Windows OS Hub for SysAdmins
898 subscribers
226 photos
425 links
Windows System Admin's Blog

🌐 https://woshub.com
▶️ https://www.youtube.com/@woshub

⚙️ Detailed guides cover Windows Server, Active Directory, GPO, PowerShell, Exchange, Microsoft 365, VMware, Linux and more.
⚠️ Security changes to RDP after the April updates: Microsoft adds warning when running RDP files in Windows 11/10

The April 2026 security updates for Windows 11 (and Windows 10 with ESU) changed the default behavior when opening saved .rdp files.
Each connection started from an .rdp file now shows a security warning about the phishing risk of files from untrusted sources. More importantly, local resource redirection (clipboard, printers, drives) is turned off by default for saved, pre-configured RDP files.

As a result, users who dismiss the prompt without reading it end up in a remote session without clipboard, printers, or local drives, because resource redirection now has to be explicitly re-enabled on each connection.

🚫 Temporary workaround (behavior may change in future cumulative updates). You can restore the previous behavior and suppress the security warning for RDP files by setting the following policy registry value. Keep in mind that this also removes the protection the update added, so treat it as a short-lived exception and remove it once your RDP files are signed:
REG ADD "HKLM\Software\Policies\Microsoft\Windows NT\Terminal Services\Client" /v "RedirectionWarningDialogVersion" /t REG_DWORD /d "1" /F


✅ Recommended approach: sign RDP files
A more secure and reliable solution is to digitally sign the RDP file with a code-signing certificate, so that the client can verify the publisher instead of relying on the warning dialog.

1️⃣ Create a self-signed certificate (for production, use a certificate issued by your enterprise CA instead):
New-SelfSignedCertificate -Subject "WOSHUB Cert for RDP file Signing" -Type CodeSigningCert -CertStoreLocation cert:\LocalMachine\My

2️⃣ Copy the certificate thumbprint and sign the RDP file:
rdpsign.exe /v /sha256 <thumbprint> .\Desktop\my_rdp_app.rdp

3️⃣ Install the certificate into the Trusted Publishers store on the client computers (a self-signed certificate must also go into Trusted Root Certification Authorities)
4️⃣ Add the certificate thumbprint to the GPO setting Specify SHA1 thumbprints of certificates representing trusted .rdp publishers (Computer Configuration → Administrative Templates → Windows Components → Remote Desktop Services → Remote Desktop Connection Client)

After that, the signed RDP file opens without any warnings, and redirection of local resources works as before. Any change to a signed setting in the file (for example, the server address) invalidates the signature, so the file must be re-signed after every edit.
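The four steps above run end to end, as an added example that is not code from the original post. It uses the built-in rdpsign.exe and the PKI module. The file path and certificate subject are assumptions, and so is the registry value TrustedCertThumbprints (REG_SZ, comma-separated) under HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services, which is assumed here to be what the trusted-publishers GPO writes:

```powershell
# Added example, not code from the original post: sign an .rdp file and deploy
# trust for the signer on the client.
# Assumptions: $RdpFile and $Subject, and that the GPO "Specify SHA1 thumbprints
# of certificates representing trusted .rdp publishers" is backed by the REG_SZ
# value TrustedCertThumbprints under the Terminal Services policy key.
#Requires -RunAsAdministrator

$RdpFile = 'C:\RDP\my_rdp_app.rdp'                     # assumed path
$Subject = 'CN=WOSHUB Cert for RDP file Signing'
$Policy  = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'

# 1. Reuse an existing code-signing cert with that subject, or create a self-signed one.
#    In production, request the certificate from your enterprise CA instead.
$cert = Get-ChildItem Cert:\LocalMachine\My -CodeSigningCert |
    Where-Object Subject -eq $Subject | Select-Object -First 1
if (-not $cert) {
    $cert = New-SelfSignedCertificate -Subject $Subject -Type CodeSigningCert `
        -CertStoreLocation Cert:\LocalMachine\My
}

# 2. Sign the file in place. rdpsign appends a signscope:s: line (the settings
#    covered by the signature) and a signature:s: line; editing a signed setting breaks it.
& rdpsign.exe /v /sha256 $cert.Thumbprint $RdpFile
if ($LASTEXITCODE -ne 0) { throw "rdpsign.exe failed with exit code $LASTEXITCODE" }
$lines = Get-Content -Path $RdpFile
if (($lines -match '^signature:s:').Count -eq 0) { throw "$RdpFile carries no signature block" }

# 3. Trust the signer on this client: Trusted Publishers, plus Trusted Root for a self-signed cert.
$cerPath = Join-Path $env:TEMP 'rdp-signing.cer'
Export-Certificate -Cert $cert -FilePath $cerPath | Out-Null
Import-Certificate -FilePath $cerPath -CertStoreLocation Cert:\LocalMachine\TrustedPublisher | Out-Null
if ($cert.Issuer -eq $cert.Subject) {
    Import-Certificate -FilePath $cerPath -CertStoreLocation Cert:\LocalMachine\Root | Out-Null
}
Remove-Item -Path $cerPath

# 4. Register the thumbprint as a trusted .rdp publisher (assumed registry
#    equivalent of the GPO); thumbprints that are already listed are kept.
New-Item -Path $Policy -Force | Out-Null
$existing = (Get-ItemProperty -Path $Policy -Name TrustedCertThumbprints -ErrorAction SilentlyContinue).TrustedCertThumbprints
$list = @($existing -split ',' | Where-Object { $_ }) + $cert.Thumbprint | Select-Object -Unique
Set-ItemProperty -Path $Policy -Name TrustedCertThumbprints -Value ($list -join ',')

# Hygiene: the temporary workaround should not stay behind once signing is in place.
$dialog = Get-ItemProperty -Path "$Policy\Client" -Name RedirectionWarningDialogVersion -ErrorAction SilentlyContinue
if ($dialog) { Write-Warning 'RedirectionWarningDialogVersion is still set; remove it now that the file is signed.' }
```

On a domain, steps 3 and 4 belong in a GPO (certificate import under Public Key Policies, thumbprint in the Remote Desktop Connection Client setting) rather than in a local script; the script is useful for testing the signed file on one client before the policy is rolled out.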

➡️ RDP security warnings after April Windows updates: what changed and how to fix it
📹 (Video): Sign RDP files to disable security warnings for Remote Desktop connections after the April 2026 updates

Microsoft’s latest Windows 11 security update changed what happens when a user opens an .rdp file. Remote Desktop now shows the requested connection settings before connecting, with each setting turned off by default, and a one-time security warning appears the first time an .rdp file is opened on a device. The change is tied to CVE-2026-26151, a Remote Desktop spoofing vulnerability.


https://www.youtube.com/watch?v=AykyiZcbZac
🛡 Secure Boot is a UEFI security feature designed to prevent the execution of unsigned or malicious code before the operating system is initialized. The certificates at the root of the Secure Boot trust chain (Microsoft Corporation UEFI CA 2011, Microsoft Corporation KEK CA 2011 and Microsoft Windows Production PCA 2011) were issued in 2011 and begin expiring in June 2026.

➡️ Microsoft has been rolling out updates via Windows Update for supported OS versions to replace the certificates that expire in 2026. These updates add the new 2023 certificates (Windows UEFI CA 2023 and the related CAs) to the firmware databases and install a boot manager signed by Windows UEFI CA 2023. In some cases, a UEFI firmware update may also be required.

❓ What happens if the certificates are not updated before they expire?
If your computer does not receive the update for some reason, or the new certificates are not installed before the old ones expire, Windows will still boot, and machines with the old certificates can still be used. However, Secure Boot will no longer have a valid trust chain for new boot components and will not fully protect the boot process. As a result:
🔹 Systems stay exposed to bootkit attacks that the updated boot managers and revocations are meant to stop
🔹 Devices cannot receive future boot-level security updates (new boot managers and dbx revocations are signed only with the 2023 keys)


πŸ” Check if UEFI Secure Boot is enabled:
Confirm-SecureBootUEFI

πŸ” Here's how to check if Windows has applied the new Secure Boot certificates:
[System.Text.Encoding]::ASCII.GetString((Get-SecureBootUEFI -Name db).Bytes) -match "Windows UEFI CA 2023"
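The one-line check above extended into a readiness report, as an added example that is not code from the original post. It inspects both db (what the firmware may boot) and KEK (who may sign future db/dbx updates) with the in-box SecureBoot module. The UEFICA2023Status value under HKLM\SYSTEM\CurrentControlSet\Control\SecureBoot\Servicing is an assumption about what the servicing task writes; the CA names are the published certificate subjects:

```powershell
# Added example, not code from the original post: readiness check for the 2026
# Secure Boot certificate rollover.
# Assumption: the Servicing\UEFICA2023Status registry value written by the update
# task (absent on a machine the rollover has not touched yet).
#Requires -RunAsAdministrator

function Get-SecureBootVarText {
    param([Parameter(Mandatory)][string]$Name)
    # db/KEK hold raw EFI_SIGNATURE_LISTs. The DER certificates inside carry their
    # subject names in ASCII, so a plain text match is enough to tell which CAs are present.
    try { [System.Text.Encoding]::ASCII.GetString((Get-SecureBootUEFI -Name $Name).Bytes) }
    catch { '' }
}

function Get-SecureBootRolloverStatus {
    $db  = Get-SecureBootVarText -Name db
    $kek = Get-SecureBootVarText -Name KEK
    $svc = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecureBoot\Servicing' -ErrorAction SilentlyContinue

    $enabled = $false
    try { $enabled = Confirm-SecureBootUEFI } catch { }   # throws on legacy BIOS

    [pscustomobject]@{
        SecureBootEnabled = $enabled
        # db: what the firmware is allowed to boot
        Db_UEFI_CA_2011   = $db  -match 'Microsoft Corporation UEFI CA 2011'
        Db_WindowsCA_2023 = $db  -match 'Windows UEFI CA 2023'
        # KEK: who may sign future db/dbx updates; the 2011 KEK expires in June 2026 as well
        KEK_2011          = $kek -match 'Microsoft Corporation KEK CA 2011'
        KEK_2023          = $kek -match 'Microsoft Corporation KEK 2K CA 2023'
        UEFICA2023Status  = $svc.UEFICA2023Status          # assumed value name
    }
}

$status = Get-SecureBootRolloverStatus
$status | Format-List
if ($status.SecureBootEnabled -and -not $status.Db_WindowsCA_2023) {
    Write-Warning 'Secure Boot is on but Windows UEFI CA 2023 is not in db yet: keep the device updating, and look for a firmware update if the KEK never changes.'
}
```

A machine is done when both 2023 entries are present; the 2011 entries stay in place, since removing them would stop older signed media from booting.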

✅ This article explains how to manually initiate the update of the Secure Boot certificates and the Windows boot manager signed with Windows UEFI CA 2023, without waiting for automatic updates.

➡️ Updating Windows Secure Boot UEFI certificates expiring in June 2026
πŸ‘5❀4πŸ”₯3πŸ‘Œ3
πŸ† Testing Disk Performance in Windows Using WinSAT (WEI)

Many remember the Windows Experience Index (WEI), a built-in tool from the Windows Vista, 7, and 8 era that rated system performance on a scale from 1.0 to 9.9. Although the WEI GUI was removed starting with Windows 8.1, the underlying assessment tools are still available in all newer Windows versions.

For example, you can use PowerShell to retrieve the results of the last WEI assessment:
Get-CimInstance Win32_WinSAT


While these scores no longer reflect the performance of modern hardware (the test algorithms haven’t been updated in years), the tool is still useful for quick checks.

✅ Quick disk performance test
The built-in WinSAT.exe command lets you quickly measure disk read/write performance:
winsat disk -drive C

This runs a series of sequential and random I/O tests against the specified disk and reports:
🔹 Throughput (MB/s)
🔹 Latency (ms)
🔹 A WEI-based performance score

⚠️ For real load testing of the storage subsystem, use a specialized tool such as DiskSpd. For a quick validation (e.g., checking whether a disk meets expected performance), winsat disk is a simple and effective option.


➡️ How to Measure Disk Performance on Windows: Throughput, Latency, and IOPS
🌐 Stop Disabling IPv6 in Windows

⚠️ When they run into odd network or application behavior, many admins reflexively disable IPv6 in the network adapter properties. In most cases this is not only unnecessary but can actually degrade system performance.

🔹 Microsoft explicitly states: “We do not test Windows Server without IPv6.”
We don't recommend unbinding IPv6 from an Ethernet or WiFi network adapter without a justifiable need. Windows is tested with, and some products and features expect, IPv6 to be bound and functional. Unbinding IPv6 from a network adapter can result in an unsupported Windows configuration.

Many Windows components rely on IPv6 (including link-local addresses) for internal communication.

🔹 Even when IPv6 is unbound from the adapter, Windows may still query AAAA DNS records, wait for the timeout, and only then fall back to IPv4 (A records). This adds a delay to connections to network resources.

💡 What to do instead
If you are dealing with a legacy app that doesn’t support IPv6, don’t disable the protocol entirely. Instead, make Windows prefer IPv4 over IPv6 by changing the prefix policy through the registry (bit 0x20 of DisabledComponents; a reboot is required):
reg add HKLM\SYSTEM\CurrentControlSet\Services\Tcpip6\Parameters /v DisabledComponents /t REG_DWORD /d 0x20 /f

Note that reg add overwrites any existing DisabledComponents value; if other bits are already set on the machine, OR the 0x20 bit into the existing value instead of replacing it.

✅ This changes only the address selection preference (IPv4 addresses get a higher precedence in the prefix policy table), while IPv6 remains fully functional in the OS.
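The prefer-IPv4 change done safely, as an added example that is not code from the original post: it ORs the 0x20 bit into whatever DisabledComponents already holds instead of overwriting it, refuses to act on a value that has IPv6 switched off completely, and supports -WhatIf. The netsh command at the end is the standard way to view the prefix policy table:

```powershell
# Added example, not code from the original post: set only the "prefer IPv4"
# bit (0x20) in DisabledComponents, keeping any bits an admin already set.
#Requires -RunAsAdministrator

$Key        = 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip6\Parameters'
$PreferIPv4 = 0x20

function Set-PreferIPv4 {
    [CmdletBinding(SupportsShouldProcess)]
    param()
    $current = (Get-ItemProperty -Path $Key -Name DisabledComponents -ErrorAction SilentlyContinue).DisabledComponents
    if ($null -eq $current) { $current = 0 }

    # A low byte of 0xFF means IPv6 was turned off entirely (the unsupported state
    # this post argues against); clear that first rather than layering a preference on it.
    if (($current -band 0xFF) -eq 0xFF) {
        Write-Warning ("DisabledComponents=0x{0:X} disables IPv6 entirely; remove that value before preferring IPv4." -f $current)
        return
    }
    $new = $current -bor $PreferIPv4
    if ($new -eq $current) { Write-Host 'Prefer-IPv4 bit is already set'; return }
    if ($PSCmdlet.ShouldProcess($Key, ("set DisabledComponents 0x{0:X} -> 0x{1:X}" -f $current, $new))) {
        Set-ItemProperty -Path $Key -Name DisabledComponents -Value $new -Type DWord
        Write-Host 'Reboot required for the new prefix policy to take effect'
    }
}

Set-PreferIPv4
# After the reboot, the IPv4-mapped prefix ::ffff:0:0/96 should sit at the top of this
# table, while link-local and global IPv6 addresses keep working:
netsh interface ipv6 show prefixpolicies
```

Run Set-PreferIPv4 -WhatIf first to see the before/after value without writing it.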

➡️ Key considerations for properly disabling IPv6 in Windows
https://woshub.com/disabling-ipv6-windows/
πŸ‘8❀2πŸ‘2πŸ”₯1
📚 How to Uninstall Any Program in Windows Using PowerShell or CMD

This post covers several methods for uninstalling apps in Windows 11 using PowerShell and the command line, including:

🔹 PackageManagement module – can be used to uninstall MSI, Win32, and MSU packages:
Get-Package -Name "*Notepad++*" | Uninstall-Package

🔹 Removing Microsoft Store apps using the Remove-AppxPackage and Remove-AppxProvisionedPackage cmdlets

🔹 Uninstalling apps with the WinGet package manager. It can also remove apps that were not originally installed through WinGet (match by package ID, or use --name for the display name):
winget uninstall --id 7zip.7zip


🔹 Legacy WMI-based methods: wmic (deprecated and no longer installed by default on current Windows 11 builds) and the Get-WmiObject/Get-CimInstance -Class Win32_Product cmdlets. Be aware that merely enumerating Win32_Product makes Windows Installer run a consistency check (and possible repair) of every installed MSI product, which is slow and fills the Application log with event ID 1035 entries; prefer the Uninstall registry keys for lookups.

🔹 Extracting the software’s UninstallString value from the registry

📹 (Video): https://www.youtube.com/watch?v=QXLIMPSGGWc

📰 (Post): https://woshub.com/uninstall-apps-with-powershell-windows/
🗑 How to Force Remove Apps that Won't Uninstall Using the Usual Methods

This post covers methods for properly removing applications in Windows when the standard tools (ms-settings:appsfeatures, appwiz.cpl, or PowerShell) fail.
The post focuses primarily on applications deployed as Windows Installer (MSI) packages, but many of the techniques can also be used to remove software installed with custom installers.

⚙️ Common causes that prevent software from uninstalling include:
- Missing or corrupted original MSI installer files in the system cache (%windir%\Installer)
- Missing or broken entries under the Uninstall registry key that hold the application metadata

We will explore how to:
🔹 Extract the correct UninstallString value from the registry
🔹 Find the source MSI package that was used to install the app
🔹 Use the Microsoft Program Install and Uninstall Troubleshooter to scan and fix the registry and repair installer dependencies

✅ How to Force Uninstall Any Program in Windows That Won't Delete
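The registry side of both posts above (reading UninstallString, and locating the cached MSI that Windows Installer needs for the uninstall) in one script, as an added example that is not the articles' own code. It searches the 64-bit, 32-bit and per-user Uninstall keys, resolves an MSI product code to its cached package under %windir%\Installer, and runs a silent uninstall with -WhatIf support. The product name pattern is an assumption:

```powershell
# Added example, not the articles' own code: enumerate Uninstall entries, resolve
# the cached MSI, and uninstall silently. Product name pattern is an assumption.
#Requires -RunAsAdministrator

function Get-CachedMsiPath {
    # Windows Installer records its cached copy of each MSI under
    # Installer\UserData\<SID>\Products\<packed GUID>\InstallProperties\LocalPackage.
    # The "packed" GUID reverses the first three groups and swaps each byte pair of the last two.
    param([Parameter(Mandatory)][string]$ProductCode)
    $p    = $ProductCode.Trim('{}').Split('-')
    $rev  = { param($s) -join $s.ToCharArray()[($s.Length - 1)..0] }
    $swap = { param($s) -join (0..($s.Length / 2 - 1) | ForEach-Object { $s.Substring(2 * $_ + 1, 1) + $s.Substring(2 * $_, 1) }) }
    $packed = (& $rev $p[0]) + (& $rev $p[1]) + (& $rev $p[2]) + (& $swap $p[3]) + (& $swap $p[4])
    Get-ItemProperty -Path "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\*\Products\$packed\InstallProperties" `
        -ErrorAction SilentlyContinue | Select-Object -First 1 -ExpandProperty LocalPackage
}

function Get-UninstallEntry {
    param([Parameter(Mandatory)][string]$NameLike)
    $paths = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
        'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*',
        'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*'
    )
    Get-ItemProperty -Path $paths -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName -like $NameLike } |
        ForEach-Object {
            # MSI products are keyed by their product code GUID; custom installers use free-form key names
            $code = if ($_.PSChildName -match '^\{[0-9A-Fa-f-]{36}\}$') { $_.PSChildName } else { $null }
            [pscustomobject]@{
                DisplayName          = $_.DisplayName
                DisplayVersion       = $_.DisplayVersion
                ProductCode          = $code
                UninstallString      = $_.UninstallString
                QuietUninstallString = $_.QuietUninstallString
                LocalPackage         = if ($code) { Get-CachedMsiPath -ProductCode $code } else { $null }
                RegistryKey          = $_.PSPath -replace '^.*::'
            }
        }
}

function Uninstall-Product {
    [CmdletBinding(SupportsShouldProcess)]
    param([Parameter(Mandatory)][string]$NameLike)
    foreach ($e in Get-UninstallEntry -NameLike $NameLike) {
        $log = $null
        if ($e.ProductCode) {
            $log = "$env:SystemRoot\Temp\uninstall_$($e.ProductCode).log"
            $exe = 'msiexec.exe'; $argList = "/x $($e.ProductCode) /qn /norestart /l*v $log"
        } elseif ($e.QuietUninstallString) {
            $exe = 'cmd.exe'; $argList = "/c $($e.QuietUninstallString)"
        } else {
            Write-Warning "$($e.DisplayName): no quiet uninstall string; the vendor uninstaller may show UI"
            $exe = 'cmd.exe'; $argList = "/c $($e.UninstallString)"
        }
        if ($PSCmdlet.ShouldProcess($e.DisplayName, "$exe $argList")) {
            $proc = Start-Process -FilePath $exe -ArgumentList $argList -Wait -PassThru
            # msiexec: 0 = removed, 3010 = removed but reboot needed, 1605 = product not registered
            # (orphaned entry: see whether LocalPackage still exists), 1603 = fatal error (read the log)
            [pscustomobject]@{ DisplayName = $e.DisplayName; ExitCode = $proc.ExitCode; Log = $log }
        }
    }
}

Get-UninstallEntry -NameLike '*Notepad++*' | Format-List
Uninstall-Product -NameLike '*Notepad++*' -WhatIf
```

A missing LocalPackage file for an entry that has a ProductCode is the "corrupted system cache" case from the post above: msiexec /x will fail with 1612/1714-style errors until the original MSI is supplied again, which is what the troubleshooter automates.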
πŸ‘8❀2πŸ‘Œ1
🛡 Protecting Windows Against Brute-Force and DDoS Attacks with IPBan

The open-source IPBan tool is essentially the Windows equivalent of the popular Linux tool Fail2Ban.
IPBan can analyze application log files and/or Windows event logs, detect suspicious or unwanted activity, extract the IP addresses from the matching entries, and temporarily block those IPs using Windows Firewall.

Install the IPBan service in Windows. The official one-liner downloads a script and pipes it straight into Invoke-Expression; on a production host, download install_latest.ps1 first, read it, and check the release archive it fetches before running it:
$ProgressPreference = 'SilentlyContinue'; [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12; iex ((New-Object System.Net.WebClient).DownloadString('https://raw.githubusercontent.com/DigitalRuby/IPBan/master/IPBanCore/Windows/Scripts/install_latest.ps1'))


ℹ️ Out of the box, IPBan monitors the sign-in logs of:
- RDP
- OpenSSH
- Microsoft SQL Server
- Exchange
- RDWeb
- RRAS
IP addresses with repeated authentication failures or brute-force password attempts are blocked automatically.
IPBan can also be configured to analyze logs from any Windows service or application that writes access events to text log files or to the Event Viewer.
 
✅ This article demonstrates how IPBan can be used to mitigate a real DDoS attack on an IIS web server running on Windows Server.
The guide covers:
🔹 Identifying anomalies in IIS logs
🔹 Creating custom regular expression (RegEx) detection patterns for IPBan
🔹 Automatically blocking suspicious IP addresses with Windows Firewall rules
As a result, the configured IPBan policies automatically blacklisted around 3,000 unique IP addresses, effectively mitigating the attack.
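The detection logic the guide describes, written in plain PowerShell as an added example (not IPBan's own code or configuration) so it can be tried against constructed IIS W3C log lines before a real IPBan regex is written. It parses the #Fields header, finds the busiest per-client window, and adds the offenders to a blocking firewall rule. The threshold, window, firewall rule name and the sample log lines are all assumptions:

```powershell
# Added example, not IPBan's own code: IIS log anomaly detection plus a Windows
# Firewall blocklist rule. Sample log lines below are constructed for the demo.
#Requires -RunAsAdministrator   # needed only by Block-ClientAddress

# Constructed sample: 203.0.113.10 hammers the login page (40 x 401 within a minute),
# 198.51.100.7 is an ordinary visitor. Real logs live under %SystemDrive%\inetpub\logs\LogFiles.
$sampleLog  = @('#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) cs-Referer sc-status sc-substatus sc-win32-status time-taken')
$sampleLog += 1..40 | ForEach-Object { '2026-05-01 10:00:{0:D2} 10.0.0.5 POST /login.aspx - 443 - 203.0.113.10 python-requests/2.31 - 401 0 0 12' -f ($_ % 60) }
$sampleLog += 1..5  | ForEach-Object { '2026-05-01 10:00:{0:D2} 10.0.0.5 GET /index.html - 443 - 198.51.100.7 Mozilla/5.0 - 200 0 0 30' -f $_ }

function Get-AbusiveClient {
    param(
        [Parameter(Mandatory)][string[]]$LogLines,
        [int]$Threshold = 20,                          # requests per window before a client is flagged
        [int]$WindowSeconds = 60,
        [int[]]$ErrorStatus = 401, 403, 404, 429
    )
    $fields = $null
    $hits = foreach ($line in $LogLines) {
        # W3C logs name their columns in a #Fields: directive; map by name, not position
        if ($line -like '#Fields:*') { $fields = ($line -replace '^#Fields:\s*') -split ' '; continue }
        if ($line -like '#*' -or -not $fields) { continue }
        $v = $line -split ' '
        $row = @{}; for ($i = 0; $i -lt $fields.Count; $i++) { $row[$fields[$i]] = $v[$i] }
        [pscustomobject]@{
            Time   = [datetime]::ParseExact("$($row.date) $($row.time)", 'yyyy-MM-dd HH:mm:ss', [Globalization.CultureInfo]::InvariantCulture)
            Client = $row.'c-ip'
            Status = [int]$row.'sc-status'
        }
    }
    $hits | Group-Object Client | ForEach-Object {
        $g = $_
        $times = @($g.Group.Time | Sort-Object)
        # Peak number of requests inside any sliding window that starts at one of the hits
        $peak = 0
        for ($s = 0; $s -lt $times.Count; $s++) {
            $end = $times[$s].AddSeconds($WindowSeconds)
            $n = @($times | Where-Object { $_ -ge $times[$s] -and $_ -lt $end }).Count
            if ($n -gt $peak) { $peak = $n }
        }
        $errors = @($g.Group | Where-Object { $_.Status -in $ErrorStatus }).Count
        [pscustomobject]@{
            Client     = $g.Name
            Requests   = $g.Count
            PeakWindow = $peak
            ErrorRatio = [math]::Round($errors / $g.Count, 2)
        }
    } | Where-Object { $_.PeakWindow -ge $Threshold }
}

function Block-ClientAddress {
    [CmdletBinding(SupportsShouldProcess)]
    param([Parameter(Mandatory)][string[]]$Address, [string]$RuleName = 'Manual-Blocklist')
    $rule = Get-NetFirewallRule -DisplayName $RuleName -ErrorAction SilentlyContinue
    if ($rule) {
        # Extend the existing rule's address list instead of creating one rule per IP
        $existing = ($rule | Get-NetFirewallAddressFilter).RemoteAddress
        $all = @($existing | Where-Object { $_ -ne 'Any' }) + $Address | Select-Object -Unique
        if ($PSCmdlet.ShouldProcess($RuleName, "update to $($all.Count) addresses")) { $rule | Set-NetFirewallRule -RemoteAddress $all }
    } elseif ($PSCmdlet.ShouldProcess($RuleName, "create, blocking $($Address -join ', ')")) {
        New-NetFirewallRule -DisplayName $RuleName -Direction Inbound -Action Block -RemoteAddress $Address -Profile Any | Out-Null
    }
}

$offenders = Get-AbusiveClient -LogLines $sampleLog
$offenders | Format-Table -AutoSize
if ($offenders) { Block-ClientAddress -Address $offenders.Client -WhatIf }
```

With the constructed sample only 203.0.113.10 is flagged (40 requests in one window, error ratio 1). In IPBan the equivalent is a log-file entry with a regex that captures the c-ip column into the named group IPBan expects; the PowerShell version is handy for tuning the threshold against yesterday's real log before enabling the automatic block.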
  
➡️ https://woshub.com/protect-windows-ddos-brute-force-attacks-ipban/
βš™οΈ Monitoring File Changes in a Folder with PowerShell

βš™οΈ One of my production tasks required me to monitor a specific folder on a computer for changes and automatically run an handler when a new file appears. This can be implemented quickly and efficiently in Windows using PowerShell and the built-in .NET class, FileSystemWatcher.

➑️ Here is an example PowerShell script for monitoring new files, logging events, and triggering custom processing:
$fs_watch = New-Object System.IO.FileSystemWatcher
$fs_watch.Path = "C:\Reports"
$fs_watch.IncludeSubdirectories = $true
# Event handler triggered when a file is created
$action = {
    $changeType = $Event.SourceEventArgs.ChangeType
    $path = $Event.SourceEventArgs.FullPath
    $date = Get-Date -Format "yyyy-MM-dd HH:mm:ss"
    # Create a properly formatted log entry
    $logLine = "[$date] $changeType: $path"
    # Append the entry to the log file
    $logLine | Out-File -FilePath "$env:USERPROFILE\watch.log" -Append
}
# Bind the action to the Created event; the SourceIdentifier is what Unregister-Event needs later
Register-ObjectEvent -InputObject $fs_watch -EventName "Created" -SourceIdentifier FSCreate -Action $action
# Start raising events only after the handler is registered
$fs_watch.EnableRaisingEvents = $true


✅ When a new file appears in the C:\Reports directory, the actions defined in $action run automatically. The monitoring works in real time and reacts to file system events without polling the directory contents.
🚫 To stop monitoring:
Unregister-Event -SourceIdentifier FSCreate
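A more defensive handler, as an added example that is not code from the original post. The Created event fires when the directory entry appears, usually before the writer has finished, so reading the file immediately can process a partial copy; the handler below waits for an exclusive open to succeed, then records the file's size and SHA-256 (an audit trail that survives later modification). The folder, the *.csv filter and the log path are assumptions:

```powershell
# Added example, not code from the original post: wait for the writer to finish
# before processing a new file, and watch all four event types.
# Assumptions: C:\Reports, the *.csv filter, and the audit log path.

# Defined in the global scope so the event action, which runs later in the session, can call it.
function global:Wait-FileUnlocked {
    param([Parameter(Mandatory)][string]$Path, [int]$TimeoutSec = 30)
    $deadline = (Get-Date).AddSeconds($TimeoutSec)
    while ((Get-Date) -lt $deadline) {
        try {
            # An exclusive open succeeds only once no other handle (the writer's) is open on the file
            $fs = [System.IO.File]::Open($Path, 'Open', 'Read', 'None')
            $fs.Close()
            return $true
        } catch [System.IO.IOException] { Start-Sleep -Milliseconds 500 }
    }
    return $false
}

$watcher = New-Object System.IO.FileSystemWatcher -ArgumentList 'C:\Reports', '*.csv'
$watcher.IncludeSubdirectories = $false
$watcher.NotifyFilter = [System.IO.NotifyFilters]'FileName, LastWrite'

$handler = {
    $path  = $Event.SourceEventArgs.FullPath
    $type  = $Event.SourceEventArgs.ChangeType
    $log   = "$env:USERPROFILE\watch.log"
    $stamp = Get-Date -Format 'yyyy-MM-dd HH:mm:ss'
    if ($type -eq 'Created') {
        if (Wait-FileUnlocked -Path $path) {
            # Custom processing goes here; size and hash give an audit record of what arrived
            $hash = (Get-FileHash -Path $path -Algorithm SHA256).Hash
            "[$stamp] Created: $path size=$((Get-Item -Path $path).Length) sha256=$hash" | Out-File -FilePath $log -Append
        } else {
            "[$stamp] TIMEOUT: $path still locked after 30 s" | Out-File -FilePath $log -Append
        }
    } else {
        "[$stamp] ${type}: $path" | Out-File -FilePath $log -Append
    }
}

foreach ($name in 'Created', 'Changed', 'Deleted', 'Renamed') {
    Register-ObjectEvent -InputObject $watcher -EventName $name -SourceIdentifier "FS$name" -Action $handler | Out-Null
}
$watcher.EnableRaisingEvents = $true

# To stop:
# 'Created','Changed','Deleted','Renamed' | ForEach-Object { Unregister-Event -SourceIdentifier "FS$_" }
# $watcher.Dispose()
```

Two things the simple version does not cover: a file that is created and deleted again within the timeout simply logs a TIMEOUT line instead of crashing the handler, and applications that write by creating a temporary file and renaming it into place show up as a Renamed event rather than Created, which is why the example subscribes to both.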

 
📚 The article explains how to monitor file creation, deletion, renaming and modification events using FileSystemWatcher from PowerShell.

➡️ Monitoring file changes in a directory with PowerShell and FileSystemWatcher class
📚 Installing Remote Server Administration Tools (RSAT) in Windows

The Remote Server Administration Tools (RSAT) package includes a set of MMC snap-ins, command-line tools, and PowerShell modules used for remote administration of Windows Server roles and features from another machine, including Windows workstations.

🛠 Starting with Windows 10 version 1809, RSAT components are distributed as Features on Demand (FoD) and downloaded from the Windows Update servers.
In isolated environments without Internet access, or when clients get their updates from WSUS, installing RSAT features on a management machine becomes problematic (the download typically fails with error 0x800f0954).

✅ This article covers all available methods for installing RSAT on Windows 10/11 and Windows Server, including offline installation from the Languages and Optional Features ISO image that contains the FoD components.
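The online and offline installation paths in one function, as an added example that is not the article's own code. It uses only the DISM cmdlets; the ISO drive letter and folder are assumptions:

```powershell
# Added example, not the article's own code: install every missing RSAT
# capability, online from Windows Update or offline from the mounted
# Languages and Optional Features ISO. The ISO path is an assumption.
#Requires -RunAsAdministrator

function Install-Rsat {
    param(
        # Folder that holds the FoD .cab files, e.g. 'E:\LanguagesAndOptionalFeatures'; omit for Windows Update
        [string]$Source
    )
    $missing = Get-WindowsCapability -Online -Name 'Rsat.*' | Where-Object State -ne 'Installed'
    if (-not $missing) { Write-Host 'All RSAT capabilities are already installed'; return }

    if (-not $Source) {
        # Clients pointed at WSUS cannot fetch FoD packages (0x800f0954) unless the policy
        # "Specify settings for optional component installation and component repair" allows
        # downloading from Windows Update, or UseWUServer is temporarily set to 0.
        $au = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU' -ErrorAction SilentlyContinue
        if ($au.UseWUServer -eq 1) { Write-Warning 'This client uses WSUS; the online FoD download will probably fail.' }
    }

    foreach ($cap in $missing) {
        Write-Host "Installing $($cap.Name)"
        if ($Source) {
            # -LimitAccess keeps DISM from falling back to Windows Update when a package is missing
            Add-WindowsCapability -Online -Name $cap.Name -Source $Source -LimitAccess | Out-Null
        } else {
            Add-WindowsCapability -Online -Name $cap.Name | Out-Null
        }
    }
    Get-WindowsCapability -Online -Name 'Rsat.*' | Select-Object Name, State
}

# Online:
Install-Rsat
# Offline, after mounting the ISO (Mount-DiskImage -ImagePath 'C:\ISO\LanguagesAndOptionalFeatures.iso'):
# Install-Rsat -Source 'E:\LanguagesAndOptionalFeatures'
```

Install only what the management host needs: each RSAT capability ships an MMC snap-in or module that talks to a privileged interface, and an administrator workstation with the full set is a broader target than one with the three tools it actually uses.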

➡️ How to Install Remote Server Administration Tools (RSAT) on Windows 11 and Windows Server
📚 Restricting User Logons to Specific Computers in Active Directory

By default, Active Directory users are permitted to sign in locally to any domain-joined computer within their domain. This works because every new AD user is automatically a member of the Domain Users group, which in turn is added to the local Users group on domain-joined machines.

Administrators can restrict the computers a user is allowed to log on to by using:
🔹 The userWorkstations attribute (the "Log On To" list in the user's account properties)
🔹 Group Policy settings:
- Allow log on locally
- Deny log on locally

✅ This article covers practical scenarios for configuring allowed logon workstations, as well as restricting user logon times using the logonHours attribute.
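Both restrictions applied with the ActiveDirectory module, as an added example that is not the article's own code. The user and computer names are assumptions. logonHours is a 21-byte array of 168 hour bits starting at Sunday 00:00 UTC, least significant bit first; the window below is given in UTC, so shift it for the site's time zone (ADUC displays the same bytes converted to local time):

```powershell
# Added example, not the article's own code: confine a user to named workstations
# and to a weekday logon window. User and computer names are assumptions.
Import-Module ActiveDirectory

function New-LogonHours {
    param(
        [int[]]$Days = 1..5,        # 0 = Sunday ... 6 = Saturday
        [int]$StartHourUtc = 8,
        [int]$EndHourUtc = 18       # exclusive
    )
    # 21 bytes x 8 bits = 168 hours; bit N = hour N of the week counted from Sunday 00:00 UTC
    $bytes = New-Object byte[] 21
    foreach ($d in $Days) {
        for ($h = $StartHourUtc; $h -lt $EndHourUtc; $h++) {
            $bit = $d * 24 + $h
            $bytes[$bit -shr 3] = $bytes[$bit -shr 3] -bor (1 -shl ($bit -band 7))
        }
    }
    return ,$bytes
}

$user         = 'j.doe'                          # assumption
$allowedHosts = 'WKS-FIN-01,WKS-FIN-02'          # NetBIOS names, comma-separated (assumption)

# userWorkstations: interactive logons are accepted only on these computers
Set-ADUser -Identity $user -LogonWorkstations $allowedHosts
# logonHours: Monday to Friday, 08:00-18:00 UTC
Set-ADUser -Identity $user -Replace @{ logonHours = (New-LogonHours) }

# Verify; logonHours is shown as hex so the 21 bytes can be compared with the bit map above
Get-ADUser -Identity $user -Properties LogonWorkstations, logonHours |
    Select-Object SamAccountName, LogonWorkstations,
        @{ n = 'logonHours'; e = { ($_.logonHours | ForEach-Object { $_.ToString('X2') }) -join ' ' } }
```

A user outside the allowed hours is refused at logon; whether an existing session is disconnected when the window closes depends on the "Network security: Force logoff when logon hours expire" security option, which is off by default.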

➡️ How to allow or deny user logons to specific computers in an Active Directory domain
👥 Duplicate SID Issues in Windows (Sysprep-less Cloning Environments)

📚 For over a decade, a common IT shortcut was to clone a hard drive image across thousands of machines without running Sysprep to regenerate the local machine security identifier (SID). This was widely brushed off as a harmless "myth", because Active Directory assigns each machine its own unique domain SID.

In autumn 2025, Microsoft released security updates for Windows 11 25H2, 24H2, and Windows Server 2025 that block Kerberos/NTLM authentication and network communication between machines that share a machine SID.
These updates enforce strict SID uniqueness during network authentication handshakes. Computers cloned from the same image (captured without Sysprep /generalize) therefore have identical SIDs and fail to authenticate to each other via NTLM or Kerberos. The affected devices can no longer reach each other's network file shares, Remote Desktop sessions or network printers, and cannot be managed with remote administrative tools.

➑️ In my environment, I have not encountered this issue, likely because the business context does not involve direct workstation-to-workstation access. However, it is still easy to run into this scenario, especially given the widespread misconceptions about local SID uniqueness.

The situation is further complicated by the fact that the only officially supported Microsoft method for changing a local machine SID is running Sysprep with the /generalize option, which, while not equivalent to a full OS reinstallation, is close in terms of operational overhead and the post-configuration effort required to restore usability for end users.

This post covers how to:
🔹 Find computers with duplicate local machine SIDs in Active Directory
🔹 Apply a temporary workaround to disable SID uniqueness checks and allow network access between the affected machines
🔹 Regenerate the local SID and update dependent registry entries and ACLs with the third-party tool SIDCHG64 (not supported by Microsoft and not recommended for production ⚠️)
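One way to do the first step, as an added example that is not the article's own code. AD does not store the machine SID, so it has to be read on each host: the built-in Administrator account's SID is always the machine SID with RID 500 appended, even when the account is renamed or disabled, so stripping the RID gives the machine SID. Requires WinRM on the targets; the OU search base is an assumption:

```powershell
# Added example, not the article's own code: find clones that share a machine SID.
# Assumptions: the OU search base, and WinRM reachability of the computers.
Import-Module ActiveDirectory

function Get-DuplicateMachineSid {
    param([string]$SearchBase = 'OU=Workstations,DC=corp,DC=local')   # assumption

    $computers = Get-ADComputer -Filter 'Enabled -eq $true' -SearchBase $SearchBase |
        Select-Object -ExpandProperty Name

    $results = Invoke-Command -ComputerName $computers -ErrorAction SilentlyContinue -ScriptBlock {
        # RID 500 is the built-in Administrator regardless of its current name
        $admin = Get-LocalUser | Where-Object { $_.SID.Value -like 'S-1-5-21-*-500' }
        [pscustomobject]@{
            Computer   = $env:COMPUTERNAME
            MachineSid = $admin.SID.AccountDomainSid.Value   # S-1-5-21-x-y-z without the RID
        }
    }

    $unreached = $computers | Where-Object { $_ -notin $results.Computer }
    if ($unreached) { Write-Warning "Not reachable over WinRM: $($unreached -join ', ')" }

    $results | Group-Object MachineSid | Where-Object Count -gt 1 | ForEach-Object {
        [pscustomobject]@{
            MachineSid = $_.Name
            Count      = $_.Count
            Computers  = ($_.Group.Computer | Sort-Object) -join ', '
        }
    }
}

Get-DuplicateMachineSid | Format-Table -AutoSize
```

Any group with Count greater than 1 is a set of clones that will start failing against each other once the updated builds reach them; run the report before the update, not after the help desk calls.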

Duplicate SIDs Cause Authentication Failures in Windows 11 and Windows Server 2025
📋 Restricting the directions and data types that can be copied via the RDP session clipboard

📚 Clipboard redirection in a Remote Desktop session allows users to copy and paste content such as text, images, and files between the user's device and the remote session in either direction.
Windows admins can disable clipboard redirection in RDP sessions to prevent data leakage or the transfer of potentially malicious files.
In previous Windows versions, clipboard redirection could only be enabled or disabled as a whole, using the GPO setting Do not allow Clipboard redirection or the fDisableClip registry value.

🆕 Starting with Windows 11 and Windows Server 2022, Microsoft introduced new Group Policy options that provide granular control over clipboard usage in Remote Desktop sessions. These policies allow administrators to restrict clipboard access by direction, for example:
- Allow copying only from the local client to the remote session
- Allow copying only from the remote session back to the client
- Block clipboard redirection completely in one direction

The new policies are located under:
Computer Configuration (or User Configuration) → Policies → Administrative Templates → Windows Components → Remote Desktop Services → Remote Desktop Session Host → Device and Resource Redirection:
🔹 Restrict clipboard transfer from client to server
🔹 Restrict clipboard transfer from server to client

📌 In addition to directional restrictions, administrators can now define which data types may be copied through the clipboard. For example, you can allow plain text only, but no graphics, rich text or the hidden metadata (embedded objects, HTML) that comes with other formats.

Available options for each direction:
➖ Disable clipboard transfers in this direction
➖ Allow plain text only (the most restrictive option short of disabling)
➖ Allow plain text and images
➖ Allow text, images, and RTF formatting
➖ Allow all formats, including HTML

This lets you reduce the risk of data leakage while keeping a limited RDP clipboard available to users.
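The granular policy applied and verified on a Session Host through the registry values the GPO writes, as an added example that is not the article's own code. The value names CSClipLevel (client to server) and SCClipLevel (server to client) under the Terminal Services policy key, with 0 = disabled, 1 = plain text, 2 = text and images, 3 = plus RTF, 4 = plus HTML, are an assumption; confirm them against the ADMX on your Session Host before relying on the script:

```powershell
# Added example, not the article's own code: set and verify the directional
# clipboard levels. Assumption: the value names CSClipLevel / SCClipLevel and
# the 0..4 level mapping described in the lead-in.
#Requires -RunAsAdministrator

$Policy = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'

function Set-RdpClipboardPolicy {
    param(
        [ValidateRange(0, 4)][int]$ClientToServer,
        [ValidateRange(0, 4)][int]$ServerToClient
    )
    New-Item -Path $Policy -Force | Out-Null
    Set-ItemProperty -Path $Policy -Name CSClipLevel -Type DWord -Value $ClientToServer
    Set-ItemProperty -Path $Policy -Name SCClipLevel -Type DWord -Value $ServerToClient

    # The legacy all-or-nothing switch wins: with fDisableClip=1 the levels never apply
    $legacy = (Get-ItemProperty -Path $Policy -Name fDisableClip -ErrorAction SilentlyContinue).fDisableClip
    if ($legacy -eq 1) { Write-Warning 'fDisableClip=1 blocks clipboard redirection entirely; the granular levels have no effect.' }

    Get-ItemProperty -Path $Policy | Select-Object CSClipLevel, SCClipLevel, fDisableClip
}

# Jump-host profile: users may paste plain text into the session, nothing leaves it
Set-RdpClipboardPolicy -ClientToServer 1 -ServerToClient 0
# Existing sessions keep their old settings; users must reconnect for the change to apply.
```

Text-only in the inbound direction still lets an operator paste commands, while blocking the outbound direction closes the easiest exfiltration path from a privileged session; file copy over the clipboard is off in both directions at any level below 4.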

➡️ Configure clipboard redirection over the Remote Desktop Protocol
📚 Monitoring Windows Hosts with Zabbix Agent

We’ve updated our guide on basic Windows host monitoring with Zabbix, from agent installation and connecting a Windows machine to the Zabbix server, to collecting advanced metrics and configuring triggers and alerts.

⚙️ The guide also explains how to collect custom data from a Windows machine using PowerShell scripts, and how to process this data as Zabbix monitoring metrics.

Custom PowerShell commands or scripts that return the required values are defined through UserParameter in the Zabbix agent configuration file:
UserParameter=custom_metric_name,powershell -NoProfile -ExecutionPolicy Bypass -File "C:\Program Files\Zabbix Agent 2\Script\sample_script.ps1"

This approach lets you integrate virtually any PowerShell-based check into Zabbix monitoring. Two things to keep in mind: the script runs as the Zabbix agent service account, so lock down the Script folder's ACL (admins write, agent read), or anyone who can edit the script gets code execution as that account; and prefer fixed keys over flexible UserParameter=key[*] definitions that splice server-supplied arguments into the command line (keep UnsafeUserParameters at its default of 0 if you must use them).
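A complete UserParameter script of the kind the guide describes, as an added example that is not the article's own code: it returns the number of failed logons (Security event 4625) in the last ten minutes as a single integer Zabbix can graph and trigger on. The script path and item key are assumptions, and the agent service account must be able to read the Security log (membership in Event Log Readers):

```powershell
# Added example, not the article's own code. Save as
#   C:\Program Files\Zabbix Agent 2\Script\failed_logons.ps1      (assumed path)
# and reference it with a fixed key (no caller-supplied arguments):
#   UserParameter=win.failed_logons,powershell -NoProfile -NonInteractive -ExecutionPolicy Bypass -File "C:\Program Files\Zabbix Agent 2\Script\failed_logons.ps1"

param([int]$Minutes = 10)
$ErrorActionPreference = 'Stop'
try {
    $events = Get-WinEvent -FilterHashtable @{
        LogName   = 'Security'
        Id        = 4625
        StartTime = (Get-Date).AddMinutes(-$Minutes)
    }
    # A single value on stdout is what the agent sends to the server
    Write-Output @($events).Count
    exit 0
} catch {
    # Get-WinEvent throws when nothing matched; for this metric that is a genuine zero
    if ($_.Exception.Message -like 'No events were found*') { Write-Output 0; exit 0 }
    # Anything else (access denied, log missing) becomes a non-zero exit, which the agent reports as an error
    Write-Error $_.Exception.Message
    exit 1
}
```

Test it from the agent host with zabbix_agent2 -t win.failed_logons before adding the item on the server; a trigger such as last()>20 turns the metric into a cheap brute-force alarm that complements the RDP lockout policy.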

➡️ Monitoring Windows Infrastructure with Zabbix Agent
📚 Viewing Active TCP Connections and Open Ports with PowerShell

As an alternative to the classic netstat CLI command, PowerShell provides the Get-NetTCPConnection cmdlet for viewing active TCP sessions and open ports, and Get-NetUDPEndpoint for UDP endpoints.
Unlike netstat, which returns plain text that has to be parsed with text filters, PowerShell returns structured objects. This makes it much easier to filter, sort, group, and automate the analysis of network connections in PowerShell pipelines.

🔹 View listening TCP ports:
Get-NetTCPConnection -State Listen

🔹 Display TCP sessions with a specific local port:
Get-NetTCPConnection -LocalPort 443 | Format-Table -AutoSize

🔹 Count the number of established TCP sessions on a port:
(Get-NetTCPConnection -LocalPort 443 -State Established).Count

🔹 Display the name of the process that is listening on a specific TCP port and the user it runs as (-IncludeUserName requires an elevated session):
Get-Process -Id (Get-NetTCPConnection -LocalPort 8080).OwningProcess -IncludeUserName

🔹 The top 10 remote IP addresses, ordered by the number of active connections:
Get-NetTCPConnection -State Established |
    Group-Object RemoteAddress |
    Sort-Object Count -Descending |
    Select-Object -First 10 Count, Name

🔹 Continuous monitoring of connections to a specific port:
while ($true) {
    Clear-Host
    Get-NetTCPConnection -LocalPort 443 -State Established
    Start-Sleep -Seconds 5
}
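The one-liners above combined into a listener triage, as an added example that is not the article's own code. For every TCP listener it resolves the owning process, its user, image path and Authenticode status, and flags the pattern a defender checks first: a process bound to all interfaces whose image is unsigned or lives outside Program Files and the Windows directory. The "trusted directory" heuristic is a simplification chosen for the example:

```powershell
# Added example, not the article's own code: triage every TCP listener.
#Requires -RunAsAdministrator   # -IncludeUserName and other users' process paths need elevation

function Get-ListenerTriage {
    $procs = @{}
    Get-Process -IncludeUserName | ForEach-Object { $procs[$_.Id] = $_ }
    $trustedRoots = @($env:ProgramFiles, ${env:ProgramFiles(x86)}, $env:SystemRoot) | Where-Object { $_ }

    Get-NetTCPConnection -State Listen | Sort-Object LocalPort, LocalAddress | ForEach-Object {
        $owner = [int]$_.OwningProcess
        $proc  = $procs[$owner]
        $path  = $proc.Path
        $isKernel = $owner -le 4                      # PID 4 = System (SMB, and http.sys listeners such as WinRM)
        $sig = if ($path) { (Get-AuthenticodeSignature -FilePath $path).Status.ToString() }
               elseif ($isKernel) { 'Kernel' } else { 'Unknown' }
        $inTrustedDir = [bool]($trustedRoots | Where-Object { $path -like "$_\*" })
        $allIf = $_.LocalAddress -in '0.0.0.0', '::'
        [pscustomobject]@{
            LocalAddress  = $_.LocalAddress
            LocalPort     = $_.LocalPort
            PID           = $owner
            Process       = if ($isKernel) { 'System' } else { $proc.ProcessName }
            User          = $proc.UserName
            Path          = $path
            Signature     = $sig
            AllInterfaces = $allIf
            # Reachable from the network, and either unsigned or running from an unusual place
            Suspicious    = $allIf -and -not $isKernel -and (-not $inTrustedDir -or $sig -ne 'Valid')
        }
    }
}

Get-ListenerTriage |
    Sort-Object @{ Expression = 'Suspicious'; Descending = $true }, LocalPort |
    Format-Table -AutoSize
```

Rows marked Suspicious are a starting point, not a verdict: a legitimately unsigned in-house service will show up too. Compare the list against a baseline taken from a known-good build of the same role and investigate only the differences.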


✅ The article covers these and other practical examples of using Get-NetTCPConnection to view active TCP sessions, enumerate open ports, and identify the processes responsible for network activity in Windows.

➡️ Exploring the PowerShell Alternative to NetStat: Get-NetTCPConnection & Get-NetUDPEndpoint
βŒ›οΈ Windows Sandbox: Built-in Sandboxed Environment in Windows 11

Windows 11 includes Windows Sandbox, a native feature utilizing containerization technology to operate a lightweight virtual machine within an isolated environment. The sandbox environment leverages a Dynamic Base Image that references the host's existing system files, thereby achieving significantly reduced disk space and resource consumption compared to traditional virtual machines.

βœ… Windows Sandbox is ideal for running untrusted or unknown software, testing application behavior, and validating deployment scripts in a clean environment. A Hyper-V NAT virtual switch is automatically generated on the host system, permitting the Sandbox to access the network and the Internet.

⚠️ Any modifications made within the sandbox are discarded upon closure. Each time Windows Sandbox is launched, it initializes from a clean, pristine state.

To enable Windows Sandbox, run rhe following PowerShell command:
Enable-WindowsOptionalFeature -FeatureName "Containers-DisposableClientVM" -Online

πŸ“š The sandbox window behaves much like an RDP session. Clipboard redirection is supported, local folders can be mapped into the sandbox, and GPU acceleration can be enabled.

βœ… Only one Windows Sandbox instance can run at a time. However, by using WSB configuration files, you can create multiple sandbox profiles with different settings and environments. The article includes a sample WSB configuration file and startup scripts for automatically installing WinGet and any other required applications upon sandbox launch.
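A locked-down profile for looking at an untrusted file, written and launched from PowerShell, as an added example that is not the article's own WSB file: no network, no clipboard, no vGPU, ProtectedClient on, and the sample folder mapped read-only so nothing in the sandbox can write back to the host. The host folder path is an assumption; the element names are the documented WSB schema:

```powershell
# Added example, not the article's own code: generate a hardened .wsb profile and start it.
# Assumption: $hostFolder holds the file to inspect.
$hostFolder = 'C:\Samples'                                  # assumption
$wsbPath    = Join-Path $env:TEMP 'triage.wsb'

if (-not (Test-Path -Path $hostFolder -PathType Container)) { throw "$hostFolder does not exist" }

@"
<Configuration>
  <VGpu>Disable</VGpu>
  <Networking>Disable</Networking>
  <ClipboardRedirection>Disable</ClipboardRedirection>
  <ProtectedClient>Enable</ProtectedClient>
  <MappedFolders>
    <MappedFolder>
      <HostFolder>$hostFolder</HostFolder>
      <SandboxFolder>C:\Samples</SandboxFolder>
      <ReadOnly>true</ReadOnly>
    </MappedFolder>
  </MappedFolders>
  <LogonCommand>
    <Command>powershell.exe -NoExit -Command "Set-Location C:\Samples; Get-ChildItem"</Command>
  </LogonCommand>
</Configuration>
"@ | Set-Content -Path $wsbPath -Encoding UTF8

# .wsb files are associated with WindowsSandbox.exe, so the shell association launches the sandbox
Start-Process -FilePath $wsbPath
```

Flip Networking to Enable only when the analysis needs it, and never map a writable folder that the host also trusts (Downloads, a profile folder): a read-only mapping is what keeps a misbehaving sample on the sandbox side of the boundary.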

Windows Sandbox in Windows 11: How to Enable and Configure It
Device Lockdown with Unified Write Filter (UWF) in Windows

📚 Unified Write Filter (UWF) is a built-in feature of the Enterprise editions of Windows 10 and Windows 11 that protects a partition against writes and therefore against unintended system changes. When UWF is enabled, all changes to files and folders are redirected to a virtual overlay stored in RAM (or on disk). The UWF driver intercepts every write to the file system and transparently redirects it to the overlay. Any changes made during a user session are discarded after a reboot, when the overlay is cleared.

Add the UWF feature in Windows using PowerShell:
Enable-WindowsOptionalFeature -Online -FeatureName "Client-UnifiedWriteFilter" -All

UWF is managed through the uwfmgr.exe command-line tool.

Enable UWF protection and protect a volume from writes:
uwfmgr.exe filter enable

uwfmgr.exe volume protect c:


 View the current UWF configuration and status:
uwfmgr.exe get-config


You can add specific files, folders, or registry keys to the UWF exclusion list. Changes to these objects will persist across reboots:
Uwfmgr.exe file add-exclusion c:\labs\report.docx


If you need to permanently commit changes to a specific file without disabling UWF:
uwfmgr file commit C:\Labs\MyApp.log


Disable UWF protection:
uwfmgr.exe volume unprotect C:

uwfmgr.exe filter disable

 
UWF is not suited to continuous (24/7) operation. The overlay keeps growing up to its configured maximum, even for writes to excluded areas, and when it fills up Windows restarts the machine automatically. Plan a periodic reboot, size the overlay for the longest expected session, and remember that Windows Update cannot persist patches while the filter is active: put the device into servicing mode (uwfmgr servicing enable, then reboot) to apply updates.
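The individual uwfmgr commands above assembled into a repeatable kiosk lockdown, as an added example that is not the article's own code: disk-backed overlay with a fixed size and warning thresholds, C: protected, and the exclusions that let Microsoft Defender keep its engine and signatures across reboots. The Defender paths are the ones Microsoft's UWF documentation lists and are an assumption to verify against the current docs before deploying; every change takes effect at the next reboot:

```powershell
# Added example, not the article's own code: kiosk lockdown with uwfmgr.exe.
# Assumption: the Defender exclusion paths (check current Microsoft UWF docs).
#Requires -RunAsAdministrator

function Invoke-Uwf {
    param([Parameter(Mandatory)][string[]]$Arguments)
    & uwfmgr.exe @Arguments
    if ($LASTEXITCODE -ne 0) { throw "uwfmgr $($Arguments -join ' ') failed with exit code $LASTEXITCODE" }
}

Invoke-Uwf filter, enable
# A disk-backed overlay survives long sessions better than a RAM overlay; sizes are in MB
Invoke-Uwf overlay, set-type, Disk
Invoke-Uwf overlay, set-size, 4096
# Event-log warnings well before the overlay fills and Windows forces a restart
Invoke-Uwf overlay, set-warningthreshold, 3072
Invoke-Uwf overlay, set-criticalthreshold, 3840
Invoke-Uwf volume, protect, C:

# What must persist across reboots: the antimalware engine, its signatures and its logs
$fileExclusions = @(
    'C:\Program Files\Windows Defender'
    'C:\ProgramData\Microsoft\Windows Defender'
    'C:\Windows\Temp\MpCmdRun.log'
)
foreach ($f in $fileExclusions) { Invoke-Uwf file, add-exclusion, $f }
Invoke-Uwf registry, add-exclusion, 'HKLM\SOFTWARE\Microsoft\Windows Defender'

# Review the next-boot configuration before restarting
Invoke-Uwf get-config
```

Keep the exclusion list short: every excluded path is a place where changes survive a reboot, which is exactly what a kiosk is supposed to prevent, so each entry should exist for a named reason (signature updates, a log that must be kept) and nothing else.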

✅ UWF allows you to "freeze" the state of a Windows device while still permitting normal operation. Any files, settings, or changes made by users are automatically removed after a restart. Typical use cases include public kiosks, training labs, embedded systems, and shared computers that need protection from accidental misconfiguration or unwanted user changes.

Unified Write Filter (UWF): Disk Write Protection for Windows