator app.

Target Audience: This document includes both administrative configuration steps (for IT staff) and end-user setup instructions.

Before users can add a third-party app, the Microsoft Entra ID tenant must be configured to allow “Software OATH tokens.”

1. Enable OATH Tokens

  1. Log in to the Microsoft Entra admin center.
  2. Navigate to Protection > Authentication methods > Policies.
  3. Select Software OATH tokens.
  4. Set the Enable toggle to On.
  5. In the Target tab, select the appropriate groups or All users.
  6. Click Save.

2. Resolving “Missing Link” Issues

If users report they cannot see the option for “Different authenticator app,” check the following settings:

  • Registration Campaign:
    • Navigate to Authentication methods > Registration campaign.
    • If state is set to Microsoft Managed, Microsoft may hide other options to force the use of the Microsoft app. Consider just setting to “Enabled” or adding an exclusion for specific users during setup.
  • System-preferred MFA:
    • Navigate to Authentication methods > Settings.
    • If enabled, Entra ID will automatically skip selection screens to prompt for the most secure method found. This is preferred to leave enabled to make sure strongest MFA method is selected, but if it causes issues, switch to “Disabled”

When Wireguard gets blocked by UniFi CyberSecure

On UniFi networks running CyberSecure, web traffic to Wireguard.com for downloads will tend to get blocked. Here’s how to allowlist in UniFi Cybersecure (as of 5/7/26, Network Application 5.0.16)

To allowlist –

Go into Unifi Network Dashboard for the Site

> Settings

> Cybersecure

> Content Filters

> Applied Policy (Default or whatever it’s named)

> Allowlist

> add wireguard.com

> Save Changes

And then refresh the webpage on whichever device you’re connecting from.

Might need to then go into Incognito to load the download.wireguard.com/windows-clients webpage, but it’ll get you moving forward again if you need it 🙂 otherwise we should have a Wireguard MSI in our IT Software Archive in OneDrive.

« Older posts

© 2026 Ultrex KB

Theme by Anders NorenUp ↑