Category: IT (Page 10 of 11)

How to delete Hyper-V snapshots (checkpoints)

How to Delete a Snapshot Using Hyper-V Manager or PowerShell

Updated: May 23, 2023

Written by: NAKIVO Team

Snapshots, which are known as checkpoints in Hyper-V, come in handy when you need to retain the last properly running state of a VM before deploying new software or installing an update. However, you have to be careful when deleting snapshots; otherwise, you might lose important data.

In this post, we explain the mechanism of Hyper-V checkpoints. We will cover when to use these checkpoints and show how to delete snapshots from the Hyper-V Manager interface and by using PowerShell.

Hyper-V Checkpoints Mechanism

Before we go into detail about how Hyper-V checkpoints work, let me clear up any confusion related to the terms snapshots and checkpoints.

Snapshots and checkpoints represent the same capability of saving the state of a VM at a particular point in time. This state can be reverted to in the future if an issue occurs with the VM. Microsoft refers to the feature of saving the state of a VM as snapshots for releases before Windows Server 2012 R2. In subsequent releases, Microsoft uses the term checkpoints. In addition, snapshots is the term used in VMware environments. In this post, we are using both terms interchangeably as the covered mechanism and procedures apply to both snapshots and checkpoints. So, how do checkpoints/snapshots work?

How Hyper-V checkpoints are saved

Hyper-V VM data is saved in the form of a .vhdx file. When a checkpoint is created, the .vhdx file becomes a read-only file. New modifications applied to the VM are saved in a differencing virtual hard disk. This differencing virtual hard disk is saved in the form of a .avhdx file in the same folder as that containing the .vhdx file.

You can create a chain of checkpoints. Each checkpoint represents the state of the VM at a specific point in time. Each checkpoint is represented by an .avhdx file.

The mechanism of Hyper-V checkpoints is efficient with storage utilization. However, the performance of virtual disk reading operations is significantly reduced. The reason is that reading files would require checking the whole chain of checkpoints (.avhdx files) until the VM’s .vhdx file is reached.

A VM with no checkpoints created

In the screenshot below, you can see one parent .vhdx virtual disk and two .avhdx disks after creating two Hyper-V checkpoints for a VM.

the VM files after creating two checkpoints

According to this mechanism, deleting a .avhdx file does not delete the checkpoint. Instead, this kind of deletion breaks the chain and leads to data loss.

To delete a checkpoint without losing data, the .avhdx file should be merged with another (parent) .avhdx file (or .vhdx file) in the chain. If this checkpoint is the only checkpoint for the VM, the .avhdx file is merged with the .vhdx file, and the .vhdx file becomes writable again.

In the next section, we will show how to delete snapshots (checkpoints) from the Hyper-V Manager interface without losing data.

Delete Snapshots by Using the Hyper-V Manager Interface

Hyper-V Manager is a free GUI tool for managing Hyper-V hosts and VMs. It can be used to provision VMs, allocate RAM, create snapshots or delete them.

To delete the Hyper-V snapshot (checkpoint) from the Hyper-V Manager interface:

  1. Select the host from the left pane.
  2. Select the VM from the Virtual Machines pane.
  3. Right-click the checkpoint to be deleted from the Checkpoints pane. Select Delete Checkpoint…
deleting a Hyper-V snapshot or checkpoint in Hyper-V Manager

In the screenshot below, you can see a parent .vhdx virtual disk and an .avhdx snapshot file after deleting the second Hyper-V checkpoint.

The deleted checkpoint’s .avhdx is merged automatically with another .avhdx

Delete Snapshots by Using PowerShell

To perform bulk actions on Hyper-V VMs, Windows PowerShell is more efficient than the Hyper-V Manager GUI as you can use commands to delete multiple snapshots at once. Besides, some actions, such as deleting a checkpoint that has no delete option in the GUI, can only be accomplished via PowerShell.

The delete option is unavailable in the Hyper-V Manager interface for a Hyper-V checkpoint

A checkpoint that cannot be deleted from the Hyper-V Manager is called a lingering checkpoint. Lingering checkpoints happen when a VM backup job fails.

When a VM backup job begins using a backup solution, the VM is placed into read-only mode. The new data submitted by VM users is saved to a special type of checkpoint called a recovery checkpoint. When the backup job completes successfully, the recovery checkpoint’s .avhdx file is merged with the VM .vhdx file, and the checkpoint is automatically deleted. However, if the backup job fails, the recovery checkpoint is not deleted automatically and remains as a lingering checkpoint.

To delete a checkpoint by using PowerShell:

  1. Open the Windows PowerShell ISE as administrator.
  2. Get the exact checkpoint name with the command Get-VMSnapshot. Provide the VMName when prompted.
  3. Run the command: Get-VM -Name <VMName> | Get-VMSnapshot -Name <CheckpointName> | Remove-VMSnapshot
  4. Verify that the checkpoint has been successfully deleted with the command: Get-VMSnapshot
Deleting a recovery checkpoint from Windows PowerShell ISE
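
The lingering-checkpoint case described above, as an added example that is not part of the original article: the function reports checkpoints of type Recovery that are older than a threshold, so a recovery checkpoint belonging to a backup job that is still running is not touched. The function name Find-LingeringCheckpoint, the 24-hour threshold and the sample objects are assumptions constructed for illustration.

```powershell
# Added example (not from the original article): report recovery checkpoints
# that have outlived any plausible backup window.
function Find-LingeringCheckpoint {
    [CmdletBinding()]
    param(
        # Objects exposing VMName, Name, SnapshotType and CreationTime,
        # which is what Get-VMSnapshot returns on a Hyper-V host.
        [Parameter(Mandatory, ValueFromPipeline)]
        [object]$Snapshot,

        # Assumption: a recovery checkpoint older than this many hours does not
        # belong to a backup job that is still running.
        [int]$MinAgeHours = 24,

        # Injectable clock so the constructed sample below gives stable results.
        [datetime]$Now = (Get-Date)
    )
    process {
        $age = $Now - $Snapshot.CreationTime
        # Only Recovery checkpoints are candidates; Standard ones were created
        # on purpose and are left for the administrator to review.
        if ("$($Snapshot.SnapshotType)" -eq 'Recovery' -and $age.TotalHours -ge $MinAgeHours) {
            [pscustomobject]@{
                VMName     = $Snapshot.VMName
                Checkpoint = $Snapshot.Name
                AgeHours   = [math]::Round($age.TotalHours, 1)
            }
        }
    }
}

# Constructed sample data standing in for Get-VMSnapshot output.
$sample = @(
    [pscustomobject]@{ VMName = 'FS01'; Name = 'FS01 - Backup - old';       SnapshotType = 'Recovery'; CreationTime = [datetime]'2025-01-10T02:00:12' }
    [pscustomobject]@{ VMName = 'FS01'; Name = 'Before patching';           SnapshotType = 'Standard'; CreationTime = [datetime]'2025-01-09T18:30:00' }
    [pscustomobject]@{ VMName = 'DB02'; Name = 'DB02 - Backup - in flight'; SnapshotType = 'Recovery'; CreationTime = [datetime]'2025-01-12T08:00:00' }
)

# Only the first entry is reported: the second is a Standard checkpoint and
# the third is a recovery checkpoint that is one hour old.
$sample | Find-LingeringCheckpoint -Now ([datetime]'2025-01-12T09:00:00')

# On a Hyper-V host, review what would be merged and removed before doing it:
#   Get-VM | Get-VMSnapshot | Find-LingeringCheckpoint |
#       ForEach-Object { Remove-VMSnapshot -VMName $_.VMName -Name $_.Checkpoint -WhatIf }
```

Drop -WhatIf only after confirming that no backup job is active for the listed VMs.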

Final Thoughts

Creating checkpoints is a good practice for the sake of testing and creating an acceptance environment. However, keeping checkpoints is not recommended in a production environment. Checkpoints adversely impact the Hyper-V performance of reading operations.

Deleting checkpoints’ files from the disk directly leads to data loss. Checkpoints should be deleted from the Hyper-V Manager. PowerShell can be used as well, especially if they have no delete option in the Hyper-V Manager GUI.

Adopting a backup and replication solution is crucial for your data and application protection.

Extracting IRST Drivers from the EXE file

**************************************************************************
* 6.  INSTALLING THE SOFTWARE
**************************************************************************

6.1 General Installation Notes

a.  If you are installing the operating system on a computer configured for RAID or AHCI
    mode, you may pre-install the Intel(R) Rapid Storage Technology driver using the
    “F6” (Load Driver) installation method described in section 6.3 below.

b.  If you’re installing the operating system on a computer configured for ‘Intel(R) Smart
    Response Technology’ or ‘System Acceleration with Intel(R) Optane(TM) Technology’, you
    must pre-install the Intel(R) Rapid Storage Technology driver using the
    “F6” (Load Driver) installation method described in section 6.3 below.  The Intel(R) RST
    pre-OS version must support the Intel(R) RST technology that you are installing to.

c.  To install Intel(R) Rapid Storage Technology from within the OS during runtime,
    double-click on the self-extracting and self-installing setup file and answer all
    prompts presented.

6.2 Intel(R) RST Windows Automated Installer*. Installation from HDD, USB, or CD-ROM

Note: This method is applicable to computers configured for RAID or AHCI mode.

a.  Obtain the Intel(R) Rapid Storage Technology setup file name: SetupRST.exe and
    double-click to self-extract and to begin the setup process.

b.  The Welcome window appears. Click ‘Next’ to continue.

c.  For systems running in RAID mode, the Uninstallation Warning window appears. You will
    not be able to uninstall the driver in this mode. Click ‘Next’ to continue.

d.  The Software License Agreement window appears. If you agree to these terms, click the
    check box then click ‘Yes’ to continue.

e.  Select the check box to install Intel(R) Optane(TM) Memory and Storage Management
    application if required then click ‘Next’ to continue.

f.  If the Windows Automated Installer* Wizard Complete window is shown without a prompt
    to restart the system, click ‘Finish’ and proceed to step “g”. If it is shown with a
    prompt to restart the system, select ‘I want to restart my computer now.’
    (selected by default) and click ‘Finish’. Once the system has restarted, proceed to
    step “g”.

g.  To verify that the driver was loaded correctly, refer to section 7.

6.3 Pre-Installation of INTEL(R) RST driver using the “Load Driver” Method.

a.  Extract driver files from SetupRST.exe:

    – Open terminal in the directory with SetupRST.exe by right-clicking the directory
      and selecting “Open in Terminal” or “Open PowerShell here”

    – Enter the following command:

      ./SetupRST.exe -extractdrivers SetupRST_extracted

b.  Copy all driver files from the SetupRST_extracted directory to a USB key media.

c.  For Microsoft Windows OS*:

    – During the operating system installation, after selecting the location to install
      Windows, click ‘Load Driver’ to install a third party SCSI or RAID driver.

d.  When prompted, insert the USB media and press Enter.

e.  Follow the prompts and browse to the location of the installation files.  Select the
    appropriate ‘.inf’ file (64 or 32 bit).  If a supported controller is detected there
    will be no error message. Follow prompts to continue and complete the installation.

How to disable multi-factor authentication MS365

Some customers want multi-factor app access turned off.

For those that want it, you need to ensure that the users have disabled multi-factor authentication.

AND

From the 365 account go to Identity/Entra.

Select Overview

Choose Properties

Scroll to the bottom and look for the small print that says “Manage Security Defaults”

Change the option to Disabled (Not recommended).

Accept past the warning.

The 365 accounts are now set to not enforce multi-factor authentication for everyone, unless it is enabled at the individual level.

Entra and Intune Research Notes


What I need to know:

What do I gain security wise on MS365 premium and how do I make it happen?

Entra vs intune, and what does the oobe do instead of enrollment?

ALL 24H2

———————————————————————

T1- no network connection, default key.

Logged in as local user

Went to work or school account page, used main button, then main box

Logged in, then rebooted computer

Device is now enrolled in ENTRA, and after a few extra minutes, intune as well

DOES show up in defender portal

Does not allow you to log in to machine as company user

Edge does Sync auto- no login needed

Start menu is updated to company

Onedrive not auto logged in, but I signed in

Activation is still not active – relies on device key, not taking from MS365 license

So very clearly this method gives the company control, but it’s still your device, your users, and your Windows licensing

RESULT :

This is likely the best option for BYOB Organizations

———————————————————————

T2- no network connection, default key

Went to join to work or school, main connect button, and then clicked option to join Entra bottom of that box.

Initially login is still main user (local account)

Adding onedrive- first login still required PW/MFA

Left allow my org to manage this device checked

After this: edge has my account, no login required.

Word/office is logged in auto

Windows not showing active, including still running pro

Restart and sign in as Jim@Ultrex.com on login page

Signing in as Jim@Ultrex- start menu still personal mode

Rebooted- went back to local user as default

Logged in with company email again

Had to go to activation page, then click to log in again- now device shows proper on all activation settings

In Intune and Entra dashboards- these two machines (oobe and this) appear fully equal on that front

After a power down and turn back on, activation has popped out again and wants me to sign back in on the activation page

Device IS on the defender premium page

Further reboots still default to local user

Logged in as Jim@Ultrex then deleted local user

Still logs in as now deleted user by default.

Too Messy- Don’t like this option

RESULT :

If someone has an existing user, and doesn’t want to start over with a new user profile, they can join Entra and Intune, and just leave their current user. When they want to log into the device as an email, they’ll need to reload/lose the current user profile

———————————————————————

T3- Still on OOBE. Untouched post-install

Runs oobebypassnro and login with a local offline user

Plug machine into network post loading in

MS store- company portal

Log in, and leave “let company manage this device” checked

Device shows up in Entra Dashboard

Search box is company

Edge is logged in, no auth needed, bookmarks ext etc all there

Device now shows up in intune as well. BEFORE onedrive login (maybe 5 minutes)

Onedrive signs in, auth required

Still local user

Sign out

OOBEd again, going back to OOBE enviro

Can’t re-enroll the device, fails on OOBE so would need wiped and reloaded at this point

Based on later findings, I could have deleted from the panel for Entra and Intune, and Joined again.

Even without that- DID show up in Defender portal for security- doesn’t need email login for security

———————————————————————

T4- Logging in with MS365 account from main oobe page (installed pro in the first place)

Very first login, start menu is Ultrex tied (company logo search etc)

Initial one drive sign in needed no pw

Edge was pre logged into my account

Edge was signed into outlook.com from my very first opening. No MFA, No anything

RESULT :

No surprise- if you can do OOBE on pro in the first place, the world is an infinitely better place

———————————————————————

T8 – windows 24H2 Home installed fresh

Local user, 11 Home

Accounts/Connect to work account, main option

Log in as me

Device is enrolled in Entra

Device shows up in intune

Took offline, used 3v66t key and upgraded to pro

Gave back network connection

OOBE/Sysprep can’t generalize

Ran Normal OOBE

Set up for work or school, but can’t because the device is already enrolled

Can go into intune and Entra and delete the device from both dashboards, then click try again no sooner than 60 seconds later

Onedrive automatic (No auth needed), edge sync auto, start menu company

Device shows in Intune and Entra perfectly

Defender not showing up? (see note below)

ACTIVATION STATUS: PERFECTION DAMMIT

This works!

RESULT :

If someone has a machine on home, you can join it to Entra and Intune, and then only upgrade to pro if they need it for some other reason, and if they do need to upgrade to pro, you’ll have to go delete the device from intune and entra dashboards. If you do that, then all works well

———————————————————————

T9

Windows 11 Home

DIDN’T join to company Entra or Intune before upgrading

Just local user, logged in, upgraded using 3v66t code (like a new purchase)

Gave back network connection

Can’t generalize

Just ran main sysprep

On next bootup, chose set up for work or school, works perfect, logs in as email, and is

company controlled

Signing in to onedrive is fully auto- no pw or MFA needed

Search box is company info

Edge is synced auto

Device shows in Intune and Entra perfectly

Defender not showing up (see note below)

ACTIVATION STATUS: PERFECTION DAMMIT

Note from MS:

Windows 11 Home devices that have been upgraded to one of the below supported editions might require you to run the following command before onboarding:

DISM /online /Add-Capability /CapabilityName:Microsoft.Windows.Sense.Client~~~~

. For more information about edition upgrades and features, see Features)

Was able to confirm that in OS’s upgraded from home, you can run this command, it had a 50% success rate across 4 identical VM’s. (literally clones of each other). Even on the ones where it ran, it did not bring them into defender management. SO our new default is use Entra and Intune if that’s what’s wanted- and you can leave it on HOME. But if you want pro, just freaking install Pro in the first place. I’ve also now updated an ISO of 24H2 so it will ALWAYS ask for the key, AND let you not put a key, and still select what version of windows to install clean (even if one is saved in the EFI or BIOS). From now on, we use that one, please update your ventoy as soon as possible.

Final Notes:

Company portal app is enrolling device in entra/intune

Entra and intune can both be done with windows home

Entra is access to stuff based on identity

Intune is device management

Defender portal is weak, and not worth much- but only comes on clean, initial W11 Pro installs.

Enrolling Devices in Entra with Local Admin Privileges

Important Considerations 

  • Security: Ensure that only trusted users are added to the local administrators group to maintain device security. 
  • Audit: Regularly audit the membership of the local administrators group to ensure compliance with your organization’s policies. 
  • Documentation: Keep documentation of all changes made to user privileges for accountability and troubleshooting purposes.

Common things that need to be configured in Entra for Device Admin Privileges:

  1. You can specify if global admins are allowed to be local device admins AT ENROLLMENT ONLY.
  2. You can and should specify if permitted Entra users are added as local admin AT ENROLLMENT ONLY. Add selected users.
  3. You can and should also add those same users from the previous step to the next line – “Manage Additional local administrators on all Microsoft Entra joined devices.” That’s the key one to achieve the goal of key users having device admin privileges whether or not they have been signed into the device already.

Entra Admin:

To enroll a user as a local device admin upon device enrollment in Microsoft Entra (formerly Azure AD), follow these steps:

1.    Sign in to the Microsoft Entra Admin Center:

a.    Go to the Microsoft Entra Admin Center.

b.    Sign in with an account that has at least the Privileged Role Administrator role.

2.    Navigate to Device Settings:

a.    In the left-hand menu, select Identity > Devices > All devices > Device settings.

3.    Manage Additional Local Administrators:

a.    Under Manage Additional local administrators on all Microsoft Entra joined devices, click Add assignments.

b.    Select the users or groups you want to add as local administrators and click Add.

c. Tests that verified this (based on CFM #3292)

    I enrolled the laptop with an admin user (we’ll call this Admin 1; we’ll use ours for this often).

    Signed into the laptop as a separate profile from Admin user with another account (Admin 2), which also had full admin permissions on the device according to Entra.

    Signed into Non-Admin 1’s account which is NOT permitted admin rights over any PC, and could not perform admin level tasks.

    From Non-Admin 1’s profile, tried installing a program and permitted installation using Admin 2’s authority successfully.

   This one’s the kicker – without having signed into the PC with Admin 3’s account, but having given it local admin permissions for all devices through Entra as above without being a full Microsoft Global Admin like Ultrex’s user, I was able to permit removal of that same program from Non-Admin 1’s profile successfully.

4.    Use Intune for More Granular Control:

a.    If you need more granular control, you can use Intune to manage local admin rights.

b.    Sign in to the Intune Admin Center.

c.     Go to Endpoint Security > Account protection.

d.    Click Create Policy and select Platform: Windows 10 and later and Profile: Local user group membership.

e.    Configure the policy to add the desired users or groups to the local administrators group.

5.    Assign the Policy:

a.    Assign the policy to the relevant devices or user groups.

Important Notes for Assigning Policies:

In Microsoft Intune, policies are assigned to groups rather than directly to individual users or devices. However, you can achieve per-user or per-device targeting by creating a group that contains only the specific user or device you wish to target.

🎯 Assigning a Policy to a Single User or Device

  1. Create a Group for the User or Device:
    • For a User:
      • Navigate to the Microsoft Entra admin center.
      • Go to Groups > New group.
      • Choose Security as the group type.
      • Provide a name (e.g., “Single User Group”) and description.
      • Add the specific user to this group.
    • For a Device:
      • Similarly, create a new security group.
      • Add the specific device to this group.
  2. Assign the Policy to the Group:
    • In the Intune admin center, navigate to the policy you wish to assign.
    • Go to the Assignments section and click “Edit”.
    • Under Included groups, add the group you created.
    • Save the changes.

By creating a group with only the desired user or device, the policy effectively targets just that entity.

🔍 Additional Considerations

  • User vs. Device Groups:
    • Assign policies to user groups when settings should follow the user across multiple devices.
    • Assign to device groups when settings should apply regardless of who is using the device.
  • Using Filters:
  • Policy Sets:
    • For deploying multiple policies and applications together, consider creating a Policy Set. This groups various configurations into a single assignment for streamlined deployment.

Command Line

Check Users currently listed in the local admin group

Steps: 

  1. Open Command Prompt as Administrator: Right-click on the Start menu and select “Command Prompt (Admin)” or “Windows PowerShell (Admin)”.
  2. Run the Command: Enter the following command:

net localgroup administrators
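
For the regular audit recommended under Important Considerations, the following added example (not from the original notes) parses the output of net localgroup administrators and compares each member with an approved list. On Entra joined devices, the Entra roles that grant device admin rights appear in this group as SIDs beginning with S-1-12-1- rather than as user names, so users granted rights through “Manage Additional local administrators” are not listed individually; the example reports those SIDs separately. The function names, the approved list and the sample output are assumptions constructed for illustration, and the parser assumes English-language output.

```powershell
# Added example (not from the original notes): audit local Administrators
# membership from `net localgroup administrators` output.

function Get-LocalAdminMember {
    param(
        # AllowEmptyString is required because the command output has blank lines.
        [Parameter(Mandatory)][AllowEmptyString()][string[]]$NetOutput
    )
    # Assumption: English-language output, where member names sit between the
    # dashed separator and the "The command completed successfully." trailer.
    $inMembers = $false
    foreach ($line in $NetOutput) {
        $text = $line.Trim()
        if ($text -match '^-{5,}$') { $inMembers = $true; continue }
        if (-not $inMembers -or $text -eq '') { continue }
        if ($text -like 'The command completed*') { break }
        $text
    }
}

function Test-LocalAdminMembership {
    param(
        [Parameter(Mandatory)][AllowEmptyString()][string[]]$NetOutput,
        # Names that are allowed to be local administrators on this device.
        [Parameter(Mandatory)][string[]]$Approved
    )
    foreach ($member in Get-LocalAdminMember -NetOutput $NetOutput) {
        $status = if ($Approved -contains $member) {
            'Approved'                 # -contains compares case-insensitively
        } elseif ($member -match '^S-1-12-1-') {
            'EntraSid'                 # Entra role or group; check its members in Entra
        } else {
            'Unexpected'               # not on the approved list: investigate
        }
        [pscustomobject]@{ Member = $member; Status = $status }
    }
}

# Constructed sample output; the SID and the second account are made up.
$sample = @'
Alias name     administrators
Comment        Administrators have complete and unrestricted access to the computer/domain

Members

-------------------------------------------------------------------------------
Administrator
AzureAD\user@domain.com
AzureAD\contractor@example.com
S-1-12-1-1111111111-2222222222-3333333333-4444444444
The command completed successfully.

'@ -split '\r?\n'

$approved = 'Administrator', 'AzureAD\user@domain.com'
Test-LocalAdminMembership -NetOutput $sample -Approved $approved

# On a live device, from an elevated PowerShell prompt:
#   Test-LocalAdminMembership -NetOutput (net localgroup administrators) -Approved $approved
```

Entries reported as EntraSid need a second check in the Entra admin center, because the device only shows the role or group SID and not who is assigned to it.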

Remove AzureAD User from Admin Group

Steps: 

  1. Open Command Prompt as Administrator: Right-click on the Start menu and select “Command Prompt (Admin)” or “Windows PowerShell (Admin)”.
  2. Run the Command: Enter the following command, replacing user@domain.com with the actual email address of the AzureAD user:

net localgroup administrators /delete "AzureAD\user@domain.com"

  3. Restart the Device: Restart the device to apply the changes.

Add AzureAD User to Admin Group Through Command Line 

Steps: 

  1. Open Command Prompt as Administrator: Right-click on the Start menu and select “Command Prompt (Admin)” or “Windows PowerShell (Admin)”.
  2. Run the Command: Enter the following command, replacing user@domain.com with the actual email address of the AzureAD user:

net localgroup administrators /add "AzureAD\user@domain.com"

  3. Restart the Device: Restart the device to apply the changes.

Graphical Interface:

To remove an Azure AD user from the local administrators group on a Windows machine, follow these steps:

1.    Open Computer Management:

a.    Press Windows + X and select Computer Management.

b.    Alternatively, you can press Windows + R, type compmgmt.msc, and press Enter.

2.    Navigate to Local Users and Groups:

a.    In the Computer Management window, expand Local Users and Groups.

b.    Click on Groups.

3.    Open Administrators Group:

a.    Double-click on Administrators to open the group properties.

4.    Remove the Azure AD User:

a.    In the Administrators Properties window, you will see a list of members.

b.    Select the Azure AD user you want to remove and click Remove.

c.     Confirm the removal if prompted.

5.    Restart the Computer (if necessary):

a.    Some changes might require a restart to take effect.

Device Cap Reached

Occasionally, you will reach your device cap when Entra joining devices. There are TWO places to check this- intune.microsoft.com and entra.microsoft.com.

Intune will tell you device limit per user is 5 by default, and you can modify it to 15. There are also options for DEM accounts. I tried with no success.

The alternative- Entra settings allow you to change the device cap to unlimited. Yeehaw

Use Entra

SWCD and SonicWall Cloud App Security portal for SonicWall quarantined or flagged emails – How to get there and what to do

Raised from ticket #3381

Steps provided by WesternNRG

If you receive a notification about a quarantined email, follow these steps to determine if it is safe to release:

  1. Check the sender’s email address carefully. Ensure it matches the expected domain.
  2. Verify if you were expecting an email from that sender.
  3. Access the CAS Admin Portal to review the quarantined email:
    • Log in to the CAS Admin Portal.
    • Navigate to Quarantine > Quarantine Items.
    • Find the email in question and click on the subject header.
    • Review the Security Stack on the right side to see the analysis of the email.
    • Check for any flagged attachments and their details.
  4. If an attachment is flagged as potentially malicious, do not release the email immediately.
  5. Consider downloading the attachment to an isolated computer with strong antivirus software to scan it for threats.
  6. Based on the scan results, decide whether to release the email or not.

Always exercise caution when dealing with quarantined emails, especially if they contain attachments. If in doubt, consult your IT support team for further assistance.

SonicWall Whitelisting IP Address in Firewall

Hello Jim,

I spoke with Andrae and during the call we discussed the allow rule needed to be created. He mentioned it would be a penetration test-like event from the internet needing inbound access, but despite there being no inbound access rules existing for CISA he mentioned there were never any reports of the tests not working in the past.

We created address objects for the CISA IPs listed and then added them to a group. We then created an inbound access rule to allow those IPs in the group access any zone with any port/service. There was no NAT policy created since it doesn’t seem like they need access to a specific device at a specific private IP.

To create these address objects, in the top menu select Object

      On the left menu select Addresses

      Click Add towards the right side of the Addresses menu

      Put a unique name, because the IPs are on the internet select WAN zone, for the first IP select Host because it’s a /32 (255.255.255.255)

            For the other IPs, since they are a /29 and /28 network we chose Network and put the corresponding subnet masks under the network IP.

      Click Save

To create an address group, or add new objects to an existing group, click Address Groups at the top left of the Address Object menu

      To create a group Click Add, to edit an existing group search for the group name, hover over it and click the Pencil icon to edit

      Search for the address objects you want to add on the left side by the unique name

      Select each address object by clicking on each or holding down left click while dragging the cursor over the group of Address objects you wish to select

      Click the right facing arrow in the middle to move the selected objects into the group

      Click Save

To create access rules, on the top menu navigate to Policy and on the left side menu select Access Rules

      Click the +Add option on the bottom left to bring up the screen below.

      Since we created an inbound access rule from the internet, we selected WAN for the Source Zone

      For the Source Address we selected the group we created which contains the address objects we created.

            This locks the rule down to only allow traffic with a source IP from the IP pool in the “G – CISA IPs” group

      We left the Destination as Any to allow them open access to the network.

As discussed, I’ll close this ticket for you now but if you have any questions in the future feel free to reach out anytime.

Thank you and have a great rest of your day!

Kind Regards,

Josh Littaua    
Western NRG, Inc.  Total Internet Security
(805) 658-0800 |  Fax: (805) 465-8480
j.littaua@westernnrg.com www.WesternNRG.com

CFM MFA Letter

Subject: From your Friends at Ultrex – Multi-Factor Authentication (MFA) Setup for Account Security

Hey there CFM Team 🙂 this is Andrae with Ultrex IT!

As we help you all transition to Microsoft accounts in the coming months (today for many of you), to ensure we are maintaining the highest standards of data protection and complying with HIPAA requirements, we are fully implementing multi-factor authentication (MFA) for all user accounts.

Why MFA Is Important

As a reminder, MFA adds an essential layer of security by requiring not just a password but also a verification code generated by an app on your phone. This helps prevent unauthorized access, even if someone has your login credentials.

Default MFA App: Google Authenticator

We ask users to install the Google Authenticator app if you don’t already have it (looks like a multi-colored asterisk), as it offers a secure and user-friendly option without requiring a Google account. Here are a few key points:

No Google account needed: You can use it without signing in or linking your Google profile. Please do NOT sign in with your CFM email address within the Authenticator app.

Minimal permissions: The app only requests camera access to scan QR codes when setting up MFA. It does not allow us (Ultrex or CFM) to access your phone’s camera or data. If you’d still prefer to not allow camera access, we can help you get the complex setup key typed in instead 🙂

No work access to your phone: Installing this app does not give us (Neither CFM nor Ultrex) any control over or visibility into your device.

Optional Account Syncing

If you would like to sign in to the app with a Google account, doing so will allow the codes you set up to sync with your account. Please only do this with a personal gmail account- many items use MFA in the modern age, and we don’t want to one day have you locked out of personal items if your work status changes. Signing in is helpful if your phone is lost, damaged, or replaced—signing back in with the same Google account will allow your authentication codes to carry over to the new device.

If you choose not to sign in and something happens to your device, just let your supervisor know your code isn’t working and we’ll assist in setting up a fresh code for your account.

Questions or Concerns?

We understand that some users may be hesitant about installing work-related apps on personal phones. While Google Authenticator is the default choice, there are other secure MFA options available. If you have any questions or would like to explore alternatives, please reach out to Deb so we can make a plan that works for you while keeping your account secure. 🙂

Checking Domain Function level and upgrading if needed

Windows Server 2022 Datacenter: WX4NM-KYWYW-QJJR4-XV3QB-6VM33

Windows Server 2022 Standard: VDYBN-27WPP-V4HQT-9VMD4-VMK7H

1- Run the following PowerShell command (in elevated mode) to verify:

Get-ADObject (Get-ADRootDSE).schemaNamingContext -Property objectVersion

Compare to:

AD version                objectVersion
Windows Server 2000       13
Windows Server 2003       30
Windows Server 2003 R2    31
Windows Server 2008       44
Windows Server 2008 R2    47
Windows Server 2012       56
Windows Server 2012 R2    69
Windows Server 2016       87
Windows Server 2019       88
Windows Server 2022       88

CMD 

Open command prompt (elevated rights) on Domain controller and navigate to source directory of Windows Server ISO. In my case the location was d:\support\adprep\adprep.exe.

cd..

cd..

cd DVD (assuming you copied the DVD contents to a folder on the C drive called DVD)

cd support

cd adprep

Run the command adprep.exe /forestprep

Run adprep.exe /domainprep
