Some Notes on the Machines

Here’s how it’s done:

Get-ProvisionedAppxPackage -Online | `
Where-Object { $_.PackageName -match "xbox" } | `
ForEach-Object { Remove-ProvisionedAppxPackage -Online -AllUsers -PackageName $_.PackageName }

Well, it’s all new again, and this time the old methods are reported as being deprecated at the end of June. Here’s a starting synopsis:

To connect:

Connect-MgGraph -Scope User.Read.All 

(or User.ReadWrite.All)

To get user info:

Get-MgUser -UserID username@domain.com

To change immutable ID to “a”:

Update-MgUser -UserID username@domain.com -OnPremisesImmutableId "a"

One cannot change ImmutableID to $null, but it can be changed, so an AD/AZ ‘hard match’ is probably still possible. Have not verified yet.

A customer had several of these errors being reported in Azure AD Connect. They were all users which had been converted to cloud-only. Several solutions are on Microsoft and related sites, none worked except this on the domain controller which has AAC:

1. Open administrative Powershell
2. To stop synchronization: set-adsyncscheduler -synccycleenabled $false
3. In the AAC Synchronization Service Manager, click Connectors
4. Right-click on the AD connector, click delete, choose “Deleted connector space only”, click OK
5. Do the same for the Azure connector
6. To restart synchronization: set-adsyncscheduler -synccycleenabled $true
7. In services.msc, restart “Microsoft Azure AD Sync”
8. Reinitialize sync: Start-ADSyncSyncCycle -PolicyType Initial

Here is how to add Send As permissions for a user, to a distribution list, in Powershell.

1. First, connect to the 365 tenant.

Install modules if needed:

Set-Executionpolicy Bypass -Scope Process 
Install-Module PowerShellGet -Force -AllowClobber
Install-Module ExchangeOnlineManagement -Force -AllowClobber

Connect to the tenant:

Connect-ExchangeOnline -UserPrincipalName adminuser@domain.com

2. Then make the setting:

Add-RecipientPermission -Identity distgroup@domain.com -Trustee user@domain.com -AccessRights SendAs

The hidden NTFS “System Volume Information” folders on Windows machines, can build up and up and up in size. I’ve seen instances ranging from 20G to hundreds of gigabytes, and every time this occurs, the overall system slows down, and often slows down a whole lot. SpaceSniffer is my favorite method of identifying this situation, but there are many. The only preventative I have been able to identify so far, is here.

But here we are discussing cleanup. If you have SentinelOne (S1) installed on this machine, you need to know that S1 considers deletion of volume shadows to be very bad actor behavior. This is because it often is a way that cryptolockers and others delete last-known-good checkpoints. S1 will not let you clear SVI, unless you disable it first, and it will complain very loudly if you try. Instructions for disabling S1, are at the end of this article. There may well be other security tools which will behave similarly, and need similar interaction beforehand.

General cleanup steps:

1. The easiest one to remember may be: vssadmin delete shadows /all
2. The more comprehensive, probably: wmic shadowcopy delete /nointeractive
3. Every once in a while on a server, the above two don’t get it done, and this is needed:
   
   diskshadow
   then within diskshadow’s command line: delete shadows all
   

Any of these can take a while, especially if SVI is big, e.g., more than 20-30 gigabytes. It can get huge occasionally, hundreds of gigabytes. I recently saw 1,022 shadow copies deleted (the first and third methods tell you the count) from one server.

Special case cleanup steps

Special cases do occur. Here are steps which can help a lot.

• Sometimes the steps above quit in the middle. Start them over again. Often they’ll complete.
• If the above does not completely solve the situation (if the SVI folder is still huge), do vssadmin resize shadowstorage for the relevant drive(s) (try /? for syntax…), first to 10%, then back to whatever it was. Sometimes Windows will do a lot of steady cleanup for you, sometimes over hours of time. You’ll see it by watching File Explorer.
• Run CHKDSK /F at reboot.

To disable SentinelOne:

1. First get the Passphrase for the machine, from the S1 console. It’s under Actions, you can choose Show Passphrase. Do be aware that your S1 admin may receive a notice that you have asked for this.
2. cd "C:\Program Files\SentinelOne\Sentinel*"
3. Please put the actual passphrase in, and the quotes are necessary:
   .\sentinelctl.exe unload -slam -k "<passphrase>"

Then, and only then, will the cleanup commands above work.

To reenable S1:

4. .\sentinelctl.exe load -slam

If you should need to reenable S1 and your command prompt is not where you need it, here’s a paste:

cd "C:\Program Files\SentinelOne\Sentinel*"
.\sentinelctl.exe load -slam

Here’s a search which got me to it, once logged into HPE.com.

You’ll also need a driver, which does not come with the SPP.

This can be helpful for Windows 10 and 11, and probably newer server OSes as well. There are risks of problems being caused large and small, you have been warned :-)

Get-AppxPackage -allusers | foreach {Add-AppxPackage -register "$($_.InstallLocation)\appxmanifest.xml" -DisableDevelopmentMode}

To get the link speed of all NICs in Powershell:

Get-NetAdapter | select interfaceDescription, name, status, linkSpeed.

This one makes sure general settings are likely helpful, and also deals with two common troublemakers:

# General
powercfg /change monitor-timeout-ac 0
powercfg /change monitor-timeout-dc 15
powercfg /change standby-timeout-ac 0
powercfg /change standby-timeout-dc 120
powercfg /change hibernate-timeout-ac 0
powercfg /change hibernate-timeout-dc 180
powercfg /change disk-timeout-ac 0
powercfg /change disk-timeout-dc 60

# Unhides and zeroes hidden "System unattended sleep timeout" which can cause problems
# including, sometimes, automatic unwanted logoff
powercfg -attributes sub_sleep 7bc4a2f9-d8fc-4469-b07b-33eb785aaca0 -ATTRIB_HIDE
powercfg -setacvalueindex scheme_current sub_sleep 7bc4a2f9-d8fc-4469-b07b-33eb785aaca0 0

# Disable hybrid sleep both AC powered and DC
powercfg -setacvalueindex scheme_current sub_sleep 94ac6d29-73ce-41a6-809f-6363ba21b47e 0
powercfg -setdcvalueindex scheme_current sub_sleep 94ac6d29-73ce-41a6-809f-6363ba21b47e 0

# Reapply current power scheme
powercfg -setactive scheme_current

One can disable using UI and registry, but the processes still run and take more RAM than is obvious in Task Manager. Removal takes this:

Get-AppxPackage -Name MicrosoftWindows.Client.WebExperience -AllUsers | Remove-AppxPackage -AllUsers