Replace S: and the size as appropriate for the server.
Drive Type
Recommended Shadow Copy Size
OS Drive (C:)
10–20 GB (or none if storing elsewhere)
Small Data Drive (<250 GB)
10–15% of the drive
Medium Data Drive (250 GB–1 TB)
10–20% of the drive
Large Data Drive (>1 TB)
100–300 GB, depending on change rate
File Server with frequent changes
15–20% of the volume
Verify the Change
Run:
vssadmin list shadowstorage
Confirm the output now shows:
For volume: (C:)
Shadow Copy Storage volume: (S:)
This confirms the shadow copy storage has been successfully moved.
Optional Health Checks
Verify the VSS service is running:
sc query vss
Check that all VSS writers are stable:
vssadmin list writers
All writers should report:
State: Stable
Last Error: No error
Notes
This changes where future Volume Shadow Copies are stored. It does not move existing snapshots.
Existing restore points or snapshots may be removed when the old shadow storage association is deleted.
If this server is used for backups (such as Cove, Windows Server Backup, etc.), consider running a test backup afterward to verify VSS is functioning normally.
Objective: Safely identify and remove cached Entra ID user profiles on local Windows devices to free up disk space and resolve profile issues.
Note on net user: The standard net user command only queries the local Security Account Manager (SAM) database. Because Entra ID users authenticate against the cloud, Windows does not create a local SAM account for them, making them invisible to net user. The methods below must be used instead.
1. How to View Profiles via PowerShell To get a quick list of all user profiles currently cached on a machine, run the following command in an elevated PowerShell prompt. Entra ID profiles can be identified by their SID, which always begins with S-1-12-1.
2. How to Safely Remove Profiles via PowerShell WARNING: Never delete a user’s folder directly from C:\Users. Doing so leaves orphaned SID entries in the registry (ProfileList). If that user logs into the device again, Windows will fail to load their profile and force them into a temporary profile (C:\Users\TEMP).
To cleanly wipe both the file system directory and the associated registry keys, run PowerShell as an Administrator and use the Remove-CimInstance command.
Method A: Remove by SID (Recommended) Copy the SID from the viewing step and run:
3. Essential Diagnostic Commands: quser and dsregcmd Before removing a profile or when troubleshooting an Entra ID login issue, you should use these two built-in command-line tools to understand the current state of the machine. Checking Active Sessions with quser While Get-CimInstance shows you every profile saved on the disk, it doesn’t tell you if the user is currently using the machine. Run this in CMD or PowerShell:
quser
What it does: Displays all currently active or disconnected login sessions on the machine.
Why use it: Always run quser before deleting a profile to ensure the target user doesn’t currently have a locked/disconnected session running in the background. You cannot cleanly delete a profile that is actively loaded into memory.
Checking Cloud Connectivity with dsregcmd /status If an Entra ID user is failing to log in, or their profile isn’t syncing properly, the issue might be with the device itself rather than the user profile. Run this in CMD or PowerShell (no admin required):
dsregcmd /status
What it does: Outputs the complete Azure AD/Entra ID registration status of the local device.
What to look for: • AzureAdJoined : YES (Under Device State): Confirms the machine is successfully joined to the client’s cloud tenant. • AzureAdPrt : YES (Under SSO State): Confirms the user has a valid Primary Refresh Token. If this says NO, the user’s cloud credentials are out of sync or expired, which will break access to local Office apps and OneDrive.
Appendix: The GUI Method If technicians prefer a visual interface, or if you are doing a bulk cleanup on a single machine, use the native Windows tool:
Open the Run dialog (Win + R) or CMD.
Type sysdm.cpl and press Enter.
Navigate to the Advanced tab.
Under the User Profiles section, click Settings.
Select the target profile from the list and click Delete.
This executes the same safe removal process as the PowerShell commands above.
Cove backups may fail or complete with errors indicating that files (often SQL-related or tax software database/temp files) are “in use by another process.”
This is most commonly seen with accounting/tax applications (e.g., Accounting CS), where background database activity interferes with snapshot-based backups.
Symptoms
You may see the following in Cove:
Backup completes with errors
Repeated failures on specific files
Error message similar to:
“The process cannot access the file because it is being used by another process”
If Cove Backup fails to backup System State because of Windows Cryptographic Service errors and Volume Shadow Copy service with the following errors or similar:
System State\ASR Writer\BCD\?\Volume{7ac063a6-0000-0000-0000-100000000000}\Boot\<VSSFileGroup>
System State\System Writer\System Files\C:\ProgramData\Microsoft\Crypto\<VSSFileGroup>\SystemKeys
System State\System Writer\System Files\C:\ProgramData\Microsoft\Crypto\<VSSFileGroup>\SystemKeys
Then the Windows Cryptographic Service needs restarted using the following powershell script or commands to allow the next backup to complete:
More about the Cryptographic Service according to Gemini:
The Windows Cryptographic Services (CryptSvc) manages certificates, digital signatures, and system integrity in Windows. When a backup fails during Volume Shadow Copy (VSS), it is often because the VSS System Writer (which relies on CryptSvc) lacks the proper security rights or service permissions to query vital system files.
If you’re anything like me, you use chrome for your primary browsing, but pretty much every time you open firefox or safari, you’re specifically just wanting another inconito window that isn’t logged into whatever you might have going in your chrome incog session.
I regularly have chromes incog signed into a given ms365 admin panel, then need to sign into a given user of that org with the temp pass I’ve just made- and today I finally got annoyed enough to look at how to make firefox and safari just open in incognito mode every time since that’s the only reason I ever open them. If that’s some thing that would make your life easier too:
Safari Safari allows you to change its default launching behavior directly within its application settings.
Open Safari.
Click on Safari in the top menu bar and select Settings… (or press Cmd + ,).
Ensure you are on the General tab.
Look for the dropdown menu labeled Safari opens with:.
Change this option to A new private window.
Firefox Firefox offers two different approaches depending on how you want the browser to behave. Method 1: The “Never Remember History” Mode (Recommended) This method forces Firefox to run in a permanent private browsing mode. The browser looks normal, but it will never save history, cookies, or site data.
Open Firefox.
Click the three horizontal lines (menu icon) in the top-right corner and select Settings (or press Cmd + ,).
Click on Privacy & Security in the left-hand sidebar.
Scroll down to the History section.
In the dropdown menu next to Firefox will:, select Use custom settings for history.
Check the box that says Always use private browsing mode.
Firefox will prompt you to restart the browser to apply the change.
Diagnosing and Fixing Windows Firewall/Network Profile Issues Blocking SMB
A device on the network (scanner, printer, external system) can’t reach a Windows machine’s shared folder over SMB (port 445). The credentials are correct, the share exists, but the inbound connection silently fails. Most often, the Windows machine’s network profile is set to Public instead of Private, which disables the SMB-In firewall rule by default.
This guide walks through rapid diagnosis via PowerShell and shows how to repair it efficiently.
One-Pass Diagnostic (run this first)
Copy and paste this entire script to get a complete picture:
This single command will tell you your network profile, active shares, firewall rule state, Wi-Fi quality, driver version, and any duplicate network profiles. Run it and look at the output — most issues are visible immediately.
Start here to determine if this is a firewall/profile problem or something else.
1. Confirm the share exists and the basic path works
List all SMB shares on this machine:
Get-SmbShare | Select Name, Path, Description
What to look for:
Is your target share listed? (e.g., SCANS, C$, FileShare)
What local path does it point to? (e.g., C:\SCANS)
If not found: The share doesn’t exist. Create it first before proceeding. This diagnostic won’t help a missing share.
2. Test credentials against the share from a remote machine
If possible, run this from another machine on the same network (not from the target itself). Replace 192.168.1.188 with the target IP and “SCANS” with your share name:
net use \\192.168.1.188\SCANS /user:Scanning Scanning12
net use
net use \\192.168.1.188\SCANS /delete
What to look for:
“The command completed successfully” → Auth works. The problem is firewall/inbound rules on the target.
Error 1326 → Bad username or password. Fix credentials and re-test.
Error 53 / 64 → Network unreachable or path not found. Check IP, routing, and share name spelling.
Key point: If net use succeeds from another machine but the remote device (scanner) still can’t connect, the issue is inbound firewall rules on your target machine — proceed to step 3 below.
Diagnosis: Network Profile and Firewall Rules
If you’ve confirmed credentials and share existence, the culprit is almost always the network profile category (Public vs Private) and the SMB-In inbound firewall rule.
Multiple entries for the same network name (e.g., “Office WiFi”, “Office WiFi 2”, “Office WiFi 3”)
Duplicate profiles = Windows re-identified the network multiple times, creating a new profile each time (usually due to Wi-Fi reconnects)
The most recent DateLastConnected is the one currently in use
If duplicates are classified Public, each one is a potential liability
Why this matters: Frequent Wi-Fi disconnects can cause Windows to create new profiles that default to Public. Even if you fix the current one to Private, a re-identification creates a new Public profile next time.
Repair: Setting the Profile and Enabling SMB-In
Once you’ve identified the issue (usually Public profile + SMB-In disabled), fix it in order of least to most invasive.
Fix 1: Change the profile to Private (recommended)
This immediately activates all the inbound rules that are already enabled for Private, including SMB-In. For a machine on a trusted internal LAN, Private is the semantically correct setting.
Test: From the remote machine, try the connection again:
net use \\192.168.1.188\SCANS /user:Scanning Scanning12
Fix 2: Enable SMB-In for the Public profile (if the profile must stay Public)
If for some reason the profile must remain Public, explicitly enable the SMB-In rule for Public and scope it to your local subnet:
DriverDate more than a year old? Update the driver from the NIC vendor (Intel, Qualcomm, Realtek, etc.) directly — don’t rely on Windows Update.
Check power management (on laptops especially)
Get-NetAdapterPowerManagement -Name "Wi-Fi"
Look for:
SelectiveSuspend: Enabled or DeviceSleepOnDisconnect: Enabled → These can cause disconnects to save power. Disable them on a desktop or stationary device.
If these are enabled, disable them:
Disable-NetAdapterPowerManagement -Name "Wi-Fi"
Check for duplicate network profiles (indicates reconnect churn)
See the registry query in the “Additional Context” section above. Multiple profiles for the same network name is a red flag for instability.
If duplicates exist: Back up the registry key, then remove stale duplicates (keep only the most recently connected one). Each reconnect event creates a new candidate for being classified Public, so cleaning them up reduces surface area.
Complete diagnostic script (one-liner)
Here’s a single script that runs all the key diagnostics and formats them for quick review:
Passwordless Login to Entra-Joined Devices Using a Temporary Access Pass (TAP)
TL;DR
Run this command on an Entra-joined Windows device (elevated Command Prompt), reboot, enable TAP in the Entra admin center, issue a passcode, and your user is one globe-icon-click away from a passwordless sign-in:
Handing a user a short-lived passcode that gets them straight to the Windows desktop — no password, no MFA prompt, no helpdesk back-and-forth — is one of the cleanest workflows Microsoft has shipped in years. The trick is pairing a Temporary Access Pass (TAP) from Microsoft Entra ID with the Web Sign-in credential provider in Windows.
This walkthrough covers the whole flow: flipping on Web Sign-in with a single registry command, enabling the TAP policy in Entra, issuing the passcode, and logging in on the device.
What You’ll Need
A Microsoft Entra joined device (this does not work on Hybrid Joined or AD-only machines)
Windows 11 22H2 with KB5030310 or later (Windows 10 1809+ works for Web Sign-in but Windows 11 is strongly preferred)
Microsoft Entra ID P1 license or higher for the user
One of these admin roles to issue the TAP: Global Administrator, Privileged Authentication Administrator, or Authentication Administrator
Authentication Policy Administrator role to configure the TAP policy itself
Step 1: Enable Web Sign-in on the Device
Web Sign-in is the credential provider that puts the little globe icon on the Windows lock screen. Without it, the device has nowhere to accept a TAP code at sign-in time.
Open an elevated Command Prompt (Run as administrator) on the target device and run:
HKLM\SOFTWARE\Microsoft\PolicyManager\current\device\Authentication is the policy location Windows reads at sign-in
EnableWebSignIn is the value name that toggles the Web Sign-in credential provider
REG_DWORD /d 1 sets it to enabled (use 0 to disable later)
/f is force, no confirmation prompt
Reboot the device for the change to take effect. After it comes back up, you’ll see a new sign-in option on the lock screen — a small globe icon under “Sign-in options.”
Doing this at scale? The registry command is great for testing, recovery, or a single device. For fleet-wide deployment, push the equivalent setting through Intune: Devices → Configuration → Create → Settings catalog → Authentication → Enable Web Sign In → Enabled. Same outcome, but managed centrally and survives device wipes.
Step 2: Enable the Temporary Access Pass Policy in Entra
TAP is off by default in the tenant. Turn it on:
Go to the Microsoft Entra admin center at entra.microsoft.com
Navigate to Protection → Authentication methods → Policies
Click Temporary Access Pass
Switch Enable to On
Under Target, choose All users or scope to a specific group (recommended for pilots)
Click the Configure tab and set:
Minimum lifetime: 1 hour
Maximum lifetime: 8 hours (this is the hard ceiling Microsoft allows)
Default lifetime: 1 hour
One-time use: No if the device will reboot during setup, Yes for tighter security
Length: 8 characters minimum
Click Save
Replication can take a few minutes. If a TAP prompt doesn’t appear right away, give it 5–10 minutes.
Step 3: Issue a TAP to the User
In the Entra admin center, go to Identity → Users → All users
Find and click the user
Open Authentication methods in the left menu
Click + Add authentication method
From the dropdown, choose Temporary Access Pass
Set the activation time, lifetime, and one-time use preference
Click Add
Entra will display the passcode exactly once. Copy it now — once you close the window, it’s gone. Hand it to the user through a secure channel (in person, a phone call, or a verified secure messaging tool — not plain email).
Step 4: Sign In to the Device With the TAP
On the Windows lock screen:
Click Sign-in options below the password field
Click the globe icon (Web Sign-in)
Click Sign in
Enter the user’s UPN (e.g., jane.doe@contoso.com) and click Next
When prompted, enter the Temporary Access Pass code
Windows authenticates against Entra and signs the user in to the desktop
No password. No MFA prompt. The user is in.
Gotchas Worth Knowing
Entra Joined only. Web Sign-in + TAP doesn’t work on Hybrid Joined or domain-joined devices. On those, the user has to authenticate with a password, smart card, or FIDO2 key first, and TAP can only be used to register Windows Hello afterward.
Internet required. Web Sign-in needs an active connection. Offline sign-in falls back to cached credentials.
Web Sign-in becomes the default credential provider after it’s used, which can confuse users on subsequent sign-ins. If that’s an issue, push an Intune policy to set Password (or Windows Hello) as the default credential provider: Settings catalog → Administrative Templates → System → Logon → Assign a default credential provider.
Conditional Access still applies. If your CA policies require compliant devices or specific locations, TAP sign-in respects those rules.
Federated tenants: if FederatedIdpMfaBehavior is set to enforceMfaByFederatedIdp, the user gets redirected to the federated IdP instead of seeing a TAP prompt. Set it to acceptIfMfaDoneByFederatedIdp if you want TAP to be accepted.
Configuring Third-Party OATH TOTP Applications for Multi-Factor Authentication
This guide provides instructions for enabling and configuring third-party authenticator apps (such as Google Authenticator or Authy) as a secondary sign-in method for Microsoft 365 accounts through Entra. This is an alternative for users who prefer not to use the Microsoft Authenticator app.
Target Audience: This document includes both administrative configuration steps (for IT staff) and end-user setup instructions.
Before users can add a third-party app, the Microsoft Entra ID tenant must be configured to allow “Software OATH tokens.”
1. Enable OATH Tokens
Log in to the Microsoft Entra admin center.
Navigate to Protection > Authentication methods > Policies.
Select Software OATH tokens.
Set the Enable toggle to On.
In the Target tab, select the appropriate groups or All users.
Click Save.
2. Resolving “Missing Link” Issues
If users report they cannot see the option for “Different authenticator app,” check the following settings:
Registration Campaign:
Navigate to Authentication methods > Registration campaign.
If state is set to Microsoft Managed, Microsoft may hide other options to force the use of the Microsoft app. Consider just setting to “Enabled” or adding an exclusion for specific users during setup.
System-preferred MFA:
Navigate to Authentication methods > Settings.
If enabled, Entra ID will automatically skip selection screens to prompt for the most secure method found. This is preferred to leave enabled to make sure strongest MFA method is selected, but if it causes issues, switch to “Disabled”
On UniFi networks running CyberSecure, web traffic to Wireguard.com for downloads will tend to get blocked. Here’s how to allowlist in UniFi Cybersecure (as of 5/7/26, Network Application 5.0.16)
To allowlist –
Go into Unifi Network Dashboard for the Site
> Settings
> Cybersecure
> Content Filters
> Applied Policy (Default or whatever it’s named)
> Allowlist
> add wireguard.com
> Save Changes
And then refresh the webpage on whichever device you’re connecting from.
Might need to then go into Incognito to load the download.wireguard.com/windows-clients webpage, but it’ll get you moving forward again if you need it 🙂 otherwise we should have a Wireguard MSI in our IT Software Archive in OneDrive.