What to do when a Windows 11 Remote Desktop keeps freezing

Copyright TechTarget - All rights reserved https://cyber.law.harvard.edu/rss/rss.html Techtarget Feed Generator en Sun, 15 Mar 2026 22:59:15 GMT https://www.techtarget.com/searchwindowsserver editor@techtarget.com <p>When Windows 11 Remote Desktop sessions freeze, the impact extends beyond individual users. For IT leaders responsible for endpoint management and hybrid workforce productivity, frozen remote sessions can interrupt access to business-critical applications and delay operational workflows.</p> <p>Problems with the Remote Desktop client -- MSTSC.EXE -- on Windows 11 can lead to freezing and hanging sessions. When sessions hang, employees can lose access to line-of-business applications, internal systems and enterprise data hosted in remote environments.</p> <p>Some general remote desktop best practices, such as making sure remote desktop users have a strong network connection with low latency and accounting for external peripheral hardware, can resolve some of these issues. However, a recent Remote Desktop Protocol (<a href="https://www.techtarget.com/searchenterprisedesktop/definition/Remote-Desktop-Protocol-RDP">RDP</a>) issue has made frozen sessions much more common.</p> <p>This freezing on Windows 11 is tied to the Windows 11 22H2 release. While Microsoft addressed the underlying bug in later cumulative updates, organizations with inconsistent endpoint patch levels or mixed device configurations can still encounter the issue.</p> <section class="section main-article-chapter" data-menu-title="How to fix an RDP session that keeps freezing"> <h2 class="section-title"><i class="icon" data-icon="1"></i>How to fix an RDP session that keeps freezing</h2> <p>Microsoft RDP can <a href="https://www.techtarget.com/searchvirtualdesktop/answer/What-are-the-differences-between-TCP-and-UDP">run on TCP or UDP</a>, with UDP delivering a more stable connection. However, UDP is tied to the Windows 11 22H2 release issue. Remote desktop administrators can disable UDP with Group Policies as a workaround if they cannot apply the KB5022360 update to all of their clients.</p> <p>To do this, create a <a href="https://www.techtarget.com/searchwindowsserver/definition/Group-Policy-Object">Group Policy Object </a>and browse to Computer Configuration > Administrative templates > Windows components > Remote Desktop Services > Remote Desktop Connection client.<b> </b>Here, select the group policy <b>Turn Off UDP On Client </b>and enable the policy (Figure 1).</p> <p>This fix is just a workaround for the underlying problem, however, so running <strong data-end="725" data-start="707">Windows Update</strong> is the preferred and more permanent option.</p> <figure class="main-article-image half-col" data-img-fullsize="https://www.techtarget.com/rms/onlineimages/windows_remote_desktop_freezing_fix-h.jpg"> <img data-src="https://www.techtarget.com/rms/onlineimages/windows_remote_desktop_freezing_fix-h_half_column_mobile.jpg" class="lazy" data-srcset="https://www.techtarget.com/rms/onlineimages/windows_remote_desktop_freezing_fix-h_half_column_mobile.jpg 960w,https://www.techtarget.com/rms/onlineimages/windows_remote_desktop_freezing_fix-h.jpg 1280w" alt="Group Policy Editor showing the Turn Off UDP On Client setting for the Remote Desktop Connection client." height="158" width="280"> <figcaption> <i class="icon pictures" data-icon="z"></i>Figure 1. Group Policy setting Turn Off UDP On Client in the Remote Desktop Connection client configuration. </figcaption> <div class="main-article-image-enlarge"> <i class="icon" data-icon="w"></i> </div> </figure> </section> <section class="section main-article-chapter" data-menu-title="Consider desktop environments beyond traditional RDP"> <h2 class="section-title"><i class="icon" data-icon="1"></i>Consider desktop environments beyond traditional RDP</h2> <p>Many organizations now rely on hosted desktop environments such as <a href="https://www.techtarget.com/searchvirtualdesktop/tip/Comparing-Windows-365-vs-Azure-Virtual-Desktop">Azure Virtual Desktop or Windows 365</a> instead of connecting directly to physical machines. While these platforms still rely on the Remote Desktop Protocol, the infrastructure supporting the connection is managed in the cloud. If freezing issues occur in these environments, administrators should review host session health, client versions and endpoint network conditions to determine whether the issue originates from the endpoint device or the hosted desktop environment.</p> <p>Troubleshooting remote desktops in these environments often starts with the same fundamentals as traditional RDP sessions: validating endpoint connectivity, confirming the client software version and verifying that recent Windows updates have been applied. Administrators should also check platform-specific monitoring tools to determine whether the issue stems from the endpoint device, the session host or the broader remote desktop infrastructure.</p> </section> <section class="section main-article-chapter" data-menu-title="How to deploy the latest Windows updates to all remote desktops"> <h2 class="section-title"><i class="icon" data-icon="1"></i>How to deploy the latest Windows updates to all remote desktops</h2> <p>Maintaining consistent Windows update levels across a distributed device fleet can be challenging, especially in hybrid environments where laptops often operate outside the corporate network for extended periods. This is especially true for the common hybrid work environment with laptops that aren't domain-joined but <a href="https://www.techtarget.com/searchwindowsserver/tip/What-should-admins-know-about-Microsoft-Entra-features">Microsoft Entra ID hybrid-joined</a>.</p> <p>Windows administrators used to roll out Windows updates with <a href="https://www.techtarget.com/searchwindowsserver/definition/Windows-Server-Update-Services-WSUS">Windows Server Update Services</a> on all machines, but now they need new methods to ensure all machines have the updates. This is especially important for updates that have a significant effect on performance and UX, such as the update that fixed the freezing issue.</p> <p>Windows Update for Business, which integrates with Microsoft Intune endpoint management, allows administrators to monitor update compliance across Windows devices and verify that clients are running builds that address stability issues. With Windows Update for Business, it's possible to run reports <a href="https://www.techtarget.com/searchenterprisedesktop/tip/How-to-add-and-enroll-devices-to-Microsoft-Intune">on all Intune-enrolled Windows 11 client devices</a> and check if they are running the latest Windows 11 build with the issue fixed. IT administrators should use Intune or a management tool with similar capabilities to Windows Update for Business to <a target="_blank" href="https://learn.microsoft.com/en-us/mem/intune/protect/windows-update-reports" rel="noopener">check</a> the compliance of end-user devices.   </p> <p>In hybrid work environments, consistent patching and endpoint configuration management are critical to maintaining reliable remote access experiences for distributed employees.</p> <blockquote class="main-article-pullquote"> <div class="main-article-pullquote-inner"> <figure> Frozen remote sessions can interrupt access to business-critical applications and delay operational workflows. </figure> <i class="icon" data-icon="z"></i> </div> </blockquote> </section> <section class="section main-article-chapter" data-menu-title="How to manage Windows updates to prevent version inconsistency"> <h2 class="section-title"><i class="icon" data-icon="1"></i>How to manage Windows updates to prevent version inconsistency</h2> <p data-end="774" data-start="544">To proactively prevent these version consistency issues, admins can manage Windows update rollouts. This way, if Windows releases a harmful or malfunctioning Windows build, desktop administrators can block it from being installed.</p> <p data-end="1476" data-start="776">Admins should also test every release and Windows update before deploying it within their organization. Make sure a test script can run on a test device when a new update is released and keep the RDP client open for an extended period during testing.</p> <p data-end="1476" data-start="776">While this process can be time-consuming, testing new Windows builds against remote access workflows and critical enterprise applications helps IT teams identify stability issues early and maintain reliable remote connectivity across the organization. As remote access continues to support hybrid work environments, maintaining consistent endpoint configurations and update policies is essential to ensuring remote desktop reliability at scale.</p> <p data-end="1476" data-start="776"><em><strong data-end="268" data-start="250">Editor's note:</strong> This article was updated to reflect current Windows Remote Desktop environments and expanded to include guidance for cloud-hosted desktop platforms. </em></p> <p><i>Chris Twiest works as a technology officer at RawWorks in the Netherlands, focusing on the standardization and automation of IT services.</i></p> </section> Windows 11 Remote Desktop sessions can freeze due to updates, configuration issues or network problems. Learn how IT admins can troubleshoot and prevent RDP freezes. https://cdn.ttgtmedia.com/rms/onlineimages/check_g1268128622.jpg https://www.techtarget.com/searchvirtualdesktop/tip/What-to-do-when-a-Windows-11-remote-desktop-keeps-freezing Thu, 05 Mar 2026 19:25:00 GMT What to do when a Windows 11 Remote Desktop keeps freezing <p>What exactly is the Microsoft Applied Skills program -- a certificate, a badge, a bootcamp? Not quite. This program's credentials, as Microsoft refers to them, sit alongside traditional certifications but serve a different purpose.</p> <p>Introduced in 2023 as a complement to Microsoft's existing certification programs, Applied Skills are designed for users with hands-on experience in Microsoft technologies. Rather than providing broad, role-based knowledge, these credentials focus on specific, scenario-based tasks that professionals encounter in day-to-day <a href="https://www.techtarget.com/searchitoperations/definition/IT-operations">IT operations</a>.</p> <p>In this article, we'll explore what you can learn through the Applied Skills program, how it stands apart from Microsoft's certifications program and why it's quickly gaining traction among IT professionals.</p> <section class="section main-article-chapter" data-menu-title="Overview of the Microsoft Applied Skills program"> <h2 class="section-title"><i class="icon" data-icon="1"></i>Overview of the Microsoft Applied Skills program</h2> <p>Microsoft's Applied Skills program offers a quicker, more targeted alternative to traditional certifications. These credentials are meant to validate practical skills, proving an applicant has the ability to apply hands-on knowledge to real-world tasks -- particularly within Azure.</p> <p>While not a replacement for full certifications, Applied Skills credentials can serve as a bridge to help individuals <a href="https://www.techtarget.com/searchcloudcomputing/infographic/By-the-numbers-How-upskilling-fills-the-IT-skills-gap">upskill in specific areas</a>, explore new technologies or reinforce existing expertise.</p> <p>For hiring managers, these credentials provide a quick way to identify candidates with proven abilities in relevant skill areas, offering insight into an individual's practical expertise in niche tasks. For individuals, Applied Skills credentials can be a way to learn new skills in their current role or to validate skills they already have. The program is also well suited for anyone <a href="https://www.techtarget.com/whatis/feature/Best-entry-level-tech-jobs">starting out in a career</a> or moving into a role where they don't have experience.</p> </section> <section class="section main-article-chapter" data-menu-title="Microsoft Applied Skills learning pathways"> <h2 class="section-title"><i class="icon" data-icon="1"></i>Microsoft Applied Skills learning pathways</h2> <p>The Applied Skills program has expanded rapidly since it was publicly launched in October 2023 with eight credentials. As of December 2025, it now certifies 40 skills across six subject areas: application development, artificial intelligence, business applications, data management, security and technical infrastructure. Note that some skills apply to more than one subject.</p> <p>The following table provides an overview of the subject areas and example skills within each.</p> <p><iframe title="Microsoft Applied Skills overview" aria-label="Table" id="datawrapper-chart-XwXhz" src="https://datawrapper.dwcdn.net/XwXhz/1/" scrolling="no" frameborder="0" style="width: 0; min-width: 100% !important; border: none;" height="475" data-external="1"></iframe></p> <p> <script type="text/javascript">window.addEventListener("message",function(a){if(void 0!==a.data["datawrapper-height"]){var e=document.querySelectorAll("iframe");for(var t in a.data["datawrapper-height"])for(var r,i=0;r=e[i];i++)if(r.contentWindow===a.source){var d=a.data["datawrapper-height"][t]+"px";r.style.height=d}}});</script> </p> </section> <section class="section main-article-chapter" data-menu-title="Microsoft Applied Skills vs. Microsoft Certifications: Key differences"> <h2 class="section-title"><i class="icon" data-icon="1"></i>Microsoft Applied Skills vs. Microsoft Certifications: Key differences</h2> <p>Applied Skills are more specialized than Microsoft's <a target="_blank" href="https://learn.microsoft.com/en-us/credentials/browse/?credential_types=certification" rel="noopener">traditional certifications</a>, which tend to cover the broader aspects of a job role. Here's how they compare in a few key areas:</p> <ul class="default-list"> <li><b>Cost.</b> At this time, Applied Skills are free, which makes them an easy choice for exploring new areas.</li> <li><b>Time.</b> Certifications might require 20-plus hours of study, but Applied Skills learning paths typically take only 4-5 hours.</li> <li><b>Scope.</b> While Applied Skills are targeted in scope, certifications cover a broad range of knowledge. Think of it as a skill vs. a skillset: The scope of Applied Skills is a scenario, whereas the scope of a certification encompasses many skills and contextualized knowledge.</li> <li><b>Application.</b> Applied Skills can be extremely valuable for people working in deployments and similar technical projects, as well as for those in operational roles that involve building and maintaining technologies. Certifications might involve broader content, wider context, interactions with other technologies and governance. This makes certifications beneficial to a broader variety of roles, including managers or those with a large technical remit, such as architects.</li> <li><b>Assessment.</b> The evaluation process also differs between the two options. Certifications use the traditional assessment exam, administered either at a testing center or using a remote proctored exam. The Applied Skills program provides a virtual lab where keyboard and mouse strokes are captured as certain tasks are completed.</li> <li><b>Expiry.</b> As of now, Applied Skills do not have an expiration date, making them a lasting credential for targeted expertise.</li> </ul> </section> <section class="section main-article-chapter" data-menu-title="Benefits of earning Applied Skills credentials"> <h2 class="section-title"><i class="icon" data-icon="1"></i>Benefits of earning Applied Skills credentials</h2> <p>Since Applied Skills are a new offering and market familiarity is not yet fully established, they might not be as in-demand or listed in job descriptions as many traditional certifications are. But these credentials still offer some solid benefits. The scenario-specific nature of Applied Skills credentials means they're better suited for <a href="https://www.techtarget.com/searchitoperations/feature/IT-operations-manager-vs-specialist-Compare-roles-and-skills">project-based or specialized roles</a> rather than positions requiring a broader technical foundation. However, these credentials provide hands-on, practical knowledge that's immediately useful for day-to-day tasks.</p> <p>This program has also grown rapidly, so the scope of offerings is likely to expand -- as will industry awareness. Applied Skills are also a great way to validate specific abilities, which can help professionals stand out when applying for specialized roles, promotions or salary increases. Because they're easily shareable on platforms such as LinkedIn, these credentials are convenient for professionals looking to showcase their skills to a wider audience.</p> </section> <section class="section main-article-chapter" data-menu-title="Preparing for and completing the online lab assessments"> <h2 class="section-title"><i class="icon" data-icon="1"></i>Preparing for and completing the online lab assessments</h2> <p>Getting started with Applied Skills is straightforward. Microsoft Learn offers learning paths for each skill. There are no prerequisites for these, but related certifications or familiarity with the tools involved can be beneficial for understanding the content and passing the labs, as the skills are generally aimed at intermediate and advanced users.</p> <p>Once you're ready to take the assessment, you will have two hours to complete approximately 12-16 tasks within the interactive lab. The exact passing score varies based on the difficulty of the questions asked. Note that the labs are scored based on the result rather than the methods used, unless specifically stipulated. For example, a lab might include an option to use either a web portal or PowerShell, and the user's choice would have no influence on the lab score.</p> <p>Once the lab is closed, pass/fail grading commences immediately, and you will receive either a pass or fail result with a breakdown of your performance across various areas. This will not show exact answers, but it will suggest follow-up learning to help you improve in weaker areas. This can take up to 24 hours to appear in your Microsoft Learn profile.</p> <p>In summary, Microsoft's Applied Skills program is a practical tool for IT professionals designed to fit into a busy schedule and can help IT teams and managers <a href="https://www.techtarget.com/searchitoperations/feature/The-most-in-demand-tech-skills-for-IT-ops-careers">keep pace with changing technology</a> without the commitment of full certification.</p> <p><i>Dwayne Rendell is a senior technical customer success manager for an Australian cybersecurity MSP. He has more than 15 years of experience in IT and specializes in service delivery, value realization and operations management of digital service portfolios. Dwayne has experience in multiple sectors, including health and government. He holds an MBA from the Australian Institute of Business.</i></p> </section> Microsoft's Applied Skills help IT pros validate hands-on technical expertise and real-world skills. But what sets these credentials apart from traditional certifications? https://cdn.ttgtmedia.com/rms/onlineimages/certification_g1134366943.jpg https://www.techtarget.com/searchwindowsserver/tip/Microsoft-Applied-Skills-program-puts-expertise-to-the-test Thu, 18 Dec 2025 09:40:00 GMT Microsoft Applied Skills program puts expertise to the test <p>Although AD traditionally serves as the central authority for managing users, computers and security within an organization's network, Entra ID provides similar functionalities in the cloud, focusing on managing access to cloud applications and resources.</p> <p>Microsoft hybrid identity gives IT admins the best of both worlds, combining on-premises identity infrastructure with <a href="https://www.techtarget.com/searchsecurity/tip/Top-cloud-IAM-best-practices-to-implement">cloud-based identity management</a>.</p> <p>Hybrid identity is a simplified, secure and user-friendly identity and access management (<a href="https://www.techtarget.com/searchsecurity/definition/identity-access-management-IAM-system">IAM</a>) system. But it also comes with unique implementation challenges and prerequisites IT admins must thoroughly understand before deploying it for their organization.</p> <p>This article covers the components involved in Microsoft hybrid identity, how to prepare for its deployment and an implementation roadmap for launching hybrid identity for your IT environment.</p> <section class="section main-article-chapter" data-menu-title="What is Microsoft hybrid identity?"> <h2 class="section-title"><i class="icon" data-icon="1"></i>What is Microsoft hybrid identity?</h2> <p><i>Hybrid identity</i> refers to Microsoft's integration of on-premises and cloud-based identity infrastructure and management.</p> <p>This system enables users to use a single identity, such as username and password, to access both on-premises resources managed by AD and cloud resources <a href="https://www.techtarget.com/searchwindowsserver/tip/What-should-admins-know-about-Microsoft-Entra-features">managed by Entra ID</a>, formerly Azure AD. For example, users can use the same credentials to log on to local AD resources that they would use for cloud-based applications, such as Microsoft 365 and other SaaS applications.</p> <p>Hybrid identity is commonly used in environments transitioning to the cloud, as it enables coexistence between legacy systems and modern cloud services. It provides several benefits to IT administrators, including centralized IAM and access to enhanced features, such as conditional access and multifactor authentication (MFA) from Entra ID.</p> </section> <section class="section main-article-chapter" data-menu-title="Key concepts of Microsoft hybrid identity"> <h2 class="section-title"><i class="icon" data-icon="1"></i>Key concepts of Microsoft hybrid identity</h2> <p>The following components comprise a hybrid identity system:</p> <ul class="default-list"> <li><b>On-premises AD.</b> AD manages user identities, groups and access to internal resources.</li> <li><b>Entra ID.</b> This extends identity capabilities to cloud apps and services.</li> <li><b>Entra Connect or Cloud Sync.</b> These tools synchronize identities between on-premises AD and Entra ID.</li> <li><b>Authentication model.</b> Choose from password hash synchronization (PHS), pass-through authentication (PTA) or <a href="https://www.techtarget.com/searchsecurity/definition/federated-identity-management">federated authentication</a> with AD Federation Service (AD FS).</li> </ul> <figure class="main-article-image full-col" data-img-fullsize="https://www.techtarget.com/rms/onlineimages/hsearlejones_hybridid_1-f.jpg"> <img data-src="https://www.techtarget.com/rms/onlineimages/hsearlejones_hybridid_1-f_mobile.jpg" class="lazy" data-srcset="https://www.techtarget.com/rms/onlineimages/hsearlejones_hybridid_1-f_mobile.jpg 960w,https://www.techtarget.com/rms/onlineimages/hsearlejones_hybridid_1-f.jpg 1280w" alt="A diagram showing how the Entra ID Connect tool syncs user identities between AD and Microsoft Entra ID." height="508" width="560"> <figcaption> <i class="icon pictures" data-icon="z"></i>Entra ID Connect links the on-premises AD with the cloud-based Microsoft Entra ID to let users work with a single identity for seamless access to local and cloud resources. </figcaption> <div class="main-article-image-enlarge"> <i class="icon" data-icon="w"></i> </div> </figure> <p>Microsoft Entra Connect, formerly known as Azure AD Connect, and Microsoft Entra Cloud Sync are two tools used to synchronize on-premises AD with Microsoft Entra ID. Although both achieve similar outcomes -- syncing identities to the cloud -- they differ in architecture, capabilities and use cases.</p> <h3>Microsoft Entra Connect overview</h3> <p>This comprehensive tool, which is installed on an on-premises Windows Server, provides robust sync and authentication features. Key features include the following:</p> <ul class="default-list"> <li>Directory synchronization, including users, groups and passwords.</li> <li>Password hash sync, pass-through authentication or federation.</li> <li>Custom filtering, such as by organizational unit or attribute values.</li> <li><a href="https://www.techtarget.com/searchwindowsserver/tip/Follow-these-steps-to-remove-the-last-Exchange-Server">Exchange hybrid configuration</a> support.</li> <li>Writeback features, including password, device and group writeback.</li> </ul> <p>Entra Connect's architecture requires a SQL database and runs as a full server application. It comes with a heavier footprint and requires more ongoing maintenance compared to Entra Cloud Sync. Given this, Entra Connect is best for complex enterprise environments, including those with Exchange hybrid deployments, and scenarios that require writeback capabilities.</p> <h3>Microsoft Entra Cloud Sync overview</h3> <p>This lightweight, cloud-managed agent-based tool is designed for simpler and more scalable synchronization. The following are some of its key features:</p> <ul class="default-list"> <li>Lightweight agent-based sync.</li> <li>Password hash sync only.</li> <li>Multiple AD forests supported (with multiple agents).</li> <li>Managed entirely from the cloud with no on-premises UI.</li> </ul> <p>Entra Cloud Sync's architecture uses cloud-based configuration and doesn't require a SQL database. It can be easier to deploy and maintain than Entra Connect, which makes it a good fit for modern, cloud-first organizations, including ones with multiple AD forest environments, and scenarios without the need for writeback.</p> <p><iframe title="Entra Connect vs. Entra Cloud Sync" aria-label="Table" id="datawrapper-chart-uBqFs" src="https://datawrapper.dwcdn.net/uBqFs/1/" scrolling="no" frameborder="0" style="width: 0; min-width: 100% !important; border: none;" height="401" data-external="1"></iframe></p> <p> <script type="text/javascript">window.addEventListener("message",function(a){if(void 0!==a.data["datawrapper-height"]){var e=document.querySelectorAll("iframe");for(var t in a.data["datawrapper-height"])for(var r,i=0;r=e[i];i++)if(r.contentWindow===a.source){var d=a.data["datawrapper-height"][t]+"px";r.style.height=d}}});</script> </p> <h3>Authentication models</h3> <p><b>Password hash synchronization.</b> With PHS, hashes of user passwords are synced from on-premises AD to Microsoft Entra ID, and the user authenticates directly with Entra ID in the cloud.</p> <p>The advantages of PHS are that it's simple to deploy and manage, and there is no dependency on on-premises servers at logon. It supports single sign-on (<a href="https://www.techtarget.com/searchsecurity/definition/single-sign-on">SSO</a>), although there is a sync delay when changing user passwords. Some organizations might choose to use other methods because password hashes are stored in the cloud.</p> <div class="extra-info"> <div class="extra-info-inner"> <h3 class="splash-heading">Single sign-on for hybrid identity</h3> <p>SSO in a hybrid identity environment enables users to access both on-premises and cloud-based applications and resources using a single set of credentials -- typically their AD username and password -- without being prompted to sign in again each time. In a hybrid identity implementation, SSO authenticates the user once, typically at the time of device login using AD credentials. It automatically passes authentication tokens to cloud applications, such as Microsoft 365 or SharePoint Online. Admins can maintain centralized IAM using AD or Entra ID.</p> </div> </div> <p><b>Pass-through authentication.</b> In this model, users enter credentials in the cloud, and the authentication request is securely passed to an on-premises agent, which validates it against the local AD instance. The advantages of this method are that no password hashes are stored in the cloud, and the agent is lightweight, making it easier for IT administrators to implement than AD FS. It does require the on-premises infrastructure to be online.</p> <p><b>Federation.</b> Microsoft Entra redirects the user to AD FS, an on-premises federation service, for authentication. IT administrators have full control over authentication policies and can implement custom login branding, multifactor options and smart card support. Federation is more complex to deploy and maintain, and it requires multiple servers. However, this authentication method is typically required to satisfy government and regulatory requirements.</p> <p><iframe title="Compare PHS vs. PTA vs. AD FS for authentication" aria-label="Table" id="datawrapper-chart-X8JJv" src="https://datawrapper.dwcdn.net/X8JJv/3/" scrolling="no" frameborder="0" style="width: 0; min-width: 100% !important; border: none;" height="544" data-external="1"></iframe> <script type="text/javascript">window.addEventListener("message",function(a){if(void 0!==a.data["datawrapper-height"]){var e=document.querySelectorAll("iframe");for(var t in a.data["datawrapper-height"])for(var r,i=0;r=e[i];i++)if(r.contentWindow===a.source){var d=a.data["datawrapper-height"][t]+"px";r.style.height=d}}});</script> </p> </section> <section class="section main-article-chapter" data-menu-title="Why implement hybrid identity?"> <h2 class="section-title"><i class="icon" data-icon="1"></i>Why implement hybrid identity?</h2> <p>Organizations should implement hybrid identity to bridge the gap between on-premises infrastructure and the cloud. This enables a secure, seamless and scalable identity experience across all environments.</p> <p>Here are some key reasons why hybrid identity is beneficial.</p> <h3>Familiarity for users</h3> <p>The use of a single identity for your organization's users lowers frustration, improves productivity and reduces password fatigue. Users often find that their login experience is improved, as it reduces repeated sign-ins. For example, a user can log into their Windows device using AD credentials and open Outlook or Microsoft Teams. Thanks to Entra ID's SSO option and the user's on-premises identity, access is granted without another login.</p> <h3>Simplified management</h3> <p>Most organizations already use on-premises AD. Hybrid identity incorporates existing AD users, groups and policies without the need to recreate them in the cloud. It simplifies user management, <a href="https://www.techtarget.com/searchsecurity/tip/User-provisioning-and-deprovisioning-Why-it-matters-for-IAM">provisioning and deprovisioning</a>, while also ensuring consistent access policies, auditing and role assignments.</p> <h3>Enhanced security</h3> <p>Hybrid identity uses cloud-based conditional access, MFA and risk-based access. It reduces the risk of account compromise from reused or weak passwords. Conditional access policies enable IT administrators to create rules that control how, when and under what conditions users can access corporate resources -- especially cloud apps, such as Microsoft 365. These policies play a key role in <a href="https://www.techtarget.com/searchsecurity/definition/zero-trust-model-zero-trust-network">zero-trust security</a> by enforcing the "never trust, always verify" principle. Admins can set specific conditions based on location, device compliance, IP address, the application accessed or user group membership.</p> <p>Conditional access is the gatekeeper of the hybrid identity environment. It analyzes the context of each sign-in and enforces real-time decisions -- allow, block, challenge or restrict access -- to protect corporate data without hindering user productivity.</p> </section> <section class="section main-article-chapter" data-menu-title="Planning for hybrid identity"> <h2 class="section-title"><i class="icon" data-icon="1"></i>Planning for hybrid identity</h2> <p>Planning and implementing Microsoft hybrid identity using Entra ID requires understanding your current infrastructure and IAM methods, preparing your environment and carefully deploying it.</p> <p>You must decide which authentication strategy -- PHS, PTA or AD FS -- best suits your organization and its security requirements. Design the identity architecture, including sync scope, domains and forests, and create an implementation roadmap.</p> <p>Implementation requires several technical and organizational prerequisites to ensure a smooth deployment. These cover your on-premises environment, cloud configuration, security planning and infrastructure readiness.</p> <p>The on-premises AD requirements include the following:</p> <ul class="default-list"> <li>At least one <a href="https://www.techtarget.com/searchwindowsserver/definition/Active-Directory-forest-AD-forest">AD forest</a> or domain with a functional level of Windows Server 2008 R2 or later.</li> <li>A routable User Principal Name suffix. For example, the UPN must be user@company.com instead of user@localdomain.</li> <li>Consistent and unique user attributes, such as UPN, mail and SAM account name.</li> <li>Cleanup of stale accounts, duplicates and nonstandard naming conventions.</li> </ul> <p>The following infrastructure requirements must be in place:</p> <ul class="default-list"> <li>A dedicated Windows Server to install Microsoft Entra Connect.</li> <li>Administrative access to both on-premises AD and Entra ID tenant.</li> <li>Required network ports open for sync and authentication, such as HTTPS, LDAP or Kerberos.</li> <li>A valid Microsoft Entra ID tenant, either as part of your Microsoft 365 subscription or standalone.</li> <li>At least one verified custom domain in Entra ID.</li> </ul> <p>Then, ensure security and compliance readiness with these steps:</p> <ul class="default-list"> <li>Plan to implement MFA.</li> <li>Define conditional access policies, such as those based on device, location or risk.</li> <li>Prepare to handle identity protection, user risk detections and reporting.</li> </ul> <p>Your deployment strategy should incorporate operational and user readiness. Communicate hybrid identity plans to stakeholders, train IT staff and prepare user education materials for any sign-in behavior changes.</p> <p>The following outlines a typical implementation roadmap:</p> <p><b>Phase 1: Planning</b></p> <ul class="default-list"> <li>Define business goals for hybrid identity.</li> <li>Choose your authentication model (PHS, PTA or AD FS).</li> <li>Design identity architecture (sync scope, domains, forests).</li> </ul> <p><b>Phase 2: Preparation</b></p> <ul class="default-list"> <li>Prepare AD with cleanup and UPN standardization.</li> <li>Prepare server infrastructure for Entra Connect.</li> <li>Review security and compliance requirements.</li> </ul> <p><b>Phase 3: Deployment</b></p> <ul class="default-list"> <li>Install and configure Microsoft Entra Connect.</li> <li>Configure selected authentication method.</li> <li>Set up SSO or seamless SSO (optional).</li> <li>Run initial directory sync (test with pilot users).</li> </ul> <p><b>Phase 4: Testing and validation</b></p> <ul class="default-list"> <li>Validate the following components: <ul class="default-list"> <li>User sign-ins to Microsoft 365 and Entra-protected apps.</li> <li>Password changes and sync behavior.</li> <li>MFA and conditional access, if configured.</li> </ul> </li> <li>Monitor logs and sync health.</li> </ul> <p><b>Phase 5: Rollout</b></p> <ul class="default-list"> <li>Expand sync scope to include all users/groups.</li> <li>Communicate changes to end users.</li> <li>Begin enabling cloud services, such as Teams or SharePoint</li> </ul> <p><b>Phase 6: Optimization</b></p> <ul class="default-list"> <li>Deploy MFA, conditional access and self-service password reset.</li> <li>Consider group writeback or hybrid device join.</li> <li>Monitor and fine-tune performance and logs using Microsoft Entra admin center.</li> </ul> </section> <section class="section main-article-chapter" data-menu-title="Potential issues with on-premises AD"> <h2 class="section-title"><i class="icon" data-icon="1"></i>Potential issues with on-premises AD</h2> <p>Although hybrid identity offers flexibility and control by integrating on-premises AD with Microsoft Entra ID, it also introduces technical and operational challenges that organizations must plan for.</p> <p><b>AD health issues.</b> Replication errors, DNS issues or corrupt AD objects can lead to failed synchronization or incomplete user provisioning in Entra ID. Run <span style="font-family: 'courier new', courier, monospace;">dcdiag</span>, <span style="font-family: 'courier new', courier, monospace;">repadmin</span> and Entra Connect Health checks regularly. Clean up AD objects before sync.</p> <p><b>Password or authentication inconsistencies.</b> Password changes might not sync quickly, especially with PHS. If not redundant, PTA agents or AD FS servers can become single points of failure. Clock drift in AD can cause Kerberos or auth token issues. Use redundant agents, ensure accurate time sync and monitor authentication services.</p> <p><b>Synchronization failures.</b> Microsoft Entra Connect might fail to sync due to connectivity issues, outdated schema or object attribute mismatches -- especially if UPNs don't match verified domains. Be sure to review sync rules, use consistent UPNs and monitor Entra Connect sync logs.</p> <p><b>Security gaps.</b> On-premises AD might not enforce MFA, conditional access or sign-in risk detection. To mitigate security concerns, <a href="https://www.techtarget.com/searchwindowsserver/tip/Using-Azure-AD-conditional-access-for-tighter-security">use Microsoft Entra conditional access and identity protection</a> and enforce cloud policies.</p> <p>Hybrid identity is the cornerstone of a secure, flexible and user-friendly IT environment in the cloud era, especially for organizations transitioning from legacy systems.</p> <p><i>Helen Searle-Jones holds a group head of IT position in the manufacturing sector. She draws on 30 years of experience in enterprise and end-user computing, utilizing cloud and on-premises technologies to enhance IT performance.</i></p> </section> Microsoft hybrid identity combines on-premises AD resources and cloud-based Entra ID capabilities to create a seamless access experience across environments. https://cdn.ttgtmedia.com/rms/onlineimages/cloud_g943065362.jpg https://www.techtarget.com/searchwindowsserver/tip/Understand-the-basics-of-Microsoft-hybrid-identity Thu, 20 Nov 2025 11:00:00 GMT Understand the basics of Microsoft hybrid identity <p>GitHub Copilot has evolved from an autocomplete novelty into a capable, chat-assisted development partner that can accelerate day-to-day scripting for IT professionals.</p> <p>For PowerShell administrators, GitHub Copilot can draft modules and scripts from natural language prompts, refactor legacy Windows PowerShell 5.1 code to PowerShell 7, generate documentation and tests and assist in orchestrating Azure operations.</p> <p>Still, <a href="https://www.techtarget.com/searchenterpriseai/tip/GitHub-Copilot-vs-ChatGPT-How-do-they-compare">GitHub Copilot is an assistant</a> -- not an authority. Because it learns from public code and patterns, it can surface outdated APIs or inefficient approaches, so you should verify outputs, require modern module usage and keep security and compliance guardrails in place.</p> <p>When paired with Visual Studio Code (VS Code), GitHub Copilot becomes particularly effective: you describe the intent in comments or chat, and it proposes context‑aware snippets you can accept, edit or reject as you iterate.</p> <section class="section main-article-chapter" data-menu-title="How GitHub Copilot works"> <h2 class="section-title"><i class="icon" data-icon="1"></i>How GitHub Copilot works</h2> <p>Copilot applies generative AI models trained on public source code to predict and propose the next lines, blocks or entire functions based on your current file, project context and prompts.</p> <p>In VS Code, you can give a descriptive comment or string, such as "what should this script accomplish?", and GitHub Copilot will offer a draft that you can refine. The clearer your intent, constraints and environment details -- PowerShell version, module names and versions, target OS -- the better its suggestions. A grounding in PowerShell helps you steer GitHub Copilot toward correct, efficient scripts and away from deprecated patterns.</p> <p>GitHubCopilot is responsive to feedback in the flow of work. If it suggests an outdated cmdlet or API and you replace it with the modern equivalent, subsequent completions will typically align with your correction.</p> <p>For example, when <a href="https://www.techtarget.com/searchcloudcomputing/tip/Why-and-how-to-create-Azure-service-principals">drafting an Azure automation script,</a> GitHub Copilot might initially propose a deprecated <span style="font-family: 'courier new', courier, monospace;">AzureRM</span> login cmdlet; using <span style="font-family: 'courier new', courier, monospace;">Connect‑AzAccount</span> guides it back to use cmdlets in the current Az module -- also called the Azure PowerShell Account module -- in later suggestions. This adaptability is valuable, but it doesn't eliminate the need for expert review.</p> <p>A few practical tips to keep in mind:</p> <ul class="default-list"> <li>Quality varies with the clarity of your prompts. Explicitly state "target PowerShell 7," specify modules, such as Az.Accounts or Az.Compute, and call out required properties to reduce rework.</li> <li>Suggestions might draw on patterns that are out of date or suboptimal. Validate correctness, performance and security before adopting them. GitHub Copilot is not a replacement for domain expertise or review processes.</li> <li>GitHub Copilot learns general coding conventions from public repositories; it doesn't copy your private code unless you explicitly allow it to use your content for product improvements. You can also control whether suggestions may match public code patterns during setup.</li> </ul> </section> <section class="section main-article-chapter" data-menu-title="Prepare to use GitHub Copilot"> <h2 class="section-title"><i class="icon" data-icon="1"></i>Prepare to use GitHub Copilot</h2> <p>A little upfront configuration significantly improves outcomes, especially in enterprise environments.</p> <h3>Choose your plan and enable GitHub Copilot</h3> <ol class="default-list"> <li>You'll need a GitHub account. Enable Copilot from your GitHub settings (Settings > Copilot). Trial options and pricing are available there. Organizations can provision GitHub Copilot for teams with policy controls; confirm current terms before rollout.</li> <li>During sign‑up, you can choose whether to allow suggestions that may match public code and whether to share your snippets for product improvement. Both settings are optional and should align with your organization's policies.</li> </ol> <h3>Install and configure in VS Code</h3> <ol class="default-list"> <li>Install the GitHub Copilot extension for VS Code and sign in with your GitHub identity; you'll see a Copilot status indicator in the editor once it's active.</li> <li>Add GitHub Copilot Chat to unlock chat‑based workflows: explain and refactor code, request tests and docs and apply multi‑file changes. This chat‑first loop is often the fastest path to high‑quality results.</li> <li>Ensure the <a href="https://www.techtarget.com/searchwindowsserver/tutorial/How-to-use-the-PowerShell-extension-for-Visual-Studio-Code">PowerShell extension for VS Code is installed</a> so GitHub Copilot works with language‑aware syntax, formatting and debugging.</li> </ol> <h3>Prepare your PowerShell and Azure environment</h3> <ol class="default-list"> <li>Standardize on a supported PowerShell 7.x runtime and keep core modules updated, such as Az modules for Azure. Ask Copilot for PS7‑compatible code and to avoid deprecated cmdlets such as the legacy AzureRM family; make inline corrections if it suggests otherwise so future completions follow suit. Using a centrally defined and distributed container for local development is a good way to ensure everyone is using the same PowerShell version, cmdlets and tools.</li> <li>Adopt basic quality gates in your workspace, such as PSScriptAnalyzer for linting and Pester for testing, so you can quickly validate GitHub Copilot's output as you iterate.</li> </ol> <h3>Set security and governance guardrails</h3> <ol class="default-list"> <li>For individual use, review the "public code matching" and "content sharing" toggles during setup and choose the most conservative posture that still enables productivity.</li> <li>For organizations, enforce policies centrally, define data boundaries and decide when to enable repository‑ or workspace‑aware assistance. Treat GitHub Copilot output like any code contribution: scan for secrets, review for least‑privilege patterns and check for module or API deprecations before merging.</li> </ol> <h3>Prime GitHub Copilot with effective prompts</h3> <ol class="default-list"> <li>State the goal, constraints and environment: PowerShell version, OS, modules and performance or security requirements.</li> <li>Ask explicitly for modern patterns: "Use <span style="font-family: 'courier new', courier, monospace;">Get‑CimInstance</span>, not <span style="font-family: 'courier new', courier, monospace;">Get‑WmiObject,</span>" "Target <span style="font-family: 'courier new', courier, monospace;">Connect‑AzAccount,</span> not <span style="font-family: 'courier new', courier, monospace;">AzureRM</span>," "Return structured objects; avoid <span style="font-family: 'courier new', courier, monospace;">Write‑Host"</span> and "Include error handling and <span style="font-family: 'courier new', courier, monospace;">-WhatI</span>f support." GitHub Copilot responds best to that level of specificity.</li> </ol> <p>With these preparations, GitHub Copilot becomes a dependable accelerator for PowerShell admins: it drafts the first 80% and you apply expert judgment to refine and solidify the result. The feedback you provide guides its next suggestions without losing sight of correctness, security and maintainability.</p> <div class="btt-thumbnailContainer alignLeft"> <span class="btt-thumbnailTitle">GitHub Copilot for PowerShell</span> <a class="btt-thumbnailLink" data-video-id="652487" data-channel-id="18865"> <div class="btt-thumbnailImgContainer"> <img class="btt-videoBtThumbnail" src="https://cdn.brighttalk.com/ams/california/images/communication/652487/image_1071268.jpg?width=640&height=360" height="169" width="300"> </div></a> <time class="btt-video-duration" datetime="PT4M56S">4:56</time> </div> <div class="btt-modal"> <div class="btt-modal-content"></div> </div> </section> <section class="section main-article-chapter" data-menu-title="How to write PowerShell with GitHub Copilot"> <h2 class="section-title"><i class="icon" data-icon="1"></i>How to write PowerShell with GitHub Copilot</h2> <p>GitHub Copilot functions at its best when you provide it with precise intent, a clear execution environment and quality guardrails. <a href="https://www.techtarget.com/searchenterpriseai/tip/Compare-top-AI-coding-tools">Treat it like a junior pair‑programmer</a>: you specify the "what" and the constraints; it drafts the how. And together you review, refine and test. GitHub Copilot needs direction from you to understand how it should proceed. Explicit prompts produce markedly better results.</p> <h3>Work iteratively in VS Code</h3> <ul class="default-list"> <li>Seed with a descriptive comment or a minimal function skeleton -- CmdletBinding, parameters, try/catch, ShouldProcess. GitHub Copilot will propose completions that follow your intent and style.</li> <li>If a suggestion is close but not perfect, accept it and edit inline. GitHub Copilot's subsequent completions in that file usually follow your corrections, such as switching from AzureRM to Az, or from WMI to CIM.</li> <li>Use GitHub Copilot Chat to:</li> <li style="list-style: none;"> <ul class="default-list"> <li>  Explain or refactor a block.</li> <li>  Add Pester tests and comment‑based help.</li> <li>  Enforce PSScriptAnalyzer rules.</li> <li>  Request multi‑file edits, such as update a module and its tests.</li> </ul> </li> </ul> <h3>Aim for correctness, performance and maintainability</h3> <ul class="default-list"> <li>Return rich objects from the pipeline; avoid <span style="font-family: 'courier new', courier, monospace;">Write-Host</span> in library code.</li> <li>Prefer a single, well‑scoped query over per‑item lookups. For example, calling a cmdlet inside a loop when you already have the data is unnecessary and inefficient.</li> <li>Validate module versions and cmdlet availability. Ask GitHub Copilot to pin or check versions when relevant.</li> <li>Add error handling and ShouldProcess so you can run with <span style="font-family: 'courier new', courier, monospace;">-WhatIf</span> or <span style="font-family: 'courier new', courier, monospace;">-Confirm</span> during testing.</li> </ul> <h3>Example: List running services and their logon accounts</h3> <p>Prompt to GitHub Copilot -- as a comment or in chat:</p> <p>"PowerShell 7. Get all running Windows services and show service name, display name and the account the service runs as. Use <span style="font-family: 'courier new', courier, monospace;">Get-CimInstance</span> (not <span style="font-family: 'courier new', courier, monospace;">Get-WmiObject</span>). Return objects; no <span style="font-family: 'courier new', courier, monospace;">Write-Host</span>."</p> <p>Resulting approach -- concise, PS7‑compatible:</p> <p>Query once via CIM and select the properties you need:</p> <pre class="language-powershell"><code>$services = Get-CimInstance -ClassName Win32_Service | Where-Object { $_.State -eq 'Running' } $services | Select-Object Name, DisplayName, State, StartName </code></pre> <p>This code avoids per‑service WMI calls and relies on Win32_Service.StartName for the logon account. It also avoids implying properties that don't exist on Get-Service in PS 7.x, such as a UserName property.</p> </section> <section class="section main-article-chapter" data-menu-title="Use GitHub Copilot to improve code quality"> <h2 class="section-title"><i class="icon" data-icon="1"></i>Use GitHub Copilot to improve code quality</h2> <p>GitHub Copilot helps you implement PowerShell best practices beyond basic functionality. It can refine a script if you request further enhancements by asking for:</p> <ul class="default-list"> <li>Pester tests covering error conditions.</li> <li>Comment‑based help and parameter validation attributes.</li> <li>Remediation of <a href="https://www.techtarget.com/searchwindowsserver/feature/5-PowerShell-tools-to-help-simplify-admin-tasks-and-support">PSScriptAnalyzer findings</a>.</li> <li>Safer patterns, such as credentials via Get-Credential or managed identity; least‑privilege RBAC.</li> <li>Iterate until the script meets your style and reliability standards, then run tests and a <span style="font-family: 'courier new', courier, monospace;">-WhatIf</span> dry run before applying changes.</li> </ul> <p>Common pitfalls GitHub Copilot can make and how to fix them:</p> <ul class="default-list"> <li>Suggesting deprecated cmdlets or modules, such as <span style="font-family: 'courier new', courier, monospace;">AzureRM</span> and <span style="font-family: 'courier new', courier, monospace;">Get-WmiObject</span>. Correct them and continue; GitHub Copilot will usually follow your lead in later completions.</li> <li>Using inefficient loops that re‑query the state on every iteration. Consolidate into a single query and project only the fields you need.</li> <li>Emitting strings via <span style="font-family: 'courier new', courier, monospace;">Write-Host</span> instead of returning objects. Ask GitHub  Copilot to output PSCustomObjects or select specific properties.</li> </ul> <p>By combining clear intent, environment constraints and iterative review, you'll get accurate, PowerShell 7‑friendly and maintainable code from GitHub Copilot: it's much faster than starting from a blank file and safer than accepting the first suggestion at face value.</p> </section> <section class="section main-article-chapter" data-menu-title="Examples of PowerShell prompts for GitHub Copilot"> <h2 class="section-title"><i class="icon" data-icon="1"></i>Examples of PowerShell prompts for GitHub Copilot</h2> <p>Below is a practical "prompt pack" you can paste into GitHub Copilot Chat and adapt. Use placeholders, such as <FILE>, <FUNCTION>, <MODULE>, <RESOURCE_GROUP>, <PS_VERSION>, <RULESET> and <TARGET>.</p> <p>Here are some quick tips:</p> <ul class="default-list"> <li>Be explicit about PowerShell version, modules and constraints; GitHub Copilot performs better with clear direction and current APIs, such as PS7, Az modules and <a href="https://www.techtarget.com/searchstorage/definition/Common-Information-Model">CIM</a> instead of WMI.</li> <li>If GitHub Copilot suggests deprecated patterns, such as <span style="font-family: 'courier new', courier, monospace;">AzureRM</span> or <span style="font-family: 'courier new', courier, monospace;">Get-WmiObject</span>, correct it once; subsequent completions typically follow your change.</li> <li>Favor single, well-scoped queries and return objects. Avoid per-item re-queries and <span style="font-family: 'courier new', courier, monospace;">Write-Host</span> in library code.</li> </ul> <h3>Foundation/constraints priming</h3> <p>"You are my PowerShell pair programmer. Constraints: PowerShell 7.x only; cross-platform safe; avoid legacy cmdlets; avoid <span style="font-family: 'courier new', courier, monospace;">AzureRM</span> (use Az modules, C<span style="font-family: 'courier new', courier, monospace;">onnect-AzAccount)</span>; return objects (no <span style="font-family: 'courier new', courier, monospace;">Write-Host</span>); add error handling (try/catch), parameter validation and <span style="font-family: 'courier new', courier, monospace;">ShouldProcess</span> with <span style="font-family: 'courier new', courier, monospace;">-WhatIf/-Confirm</span>; follow PSScriptAnalyzer defaults and PowerShell style best practices."</p> <h3>PowerShell 7-only refactor and modernization</h3> <p>"Refactor <FILE> to PowerShell 7-only: replace deprecated cmdlets, ensure cross-platform compatibility, remove <span style="font-family: 'courier new', courier, monospace;">Write-Host</span> in favor of pipeline-friendly output, add <span style="font-family: 'courier new', courier, monospace;">CmdletBinding</span> and <span style="font-family: 'courier new', courier, monospace;">ShouldProcess</span> and include comment-based help. Explain each breaking change and why it's needed for PS7."</p> <h3>PSScriptAnalyzer audit and fixes</h3> <p>"Run PSScriptAnalyzer on <FILE> using default rules (or this custom settings: <RULESET>). List violations with rule IDs and lines, then propose minimal, safe fixes. Apply fixes in an updated version of <FILE>. Where a justified exception is needed, add <span style="font-family: 'courier new', courier, monospace;">[Diagnostics.CodeAnalysis.SuppressMessage()]</span> with a rationale in comments."</p> <h3>Generate Pester tests</h3> <p>"Generate Pester v5 tests for <FUNCTION>/<MODULE>: include Arrange/Act/Assert structure, mocks for external calls (filesystem, registry, network, Az cmdlets), tests for <span style="font-family: 'courier new', courier, monospace;">-WhatIf/-Confirm</span>, error paths, parameter validation and at least one table-driven test. Target PS7. Output tests in a new file named <FUNCTION>.Tests.ps1 suitable for CI."</p> <h3>Comment-based help and docs</h3> <p>"Add comment-based help to <FUNCTION>: .SYNOPSIS, .DESCRIPTION, .PARAMETER (each), .EXAMPLE (3+ realistic examples), .NOTES, .LINK to docs. Then produce a README snippet describing usage, prerequisites (modules/versions) and examples."</p> <p>"For <MODULE>, generate a CHANGELOG entry for version <TARGET>, summarizing fixes, features and breaking changes, with links to related functions."</p> <h3>Secure-by-default hardening</h3> <p>"Review <FILE> for security issues: remove plaintext secrets, use Get-Credential or managed identity patterns, validate all external inputs, use least-privilege RBAC in examples, <span style="font-family: 'courier new', courier, monospace;">set $ErrorActionPreference = 'Stop'</span> inside critical sections and ensure sensitive data is not logged. Provide a diff-like summary of changes."</p> <h3>Azure script modernization and correctness</h3> <p>"Update this Azure script to current Az modules: authenticate with <span style="font-family: 'courier new', courier, monospace;">Connect-AzAccount,</span> select subscription/context, capture resource outputs in variables and use supported parameters for <span style="font-family: 'courier new', courier, monospace;">New-AzResourceGroup</span>. Replace any <span style="font-family: 'courier new', courier, monospace;">AzureRM</span> usage. Ensure idempotent behavior where practical and include tags. Explain any parameter changes due to module updates."</p> <h3>Performance and efficiency review</h3> <p>"Profile the logic in <FILE> for unnecessary loops and redundant cmdlet calls. Consolidate into single queries where possible (e.g., query services once, then project fields). Replace per-item calls with batched or pipeline operations. Return only required properties and avoid materializing unused data. Provide the optimized version and a short rationale for each change."</p> <h3>Refactor for module quality</h3> <p>"Turn <FILE> into a reusable module function: add [CmdletBinding()], [Parameter()] attributes (Mandatory, ValidateSet/Pattern/Range), supports ShouldProcess, pipeline input where appropriate, structured output (PSCustomObject or typed objects), verbose logging via Write-Verbose and comment-based help. Include a public/private function split if needed."</p> <h3>Documentation from code</h3> <p>"<a href="https://www.techtarget.com/searchsoftwarequality/tip/How-to-choose-the-best-Markdown-editor-for-your-use-case">Generate a Markdown README</a> for <MODULE> with: overview, installation, required module versions, usage examples for each public function, configuration and environment variables, troubleshooting and a section on security considerations. Cross-link to comment-based help."</p> <h3>Error handling and resiliency</h3> <p>"Add robust error handling to <FUNCTION>: <span style="font-family: 'courier new', courier, monospace;">set $ErrorActionPreference</span> within scope, use try/catch with specific exception types, clean up resources in finally and emit actionable error messages. Ensure all external cmdlets use <span style="font-family: 'courier new', courier, monospace;">-ErrorAction Stop</span> where appropriate."</p> <h3>Continuous integration-ready outputs</h3> <p>"Produce a CI checklist for this repo: run PSScriptAnalyzer, run Pester v5, verify no secrets committed, format with PowerShell extension settings and fail on analyzer or test errors. Provide a GitHub Actions workflow yaml that runs on push/PR to main."</p> <h3>Targeted property selection and correctness</h3> <p>"For this task, list running services with their logon accounts in PS7 using CIM (not WMI). Avoid looping and re-querying; return <span style="font-family: 'courier new', courier, monospace;">Name</span>, <span style="font-family: 'courier new', courier, monospace;">DisplayName</span>, <span style="font-family: 'courier new', courier, monospace;">State</span>, <span style="font-family: 'courier new', courier, monospace;">StartName</span> as objects. Provide the minimal, efficient snippet and a one-line explanation."</p> <h3>Prompt patterns for iterative editing</h3> <p>"Explain what this function does, identify risks and deprecated APIs and propose a safer, PS7-compatible rewrite. Then apply the rewrite."</p> <p>"Propose a small, incremental refactor to improve readability and testability (max 10 lines changed), then show a larger refactor that improves structure (max 50 lines)."</p> <h3>House style and formatting</h3> <p>"Reformat <FILE> to match PowerShell style: 2-space indents, PascalCase for functions, singular nouns for functions, approved verbs, consistent parameter ordering (-Name, -Id, -Path, etc.) and one pipeline per line. Do not alter logic; only formatting and naming where safe."</p> <p>When asking Copilot to modify code, supply the file or selection and say "apply changes to this file" so it proposes an inline edit. If it drifts, restate constraints and correct once. Its next suggestion usually aligns with your guidance.</p> </section> <section class="section main-article-chapter" data-menu-title="How to get the most out of GitHub Copilot"> <h2 class="section-title"><i class="icon" data-icon="1"></i>How to get the most out of GitHub Copilot</h2> <p>GitHub Copilot is now a credible accelerator for PowerShell work. It's capable of drafting <a href="https://www.techtarget.com/searchenterpriseai/opinion/Can-AI-write-code-A-developer-experiments-in-two-languages">scripts from natural language descriptions</a>, refactoring legacy code and stitching together Azure automation -- so long as you keep an expert's hand on the wheel.</p> <p>For day‑to‑day administration, VS Code combined with GitHub Copilot can collapse hours of boilerplate coding into minutes. Even when GitHub Copilot's first draft isn't perfect, it often gets you most of the way there, translating into meaningful time savings on common tasks.</p> <p>With precise prompts, careful review and routine testing, GitHub Copilot becomes a reliable force multiplier for <a target="_blank" href="https://github.com/orgs/community/discussions/144674" rel="noopener">scripting</a>, troubleshooting and Azure orchestration when working under deadline pressure.</p> <p><i>James Bannan is a principal security consultant with more than 25 years of industry experience, specializing in Microsoft Azure architecture, security and automation. He is a published author and journalist, as well as a former Microsoft MVP and a current Microsoft Certified Trainer.</i></p> </section> Learn how to work with GitHub Copilot to write scripts, refactor legacy code and streamline Azure automation with best practices in mind. https://cdn.ttgtmedia.com/rms/onlineimages/chatbot_g1150454068.jpg https://www.techtarget.com/searchwindowsserver/tip/How-to-use-GitHub-Copilot-for-PowerShell-coding-projects Tue, 18 Nov 2025 12:46:00 GMT Using GitHub Copilot to accelerate PowerShell scripting <p>Network nodes require an IP address configuration that typically includes the IP address, subnet mask, default gateway IP address for the router, name servers and other values.</p> <p>Administrators can manually set this information, resulting in a static configuration. A Dynamic Host Configuration Protocol (DHCP) server can also dynamically provide the information.</p> <p>Generally, servers, routers, network printers and other comparable devices have a static configuration. Workstations, laptops, phones, tablets and other end-user devices receive their configuration using DHCP.</p> <p>Client devices lease their IP address configuration by using the following four-step DORA process:</p> <ol class="default-list"> <li><b>Discover</b>. The client broadcasts an attempt to discover a DHCP server.</li> <li><b>Offer.</b> DHCP servers that receive the client broadcast offer an IP address configuration.</li> <li><b>Request</b>. The client formally requests the IP configuration from the first DHCP server to respond.</li> <li><b>Acknowledge</b>. The DHCP server acknowledges the lease and doesn't offer that same address to another client.</li> </ol> <p>The client must renew the lease periodically.</p> <p>Now that we've briefly reviewed <a href="https://www.techtarget.com/searchnetworking/tip/Static-IP-vs-dynamic-IP-addresses-Whats-the-difference">how IP addresses are allocated</a> and the lease generation process, let's delve into more detail on Windows DHCP server configuration. Follow these steps to manage deployment.</p> <section class="section main-article-chapter" data-menu-title="1. Install DHCP on Windows Server"> <h2 class="section-title"><i class="icon" data-icon="1"></i>1. Install DHCP on Windows Server</h2> <p>The DHCP service is not automatically installed on Windows Server. It is easy to add, however, using either Server Manager or Windows PowerShell.</p> <p>Ensure that you deploy essential services such as DHCP on the most current version of Windows Server for the most up-to-date features and security enhancements. Older versions of Windows Server do not support DHCP failover and other crucial capabilities.</p> <p>DHCP is a relatively lightweight service, but if the server manages thousands of clients, its DHCP database and log file structure can become cumbersome. Plan the following minimum hardware specifications:</p> <ul class="default-list"> <li><b>8GB RAM.</b> Increase this to 16GB for larger networks.</li> <li><b>120GB SSD.</b> Storage for logs, DHCP database and the OS. Increase this if the server hosts other services, such as <a href="https://www.techtarget.com/searchwindowsserver/definition/Active-Directory">Active Directory</a> (AD) or DNS.</li> <li><b>One 1-gigabit Ethernet network adapter. </b>Consider implementing a dual network adapter configuration with <a href="https://www.techtarget.com/searchnetworking/tip/Configure-NIC-teaming-in-Windows-Server">network interface card (NIC) teaming</a> for redundancy and performance.  </li> </ul> <p>To add DHCP using Server Manager, select <b>Add Roles and Features</b>, and then choose <b>DHCP</b> in the Roles list.</p> <p>To add the DHCP role using the CLI, open Windows PowerShell, and type the following:</p> <pre><span style="font-family: 'courier new', courier, monospace;">Install-WindowsFeature DHCP -IncludeManagementTools</span></pre> <figure class="main-article-image full-col" data-img-fullsize="https://www.techtarget.com/rms/onlineimages/screenshot_install_dhcp_using_windows_powershell.jpg"> <img data-src="https://www.techtarget.com/rms/onlineimages/screenshot_install_dhcp_using_windows_powershell_mobile.jpg" class="lazy" data-srcset="https://www.techtarget.com/rms/onlineimages/screenshot_install_dhcp_using_windows_powershell_mobile.jpg 960w,https://www.techtarget.com/rms/onlineimages/screenshot_install_dhcp_using_windows_powershell.jpg 1280w" alt="Windows PowerShell DHCP installation screenshot" data-credit="Damon Garn" height="137" width="558"> <figcaption> <i class="icon pictures" data-icon="z"></i>Figure 1. Install the DHCP role by using Windows PowerShell. </figcaption> <div class="main-article-image-enlarge"> <i class="icon" data-icon="w"></i> </div> </figure> <p>The installation takes about one minute to complete.</p> <p>Once admins install the DHCP service, they can manage it by selecting <b>Server Manager > Tools > DHCP</b>.</p> </section> <section class="section main-article-chapter" data-menu-title="2. Authorize DHCP in AD"> <h2 class="section-title"><i class="icon" data-icon="1"></i>2. Authorize DHCP in AD</h2> <p>You must register Windows-based DHCP servers with AD before they can offer IP address configurations to clients.</p> <p>Right-click on the server node in the DHCP console and select <b>Authorize</b> to complete this authorization. You need Enterprise Admin privileges to authorize DHCP.</p> <p>Trouble authorizing DHCP in AD often indicates connectivity and replication issues. Use the following troubleshooting steps to correct authorization challenges:</p> <ul class="default-list"> <li>Confirm you have sufficient privileges to authorize the server in AD.</li> <li>Confirm connectivity to one or more domain controllers.</li> <li>Verify firewall settings are not blocking Lightweight Active Directory Protocol queries.</li> <li>Wait a few minutes for AD replication to occur.</li> <li>Confirm AD replication health.</li> <li>Check Event Viewer for entries indicating authorization failure, such as Event ID 1046.</li> <li>Verify DNS functionality and confirm resource records exist for the domain controllers and the DHCP server.</li> </ul> <p>Windows Server DHCP servers deployed in a workgroup configuration do not need authorization. Windows Server Workgroups are typically 10 or fewer computers, requiring no centralized administration or security. You might find these deployments in small businesses, lab environments or non-essential areas<i>.</i></p> </section> <section class="section main-article-chapter" data-menu-title="3. Create a scope"> <h2 class="section-title"><i class="icon" data-icon="1"></i>3. Create a scope</h2> <p>Before building the first pool of available IP addresses, you must plan the deployment. Devices, such as servers, routers and even printers, might have static IP address configurations. Ensure you have identified these addresses and that you allow for them in scope. Many administrators place all statically assigned IP addresses at the front of the IP range. These are not included in the DHCP scope to avoid conflicts.</p> <p>Keep growth and scalability in mind when configuring Windows DHCP servers. DHCP must be able to provide IP addresses as departments, branch locations or network segments expand within the company. Create a scope large enough to support any expected growth. Don't forget about new print devices, temporary or seasonal employees, VMs and business partner computers that join the network.</p> <p>This example design starts with a standard Class C reserved IP address range. It accounts for the static IP addresses assigned to network devices and the dynamically leased IP addresses for client systems:</p> <ul class="default-list"> <li>Scope address range: 192.168.2.0/24.</li> <li>Static IP addresses: 192.168.2.1 through 192.168.2.25. Be sure to leave some room for additional devices.</li> <li>Dynamic IP addresses: 192.168.2.26 through 192.168.2.254.</li> </ul> <p>You also need to decide on additional configuration details, including the following:</p> <ul class="default-list"> <li><b>Name and description.</b> The scope name and an optional description.</li> <li><b>Default gateway value</b>. The IP address of the NIC in the router attached to this network.</li> <li><b>Name resolution servers</b>. The IP address of one or more <a href="https://www.techtarget.com/searchsecurity/tip/The-3-types-of-DNS-servers-and-how-they-work">DNS servers</a>.</li> <li><b>Reservations.</b> Any IP addresses that are dynamically allocated to specific clients enable those clients to acquire a consistent IP configuration from DHCP.</li> <li><b>Lease time.</b> The period during which the IP address lease is valid. It needs to be renewed at the halfway point of the lease. The default Windows Server DHCP lease duration is eight days.</li> </ul> </section> <section class="section main-article-chapter" data-menu-title="4. Configure and activate the scope"> <h2 class="section-title"><i class="icon" data-icon="1"></i>4. Configure and activate the scope</h2> <p>Once you have documented the above values, you can configure the scope. Right-click the server node in the DHCP console, and then select <b>New Scope</b>. A wizard prompts you for the information you chose above. You can change these settings later.</p> <figure class="main-article-image full-col" data-img-fullsize="https://www.techtarget.com/rms/onlineimages/screenshot_create_new_dhcp_scope.jpg"> <img data-src="https://www.techtarget.com/rms/onlineimages/screenshot_create_new_dhcp_scope_mobile.jpg" class="lazy" data-srcset="https://www.techtarget.com/rms/onlineimages/screenshot_create_new_dhcp_scope_mobile.jpg 960w,https://www.techtarget.com/rms/onlineimages/screenshot_create_new_dhcp_scope.jpg 1280w" alt="Create a new DHCP scope " data-credit="Damon Garn" height="224" width="560"> <figcaption> <i class="icon pictures" data-icon="z"></i>Figure 2. Create a new DHCP scope. </figcaption> <div class="main-article-image-enlarge"> <i class="icon" data-icon="w"></i> </div> </figure> <p>Once activated, the DHCP server begins responding to DHCP client discover messages by offering IP addresses. Use AD to deactivate the scope, stop or start the DHCP service or deauthorize the DHCP server itself.</p> <p>Windows Server DHCP servers can host <a href="https://www.techtarget.com/searchnetworking/tip/How-to-configure-multiple-DHCP-scopes-on-one-Windows-server">multiple scopes</a> to manage various subnets.</p> </section> <section class="section main-article-chapter" data-menu-title="5. Manage DNS registration"> <h2 class="section-title"><i class="icon" data-icon="1"></i>5. Manage DNS registration</h2> <p>DNS links easy-to-remember hostnames to difficult-to-remember IP addresses. You can populate this database in several ways.</p> <p>One method is to configure the DHCP server to create resource records for the client. The DHCP server can create the following:</p> <ul class="default-list"> <li><b>A records.</b> Hostname to IP address.</li> <li><b>Pointer records.</b> IP address to hostname. Also known as PTR records.</li> <li><b>Both record types.</b> A records and pointer records together.</li> </ul> <p>By default, the DHCP server creates the PTR record, while the client itself registers its A record with DNS.</p> <figure class="main-article-image full-col" data-img-fullsize="https://www.techtarget.com/rms/onlineimages/screenshot_configure_dns_options.jpg "> <img data-src="https://www.techtarget.com/rms/onlineimages/screenshot_configure_dns_options_mobile.jpg " class="lazy" data-srcset="https://www.techtarget.com/rms/onlineimages/screenshot_configure_dns_options_mobile.jpg 960w,https://www.techtarget.com/rms/onlineimages/screenshot_configure_dns_options.jpg 1280w" alt="Screenshot of DNS configuration for DHCP" data-credit="Damon Garn" height="642" width="560"> <figcaption> <i class="icon pictures" data-icon="z"></i>Figure 3. Configure DNS options. </figcaption> <div class="main-article-image-enlarge"> <i class="icon" data-icon="w"></i> </div> </figure> </section> <section class="section main-article-chapter" data-menu-title="Administrative DHCP tasks"> <h2 class="section-title"><i class="icon" data-icon="1"></i>Administrative DHCP tasks</h2> <p>The DHCP service is simple to configure. But sysadmins often find some additional settings to be useful, among them:</p> <h3>Create client reservations</h3> <p>In some cases, it's useful to allow a client machine to maintain a consistent IP address. While you could set the IP address configuration statically, it's often better to reserve the IP address for the client in DHCP. The client undergoes the DORA process to receive its settings, so values such as router and name resolution servers can still be updated using DHCP.</p> <ol class="default-list"> <li>Use the<span style="font-family: 'courier new', courier, monospace;"> ipconfig /all</span> command on the client to find the MAC address.</li> <li>Right-click the <b>Reservations</b> node in the DHCP Scope on the DHCP server. Choose <b>New Reservation</b>.</li> <li>Provide a reservation name, IP address to assign, the client's MAC address and a description that explains why this client needs an unchanging address.</li> <li>Click <b>Add</b> to save the configuration.</li> </ol> <p>You can also right-click on existing leases in the DHCP console and select <b>Add to Reservation</b>.</p> <figure class="main-article-image full-col" data-img-fullsize="https://www.techtarget.com/rms/onlineimages/screenshot_reserve_ip_address_for_devcomputer.jpg"> <img data-src="https://www.techtarget.com/rms/onlineimages/screenshot_reserve_ip_address_for_devcomputer_mobile.jpg" class="lazy" data-srcset="https://www.techtarget.com/rms/onlineimages/screenshot_reserve_ip_address_for_devcomputer_mobile.jpg 960w,https://www.techtarget.com/rms/onlineimages/screenshot_reserve_ip_address_for_devcomputer.jpg 1280w" alt="Screenshot of IP address reservation" data-credit="Damon Garn" height="552" width="560"> <figcaption> <i class="icon pictures" data-icon="z"></i>Figure 4. Reserve an IP address for the Dev-Computer. </figcaption> <div class="main-article-image-enlarge"> <i class="icon" data-icon="w"></i> </div> </figure> <h3>Configure DHCP failover</h3> <p>Microsoft introduced <a target="_blank" href="https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/dn338983(v=ws.11)" rel="noopener">DHCP failover</a> with Windows Server 2012, more than a decade after the release of the first server OS. However, it appears many administrators are unaware of DHCP failover. Configuration is straightforward and requires no special software.</p> <p>To <a href="https://www.techtarget.com/searchnetworking/tip/Configure-DHCP-failover-for-Windows-Server">configure DHCP failover</a>, use the following steps:</p> <ol class="default-list"> <li>Ensure you've installed the DHCP role on both DHCP servers and that each has network connectivity with the other.</li> <li>Configure a DHCP scope on one of the servers.</li> <li>Right-click the scope and select <b>DHCP Failover</b> from the context menu.</li> <li>Complete the wizard.</li> <li>Select the second DHCP server and observe that the new scope appears.</li> </ol> <figure class="main-article-image full-col" data-img-fullsize="https://www.techtarget.com/rms/onlineimages/screenshot_configure_dhcp_failover.jpg"> <img data-src="https://www.techtarget.com/rms/onlineimages/screenshot_configure_dhcp_failover_mobile.jpg" class="lazy" data-srcset="https://www.techtarget.com/rms/onlineimages/screenshot_configure_dhcp_failover_mobile.jpg 960w,https://www.techtarget.com/rms/onlineimages/screenshot_configure_dhcp_failover.jpg 1280w" alt="Screenshot of DHCP failover configuration" data-credit="Damon Garn" height="327" width="560"> <figcaption> <i class="icon pictures" data-icon="z"></i>Figure 5. Configure DHCP failover. </figcaption> <div class="main-article-image-enlarge"> <i class="icon" data-icon="w"></i> </div> </figure> <h3>Manage logs</h3> <p>Managing service log files is a standard function for sysadmins. DHCP writes messages to Event Viewer and to text files.</p> <p>Sysadmins can check the system log for general DHCP and network messages. They can find DHCP entries by drilling down to <b>Applications and Services > Microsoft > Windows > DHCP-Server > Microsoft-Windows-DHCP-Server-Events > Operational</b>.</p> <p>DHCP also generates text-based log files stored at <span style="font-family: 'courier new', courier, monospace;">C:\Windows\System32\dhcp</span>. These logs are <a href="https://www.techtarget.com/searchnetworking/tip/Troubleshooting-a-DHCP-server">useful for troubleshooting</a>. They can display information on why the server was unable to lease configurations to clients.</p> <figure class="main-article-image full-col" data-img-fullsize="https://www.techtarget.com/rms/onlineimages/screenshot_dhcp_text_logs.jpg"> <img data-src="https://www.techtarget.com/rms/onlineimages/screenshot_dhcp_text_logs_mobile.jpg" class="lazy" data-srcset="https://www.techtarget.com/rms/onlineimages/screenshot_dhcp_text_logs_mobile.jpg 960w,https://www.techtarget.com/rms/onlineimages/screenshot_dhcp_text_logs.jpg 1280w" alt="Screenshot of DHCP text log" data-credit="Damon Garn" height="291" width="560"> <figcaption> <i class="icon pictures" data-icon="z"></i>Figure 6. DHCP text logs. </figcaption> <div class="main-article-image-enlarge"> <i class="icon" data-icon="w"></i> </div> </figure> <p>Text file logs are named by day of the week and are overwritten weekly. If you want to retain these logs, you must rename them before the upcoming day of the week can overwrite them.</p> <h3>Manage DHCP lease durations</h3> <p>Maintaining reasonable lease durations is crucial to optimizing DHCP. Shorter lease times help recycle unused IP addresses, which is important in some venues.</p> <p>Begin by considering the type of DHCP environment you're supporting. For example, a coffee shop might provide wireless connectivity to customers. Chances are, these customers will only need to lease an IP address for an hour or less, meaning short lease durations will recycle addresses quickly as customers leave.</p> <p>Business offices, however, would see increased network traffic and server activity with such short lease durations in a relatively unchanging environment. Lease times in these settings would typically be at least one day, and likely far more than that.</p> <p>In addition, transient device types typically require shorter lease durations than more permanent systems, such as workstations. Consider the following lease durations for different types of devices:</p> <ul class="default-list"> <li><b>Laptops.</b> Up to eight hours.</li> <li><b>Smartphones.</b> Up to eight hours.</li> <li><b>Tablets.</b> Up to eight hours.</li> <li><b>Workstation.</b> Eight days. This is the default lease duration for Windows Server DHCP servers.</li> <li><b>VMs.</b> Varies depending on the VM's use; likely very short.</li> </ul> <p>Adjust these values to meet your organization's requirements.</p> <h3>Identify conflicting scopes</h3> <p>As more subnets -- and, therefore, more DHCP scopes -- are added to the network, it's imperative that sysadmins accurately document the IP address ranges. Overlapping scopes, where two DHCP servers offer the same IP addresses to clients, result in various network communication issues.</p> <p>Carefully document the following Windows DHCP server configuration settings:</p> <ul class="default-list"> <li><b>Static IP addresses.</b> Manually configured on servers and network devices.</li> <li><b>Reserved IP addresses. </b>Assigned by DHCP to clients that require unchanging addresses.</li> <li><b>IP address usage.</b> Available versus consumed IP addresses based on network inventory to ensure enough IP addresses exist when adding more clients to the subnet.</li> <li><b>MAC addresses. </b>DHCP reservations, MAC address filtering and switch troubleshooting.</li> </ul> <blockquote class="main-article-pullquote"> <div class="main-article-pullquote-inner"> <figure> DHCP must be able to provide IP addresses as departments, branch locations or network segments expand within the company. Create a scope large enough to support any expected growth. </figure> <i class="icon" data-icon="z"></i> </div> </blockquote> <p>Avoiding conflicting scopes is one reason why Microsoft requires administrators to use AD to authorize DHCP servers. That authorization can only be implemented by enterprise admins, who should have enough broad <a href="https://www.techtarget.com/searchnetworking/definition/network-management">knowledge of network configuration</a> to prevent conflicting scopes.</p> <h3>Avoid duplicate IP address offers</h3> <p>One of the most serious misconfigurations is a client computer configured with a static IP address that falls within the DHCP server's assigned IP address range. In that case, the server can offer the IP address to a client because it is unaware of the static IP. This results in an <a href="https://www.techtarget.com/searchnetworking/tip/How-to-avoid-duplicate-IP-addresses-in-a-network">IP address conflict</a>.</p> <p>You can configure the Windows DHCP service to ping an IP address before offering it to a client. If the ping returns a response, the DHCP server knows the address is already in use and should not be offered. The server offers a different address to the client.</p> <figure class="main-article-image full-col" data-img-fullsize="https://www.techtarget.com/rms/onlineimages/screenshot_configure_conflict_detection_attempts.jpg"> <img data-src="https://www.techtarget.com/rms/onlineimages/screenshot_configure_conflict_detection_attempts_mobile.jpg" class="lazy" data-srcset="https://www.techtarget.com/rms/onlineimages/screenshot_configure_conflict_detection_attempts_mobile.jpg 960w,https://www.techtarget.com/rms/onlineimages/screenshot_configure_conflict_detection_attempts.jpg 1280w" alt="Screenshot of configuring conflict detection attempt" data-credit="Damon Garn" height="281" width="559"> <figcaption> <i class="icon pictures" data-icon="z"></i>Figure 7. Configure conflict detection attempts. </figcaption> <div class="main-article-image-enlarge"> <i class="icon" data-icon="w"></i> </div> </figure> <p>The ping request occurs between the Discover and Offer steps of the lease generation process. It introduces a significant delay, so only configure this setting if you have a genuine concern about undocumented static IP addresses on client devices.</p> <h3>Implement a maintenance schedule</h3> <p>Keeping your DHCP servers healthy is crucial for maintaining smooth, uninterrupted IP address management. Target these three areas for regular maintenance: Monitoring, optimization and security.</p> <p>Monitor the following areas:</p> <ul class="default-list"> <li>Review status and uptime records regularly.</li> <li>Audit log files regularly.</li> <li>Review scope settings to ensure availability.</li> <li>Review administrative privileges on the server.</li> </ul> <p>Implement the following performance improvements:</p> <ul class="default-list"> <li>Right-size DHCP scopes for the number of clients.</li> <li>Adjust lease times depending on scope and client type.</li> <li>Ensure sufficient quantities of static IP addresses remain available for network devices and servers.</li> <li>Document all settings and changes.</li> </ul> <p>Consider the following security settings:</p> <ul class="default-list"> <li>Harden the server and the DHCP service by removing unnecessary privileges and services.</li> <li>Update the server with the latest security patches.</li> <li><a href="https://www.techtarget.com/searchsecurity/tutorial/How-to-conduct-firewall-testing-and-analyze-test-results">Ensure firewall settings</a> protect the server from external connections.</li> <li>Implement MAC filtering to control client leases more effectively.</li> <li>Scan for <a href="https://www.techtarget.com/searchnetworking/tip/What-is-a-rogue-DHCP-server">rogue DHCP servers</a> that might result from misconfiguration or malicious intent.</li> </ul> <p>Windows DHCP server configuration is straightforward. Make sure you have a solid understanding of the entire network's <a href="https://www.techtarget.com/searchnetworking/answer/What-should-I-know-about-IP-address-management-systems">IP address configurations</a> before you begin, and plan your scope around both dynamic and static IP address assignments. Don't forget to create a structured maintenance schedule during your deployment.</p> <p>The DHCP role is not installed by default, so the first step is to add it. From there, create a new scope based on your plan. Add any options, such as DNS and reserved addresses. Review log files regularly. DHCP is simple, but critical for network communication.</p> <p><i>Damon Garn owns Cogspinner Coaction and provides freelance IT writing and editing services. He has written multiple CompTIA study guides, including the Linux+, Cloud Essentials+ and Server+ guides, and contributes extensively to TechTarget Editorial, The New Stack and CompTIA Blogs.</i></p> </section> Ensuring your Windows DHCP server is properly configured can be a significant undertaking. Here's what network admins can do to make the job easier. https://cdn.ttgtmedia.com/rms/onlineimages/arvr_g1226063726.jpg https://www.techtarget.com/searchnetworking/tip/A-guide-to-Windows-DHCP-server-configuration Fri, 14 Nov 2025 08:30:00 GMT A guide to Windows DHCP server configuration <p>AI took center stage at Microsoft Ignite 2025, this year's installment of the tech giant's annual conference.</p> <p>From Nov. 18-21, conference-goers gathered at San Francisco's Moscone Center for hundreds of live sessions, demonstrations and labs focusing on key topic areas. Key topics this year included cloud and AI platforms, AI-powered security and AI business tools.</p> <p>In a shakeup from years past, Microsoft CEO Satya Nadella did not make an appearance at this year's event. Judson Althoff, CEO of Microsoft's commercial business, delivered the opening keynote -- where he highlighted the company's AI innovations -- alongside senior Microsoft engineering leaders.</p> <p>Dive into our editorial coverage below to catch up on the major announcements and news analysis from this year's Microsoft Ignite conference, and stay tuned for future updates.</p> Our guide to Microsoft Ignite 2025 has everything you need to know about the annual conference, including live news updates, expert analysis and highlights from last year's show. https://www.techtarget.com/searchwindowsserver/conference/Microsoft-Ignite-conference-coverage Mon, 10 Nov 2025 00:00:00 GMT Microsoft Ignite 2025 conference coverage <p>As infrastructure grows, so does complexity. Automation with tools such as Terraform gives IT teams a way to scale more efficiently without adding to operational overhead.</p> <p>The goal of any automated provisioning process, such as using Terraform to configure a Windows Server in Azure, is to <a href="https://www.techtarget.com/searchwindowsserver/tutorial/How-PowerShell-can-automate-Hyper-V-deployments">automate as many of the configuration tasks</a> as possible to streamline infrastructure setup. In an AD environment, joining these new servers to the domain is a crucial step to enable management with centralized tools, enforce security and enable governance.</p> <p>This article will explain how to use Terraform to not only provision a Windows VM in Azure but also automatically <a href="https://www.techtarget.com/searchwindowsserver/tutorial/How-to-join-Linux-to-an-Active-Directory-domain">join it to an on-premises AD domain to</a> make sure the VM is ready for use immediately. This automation process also includes using Azure Key Vault to perform the server configuration securely.</p> <section class="section main-article-chapter" data-menu-title="How domain-join automation with Terraform works"> <h2 class="section-title"><i class="icon" data-icon="1"></i>How domain-join automation with Terraform works</h2> <p>The domain-join process is often handled with a configuration management tool, such as Ansible, Puppet, Saltstack or Chef. But, as a popular infrastructure-as-code (IaC) tool, <a href="https://www.techtarget.com/searchitoperations/tutorial/Dive-into-Terraform-basics-with-this-tutorial">Terraform enables you to describe the infrastructure</a> in a declarative format and then deploy it with minimal manual effort. This raises the question: Should your configuration management tool handle domain joins, or should your IaC tool take care of it during provisioning?</p> <p>Although Terraform isn’t designed for detailed configuration jobs, such as a domain join, it can use Azure VM extensions for this purpose. Specifically, JsonADDomainExtension can be used to automatically join the VM to the AD domain after deployment. This approach lets you use just Terraform rather than multiple tools to both deploy the VM and execute the domain join to simplify the process and maintain consistency across environments.  </p> </section> <section class="section main-article-chapter" data-menu-title="Provisioning a Windows VM in Azure with Terraform"> <h2 class="section-title"><i class="icon" data-icon="1"></i>Provisioning a Windows VM in Azure with Terraform</h2> <p>Before configuring the Azure VM extension for the domain join, let's provision the VM with Terraform. Start by defining the Azure provider.</p> <pre class="language-powershell"><code>provider "azurerm" {   features {} }</code></pre> <p>Next, attach the VM to a <a href="https://www.techtarget.com/searchnetworking/tip/Introduction-to-IP-addressing-and-subnetting">subnet with DNS settings</a> that point to the domain controller and the proper open ports. For this tutorial, we'll assume the configured subnet exists, so we'll import it with a data block.</p> <pre class="language-powershell"><code>data "azurerm_subnet" "example" {   name                 = "Subnet Name"   virtual_network_name = "vNet Name"   resource_group_name  = var.resource_group_name }</code></pre> <p>Next, create a network interface card (NIC) and connect it to the Azure subnet, then deploy a Windows Server VM in Azure. The code attaches the VM to the NIC so it can communicate on the private network with the domain controller.</p> <pre class="language-powershell"><code>resource "azurerm_network_interface" "example" {   name                = "${var.name}-nic"   location            = var.location   resource_group_name = var.resource_group_name   ip_configuration {     name                          = "internal"     subnet_id                     = data.azurerm_subnet.example.id     private_ip_address_allocation = "Dynamic"   } } resource "azurerm_windows_virtual_machine" "example" {   name                = var.name   resource_group_name = var.resource_group_name   location            = var.location   size                = "Standard_F2"   admin_username      = "adminuser"   admin_password      = var.admin_password   network_interface_ids = [     azurerm_network_interface.example.id,   ]   os_disk {     caching              = "ReadWrite"     storage_account_type = "Standard_LRS"   }   source_image_reference {     publisher = "MicrosoftWindowsServer"     offer     = "WindowsServer"     sku       = "2025-Datacenter"     version   = "latest"   } }</code></pre> <p>The NIC takes its name from the name of the VM. This naming convention clarifies the association between the NIC and its VM and reduces the number of variables in the Terraform configuration.</p> <p>Next, use the following Terraform code to add the Azure VM extension, JsonADDomainExtension, which automatically joins a Windows VM in Azure to the AD domain:</p> <pre class="language-powershell"><code>resource "azurerm_virtual_machine_extension" "example" {   name                 = "DomainJoin"   virtual_machine_id   = azurerm_windows_virtual_machine.example.id   publisher            = "Microsoft.Compute"   type                 = "JsonADDomainExtension"   type_handler_version = "1.3"   settings = <<SETTINGS     {       "Name": "domain.com",       "OUPath": "OU=Servers,DC=domain,DC=com",       "User": "domain\${var.domain_join_user}",       "Restart": "true",       "Options": "3"     }   SETTINGS   protected_settings = <<PROTECTED_SETTINGS     {       "Password": "${var.domain_join_password}"     }   PROTECTED_SETTINGS }</code></pre> <p>This extension is associated with the VM through the <b>virtual_machine_id</b> property, which references the deployed VM ID.</p> <p>The domain-related settings are in the <b>settings</b> and <b>protected_settings</b> sections. For your domain, you  must replace or use variables for the following settings:</p> <ul class="default-list"> <li><b>domain.com</b>: Replace with the AD domain name.</li> <li><b>OU=Servers,DC=domain,DC=com</b>: Replace with the organizational unit (OU) where you want to add the server.</li> <li>On the <b>User</b> line, replace <b>domain</b> with the short name of the login domain.</li> </ul> </section> <section class="section main-article-chapter" data-menu-title="Using Azure Key Vault to securely handle domain-join credentials"> <h2 class="section-title"><i class="icon" data-icon="1"></i>Using Azure Key Vault to securely handle domain-join credentials</h2> <p>It’s important to understand that the previous configuration requires passing the password as a variable. This value needs to either be in a .tfvars file or passed to the Terraform executable as a parameter.</p> <p>There are several ways to accomplish both approaches, but, when working in Azure, the recommendation is to manage the password in <a href="https://www.techtarget.com/searchwindowsserver/definition/Microsoft-Azure-Key-Vault">Azure Key Vault</a>. Assuming the identity used to deploy the configuration has read access to secrets in the Azure Key Vault, retrieve the password using Terraform data blocks and pass it to the domain-join extension.</p> <pre class="language-powershell"><code>data "azurerm_key_vault" "example" {   name                = "example-keyvault"   resource_group_name = var.resource_group_name } data "azurerm_key_vault_secret" "domain-join-pw" {   name         = "domain-join-pw"   key_vault_id = data.azurerm_key_vault.example.id } resource "azurerm_virtual_machine_extension" "example" {   name                 = "DomainJoin"   virtual_machine_id   = azurerm_windows_virtual_machine.example.id   publisher            = "Microsoft.Compute"   type                 = "JsonADDomainExtension"   type_handler_version = "1.3"   settings = <<SETTINGS     {       "Name": "domain.com",       "OUPath": "OU=Servers,DC=domain,DC=com",       "User": "domain\${var.domain_join_user}",       "Restart": "true",       "Options": "3"     }   SETTINGS   protected_settings = <<PROTECTED_SETTINGS     {       "Password": "${data.azurerm_key_vault_secret.domain-join-pw.value}"|     }   PROTECTED_SETTINGS }</code></pre> <p>In the script, the extension references a secret called <b>domain-join-pw</b> in the Azure Key Vault named <b>example-keyvault</b>. The code securely retrieves and passes the password to the VM extension using the <b>protected_settings</b> block to ensure encryption during deployment.</p> </section> <section class="section main-article-chapter" data-menu-title="How to test the Azure VM domain join"> <h2 class="section-title"><i class="icon" data-icon="1"></i>How to test the Azure VM domain join</h2> <p>After running the Terraform configuration and provisioning the VM, verify its domain-join status in the Azure portal.</p> <ul class="default-list"> <li>Navigate to the VM.</li> <li>Expand <b>Settings</b>.</li> <li>Click on <b>Extensions + applications</b>.</li> </ul> <figure class="main-article-image full-col" data-img-fullsize="https://www.techtarget.com/rms/onlineimages/howell_terraform_1-f.jpg"> <img data-src="https://www.techtarget.com/rms/onlineimages/howell_terraform_1-f_mobile.jpg" class="lazy" data-srcset="https://www.techtarget.com/rms/onlineimages/howell_terraform_1-f_mobile.jpg 960w,https://www.techtarget.com/rms/onlineimages/howell_terraform_1-f.jpg 1280w" alt="A screenshot of the Azure portal's Extensions + applications section that shows the DomainJoin extension. " height="200" width="559"> <figcaption> <i class="icon pictures" data-icon="z"></i>Check the appropriate section in the Azure portal to see if the VM successfully joined the Active Directory domain. </figcaption> <div class="main-article-image-enlarge"> <i class="icon" data-icon="w"></i> </div> </figure> <p>Click on the <b>DomainJoin</b> extension to open a modal window to review its status.</p> <p>If you don’t see the <b>Join completed </b>message, then the recommendation is to connect to the VM and troubleshoot the domain-join failure using standard Windows diagnostics. Once you have determined the root cause, you might need to adjust DNS or <a href="https://www.techtarget.com/searchcloudcomputing/answer/Compare-Azure-Firewall-vs-NSGs-for-network-security">network-security groups if you have network-security rules in</a> place.</p> </section> <section class="section main-article-chapter" data-menu-title="Scaling Windows VM deployments with domain join"> <h2 class="section-title"><i class="icon" data-icon="1"></i>Scaling Windows VM deployments with domain join</h2> <p>It's simple enough to deploy multiple domain-joined Windows VMs <a target="_blank" href="https://developer.hashicorp.com/terraform/language/modules" rel="noopener">using</a> Terraform modules.</p> <p>The configuration used in earlier examples can be converted into a Terraform module by adding parameters to reduce hardcoded values. After defining the module, you create a new VM by calling the module. The following example shows how to call the module.</p> <pre class="language-powershell"><code>module "windowsvm-01" {   source               = "./modules/windowsvm"   name                 = "windowsvm-01"   resource_group_name  = "rg-01"   location             = "East US"   admin_pw_secret_name = "admin-pw"   domain_join_user     = "domainuser"   size                 = "Standard_F2" }</code></pre> <p>To create another VM, copy the module block and update the appropriate values, such as the VM name, resource group or size.</p> </section> <section class="section main-article-chapter" data-menu-title="Enlist automation to scale infrastructure securely"> <h2 class="section-title"><i class="icon" data-icon="1"></i>Enlist automation to scale infrastructure securely</h2> <p>Automating Windows VM deployment and domain join not only saves administrators significant time and effort but also ensures consistency with configurations across the domain. The combination of Terraform modules and Azure Key Vault for managing sensitive credentials makes it possible to securely scale this process. This approach reduces the manual work that can introduce errors and <a href="https://www.techtarget.com/searchitoperations/tip/Infrastructure-as-code-principles-How-IaC-works-and-how-to-use-it">helps enforce IaC best practices.</a></p> <p><i>Anthony Howell is an IT strategist with extensive experience in infrastructure and automation technologies. His expertise includes PowerShell, DevOps, cloud computing, and working in both Windows and Linux environments.</i></p> </section> Streamline the provisioning of Windows VMs in Azure, then securely join them to the on-premises AD domain using Terraform in combination with Azure Key Vault. https://cdn.ttgtmedia.com/rms/onlineimages/ai_a264431831.jpg https://www.techtarget.com/searchwindowsserver/tutorial/Automating-domain-joins-for-Azure-VMs-with-Terraform Thu, 30 Oct 2025 17:05:00 GMT Automating domain joins for Azure VMs with Terraform <p>Exchange Online health checks aren't just for routine maintenance but to stay ahead of bigger problems and maintain order in Microsoft's hosted email platform.</p> <p>PowerShell elevates monitoring by automating tasks to cut down on manual work, and helps instill confidence in the system's reliability. A sophisticated script can give a clear view of Exchange Online to see where things are working properly and where help is needed. These insights let you act early to adjust resources or <a href="https://www.techtarget.com/searchwindowsserver/tutorial/Query-event-logs-with-PowerShell-to-find-malicious-activity">investigate unusual activity</a>. PowerShell is not just a tool -- it's your frontline defense mechanism.</p> <p>This article will show you how to set up and use PowerShell to automate Exchange Online health checks, detect issues and generate reports to keep the email system running reliably.</p> <section class="section main-article-chapter" data-menu-title="Advantages of using PowerShell to check Exchange Online"> <h2 class="section-title"><i class="icon" data-icon="1"></i><strong>Advantages of using PowerShell to check Exchange Online</strong></h2> <p>When it comes to monitoring Exchange Online, PowerShell offers multiple benefits:</p> <ol class="default-list"> <li><b>Automated scheduling. </b>You can <a href="https://www.techtarget.com/searchwindowsserver/tutorial/Learn-how-to-create-a-scheduled-task-with-PowerShell">schedule PowerShell scripts</a> to run at specific intervals, eliminating the need for manual intervention and ensuring consistent oversight.</li> <li><b>Detailed system insights.</b> PowerShell can access key metrics in Exchange Online, such as message tracking logs and mailbox statistics, to reveal anomalies and track usage trends in your Exchange Online infrastructure.</li> <li><b>Customized monitoring.</b> You can tailor scripts for specific locations, such as mailbox growth, user activity or delivery delays, for control over what to monitor and when to trigger alerts.</li> <li><b>Reporting features.</b> You can generate reports for auditing or sharing information with stakeholders.</li> </ol> <p>PowerShell provides comprehensive tools to monitor and manage your Exchange Online environment effectively.</p> </section> <section class="section main-article-chapter" data-menu-title="Prerequisites for using PowerShell with Exchange Online"> <h2 class="section-title"><i class="icon" data-icon="1"></i><strong>Prerequisites for using PowerShell with Exchange Online</strong></h2> <p>Before you can start monitoring Exchange Online using PowerShell, there are a few prerequisites to consider.</p> <p>First, ensure you have the necessary permissions to access and monitor Exchange Online. Typically, this involves being an Exchange Online administrator role member or assigning the necessary Exchange Online management roles to your account.</p> <p>Next, you must install the Exchange Online PowerShell V3 (EXO V3) module to connect to your Exchange Online environment and work within it.</p> <p>Lastly, <a href="https://www.techtarget.com/searchwindowsserver/definition/PowerShell">develop a basic understanding of PowerShell scripting</a>. You can find prebuilt scripts online but it's helpful to know how to customize and modify scripts. Learning the basics of PowerShell, such as variables, loops and conditional statements, will enable you to create more advanced monitoring scripts.</p> <p>To use PowerShell with Exchange Online, you must complete the following:</p> <ol class="default-list"> <li><b>Set up your environment</b>: You need a compatible Windows environment to use PowerShell with Exchange Online. The recommended OS is Windows 10 or 11.</li> <li><b>Install the required software</b>: <ol style="list-style-type: lower-alpha;" class="default-list"> <li><b>PowerShell</b>: Install the latest version of PowerShell. As of publication, PowerShell 7.4 or later is the latest version, but you should download the most recent one. Windows PowerShell 5.1 will also work but Microsoft recommends the newer open source version of PowerShell.</li> <li><b>Microsoft .NET Framework</b>: Exchange Online requires .NET Framework, specifically version 4.7.1 or later.</li> <li><b>PowerShellGet and PackageManagement modules</b>: <a href="https://www.techtarget.com/searchwindowsserver/tutorial/Use-PSResourceGet-to-manage-PowerShell-modules-and-scripts">These modules</a> are required for REST API-based connections used by the EXO V3 module.</li> </ol> </li> <li><b>Install the EXO V3 module</b>: The PowerShell module provides cmdlets for managing Exchange Online. You can install it using the PowerShell command: </li> </ol> <p><code>Install-Module -Name ExchangeOnlineManagement</code></p> <ol start="4" class="default-list"> <li><b>Set execution policy:</b> You might need to set the execution policy in PowerShell to allow the execution of scripts. You can do this using the <span style="font-family: 'courier new', courier, monospace;">Set-ExecutionPolicy</span> cmdlet. Be careful when setting this policy, as it can have security implications. A commonly used policy for this purpose is RemoteSigned.</li> <li><b>Connect to Exchange Online</b>: Use the <span style="font-family: 'courier new', courier, monospace;">Connect-ExchangeOnline</span> cmdlet to connect to Exchange Online. The system will prompt you to enter your Exchange Online credentials.</li> </ol> <p>As a reminder, always refer to the latest documentation from Microsoft for the most up-to-date instructions. Also, these steps might require administrative privileges. Be sure to understand the implications of each step, especially when changing system settings or execution policies.</p> </section> <section class="section main-article-chapter" data-menu-title="Monitor mail flow in Exchange Online with PowerShell"> <h2 class="section-title"><i class="icon" data-icon="1"></i>Monitor mail flow in Exchange Online with PowerShell</h2> <p>Monitoring mail flow in Exchange Online is crucial to ensure that email is sent and received correctly. PowerShell provides several cmdlets that can help you <a href="https://www.techtarget.com/searchwindowsserver/tutorial/How-to-use-PowerShell-for-Exchange-Online-monitoring">check mail flow</a> and troubleshoot any issues that might arise. One of the key cmdlets for this work is <span style="font-family: 'courier new', courier, monospace;">Get-MessageTraceV2</span>, the replacement for the legacy <span style="font-family: 'courier new', courier, monospace;">Get-MessageTrace</span> cmdlet that Microsoft deprecated in September 2025.</p> <p><span style="font-family: 'courier new', courier, monospace;">Get-MessageTraceV2</span> lets you retrieve information about messages sent or received within a specific period. You can filter the results based on various criteria, such as sender, recipient, subject or message status. By regularly running <span style="font-family: 'courier new', courier, monospace;">Get-MessageTraceV2</span> and analyzing the results, you can identify any potential mail flow issues and take appropriate actions. The following are examples of using <span style="font-family: 'courier new', courier, monospace;">Get-MessageTraceV2</span>.</p> <pre class="language-powershell"><code># Retrieve information about messages sent or received in the last 24 hours Get-MessageTraceV2 ` -StartDate (Get-Date).AddDays(-1) ` -EndDate (Get-Date) # Retrieve messages sent by a specific sender in the last 24 hours Get-MessageTraceV2 ` -SenderAddress user@domain.onmicrosoft.com ` -StartDate (Get-Date).AddDays(-1) ` -EndDate (Get-Date) # Retrieve information about messages that failed in the last 24 hours Get-MessageTraceV2 ` -DeliveryStatus Failed ` -StartDate (Get-Date).AddDays(-1) ` -EndDate (Get-Date)</code></pre> <p>You can use <span style="font-family: 'courier new', courier, monospace;">Get-MessageTraceV2</span> to automate checks and export entries based on delivery failures. The following script retrieves the record of the last seven days of failed delivery entries, exports it as a CSV for further review, then disconnects from Exchange Online.</p> <pre class="language-powershell"><code>Connect-ExchangeOnline ` -UserPrincipalName user@domain.onmicrosoft.com ` -ShowProgress $true $endDate = Get-Date $startDate = $endDate.AddDays(-7) $failedMessages = Get-MessageTraceV2 ` -StartDate $startDate ` -EndDate $endDate | ` Where-Object { $_.DeliveryStatus -eq "Failed" } if ($failedMessages) { $failedMessages | Export-Csv ` -Path "C:\Temp\FailedMessages.csv" ` -NoTypeInformation } else { Write-Host "No failed messages found in the last seven days." } Disconnect-ExchangeOnline -Confirm:$false</code></pre> </section> <section class="section main-article-chapter" data-menu-title="Assess mailbox sizes using PowerShell"> <h2 class="section-title"><i class="icon" data-icon="1"></i>Assess mailbox sizes using PowerShell</h2> <p>In addition to <span style="font-family: 'courier new', courier, monospace;">Get-MessageTraceV2</span>, PowerShell also offers other cmdlets such as <span style="font-family: 'courier new', courier, monospace;">Get-EXOMailboxStatistics</span> -- the replacement for the <span style="font-family: 'courier new', courier, monospace;">Get-MailboxStatistic</span>s cmdlet -- to monitor mailbox usage in Exchange Online.</p> <p><span style="font-family: 'courier new', courier, monospace;">Get-EXOMailboxStatistics</span> provides valuable information about mailbox sizes, item counts and last logon times. By monitoring these metrics, you can proactively address performance issues <a href="https://www.techtarget.com/searchstorage/tip/How-businesses-can-manage-Microsoft-365-storage-space">and storage limits</a> that can affect the user's experience.</p> <p>The following are examples of using the command <span style="font-family: 'courier new', courier, monospace;">Get-EXOMailboxStatistics.</span></p> <pre class="language-powershell"><code># Get mailbox statistics for a specific user Get-EXOMailboxStatistics ` -Identity user@domain.onmicrosoft.com # Get specific mailbox statistics for a user Get-EXOMailboxStatistics ` -Identity user@domain.onmicrosoft.com | ` Select DisplayName, LastLogonTime, TotalItemSize</code></pre> <p>You can also use <span style="font-family: 'courier new', courier, monospace;">Get-EXOMailboxStatistics</span> in a PowerShell script to automate the retrieval of mailboxes, then check whether the total item size exceeds a set threshold.</p> <p>The script exports the list of any mailboxes that exceed the threshold of 10 GB to a CSV file.</p> <pre class="language-powershell"><code>Connect-ExchangeOnline ` -UserPrincipalName user@domain.onmicrosoft.com ` -ShowProgress $true $mailboxStats = Get-EXOMailbox -ResultSize Unlimited | ForEach-Object { $stats = Get-EXOMailboxStatistics -Identity $_.UserPrincipalName [PSCustomObject]@{ DisplayName = $_.DisplayName TotalItemSizeMB = [math]::Round(($stats.TotalItemSize.ToMB()), 0) ItemCount = $stats.ItemCount LastLogonTime = $stats.LastLogonTime } } $sizeThreshold = 10240 # 10 GB $largeMailboxes = $mailboxStats | Where-Object { $_.TotalItemSizeMB -gt $sizeThreshold } if ($largeMailboxes) { $largeMailboxes | Export-Csv ` -Path "C:\Temp\LargeMailboxes.csv" -NoTypeInformation } else { Write-Host "No large mailboxes found." }</code></pre> </section> <section class="section main-article-chapter" data-menu-title="Tracking user activities in Exchange Online using PowerShell"> <h2 class="section-title"><i class="icon" data-icon="1"></i>Tracking user activities in Exchange Online using PowerShell</h2> <p>Monitoring user activities on Exchange Online is crucial for security, compliance and troubleshooting purposes. PowerShell provides several cmdlets to monitor user activities and <a href="https://www.techtarget.com/searchwindowsserver/tip/Microsoft-Purview-Audit-helps-IT-flush-out-bad-behavior">track suspicious or unauthorized actions.</a></p> <p>The <span style="font-family: 'courier new', courier, monospace;">Search-MailboxAuditLog</span> cmdlet was previously used to search mailbox audit logs for specific user activities, such as message deletions, mailbox logins or access by external parties. But Microsoft deprecated this cmdlet in favor of the <span style="font-family: 'courier new', courier, monospace;">Search-UnifiedAuditLog</span> cmdlet, which provides a unified view of audit events across Microsoft 365 services.</p> <p>The following script checks for a range of mailbox-related activity by a user.</p> <pre class="language-powershell"><code># Search for Exchange mailbox audit events in the last seven days $startDate = (Get-Date).AddDays(-7) $endDate = Get-Date Search-UnifiedAuditLog ` -StartDate $startDate ` -EndDate $endDate ` -UserIds "user@domain.com" ` -RecordType ExchangeMailbox ` -Operations SendAs, HardDelete, SoftDelete `</code></pre> <p>PowerShell offers other cmdlets optimized for Exchange Online management, such as<br><span style="font-family: 'courier new', courier, monospace;">Get-EXOMailboxPermission</span> and <span style="font-family: 'courier new', courier, monospace;">Get-EXOMailboxFolderPermission</span>, which are used to retrieve information about mailbox and folder permissions. These cmdlets help ensure users have the appropriate access rights and privileges to mailboxes and the contents.</p> <pre class="language-powershell"><code># Get mailbox permissions for a specific user Get-EXOMailboxPermission -Identity user@domain.onmicrosoft.com # Get non-default mailbox permissions for a user Get-EXOMailboxPermission -Identity user@domain.onmicrosoft.com | ` Where-Object { ($_.IsInherited -eq $false) -and ($_.User -notlike "NT AUTHORITY\SELF") } # Get folder permissions for a specific folder in a user's mailbox Get-EXOMailboxFolderPermission -Identity user@domain.onmicrosoft.com:\Inbox # Get folder permissions for all folders in a user's mailbox $mailbox = "user@domain.onmicrosoft.com" $folders = Get-MailboxFolderStatistics -Identity $mailbox | ` Select-Object -ExpandProperty FolderPath foreach ($folder in $folders) { Get-EXOMailboxFolderPermission ` -Identity "$mailbox`:$folder" | ` Select-Object @{Name='FolderPath';Expression={$folder}}, User, AccessRights }</code></pre> </section> <section class="section main-article-chapter" data-menu-title="Generate an Exchange Online report with PowerShell"> <h2 class="section-title"><i class="icon" data-icon="1"></i>Generate an Exchange Online report with PowerShell</h2> <p>Building reports of Exchange Online activities is valuable for auditing, compliance and communication purposes. PowerShell can generate customized reports based on specific criteria and requirements.</p> <p>To build a report of Exchange activities, you can use PowerShell cmdlets such as <span style="font-family: 'courier new', courier, monospace;">Get-MessageTraceV2,</span> <span style="font-family: 'courier new', courier, monospace;">Get-EXOMailboxStatistics</span> and <span style="font-family: 'courier new', courier, monospace;">Search-UnifiedAuditLog</span>. By combining the outputs of these cmdlets and formatting the data using PowerShell's formatting cmdlets, you can create comprehensive reports that include <a href="https://www.techtarget.com/searchwindowsserver/tip/Get-to-know-the-new-Exchange-admin-center-features">information, such as mail flow statistics</a>, mailbox sizes and user activities.</p> <p> PowerShell can export the reports in various formats, such as CSV or HTML, to make it easier to share the information with stakeholders or import it into other systems for further analysis. By regularly generating and reviewing these reports, you can learn about the usage and performance of your Exchange Online environment, identify trends or anomalies and make informed decisions to optimize operations.</p> <p> The following example script checks mail flow and mailbox statistics from the last seven days and exports it into a CSV file:</p> <pre class="language-powershell"><code>Connect-ExchangeOnline -UserPrincipalName admin@domain.com $mailboxes = Get-EXOMailbox -ResultSize Unlimited $report = foreach ($mailbox in $mailboxes) { $mailboxStats = Get-EXOMailboxStatistics -Identity $mailbox.UserPrincipalName | Select-Object DisplayName, TotalItemSize, ItemCount $messageTrace = Get-MessageTraceV2 ` -RecipientAddress $mailbox.UserPrincipalName ` -StartDate (Get-Date).AddDays(-7) ` -EndDate (Get-Date) | Measure-Object | Select-Object -Property Count $auditLogs = Search-UnifiedAuditLog ` -UserIds $mailbox.UserPrincipalName ` -StartDate (Get-Date).AddDays(-7) ` -EndDate (Get-Date) ` -RecordType ExchangeMailbox ` -Operations SendAs, HardDelete, SoftDelete | Measure-Object | ` Select-Object -Property Count [PSCustomObject]@{ UserPrincipalName = $mailbox.UserPrincipalName DisplayName = $mailboxStats.DisplayName TotalItemSize = $mailboxStats.TotalItemSize ItemCount = $mailboxStats.ItemCount MessagesLast7Days = $messageTrace.Count AuditLogsLast7Days = $auditLogs.Count } } $report | Export-Csv -Path "C:\Temp\ExchangeReport.csv" -NoTypeInformation Disconnect-ExchangeOnline -Confirm:$false</code></pre> <p>You could also change the PowerShell code to export the report as HTML:</p> <pre class="language-powershell"><code>$report | ConvertTo-Html ` -Title "Exchange Activities Report" ` -Body "<h1>Exchange Online Activities Report</h1>" | ` Out-File "C:\Temp\ExchangeActivitiesReport.html"</code></pre> <p>You can modify this script further to include other details within the report, such as the failed email delivery for the last seven days.</p> <pre class="language-powershell"><code>Connect-ExchangeOnline -UserPrincipalName admin@domain.com $mailboxes = Get-EXOMailbox -ResultSize Unlimited $report = foreach ($mailbox in $mailboxes) { $mailboxStats = Get-EXOMailboxStatistics ` -Identity $mailbox.UserPrincipalName | Select-Object DisplayName, TotalItemSize, ItemCount $messageTrace = Get-MessageTraceV2 ` -RecipientAddress $mailbox.UserPrincipalName ` -StartDate (Get-Date).AddDays(-7) ` -EndDate (Get-Date) | Measure-Object | Select-Object -Property Count $auditLogs = Search-UnifiedAuditLog ` -UserIds $mailbox.UserPrincipalName ` -StartDate (Get-Date).AddDays(-7) ` -EndDate (Get-Date) ` -RecordType ExchangeMailbox ` -Operations SendAs, HardDelete, SoftDelete | Measure-Object | Select-Object -Property Count [PSCustomObject]@{ UserPrincipalName = $mailbox.UserPrincipalName DisplayName = $mailboxStats.DisplayName TotalItemSize = $mailboxStats.TotalItemSize ItemCount = $mailboxStats.ItemCount MessagesLast7Days = $messageTrace.Count AuditLogsLast7Days = $auditLogs.Count } } $failedMessages = Get-MessageTraceV2 ` -StartDate (Get-Date).AddDays(-7) ` -EndDate (Get-Date) | Where-Object { $_.Status -eq "Failed" } $reportHtml = $report | ConvertTo-Html ` -Title "Exchange Activities Report" ` -Body "<h1>Exchange Online Activities Report</h1>" $failedMessagesHtml = $failedMessages | ConvertTo-Html ` -Title "Failed Messages" ` -Body "<h1>Failed Messages</h1>" -As List $finalHtmlReport = $reportHtml + $failedMessagesHtml $finalHtmlReport | Out-File "C:\Temp\ExchangeActivitiesReport.html"</code></pre> </section> <section class="section main-article-chapter" data-menu-title="PowerShell automation helps with Exchange Online health checks"> <h2 class="section-title"><i class="icon" data-icon="1"></i>PowerShell automation helps with Exchange Online health checks</h2> <p>PowerShell is a powerful tool to maintain the health of Exchange Online thanks to its automation, flexibility and extensive reporting capabilities. The EXO V3 module is vital to streamline monitoring tasks, gather valuable insights and proactively address potential issues.</p> <p> Whether it's monitoring mail flow or user activities, PowerShell provides a comprehensive set of cmdlets to help you effectively monitor and manage your Exchange Online infrastructure. Invest your time to learn PowerShell and how to <a target="_blank" href="https://learn.microsoft.com/en-us/powershell/exchange/exchange-online-powershell-v2?view=exchange-ps" rel="noopener">use</a> the EXO V3 module to enjoy the benefits of efficient monitoring and management of Exchange Online.</p> <p> <i>Liam Cleary is the founder and owner of SharePlicity, a technology consulting company that helps organizations with internal and external collaboration, document and records management, business process automation, automation tool deployment and security controls and protection. Cleary's areas of expertise include security on the Microsoft 365 and Azure platforms, PowerShell automation and IT administration. Cleary is a Microsoft MVP and a Microsoft Certified Trainer.</i></p> </section> Learn how to use scripts to streamline Exchange Online monitoring, produce reports and address issues related to mail flow and other key areas before they affect your organization. https://cdn.ttgtmedia.com/rms/onlineimages/folder-files13.jpg https://www.techtarget.com/searchwindowsserver/tutorial/Checking-Exchange-Online-health-with-PowerShell-automation Mon, 27 Oct 2025 00:00:00 GMT Checking Exchange Online health with PowerShell automation <p>Traditional storage management in Windows file servers often depends on specialized hardware and relatively inflexible configuration options. These requirements don't fit the storage management needs of today's administrators, who expect highly configurable and easily scaled storage.</p> <p>Windows Storage Spaces offers administrators a software-defined approach with greater flexibility, reliability and scalability. It also provides the following benefits and features:</p> <ul class="default-list"> <li><a href="https://www.techtarget.com/searchstorage/definition/software-defined-storage">Software-defined storage</a> with no specialized hardware, enabling various disk combinations depending on requirements.</li> <li>Resiliency options for different use cases.</li> <li>Thin provisioning of disks to avoid wasted or overallocated space.</li> <li>Native Windows graphical management tools and <a href="https://www.techtarget.com/searchwindowsserver/tip/Top-PowerShell-commands-you-must-know-with-cheat-sheet">PowerShell cmdlets</a>.</li> <li>Support for mixed drive types, improving flexibility.</li> <li>Scalability with support for dynamic resizing.</li> <li>Redundancy through disk mirroring and/or data parity.</li> </ul> <p>While parity features sound similar to <a href="https://www.techtarget.com/searchstorage/feature/How-to-choose-and-configure-Windows-Server-RAID-levels">RAID</a>, Storage Spaces does not require the dedicated hardware and related support that RAID arrays call for. Storage Spaces more closely resembles Linux's <a href="https://www.techtarget.com/searchStorage/tutorial/Manage-storage-using-Linux-Logical-Volume-Manager">Logical Volume Manager</a> in terms of features, flexibility and resiliency.</p> <p>Simple server deployments might still rely on traditional partitioning, but modern Windows servers will almost certainly benefit from the advantages Storage Spaces offers. This article covers the processes to configure, modify and manage Storage Spaces, as well as best practices for using this Windows feature.</p> <section class="section main-article-chapter" data-menu-title="Configure Windows Storage Spaces for storage management"> <h2 class="section-title"><i class="icon" data-icon="1"></i>Configure Windows Storage Spaces for storage management</h2> <p>Configuring Storage Spaces is straightforward once you understand the basic process and terminology. You'll begin by combining the capacity of two or more drives, creating a pool of available space. You then create virtual drives from that space. Partition the virtual drives, applying a file system, assigning a drive letter and configuring other settings. Users can then access the space as available storage in File Explorer.</p> <p>The detailed steps are as follows.</p> <h3>Attach storage devices</h3> <p>Install or attach at least two physical drives. These could be internal, external, USB, Serial Advanced Technology Attachment or Serial-Attached SCSI drives. Back up any data on these disks, as Windows formats them during the configuration process. Note that the drives do not have to be the same type, capacity or speed.</p> <p>After installing the drives, select Server Manager > File and Storage Services > Volumes > Disks. Right-click to bring each disk online so that Windows can work with it.</p> <figure class="main-article-image full-col" data-img-fullsize="https://www.techtarget.com/rms/onlineimages/disk-online-f.jpg"> <img data-src="https://www.techtarget.com/rms/onlineimages/disk-online-f_mobile.jpg" class="lazy" data-srcset="https://www.techtarget.com/rms/onlineimages/disk-online-f_mobile.jpg 960w,https://www.techtarget.com/rms/onlineimages/disk-online-f.jpg 1280w" alt="Screenshot of Windows Server Manager showing how to bring connected storage devices online through File and Storage Services." data-credit="Damon Garn" height="330" width="560"> <figcaption> <i class="icon pictures" data-icon="z"></i>Figure 1. Bring storage drives online using Windows Server Manager. </figcaption> <div class="main-article-image-enlarge"> <i class="icon" data-icon="w"></i> </div> </figure> <h3>Create a storage pool</h3> <p>Follow these steps to create a storage pool that aggregates space on the attached drives:</p> <ol class="default-list"> <li>From Server Manager, go to File and Storage Services > Volumes > Storage Pools and open the New Storage Pool Wizard from the Tasks drop-down menu in the Physical Disks pane.</li> </ol> <figure class="main-article-image full-col" data-img-fullsize="https://www.techtarget.com/rms/onlineimages/new-storage-pool-f.jpg"> <img data-src="https://www.techtarget.com/rms/onlineimages/new-storage-pool-f_mobile.jpg" class="lazy" data-srcset="https://www.techtarget.com/rms/onlineimages/new-storage-pool-f_mobile.jpg 960w,https://www.techtarget.com/rms/onlineimages/new-storage-pool-f.jpg 1280w" alt="Screenshot of the Storage Pools settings in Windows Server Manager showing where to locate the New Storage Pool button." data-credit="Damon Garn" height="238" width="559"> <figcaption> <i class="icon pictures" data-icon="z"></i>Figure 2. Manage multiple physical drives as a single resource by creating a new storage pool. </figcaption> <div class="main-article-image-enlarge"> <i class="icon" data-icon="w"></i> </div> </figure> <ol start="2" class="default-list"> <li>Once the New Storage Pool Wizard opens, click <b>Next</b> to proceed.</li> <li>Enter a name and description for the pool and then click <b>Next</b>.</li> </ol> <figure class="main-article-image full-col" data-img-fullsize="https://www.techtarget.com/rms/onlineimages/name-description-f.jpg"> <img data-src="https://www.techtarget.com/rms/onlineimages/name-description-f_mobile.jpg" class="lazy" data-srcset="https://www.techtarget.com/rms/onlineimages/name-description-f_mobile.jpg 960w,https://www.techtarget.com/rms/onlineimages/name-description-f.jpg 1280w" alt="Screenshot of the New Storage Pool Wizard prompting the user to specify a storage pool name and system." data-credit="Damon Garn" height="371" width="560"> <figcaption> <i class="icon pictures" data-icon="z"></i>Figure 3. The New Storage Pool Wizard requires a name and description for the pool. Then, select which drives to aggregate. </figcaption> <div class="main-article-image-enlarge"> <i class="icon" data-icon="w"></i> </div> </figure> <ol start="4" class="default-list"> <li>Select the physical disks you want to include in the pool. You can configure multiple pools, so you don't need to select every available drive. Click <b>Next</b>.</li> <li>Confirm that the selections match your requirements and then click <b>Create</b>.</li> <li>After Windows creates the pool, close the interface. Note the option labeled "Create a virtual disk when this wizard closes." Check this box to proceed to the next steps automatically.</li> </ol> <h3>Create a virtual disk</h3> <p>The next task is to carve a virtual disk from the newly created storage pool. You'll use this virtual disk as if it were a physical disk. The following steps outline this process:</p> <ol class="default-list"> <li>Use the Tasks drop-down menu in the Virtual Disks pane to select <b>New Virtual Disk</b>.</li> <li>Select the storage pool from which to create the new virtual disk and click <b>OK</b>.</li> <li>The New Virtual Disk Wizard opens. Click <b>Next</b> to proceed.</li> </ol> <figure class="main-article-image full-col" data-img-fullsize="https://www.techtarget.com/rms/onlineimages/new-virtual-disk-f.jpg"> <img data-src="https://www.techtarget.com/rms/onlineimages/new-virtual-disk-f_mobile.jpg" class="lazy" data-srcset="https://www.techtarget.com/rms/onlineimages/new-virtual-disk-f_mobile.jpg 960w,https://www.techtarget.com/rms/onlineimages/new-virtual-disk-f.jpg 1280w" alt="Screenshot of the Storage Pools settings in Windows Server Manager showing where to locate the New Virtual Disk button." data-credit="Damon Garn" height="283" width="559"> <figcaption> <i class="icon pictures" data-icon="z"></i>Figure 4. After creating the storage pool, create a virtual disk using the New Virtual Disk Wizard. </figcaption> <div class="main-article-image-enlarge"> <i class="icon" data-icon="w"></i> </div> </figure> <ol start="4" class="default-list"> <li>Enter a name and description for the virtual disk and then click <b>Next</b>.</li> <li>Configure enclosure awareness if your configuration supports it. Click <b>Next</b>.</li> <li>Select a storage layout to define resiliency and then click <b>Next</b>. There are three layout options: <ol class="default-list"> <li>Simple (no resiliency).</li> <li>Mirror.</li> <li>Parity (similar to RAID 5).</li> </ol> </li> <li>Select thin or fixed provisioning to allocate space to the virtual disk and then click <b>Next</b>.</li> <li>Specify the size of the new virtual disk. It does not have to consume the entire pool, as you can create multiple virtual disks from a single pool. Click <b>Next</b>.</li> </ol> <figure class="main-article-image full-col" data-img-fullsize="https://www.techtarget.com/rms/onlineimages/virtual-disk-name-f.jpg"> <img data-src="https://www.techtarget.com/rms/onlineimages/virtual-disk-name-f_mobile.jpg" class="lazy" data-srcset="https://www.techtarget.com/rms/onlineimages/virtual-disk-name-f_mobile.jpg 960w,https://www.techtarget.com/rms/onlineimages/virtual-disk-name-f.jpg 1280w" alt="Screenshot of the New Virtual Disk Wizard prompting the user to specify the size of the virtual disk." data-credit="Damon Garn" height="300" width="560"> <figcaption> <i class="icon pictures" data-icon="z"></i>Figure 5. Specify the size of the new virtual disk. Note that a single pool can have multiple virtual disks, so a single disk does not need to be the size of the entire pool. </figcaption> <div class="main-article-image-enlarge"> <i class="icon" data-icon="w"></i> </div> </figure> <ol start="9" class="default-list"> <li>Confirm that the selections match your requirements and then click <b>Create</b>.</li> <li>After Windows creates the virtual disk, you can close the interface. Note the option labeled "Create a volume when this wizard closes." Check this box to proceed to the next steps automatically.</li> </ol> <h3>Create a volume</h3> <p>Think of the virtual disk as a physical disk. You must now create a volume on it using the following process, which resembles traditional partitioning:</p> <ol class="default-list"> <li>Right-click the new virtual disk in the Virtual Disks pane and then select <b>New Volume </b>to launch the New Volume Wizard.</li> </ol> <figure class="main-article-image full-col" data-img-fullsize="https://www.techtarget.com/rms/onlineimages/new-volume-f.jpg "> <img data-src="https://www.techtarget.com/rms/onlineimages/new-volume-f_mobile.jpg " class="lazy" data-srcset="https://www.techtarget.com/rms/onlineimages/new-volume-f_mobile.jpg 960w,https://www.techtarget.com/rms/onlineimages/new-volume-f.jpg 1280w" alt="Screenshot of the Storage Pools settings in Windows Server Manager showing where to locate the New Volume button in the Virtual Disks pane." data-credit="Damon Garn" height="357" width="559"> <figcaption> <i class="icon pictures" data-icon="z"></i>Figure 6. After creating the new virtual disk, access the New Volume Wizard through the Virtual Disks pane. </figcaption> <div class="main-article-image-enlarge"> <i class="icon" data-icon="w"></i> </div> </figure> <ol start="2" class="default-list"> <li>Select the server and virtual disk. Click <b>Next</b>.</li> </ol> <figure class="main-article-image full-col" data-img-fullsize="https://www.techtarget.com/rms/onlineimages/server-and-disk-f.jpg"> <img data-src="https://www.techtarget.com/rms/onlineimages/server-and-disk-f_mobile.jpg" class="lazy" data-srcset="https://www.techtarget.com/rms/onlineimages/server-and-disk-f_mobile.jpg 960w,https://www.techtarget.com/rms/onlineimages/server-and-disk-f.jpg 1280w" alt="Screenshot of the New Volume Wizard prompting the user to select the server and disk for the new volume." data-credit="Damon Garn" height="312" width="560"> <figcaption> <i class="icon pictures" data-icon="z"></i>Figure 7. Start by choosing a server and disk to host the new volume. </figcaption> <div class="main-article-image-enlarge"> <i class="icon" data-icon="w"></i> </div> </figure> <ol start="3" class="default-list"> <li>Choose a size for the new volume. It does not need to consume the entire virtual disk. Click <b>Next</b> to proceed.</li> <li>Choose a drive letter or folder path for the mount point. Click <b>Next</b>.</li> <li>Select the NTFS or ReFS file system and then choose an allocation unit size and volume label. Click <b>Next</b> to proceed.</li> <li>Confirm that the selections match your requirements and then click <b>Create</b>.</li> <li>Select <b>Close</b> to exit the New Volume Wizard.</li> </ol> <p>The wizard finishes by formatting and mounting the volume. It now appears as a drive in File Manager. You can create folders to share on the network or handle the volume just as you would a traditional drive.</p> <figure class="main-article-image full-col" data-img-fullsize="https://www.techtarget.com/rms/onlineimages/p-drive-f.jpg"> <img data-src="https://www.techtarget.com/rms/onlineimages/p-drive-f_mobile.jpg" class="lazy" data-srcset="https://www.techtarget.com/rms/onlineimages/p-drive-f_mobile.jpg 960w,https://www.techtarget.com/rms/onlineimages/p-drive-f.jpg 1280w" alt="Screenshot of Windows File Manager showing how a newly created volume appears as a drive in the " data-credit="Damon Garn" height="247" width="560"> <figcaption> <i class="icon pictures" data-icon="z"></i>Figure 8. After creating the new volume, it will appear in File Manager using the drive letter or folder path selected in the New Volume Wizard. </figcaption> <div class="main-article-image-enlarge"> <i class="icon" data-icon="w"></i> </div> </figure> </section> <section class="section main-article-chapter" data-menu-title="Modify the storage capacity"> <h2 class="section-title"><i class="icon" data-icon="1"></i>Modify the storage capacity</h2> <p>Adding or removing storage capacity follows a similar procedure to creating a new pool. However, instead of creating new space, you will add it to existing storage. You also have the option to shrink storage. Follow these steps to modify the storage capacity:</p> <ol class="default-list"> <li>Install or connect a new physical drive.</li> <li>Use the Storage Pools menu to add the new drive to the necessary pool.</li> <li>Extend the virtual disk to include the new storage space.</li> </ol> <figure class="main-article-image full-col" data-img-fullsize="https://www.techtarget.com/rms/onlineimages/extend-virtual-disk-f.jpg"> <img data-src="https://www.techtarget.com/rms/onlineimages/extend-virtual-disk-f_mobile.jpg" class="lazy" data-srcset="https://www.techtarget.com/rms/onlineimages/extend-virtual-disk-f_mobile.jpg 960w,https://www.techtarget.com/rms/onlineimages/extend-virtual-disk-f.jpg 1280w" alt="Screenshot of the Virtual Disk pane in Windows Server Manager showing where to locate the Extend Virtual Disk button." data-credit="Damon Garn" height="355" width="560"> <figcaption> <i class="icon pictures" data-icon="z"></i>Figure 9. When adding capacity to the storage pool, extend the virtual disk to include the new physical storage drive. </figcaption> <div class="main-article-image-enlarge"> <i class="icon" data-icon="w"></i> </div> </figure> <ol start="4" class="default-list"> <li>Extend the volume/partition using the Disk Management interface to utilize the additional capacity.</li> </ol> <p>Note that the drives do not have to be offline to modify capacity. This feature is essential for busy file servers that need more space but must remain available to users.</p> <figure class="main-article-image full-col" data-img-fullsize="https://www.techtarget.com/rms/onlineimages/modify-volume-f.jpg"> <img data-src="https://www.techtarget.com/rms/onlineimages/modify-volume-f_mobile.jpg" class="lazy" data-srcset="https://www.techtarget.com/rms/onlineimages/modify-volume-f_mobile.jpg 960w,https://www.techtarget.com/rms/onlineimages/modify-volume-f.jpg 1280w" alt="Screenshot of the Disk Management interface showing how to modify the volume of a virtual disk." data-credit="Damon Garn" height="223" width="559"> <figcaption> <i class="icon pictures" data-icon="z"></i>Figure 10. The Disk Management interface enables users to extend, shrink or delete volumes from a virtual disk. </figcaption> <div class="main-article-image-enlarge"> <i class="icon" data-icon="w"></i> </div> </figure> </section> <section class="section main-article-chapter" data-menu-title="Manage Storage Spaces"> <h2 class="section-title"><i class="icon" data-icon="1"></i>Manage Storage Spaces</h2> <p>There are several interfaces for managing Storage Spaces, including graphical and command-line options, among others.</p> <p>The Server Manager interface offers an easy way to manage storage configurations. Access Storage Spaces by going to Server Manager > File and Storage Services > Storage Pools.</p> <p><a href="https://www.techtarget.com/searchwindowsserver/tip/Top-PowerShell-disk-management-commands-for-Windows-storage">Many PowerShell cmdlets exist</a> for managing storage capacity, including the following:</p> <ul class="default-list"> <li><samp>Get-PhysicalDisk</samp>: List available disks.</li> <li><samp>Add-PhysicalDisk</samp>: Add available disks to a pool.</li> <li><samp>New-StoragePool</samp>: Create a storage pool.</li> <li><samp>Get-StoragePool</samp>: Display storage pool information.</li> <li><samp>New-VirtualDisk</samp>: Create a virtual disk from a storage pool.</li> <li><samp>Get-VirtualDisk</samp>: Display virtual disk information.</li> <li><samp>Resize-VirtualDisk</samp>: Extend the virtual disk onto the newly installed space.</li> <li><samp>Resize-Partition</samp>: Extend the volume onto the extended virtual disk.</li> <li><samp>Optimize-StoragePool</samp>: Rebalances the physical disks in a pool to optimize space and performance.</li> </ul> <figure class="main-article-image full-col" data-img-fullsize="https://www.techtarget.com/rms/onlineimages/get-storagepool-f.jpg"> <img data-src="https://www.techtarget.com/rms/onlineimages/get-storagepool-f_mobile.jpg" class="lazy" data-srcset="https://www.techtarget.com/rms/onlineimages/get-storagepool-f_mobile.jpg 960w,https://www.techtarget.com/rms/onlineimages/get-storagepool-f.jpg 1280w" alt="Screenshot of a Windows PowerShell script running the Get-StoragePool cmdlet." data-credit="Damon Garn" height="129" width="560"> <figcaption> <i class="icon pictures" data-icon="z"></i>Figure 11. The Get-StoragePool cmdlet displays information for all storage pools. </figcaption> <div class="main-article-image-enlarge"> <i class="icon" data-icon="w"></i> </div> </figure> <p>You can create PowerShell scripts to automate storage administration and monitoring.</p> <p>The storage capacity is ready for standard management. You can now configure additional storage features, including <a href="https://www.techtarget.com/searchdatabackup/tutorial/How-to-deploy-Data-Duplication-on-Windows-Server">data deduplication</a>, <a href="https://www.techtarget.com/searchdatacenter/tip/Create-file-server-screens-and-quotas-in-FSRM">File Server Resource Manager</a> components and Windows Backups.</p> </section> <section class="section main-article-chapter" data-menu-title="Monitor Storage Spaces"> <h2 class="section-title"><i class="icon" data-icon="1"></i>Monitor Storage Spaces</h2> <p>Windows logs Storage Spaces information in Event Viewer, including warnings and errors pertaining to physical disks, storage pools and virtual disks. The primary log file is the System log, though you also might find information in the Applications and Services Logs under the StorageManagement and StorageSpaces log folders.</p> <figure class="main-article-image full-col" data-img-fullsize="https://www.techtarget.com/rms/onlineimages/event-viewer-f.jpg"> <img data-src="https://www.techtarget.com/rms/onlineimages/event-viewer-f_mobile.jpg" class="lazy" data-srcset="https://www.techtarget.com/rms/onlineimages/event-viewer-f_mobile.jpg 960w,https://www.techtarget.com/rms/onlineimages/event-viewer-f.jpg 1280w" alt="Screenshot of Windows Event Viewer." data-credit="Damon Garn" height="228" width="560"> <figcaption> <i class="icon pictures" data-icon="z"></i>Figure 12. Check Windows Event Viewer for warnings, errors and other events pertaining to Storage Spaces. </figcaption> <div class="main-article-image-enlarge"> <i class="icon" data-icon="w"></i> </div> </figure> <p>Review these logs if you suspect any issues with Storage Spaces.</p> <p>Select the <b>Volumes</b>, <b>Disk</b> and <b>Storage Pools</b> nodes in Server Manager to review status and health information for each component of the storage pool.</p> <figure class="main-article-image full-col" data-img-fullsize="https://www.techtarget.com/rms/onlineimages/summary-f.jpg"> <img data-src="https://www.techtarget.com/rms/onlineimages/summary-f_mobile.jpg" class="lazy" data-srcset="https://www.techtarget.com/rms/onlineimages/summary-f_mobile.jpg 960w,https://www.techtarget.com/rms/onlineimages/summary-f.jpg 1280w" alt="Screenshot of Windows Server Manager showing status and health information for the volume component of the storage pool." data-credit="Damon Garn" height="284" width="560"> <figcaption> <i class="icon pictures" data-icon="z"></i>Figure 13. Revisit each component in Server Manager for updated status and health information. </figcaption> <div class="main-article-image-enlarge"> <i class="icon" data-icon="w"></i> </div> </figure> <p>As mentioned above, PowerShell also includes various monitoring and information-gathering cmdlets.</p> </section> <section class="section main-article-chapter" data-menu-title="Storage Spaces best practices"> <h2 class="section-title"><i class="icon" data-icon="1"></i>Storage Spaces best practices</h2> <p>Carefully document your Storage Spaces configurations, including any updates and changes to the capacity and drives.</p> <p>Monitor Storage Spaces regularly using the <samp>Get-StoragePool</samp> and <samp>Get-VirtualDisk</samp> cmdlets for drive health, capacity information and status. Replace disks and add capacity based on this information.</p> <p>Remember that the resiliency offered by Storage Spaces does not replace <a href="https://www.techtarget.com/searchDataBackup/tutorial/How-to-use-the-Windows-Server-Backup-tool">regular backups</a>. Storage Spaces should be only one of several data protection layers.</p> <p><a href="https://www.techtarget.com/searchwindowsserver/tip/Learn-how-the-Windows-Server-2025-editions-differ">Modern Windows servers</a> benefit from Storage Spaces, so begin the process of migrating your data today.</p> <p><i>Damon Garn owns Cogspinner Coaction and provides freelance IT writing and editing services. He has written multiple CompTIA study guides, including the Linux+, Cloud Essentials+ and Server+ guides, and contributes extensively to Informa TechTarget, The New Stack and CompTIA Blogs.</i></p> </section> Windows Storage Spaces is an alternative approach to traditional storage management that provides increased flexibility and scalability in a straightforward configuration process. https://cdn.ttgtmedia.com/rms/onlineimages/storage_g922017556.jpg https://www.techtarget.com/searchitoperations/tutorial/Guide-to-Windows-storage-management-using-Storage-Spaces Tue, 21 Oct 2025 13:47:00 GMT Guide to Windows storage management using Storage Spaces <p>Upgrading an Active Directory forest to run on Windows Server 2025 isn't overly difficult, but the process requires preparation.</p> <p>In its latest Windows Server release, Microsoft <a href="https://www.techtarget.com/searchwindowsserver/tip/See-whats-coming-in-Windows-Server-2025">introduced several Active Directory enhancements</a>, including new features and improved functionality that will appeal to organizations. Before they can implement these features, though, they'll need to migrate their domain controllers to Windows Server 2025.</p> <p>This article provides a walkthrough of the planning required before an AD domain controller migration and then covers the steps involved in performing the actual upgrade.</p> <section class="section main-article-chapter" data-menu-title="Why upgrade Active Directory?"> <h2 class="section-title"><i class="icon" data-icon="1"></i>Why upgrade Active Directory?</h2> <p>One major development in Windows Server 2025 is the increased database page size. Since the days of Windows 2000, Active Directory has relied on an Extensible Storage Engine database with an 8 KB page size. While this might have been fine 25 years ago, today the page size limitations hinder overall AD scalability. Microsoft has removed these limitations by increasing the page size to 32 KB. Additionally, AD now takes advantage of <a href="https://www.techtarget.com/whatis/definition/NUMA-non-uniform-memory-access">non-uniform memory access</a> nodes and can support up to 64 CPU cores.</p> <p>Microsoft has also taken steps to improve AD security. As an example, the lightweight directory access protocol used by Active Directory now supports TLS version 1.3. Similarly, Active Directory blocks legacy Security Account Manager Remote Procedure Call protocols in favor of more secure alternatives, such as Kerberos. The Microsoft Learn website offers a <a target="_blank" href="https://learn.microsoft.com/en-us/windows-server/get-started/whats-new-windows-server-2025" rel="noopener">full list</a> of the latest AD enhancements.</p> </section> <section class="section main-article-chapter" data-menu-title="Prepare for your domain controller migration"> <h2 class="section-title"><i class="icon" data-icon="1"></i>Prepare for your domain controller migration</h2> <p>Before upgrading your <a href="https://www.techtarget.com/searchwindowsserver/definition/domain-controller">domain controllers</a> to Windows Server 2025, take the following steps to help ensure a smooth and successful migration.</p> <h3>Assess replication process</h3> <p>The first step involves checking Active Directory to make sure the domain controllers are properly replicating with one another and that the replication process is healthy. This step will also need to be performed again later as part of the migration process. To check the replication status, open PowerShell and enter the command <samp>RepAdmin /ReplSummary</samp>. Make sure there are no replication errors, as shown in Figure 1.</p> <figure class="main-article-image full-col" data-img-fullsize="https://www.techtarget.com/rms/onlineimages/bposey_adupgrade_1-f.jpg"> <img data-src="https://www.techtarget.com/rms/onlineimages/bposey_adupgrade_1-f_mobile.jpg" class="lazy" data-srcset="https://www.techtarget.com/rms/onlineimages/bposey_adupgrade_1-f_mobile.jpg 960w,https://www.techtarget.com/rms/onlineimages/bposey_adupgrade_1-f.jpg 1280w" alt="Screenshot of Windows PowerShell displaying information generated by the RepAdmin tool." data-credit="Brien Posey" height="295" width="559"> <figcaption> <i class="icon pictures" data-icon="z"></i>Figure 1. Check for replication errors by using the RepAdmin tool. </figcaption> <div class="main-article-image-enlarge"> <i class="icon" data-icon="w"></i> </div> </figure> <h3>Create an Active Directory backup</h3> <p>This backup should be done at the last minute to ensure capture of all the latest AD changes. Practice restoring your backups to a lab environment so that you can test their integrity. This process helps familiarize the recovery process in case anything goes wrong.</p> <h3>Audit legacy protocols, applications</h3> <p>Evaluate NT LAN Manager usage throughout your organization. NTLM is a legacy protocol that you should ideally phase out as part of the upgrade process. However, you might still have legacy applications that require NTLM, which might force you to continue using the protocol.</p> <h3>Evaluate hardware requirements</h3> <p>These requirements are relatively modest: 1.4 GHz 64-bit CPU; 2 GB of RAM, or 4 GB as recommended for the Desktop Experience; and 32 GB of storage.</p> <p>You should also review the hardware that your existing domain controllers currently use, since domain controllers will almost always require more than just the minimum hardware. This would be a good time to assess whether your existing hardware allocations are sufficient or if you need to allocate more hardware to your domain controllers.</p> <h3>Consider raising functional levels</h3> <p>Finally, decide whether you want to upgrade to the latest domain and forest <a href="https://www.techtarget.com/searchwindowsserver/definition/Active-Directory-functional-levels">functional levels</a>. Prior to Windows Server 2025, the highest available functional level was Windows Server 2016. Upgrading to the Windows Server 2025 domain functional level lets you take advantage of all the latest enhancements, but you cannot perform the upgrade until all of the domain controllers within the domain are running Windows Server 2025.</p> <p>Note that upgrading the domain functional level is a one-way operation. Once you upgrade the functional level, you will no longer be able to deploy domain controllers running older versions of Windows.</p> <p>The same basic concept also applies to forest functional level upgrades. Raising the forest functional level to Windows Server 2025 requires all of your domains to be operating at the Windows Server 2025 domain functional level. Once again, this is a one-way operation; once you raise the forest functional level, you can no longer deploy domains at lower functional levels.</p> <p>The importance of having a good AD backup increases exponentially when upgrading functional levels. It's a good idea to create a new one just before raising a functional level.</p> <div class="btt-thumbnailContainer"> <span class="btt-thumbnailTitle">Plan Your Domain Controller Migration to Windows Server 2025</span> <a class="btt-thumbnailLink" data-video-id="652475" data-channel-id="18865"> <div class="btt-thumbnailImgContainer"> <img class="btt-videoBtThumbnail" src="https://cdn.brighttalk.com/ams/california/images/communication/652475/image_1059089.png?width=640&height=360"> </div></a> <time class="btt-video-duration" datetime="PT14M40S">14:40</time> </div> <div class="btt-modal"> <div class="btt-modal-content"></div> </div> </section> <section class="section main-article-chapter" data-menu-title="Domain controller migration, step by step"> <h2 class="section-title"><i class="icon" data-icon="1"></i>Domain controller migration, step by step</h2> <p>Once all the prep work has been completed, it's time for the actual domain controller migration. While you can perform an in-place upgrade from Windows Server 2012 R2 or newer Windows Server OSes, the following steps will be for a clean installation onto physical or virtual hardware, as this is usually the preferred option.</p> <h3>1. Install the OS and Domain Services</h3> <p>The first step is to install Windows Server 2025. You will need to join the machine to the AD domain where it will eventually serve as a domain controller before continuing. Take this opportunity to install any available updates.</p> <p>With the OS ready to go, next you will need to install <a href="https://www.techtarget.com/searchwindowsserver/definition/Microsoft-Active-Directory-Domain-Services-AD-DS">Active Directory Domain Services</a>. From the GUI, open Server Manager and then choose the <b>Add Roles and Features</b> command from the Manage menu. Work your way through the wizard until you reach the Roles screen. Here, you will need to select the Active Directory Domain Services role. When prompted, be sure to install any required dependency services.</p> <figure class="main-article-image full-col" data-img-fullsize="https://www.techtarget.com/rms/onlineimages/bposey_adupgrade_2-f.jpg"> <img data-src="https://www.techtarget.com/rms/onlineimages/bposey_adupgrade_2-f_mobile.jpg" class="lazy" data-srcset="https://www.techtarget.com/rms/onlineimages/bposey_adupgrade_2-f_mobile.jpg 960w,https://www.techtarget.com/rms/onlineimages/bposey_adupgrade_2-f.jpg 1280w" alt="Screenshot of the Add Roles and Features Wizard showing the server roles selection screen in Server Manager." data-credit="Brien Posey" height="400" width="559"> <figcaption> <i class="icon pictures" data-icon="z"></i>Figure 2. Install the Active Directory Domain Services role from Server Manager. </figcaption> <div class="main-article-image-enlarge"> <i class="icon" data-icon="w"></i> </div> </figure> <h3>2. Deploy DNS services</h3> <p>Although not technically a requirement, consider where you plan to host the DNS services. Active Directory cannot function without DNS. As such, there is a strong possibility that some of your legacy domain controllers are also functioning as DNS servers. If you are completely doing away with these legacy servers, then you will need to deploy DNS elsewhere.</p> <p>One option is to run the DNS services on your new domain controllers. You can do so by selecting the DNS Server checkbox, shown in Figure 2. You will also need to install the dependency features when prompted. If you are migrating DNS to a new server, remember to modify the IP address configuration used throughout your organization so that it points to the new DNS server.</p> <h3>3. Promote new domain controllers</h3> <p>When the role deployment process is complete, click on the <b>Promote This Server to a Domain Controller</b> link. This will launch the Deployment Configuration Wizard. Select the option to add a new domain controller to an existing domain and then verify that the correct domain is selected. Click <b>Next</b>, and the following screen will ask you to select the capabilities for the new domain controller. Unless you are <a href="https://www.techtarget.com/searchwindowsserver/tutorial/Deploy-a-read-only-domain-controller-for-security-speed">deploying a read-only domain controller</a>, select the default options. While you are at it, you will need to enter and confirm a Directory Services Restore password. Click <b>Next</b> until you complete the wizard. At that point, the server will be configured to act as a domain controller. A reboot is required at the completion of this process.</p> <p>When the reboot is complete, give your new domain controller some time to receive copies of all the objects that currently exist within your Active Directory. Before moving forward, check the replication health using the same method discussed earlier. Make sure that AD replication is functioning properly and the initial replication process is complete before proceeding. If you encounter replication errors, verify that DNS name resolution is working properly and that all the domain controller clocks are correct.</p> <h3>4. Deprovision legacy domain controllers</h3> <p>If you plan to deprovision your legacy domain controllers, it's a good idea to <a href="https://www.techtarget.com/searchwindowsserver/tutorial/How-to-transfer-FSMO-roles-with-PowerShell">transfer Flexible Single Master Operation (FSMO) roles</a>. The role transfer should occur automatically as part of the deprovisioning process, but transferring roles ahead of time can help avoid any surprises. The easiest way to do this is to open an elevated PowerShell session and enter the following command:</p> <pre class="language-powershell"><code>Move-ADDirectoryServerOperationMasterRole -Identity $env:COMPUTERNAME -OperationMasterRole 0,1,2,3,4 -Confirm:$False</code></pre> <p>This command, shown in Figure 3, will transfer all of the operation master roles to your new domain controller. If you only wish to transfer some of the roles, you can change the numbers listed at the end of the command. Each of these numbers represents a role:</p> <ul class="default-list"> <li>0: Primary domain controller emulator.</li> <li>1: Relative identifier master.</li> <li>2: Infrastructure master.</li> <li>3: Schema master.</li> <li>4: Domain naming master.</li> </ul> <figure class="main-article-image full-col" data-img-fullsize="https://www.techtarget.com/rms/onlineimages/bposey_adupgrade_3-f.jpg"> <img data-src="https://www.techtarget.com/rms/onlineimages/bposey_adupgrade_3-f_mobile.jpg" class="lazy" data-srcset="https://www.techtarget.com/rms/onlineimages/bposey_adupgrade_3-f_mobile.jpg 960w,https://www.techtarget.com/rms/onlineimages/bposey_adupgrade_3-f.jpg 1280w" alt="Screenshot of Windows PowerShell displaying a command that transfers FSMO roles to the local system." data-credit="Brien Posey" height="344" width="559"> <figcaption> <i class="icon pictures" data-icon="z"></i>Figure 3. Use PowerShell to transfer all FSMO roles to your new domain controller. </figcaption> <div class="main-article-image-enlarge"> <i class="icon" data-icon="w"></i> </div> </figure> <p>You can verify that the roles have been successfully transferred with the <samp>netdom query fsmo</samp> command.</p> <p>The next step in the process is to begin deprovisioning your legacy domain controllers. The exact steps involved will vary slightly depending on the version of Windows Server in use. At a high level, however, the deprovisioning process involves opening Server Manager and removing the AD Domain Services role.</p> <p><i>Brien Posey is a former 22-time Microsoft MVP and a commercial astronaut candidate. In his more than 30 years in IT, he has served as a lead network engineer for the U.S. Department of Defense and a network administrator for some of the largest insurance companies in America.</i></p> </section> Windows Server 2025 offers a slew of new Active Directory features, but users must migrate their domain controllers before they can realize the benefits. https://cdn.ttgtmedia.com/rms/onlineimages/security_a244600171.jpg https://www.techtarget.com/searchwindowsserver/tip/Plan-your-domain-controller-migration-to-Windows-Server-2025 Fri, 17 Oct 2025 14:28:00 GMT Plan your domain controller migration to Windows Server 2025 <p>When you learn to write PowerShell functions, you might start by solving a specific problem. But as your projects grow more complex, adding flexibility to your scripts will help in the future.  </p> <p>As you use PowerShell functions more and <a href="https://searchwindowsserver.techtarget.com/Comprehensive-PowerShell-guide-for-new-and-seasoned-admins">gain more scripting experience</a>, you'll see ways the function would be more useful if it had the versatility to solve the same problem but in a slightly differently way. Learning how to use default values in parameters makes your code both able to adapt to different situations and simpler to understand. This article will explain how to set default values to make your scripts smarter while showing you how to avoid common pitfalls that can introduce issues or unnecessary complexity.  </p> <section class="section main-article-chapter" data-menu-title="Introduction to default parameter values"> <h2 class="section-title"><i class="icon" data-icon="1"></i>Introduction to default parameter values</h2> <p>A parameter default value is the value given to a parameter if an explicit value isn’t specified. For example, if <a href="https://www.techtarget.com/searchwindowsserver/tip/Top-PowerShell-commands-you-must-know-with-cheat-sheet">you run Get-ChildItem</a> without any parameters, it defaults to using your current working directory as if you had executed Get-ChildItem -Path .\.</p> <p>Another example is using the Copy-Item cmdlet to copy a file. If you don't specify a value to the Destination parameter, then PowerShell automatically copies the item to the current working directory. These two commands produce the same result of copying the file to the same directory where the command is executed:</p> <pre class="language-powershell"><code>Copy-Item -Path C:\path\file.txt</code></pre> <pre class="language-powershell"><code>Copy-Item -Path C:\path\file.txt -Destination .\</code></pre> <p>As a PowerShell user, you have the power to define default parameters for both functions that you write and functions that you consume.</p> <h3>Define default values</h3> <p>PowerShell lets users define default values for parameters in two ways:</p> <ol class="default-list"> <li>In the function by the function author.</li> <li>In a script or interactively by a user.</li> </ol> <p>In the <a href="https://www.techtarget.com/searchwindowsserver/tip/Understanding-the-parameters-of-Windows-PowerShell-functions">param block of a function</a>, any parameter can declare a default value by using the assignment operator, which is the equal sign, and specifying a value. For example:</p> <pre class="language-powershell"><code>Function Test-DefaultValues {     [CmdletBinding()]     param (         [string]$String = "Default String"     )     Write-Host $String }</code></pre> <p>The code gives the $String parameter a default value of "Default String." Running this function without parameters will generate the output that text<b>.</b></p> <p>You can also use the subexpression operator $() to execute PowerShell code to assign a default value. In the following example, the function calculates how many days there are until Friday:<br><br></p> <pre class="language-powershell"><code>Function Test-DefaultValues {     [CmdletBinding()]     param (         [int]$DaysUntilFriday = $(switch ($([DateTime]::Now.DayOfWeek)) {             'Monday' { 4 }             'Tuesday' { 3 }             'Wednesday' { 2 }             'Thursday' { 1 }             'Friday' { 0 }             'Saturday' { 6 }             'Sunday' { 5 }         })     )     Write-Host "There are $DaysUntilFriday days until Friday." }</code></pre> <p>If you run this function with no parameters and enter Test-DefaultValues on the command line on a Monday, then the output will show: <b>There are 4 days until Friday.  </b> </p> <div class="btt-thumbnailContainer"> <span class="btt-thumbnailTitle">Try default values in PowerShell parameters for flexibility</span> <a class="btt-thumbnailLink" data-video-id="652814" data-channel-id="18865"> <div class="btt-thumbnailImgContainer"> <img class="btt-videoBtThumbnail" src="https://cdn.brighttalk.com/ams/california/images/communication/652814/image_1059819.png?width=640&height=360"> </div></a> <time class="btt-video-duration" datetime="PT4M48S">4:48</time> </div> <div class="btt-modal"> <div class="btt-modal-content"></div> </div> <p> </p> </section> <section class="section main-article-chapter" data-menu-title="Using $PSDefaultParameterValues for user-defined defaults"> <h2 class="section-title"><i class="icon" data-icon="1"></i>Using $PSDefaultParameterValues for user-defined defaults</h2> <p>Default parameter values can also be defined not only by the author of the function but also by the user. PowerShell has a built-in <a target="_blank" href="https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.core/about/about_parameters_default_values?view=powershell-7.5" rel="noopener">variable</a> called $PSDefaultParameterValues that lets users specify default values for parameters across cmdlets, functions and scripts.</p> <p>The $PSDefaultParameterValues variable is <a href="https://www.techtarget.com/searchwindowsserver/tip/These-PowerShell-script-examples-help-tidy-up-code">a hashtable</a> with extra validation. The key must follow the CommandName:ParameterName format. The value assigned to the key will be the default value for that parameter. For example, if you use the Test-DefaultValues function with a new parameter, then you can set the default value for that function with the same syntax used to edit hashtables:</p> <pre class="language-powershell"><code>$PSDefaultParameterValues['Test-DefaultValues:WriteWelcomeMessage'] = $false</code></pre> <p>To test the function to see how PowerShell handles default values, set a default value for a switch parameter:</p> <pre class="language-powershell"><code>Function Test-DefaultValues {     [CmdletBinding()]     param (         [switch]$WriteWelcomeMessage = $true     )     if ($WriteWelcomeMessage) {         Write-Host "Welcome!"     } else {         Write-Host "No welcome message."     } }</code></pre> <p>When executed without setting the $PSDefaultParameterValues variable, the output is <b>Welcome!</b></p> <p>If you set the $PSDefaultParameterValues variable, the output is <b>No welcome message.</b></p> <p>This shows user-defined default values via the $PSDefaultParameterValues variable have higher priority over defaults defined in the function.</p> <p>You can define parameter values more broadly using the asterisk wildcard in $PSDefaultParameterValues to apply default values to multiple commands that match a pattern. For example, to automatically pass the Verbose switch to all cmdlets that start with Get-, use the following:  </p> <pre class="language-powershell"><code>$PSDefaultParameterValues['Get-*:Verbose'] = $true</code></pre> <p>The result ensures any Get- command will run in verbose mode by default.</p> <p>It's also possible to scope parameters to specific modules, assuming the module uses a standard naming convention. For example, to specify a set of properties to all Get-Mg* <a href="https://www.techtarget.com/searchwindowsserver/tip/Whats-new-in-Microsoft-Graph-PowerShell-v2">commands in the Microsoft.Graph module,</a> you can use:</p> <pre class="language-powershell"><code>$PSDefaultParameterValues['Get-Mg*:Properties'] = @(     'displayName',     'id',     'userPrincipalName',     'mail',     'accountEnabled' )</code></pre> <h3>Mandatory vs. optional vs. conditional parameters</h3> <p>When writing an advanced function in PowerShell, parameters are optional by default. You can make a parameter mandatory by adding the Mandatory attribute. PowerShell will prompt the user if a mandatory parameter isn't provided.</p> <p>When <a target="_blank" href="https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.core/about/about_parameter_sets?view=powershell-7.5" rel="noopener">using</a> parameter sets, parameters can be conditional. It's important to understand how default values operate with the optional, mandatory and conditional types.</p> <p>In the previous examples, all the parameters in the Test-DefaultValues function were optional because they had no Mandatory attribute. Even though the parameters were essential to the function's operation, default values allowed the function to run without user input. This is similar to how the Path parameter in Get-ChildItem or the Destination parameter in Copy-Item works.</p> <p>If you mark a parameter as Mandatory, then you can't specify a default value. For example, if you test this function, then you'll still get a prompt to supply a value for $String even though it has a default value because the Mandatory attribute overrides default value behavior:</p> <pre class="language-powershell"><code>Function Test-DefaultValues {     [CmdletBinding()]     param (         [Parameter(Mandatory)]         [string]$String = "Default String"     )     Write-Host $String }</code></pre> <figure class="main-article-image full-col" data-img-fullsize="https://www.techtarget.com/rms/onlineimages/ahowell_pwshdefault_1-f.jpg"> <img data-src="https://www.techtarget.com/rms/onlineimages/ahowell_pwshdefault_1-f_mobile.jpg" class="lazy" data-srcset="https://www.techtarget.com/rms/onlineimages/ahowell_pwshdefault_1-f_mobile.jpg 960w,https://www.techtarget.com/rms/onlineimages/ahowell_pwshdefault_1-f.jpg 1280w" alt="A command window shows the results of PowerShell script." height="140" width="560"> <figcaption> <i class="icon pictures" data-icon="z"></i>If a parameter is marked as mandatory, it cannot be assigned a default value. The user must provide an input if the function is called. </figcaption> <div class="main-article-image-enlarge"> <i class="icon" data-icon="w"></i> </div> </figure> <p>If you develop the function in <a href="https://www.techtarget.com/searchwindowsserver/tutorial/How-to-use-the-PowerShell-extension-for-Visual-Studio-Code">Visual Studio Code with the PowerShell extension</a>, then the PSScriptAnalyzer will underline $String as a warning because assigning a default value to a Mandatary parameter goes against best practices</p> <p>Default values work the same way within parameter sets as they do outside of them. If an optional parameter inside of the parameter set has a default value, then that value will be used when the function is called.</p> <p>If a Mandatory parameter inside of the parameter set has a default value, then PowerShell will ignore it and prompt the user for input. This can cause confusion, especially when PowerShell tries to infer which parameter set to use.</p> <p>Consider the following example:</p> <pre class="language-powershell"><code>Function Test-DefaultValues {     [CmdletBinding()]     param (         [Parameter(             ParameterSetName = "Default"         )]         [string]$String,         [Parameter(             ParameterSetName = "Custom"         )]         [string]$CustomString = "Custom String Value"     )     if ($PSCmdlet.ParameterSetName -eq "Default") {         $String = "Default String Value"     }     else {         $String = $CustomString     }     Write-Host $String }</code></pre> <p>It might appear PowerShell would choose the Custom parameter set because $CustomString has a default value, but PowerShell will output an error message. PowerShell can't determine which parameter set to use when no arguments are passed and a Mandatory parameter exists without a clear default set</p> <p>To resolve this, declare a default parameter set inside the CmdletBinding block:</p> <pre class="language-powershell"><code>Function Test-DefaultValues {     [CmdletBinding(         DefaultParameterSetName = "Custom"     )]</code></pre> <p>With that change, PowerShell will default to the Custom parameter set.</p> <h3>Using default values makes parameters more useful </h3> <p>To use PowerShell to generate passwords, then you can write a simple function to make a moderately complex 12-character password:</p> <pre class="language-powershell"><code>Function New-Password {     [char[]]$chars = 'abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789!@#$%^&*()'     (1..12 | ForEach-Object {         $chars | Get-Random -Count 1     }) -join '' }</code></pre> <p>Running the function will produce a reasonably secure password, such as <b>6Qh%2MVDkUP6</b>.</p> <p>However, this is a single-purpose function with no flexibility. To improve it, add a Length parameter with a sensible default value:</p> <pre class="language-powershell"><code>Function New-Password {     param (         [int]$Length = 12     )     [char[]]$chars = 'abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789!@#$%^&*()'     (1..$Length | ForEach-Object {         $chars | Get-Random -Count 1     }) -join '' }</code></pre> <p>Now, you can customize the password length without compromising the sensible default value:<br><b>New-Password -Length 30</b></p> <p>This command will output a password, such as <b>apIA!vcp0d0sQ%gIl5IrMhM2S1YG1).</b></p> <p>To make the password generation function more versatile, you can add support for additional scenarios, such as making a simple password:</p> <pre class="language-powershell"><code>Function New-Password {     [CmdletBinding()]     param (         [int]$Length = 12,         [switch]$Simple     )     [char[]]$simpleChars = 'abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789'     [char[]]$complexChars = '!@#$%^&*()'     $chars = if ($Simple) {         $simpleChars     } else {         $simpleChars + $complexChars     }     (1..$Length | ForEach-Object {         $chars | Get-Random -Count 1     }) -join '' }</code></pre> <p>Then run the command:</p> <pre class="language-powershell"><code>New-Password -Length 20 -Simple</code></pre> <p>This will output a simple password of 20 characters, such as <b>zsB1AmdOmTwk0LT3ysgx.</b></p> <p>Add a parameter set to let the user input a custom set of characters:</p> <pre class="language-powershell"><code>Function New-Password {     [CmdletBinding(         DefaultParameterSetName = 'default'     )]     param (         [Parameter(             ParameterSetName = 'default'         )]         [Parameter(             ParameterSetName = 'customChars'         )]         [int]$Length = 12,         [Parameter(             ParameterSetName = 'default'         )]         [switch]$Simple,         [Parameter(             Mandatory,             ParameterSetName = 'customChars'         )]         [char[]]$CustomChars     )     [char[]]$simpleChars = 'abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789'     [char[]]$complexChars = '!@#$%^&*()'     $chars = if ($PSCmdlet.ParameterSetName -eq 'customChars') {         $CustomChars     } elseif ($Simple) {         $simpleChars     } else {         $simpleChars + $complexChars     }     (1..$Length | ForEach-Object {         $chars | Get-Random -Count 1     }) -join '' }</code></pre> <p>Run the command:</p> <pre class="language-powershell"><code>New-Password -Length 25 -CustomChars 'abc123!@#'</code></pre> <p>PowerShell will output a 25-character password using only the specified characters, such as <b>bc1ca3@cc323acb2b22bc!ac3</b>.</p> <p>All these additions don't take away from our original goal to run New-Password without parameters to generate a reasonably secure, 12-character password.</p> </section> <section class="section main-article-chapter" data-menu-title="Default value helps handle remote and local connections"> <h2 class="section-title"><i class="icon" data-icon="1"></i>Default value helps handle remote and local connections</h2> <p>Another practical PowerShell technique is to write a function that works on local and remote computers. To capture the machine name, write a function that uses a ComputerName parameter and assign it a default value that corresponds to the local machine.</p> <p>In this example, the function <a href="https://searchwindowsserver.techtarget.com/tip/Filter-and-query-Windows-event-logs-with-PowerShell">searches through the event logs</a> of the local machine and returns all events that are failed login attempts (event ID 4648).</p> <pre class="language-powershell"><code>Function Get-ExplicitLogins {     Get-WinEvent -FilterHashtable @{         LogName = 'Security'         Id = 4648     } }</code></pre> <p>To make the function more useful, add a ComputerName parameter and set its default value to the local computer name.</p> <pre class="language-powershell"><code>Function Get-ExplicitLogins {     param (         [string]$ComputerName = $env:COMPUTERNAME     )     Get-WinEvent -ComputerName $ComputerName -FilterHashtable @{         LogName = 'Security'         Id = 4648     } }</code></pre> <p>You can call the<b> </b>Get-ExplicitLogins function without any parameters and to query the local computer.</p> <p>To <a href="https://www.techtarget.com/searchwindowsserver/tutorial/PowerShell-7-remoting-expands-management-horizons">specify a remote computer</a>, pass the function to a computer name:</p> <pre class="language-powershell"><code>Get-ExplicitLogins -ComputerName 'Test-PC01'</code></pre> <h3>Smart defaults for complex functions</h3> <p>"Smart defaults" is a common concept in software development that refers to building functions that are useful even when no parameters are given. It's helpful to consider them when writing PowerShell functions that might be used by other people, especially someone who is less familiar with PowerShell.</p> <p>An excellent example of this concept is the Out-File cmdlet. <a href="https://www.techtarget.com/searchwindowsserver/feature/Editing-content-with-Windows-PowerShell">This cmdlet lets you save output to a file</a>. One of its parameters is Encoding, which controls text formatting in the file. If PowerShell required the user to always specify the encoding, that would be a frustrating experience. Instead, PowerShell uses default encoding automatically when one isn't specified.</p> <h3>Common mistakes when working with default values</h3> <p>As with all scripting in PowerShell, it's possible to make mistakes while using default values. Here are some common pitfalls and how to avoid them:</p> <ul class="default-list"> <li><b>Overly broad definitions in </b><b>$PSDefaultParameterValues</b>. It is quite common to set default values using the $PSDefaultParameterValues variable in a PowerShell profile so they load every time you open PowerShell. If you happen to set a broad default value, such as setting the Property parameter on all Get-Mg* cmdlets, then you might run into some unexpected behavior and forget that a default value had been set.</li> <li><b>Performance loss from complex default values</b>. Avoid elaborate scripts to generate default values, particularly when they involve external systems. For example, you could write a function that <a href="https://www.techtarget.com/searchwindowsserver/tip/How-to-fix-Active-Directory-account-lockouts-with-PowerShell">interacts with AD</a> and each default value requires a separate call to AD to populate. This can significantly reduce performance and should be avoided except where needed.</li> <li><b>Hardcoding credentials</b>. It's always a pain to type in credentials, especially on the days that require remoting into lots of different servers. One workaround is to set a default value for the Credential parameter in New-PSSession. If you choose to do that, use a secure method to retrieve your password rather than hardcoding it. The same goes for setting any authentication parameters for any other modules.</li> <li><b>Unintentionally superseding important settings</b>. Be sure to fully understand any default values that you choose to use, especially as a user of a cmdlet or function. Some cmdlets were designed to run a certain way with no provided value; overriding that can break expected behavior.</li> <li><b>Introducing unnecessary complexity</b>. The example of the New-Password function shows how trying to support multiple scenarios makes it harder to maintain a function. Consider breaking down a complex function into multiple simple ones, such as New-SimplePassword and New-ComplexPassword.</li> </ul> <p><i>Anthony Howell is an IT strategist with extensive experience in infrastructure and automation technologies. His expertise includes PowerShell, DevOps, cloud computing, and working in both Windows and Linux environments.</i></p> </section> Learn how to build PowerShell functions that work in multiple scenarios and stay easy to manage, even as your scripts grow more complex. https://cdn.ttgtmedia.com/rms/onlineimages/toolGearArrow_g103332398.jpg https://www.techtarget.com/searchwindowsserver/tutorial/Try-default-values-in-PowerShell-parameters-for-flexibility Thu, 09 Oct 2025 00:00:00 GMT See PowerShell parameter default values in action <p>Conditional access policies have become a cornerstone to secure organizational resources within Microsoft Entra and have formed a crucial part of Microsoft's zero-trust security model.</p> <p>These policies act as gatekeepers, ensuring only authorized users can access sensitive data and applications under the right conditions. However, <a href="https://www.techtarget.com/searchwindowsserver/tutorial/Build-your-knowledge-of-Azure-AD-conditional-access-policies">managing these policies</a> can become challenging as organizations implement increasingly complex security measures. Administrators often face the daunting task of predicting how multiple policies interact, which could lead to unintended access blocks or security gaps.</p> <p>The What If tool in the Microsoft Entra admin center simulates policy scenarios and previews how policies will behave. This discovery process helps admins adjust configurations and prevent conflicts between policies or overly restrictive access controls.</p> <section class="section main-article-chapter" data-menu-title="Overview of conditional access policies"> <h2 class="section-title"><i class="icon" data-icon="1"></i>Overview of conditional access policies</h2> <p>Microsoft designed its zero-trust security model to protect customer resources in an increasingly complex threat landscape. Unlike traditional security models that rely on perimeter defenses, zero-trust assumes that every access request, whether from inside or outside the network, is a potential threat. This model requires continuous verification of user identity, device health and other risk factors before granting access to resources.</p> <p>Microsoft has adopted the zero-trust approach to provide robust security for its cloud services, including Microsoft Entra, the umbrella term for the company's cloud-based identity and access management offering. The What If tool is part of Microsoft Entra ID -- formerly Azure Active Directory -- which manages identity and access through conditional access policies.</p> <p>By implementing a <a href="https://www.techtarget.com/searchsecurity/definition/zero-trust-model-zero-trust-network">zero-trust model</a>, organizations can ensure that only authenticated and authorized users can access their resources, regardless of location or device. This approach is crucial in today's work environment, where remote access and mobile devices have become the norm.</p> </section> <section class="section main-article-chapter" data-menu-title="Role of conditional access policies"> <h2 class="section-title"><i class="icon" data-icon="1"></i>Role of conditional access policies</h2> <p>Conditional access policies are an essential part of Microsoft's zero-trust strategy. They provide access controls to enforce the company's "verify explicitly" principle. Administrators use the policies to set specific conditions that users must meet to access resources.</p> <p>By combining assignments and access controls, admins can create a layered security model that adapts to the context of each access request. This approach ensures the system grants access based not only on the user's identity but also on their location, their device and the risk level associated with the sign-in attempt.</p> <p>For instance, an organization can establish a policy mandating <a href="https://www.techtarget.com/searchsecurity/tip/Multifactor-authentication-Examples-and-strategic-use-cases">multifactor authentication (MFA) for users</a> accessing sensitive data outside the corporate network. Another policy might restrict access from countries where the organization doesn't have operations. Admins can customize the adaptable policies to meet an organization's security needs, providing precise control over resource access.</p> </section> <section class="section main-article-chapter" data-menu-title="Types of assignments and access controls in policies"> <h2 class="section-title"><i class="icon" data-icon="1"></i>Types of assignments and access controls in policies</h2> <p>There are two main components to creating or editing a policy in the Microsoft Entra admin center: assignments -- formerly called conditions -- and access controls.</p> <p>Assignments define the conditions under which a conditional access policy applies. These include:</p> <ul type="disc" class="default-list"> <li><b>Users or groups:</b> Admins can target policies at specific users, groups or organizational roles.</li> <li><b>Locations:</b> Configure policies to apply based on geographic location or IP range.</li> <li><b>Device platforms and state:</b> Control access based on whether the device is hybrid-joined, compliant or meets specific security requirements.</li> <li><b>Cloud apps or actions</b> Apply policies to specific cloud apps or user actions within those apps.</li> <li><b>Risk levels:</b> <a href="https://www.techtarget.com/searchwindowsserver/tip/What-should-admins-know-about-Microsoft-Entra-features">Integrate with Microsoft Entra ID Protection to enforce policies</a> based on user or sign-in risk levels. Using Microsoft Purview adaptive protection also checks for insider risk.</li> </ul> <p>Access controls determine the actions taken when the policy applies:</p> <ul type="disc" class="default-list"> <li><b>Grant controls:</b> Define user requirements for access, such as requiring MFA, a compliant device or a <a href="https://www.techtarget.com/searchwindowsserver/tip/Understand-the-basics-of-Microsoft-hybrid-identity">Microsoft Entra hybrid-joined device</a>.</li> <li><b>Session controls:</b> Managing user sessions to protect sensitive data by applying app-enforced restrictions, enabling session monitoring with Microsoft Defender for Cloud Apps, setting sign-in frequency and configuring persistent browser session behavior.</li> </ul> </section> <section class="section main-article-chapter" data-menu-title="Challenges in working with conditional access policies"> <h2 class="section-title"><i class="icon" data-icon="1"></i>Challenges in working with conditional access policies</h2> <p>One of the main hurdles administrators face when working with conditional access policies is the inherent complexity and the potential for unintended interactions between policies. As organizations grow and their security needs evolve, they often end up with numerous policies to address specific scenarios.</p> <p>Although each policy might work well in isolation, the interaction between multiple policies can create unexpected results. For example, a policy requiring <a href="https://www.techtarget.com/searchwindowsserver/tutorial/How-to-track-Office-365-guest-users">MFA for external users</a> might conflict with another policy that blocks access from specific geographic locations. When these policies overlap, predicting the exact outcome of a user's access attempt can be difficult.</p> <p>This complexity increases with the number of assignments and access controls applied across different policies. Assignments combined with access controls and understanding how these interact during an access attempt is challenging. It often leads to policies becoming too restrictive and inadvertently blocking legitimate access or too lenient and exposing resources to security risks.</p> </section> <section class="section main-article-chapter" data-menu-title="Difficulty in foreseeing outcomes"> <h2 class="section-title"><i class="icon" data-icon="1"></i>Difficulty in foreseeing outcomes</h2> <p>Due to the layered nature of conditional access policies, predicting how they will affect user access can be difficult. Even experienced administrators can find it challenging to anticipate the results of policy interactions, especially when dealing with complex configurations.</p> <p>Factors such as these compound this difficulty:</p> <ul type="disc" class="default-list"> <li><b>Multiple assignments:</b> Policies often contain several assignments, such as requiring a compliant device and the user to be in a specific group, which makes it difficult to predict combined behavior.</li> <li><b>Order of enforcement:</b> Unlike firewall rules with a clear execution order, conditional access policies undergo a joint evaluation in which all policies must be satisfied and can sometimes lead to unpredictable results.</li> <li><b>Dynamic signals:</b> Conditional access policies can include dynamic elements, such as user risk levels and device compliance status, which change over time. It adds another layer of complexity to predicting a policy's behavior in any given situation.</li> </ul> </section> <section class="section main-article-chapter" data-menu-title="Introducing the What If tool"> <h2 class="section-title"><i class="icon" data-icon="1"></i>Introducing the What If tool</h2> <p>Testing and troubleshooting conditional access policies is challenging because live testing carries risks, such as locking out admins or users. Traditional methods are time-consuming and prone to errors and lack immediate feedback after policy changes, making it difficult to prevent security incidents and unintended disruptions.</p> <p>Admins require improved tools that offer instant feedback and replicate outcomes to find conflicts before they affect users. The What If tool assists this work by simulating sign-in scenarios for a user or <a href="https://www.techtarget.com/searchcloudcomputing/tip/Why-and-how-to-create-Azure-service-principals">service principal</a> to troubleshoot conditional access policies. This simulation capability is crucial for understanding the potential issues of policies before implementing them, reducing the risk of unintended access issues or security gaps.</p> <p>The primary purpose of the What If tool is to:</p> <ul type="disc" class="default-list"> <li><b>Predict policy outcomes:</b> By simulating different sign-in scenarios, administrators can see which conditional access policies apply and the resulting access decisions.</li> <li><b>Troubleshoot issues:</b> When users experience unexpected access issues, the What If tool can help pinpoint the policy or combination of policies causing the problem.</li> <li><b>Refine policies:</b> The tool shows how policies apply and why to help admins readjust configurations.</li> </ul> </section> <section class="section main-article-chapter" data-menu-title="Benefits of using the What If tool"> <h2 class="section-title"><i class="icon" data-icon="1"></i>Benefits of using the What If tool</h2> <p>The What If tool offers several advantages for managing and optimizing conditional access policies:</p> <ul type="disc" class="default-list"> <li><b>Risk-free testing:</b> Administrators can simulate different scenarios and see the potential outcomes without the risk of disrupting user access or exposing resources.</li> <li><b>Immediate Feedback:</b> The tool provides instant feedback which policies apply to identify and address issues quickly.</li> <li><b>Proactive troubleshooting:</b> The What If tool helps resolve potential conflicts before enabling policies to maintain a seamless user access experience.</li> <li><b>Detailed analysis:</b> Get a report listing applicable policies and the resulting access decision for refining policy configurations.</li> </ul> </section> <section class="section main-article-chapter" data-menu-title="How the What If tool works"> <h2 class="section-title"><i class="icon" data-icon="1"></i>How the What If tool works</h2> <p>The What If tool simulates an access request based on specific parameters set by the administrator. Here's how it functions:</p> <ol type="1" start="1" class="default-list"> <li><b>User selection:</b> The administrator selects a user or group to run the simulation, such as a user with access issues or a group to test broader policy implications.</li> <li><b>Scenario setup:</b> The admin specifies the sign-in conditions to simulate, such as the target resource, device platform, identity and location. This enables testing a wide range of scenarios, from standard access attempts to more complex situations involving multiple scenarios.</li> <li><b>Policy evaluation:</b> The What If tool evaluates enabled or report-only conditional access policies against the specified scenario. It determines which policies would apply and what the resulting access decision would be, including grant, block or require MFA.</li> <li><b>Report generation:</b> The tool generates a report showing the simulation's outcome, including the policies that apply and required controls, policies that don't apply and why and any app filters with custom security attributes.</li> </ol> </section> <section class="section main-article-chapter" data-menu-title="How to use the What If tool for troubleshooting policies"> <h2 class="section-title"><i class="icon" data-icon="1"></i>How to use the What If tool for troubleshooting policies</h2> <p>The What If tool simulation process is straightforward and provides valuable insights into how policies will behave in various scenarios.</p> <h3>Accessing the What If tool</h3> <ol type="1" start="1" class="default-list"> <li>Sign in to the Microsoft Entra admin center with admin privileges.</li> <li>Go to Entra ID>Conditional Access>Policies<b> </b>to manage all conditional access policies.</li> <li>Click What If and set up the simulation, adding the conditions to check, such as client app, device platform and identity.</li> </ol> <figure class="main-article-image full-col" data-img-fullsize="https://www.techtarget.com/rms/onlineimages/lcleary_whatif_1-f.jpg"> <img data-src="https://www.techtarget.com/rms/onlineimages/lcleary_whatif_1-f_mobile.jpg" class="lazy" data-srcset="https://www.techtarget.com/rms/onlineimages/lcleary_whatif_1-f_mobile.jpg 960w,https://www.techtarget.com/rms/onlineimages/lcleary_whatif_1-f.jpg 1280w" alt="An image showing a highlighted area around the words " height="37" width="560"> <figcaption> <i class="icon pictures" data-icon="z"></i>Open the What If tool from the conditional access section in the Microsoft Entra admin center. </figcaption> <div class="main-article-image-enlarge"> <i class="icon" data-icon="w"></i> </div> </figure> <h3>Setting up a simulation</h3> <ol type="1" start="1" class="default-list"> <li>Choose the identity to test. Click <b>"No user or service principal selected</b>" and use the search box to find the user or service principal.</li> <li>Specify the conditions to test. Required conditions include identity, target resource, device platform and client app. Optional conditions are sign-in risk, location, user action or authentication context, device state and authentication strength.  </li> </ol> <h3>Running the simulation</h3> <ol type="1" start="1" class="default-list"> <li>After setting up the desired scenario, click <b>What If</b> to run the simulation. The tool checks the selected user or service principal against enabled or report-only conditional access policies.</li> <li>The What If tool provides an evaluation report once the simulation completes, which includes:</li> </ol> <ol type="1" start="2" class="default-list"> <ul type="disc" class="default-list"> <li><b>Applicable policies</b>: A list of all the conditional access policies that apply to the specified scenario.</li> </ul> </ol> <ol type="1" start="2" class="default-list"> <ul type="disc" class="default-list"> <li><b>Policy outcome</b>: The outcome for each policy, such as grant access, block access or require MFA.</li> </ul> </ol> <ol type="1" start="2" class="default-list"> <ul type="disc" class="default-list"> <li><b>Overall decision</b>: Indicates the final decision for the access attempt based on the combined evaluation of all pertinent policies.</li> </ul> </ol> <h3>Understanding the report</h3> <p>The What If report details how conditional access policies apply in the specified scenario. Critical sections of the report include:</p> <ul type="disc" class="default-list"> <li><b>Policy evaluation</b>: Lists each policy evaluated, showing whether it did or didn't apply, and the enforced action.</li> <li><b>Policy details</b>: The report provides detailed information for each applicable policy, including the grant controls and session controls it evaluated.</li> <li><b>App filters</b>: Shows if a policy uses custom security attributes for filtering apps.</li> <li><b>Non-applicable policies: </b>What If will list any policies in scenarios when the first condition isn't met with an explainer.</li> <li><b>Classic policies indicator: </b>Lists if legacy conditional access policies exist in the environment.</li> </ul> <figure class="main-article-image full-col" data-img-fullsize="https://www.techtarget.com/rms/onlineimages/lcleary_whatif_2-f.jpg"> <img data-src="https://www.techtarget.com/rms/onlineimages/lcleary_whatif_2-f_mobile.jpg" class="lazy" data-srcset="https://www.techtarget.com/rms/onlineimages/lcleary_whatif_2-f_mobile.jpg 960w,https://www.techtarget.com/rms/onlineimages/lcleary_whatif_2-f.jpg 1280w" alt="A screenshot showing the details of a conditional access policy in Microsoft Entra." height="79" width="558"> <figcaption> <i class="icon pictures" data-icon="z"></i>The conditional access policy in Microsoft Entra requiring multifactor authentication for Microsoft partners and vendors shows as active and without filters. </figcaption> <div class="main-article-image-enlarge"> <i class="icon" data-icon="w"></i> </div> </figure> <figure class="main-article-image full-col" data-img-fullsize="https://www.techtarget.com/rms/onlineimages/lcleary_whatif_3-f.jpg"> <img data-src="https://www.techtarget.com/rms/onlineimages/lcleary_whatif_3-f_mobile.jpg" class="lazy" data-srcset="https://www.techtarget.com/rms/onlineimages/lcleary_whatif_3-f_mobile.jpg 960w,https://www.techtarget.com/rms/onlineimages/lcleary_whatif_3-f.jpg 1280w" alt="A screenshot showing the details of two conditional access policies in Microsoft Entra ID." height="89" width="560"> <figcaption> <i class="icon pictures" data-icon="z"></i>Two conditional access policies in Microsoft Entra ID related to sign-in and user risk are in report-only mode with no filters applied. </figcaption> <div class="main-article-image-enlarge"> <i class="icon" data-icon="w"></i> </div> </figure> <p>To enhance the process, enable the <b>Enhanced 'What if' evaluation experience </b>for further details when evaluating the policies.</p> <h3>Make changes based on the What If report</h3> <ul type="disc" class="default-list"> <li><b>Identify and resolve conflicts</b>: Use the report to <a target="_blank" href="https://learn.microsoft.com/en-us/entra/identity/conditional-access/howto-conditional-access-insights-reporting" rel="noopener">identify</a> conflicting policies that might lead to unintended access blocks or overly lenient access. Adjust the assignments to ensure a clear and intended access path.</li> <li><b>Test before implementation</b>: Before changing conditional access policies, use the What If tool to simulate the new configuration, evaluating the changes' effect and verifying that they will produce the desired results.</li> <li><b>Refine policies</b>: Based on the simulation results, adjust policies to align with security objectives. For example, if a policy requiring MFA doesn't trigger as expected, change the assignments to ensure they apply to the right users and intended scenarios.</li> </ul> <h3>Tips for effective use</h3> <ul type="disc" class="default-list"> <li><b>Regular testing</b>: Use the What If tool often to validate policies, especially after creating new ones or modifying existing ones to find issues before they affect users.</li> <li><b>Test a variety of scenarios</b>: To make policies resilient and comprehensive, don't just test typical access scenarios. Simulate a range of conditions, including high-risk situations and edge cases.</li> <li><b>Document findings</b>: Record the simulations and findings for future troubleshooting and to explain policy decisions to stakeholders.</li> </ul> </section> <section class="section main-article-chapter" data-menu-title="Remove doubt with the What If tool"> <h2 class="section-title"><i class="icon" data-icon="1"></i>Remove doubt with the What If tool</h2> <p>In Microsoft's zero-trust security model, conditional access policies are key to securing access to organizational resources. The What If tool provides a safe and efficient way to check policies to help admins identify and resolve conflicts and optimize access controls.</p> <p>Incorporating the What If tool into a regular policy management routine helps prevent misconfigurations, enhances the organization's security and ensures policies work as expected. By using this tool, admins can confidently navigate the complexities of conditional access policies, ensuring they provide the intended level of protection without compromising user productivity.</p> <p><i>Liam Cleary is the founder and owner of SharePlicity, a technology consulting company that helps organizations with internal and external collaboration, document and records management, business process automation, automation tool deployment, and security controls and protection. Cleary's areas of expertise include security on the Microsoft 365 and Azure platforms, PowerShell automation, and IT administration. Cleary is a Microsoft MVP and a Microsoft Certified Trainer.</i></p> <p><b> </b></p> </section> Admins should employ regular use of this simulation tool to ensure conditional access policies have no conflicts and avoid access problems that can slow down users. https://cdn.ttgtmedia.com/rms/onlineimages/location_g1202864734.jpg https://www.techtarget.com/searchwindowsserver/tip/Test-conditional-access-with-Microsoft-Entra-ID-What-If-tool Wed, 08 Oct 2025 10:00:00 GMT Test conditional access with Microsoft Entra ID What If tool <p>Managing PowerShell resources is a critical task for administrators, who must ensure that scripts and modules are up to date and correctly configured across environments.</p> <p>With the release of PSResourceGet, Microsoft has improved upon the original PowerShellGet module by producing a modernized approach to <a href="https://www.techtarget.com/searchITOperations/video/Automate-PowerShell-scripts-for-self-healing-IT-infrastructure">managing PowerShell resources</a>. This article looks at some of PowerShellGet's limitations, the problems solved by PSResourceGet and its key capabilities, and practical examples of how to use PSResourceGet in daily workflows.</p> <section class="section main-article-chapter" data-menu-title="Problems that PSResourceGet Solves"> <h2 class="section-title"><i class="icon" data-icon="1"></i>Problems that PSResourceGet Solves</h2> <p>As useful as PowerShellGet has been, PSResourceGet was developed to address several key issues, including:</p> <ul class="default-list"> <li><b>Complexity and performance issues</b>. Microsoft designed PowerShellGet with a provider model that relied on the PackageManagement module, which led to bottlenecks and added complexity in managing dependencies.</li> <li><b>Usability and extensibility.</b> Because it was based on an older codebase, PowerShellGet was neither user-friendly nor easy to extend, making bug fixes and implementing new features difficult.</li> <li><b>Compatibility concerns</b>. Because it was written in PowerShell, keeping PowerShellGet <a href="https://www.techtarget.com/searchwindowsserver/tip/Why-you-should-consider-an-upgrade-from-PowerShell-51-to-7">compatible with all supported versions of PowerShell</a> was a challenge.</li> </ul> <p>By rewriting PowerShellGet's replacement in C# and removing its dependency on PackageManagement, PSResourceGet offers a more efficient and maintainable approach.</p> </section> <section class="section main-article-chapter" data-menu-title="PSResourceGet capabilities"> <h2 class="section-title"><i class="icon" data-icon="1"></i>PSResourceGet capabilities</h2> <p>As the new package manager for PowerShell, PSResourceGet is a comprehensive tool to manage all types of PowerShell artifacts available from repositories, including modules, scripts, <a href="https://www.techtarget.com/searchwindowsserver/tip/See-whats-new-in-Desired-State-Configuration-v3">Desired State Configuration resources</a> and role capabilities.</p> <p>For each resource type, PSResourceGet lets administrators:</p> <ul class="default-list"> <li>Install, update and remove resources.</li> <li>Manage dependencies automatically.</li> <li>Manage repositories that provide resources.</li> <li>Search repositories for resources.</li> </ul> <p>All capabilities are exposed in the module through cmdlets.</p> </section> <section class="section main-article-chapter" data-menu-title="Benefits of PSResourceGet"> <h2 class="section-title"><i class="icon" data-icon="1"></i>Benefits of PSResourceGet</h2> <p>Now that we've covered the purpose of PSResourceGet and its capabilities, let's cover the advantages of using PSResourceGet over PowerShellGet.</p> <h3>Improved performance</h3> <p>The most significant and immediate benefit of PSResourceGet is speed. For example, the following script compares the search performance of both modules:</p> <pre class="language-powershell"><code>Measure-Command {     Find-Module -Name Microsoft.PowerShell.PSResourceGet } | Select-Object TotalSeconds Measure-Command {     Find-PSResource -Name Microsoft.PowerShell.PSResourceGet } | Select-Object TotalSeconds</code></pre> <p>After running these commands a few times, PSResourceGet typically executes twice as fast as PowerShellGet. Results can vary depending on the testing environment, including the host machine and internet connection.</p> <h3>Compatibility</h3> <p>To maintain compatibility with previous versions of PowerShellGet, Microsoft released a <a href="https://github.com/PowerShell/PowerShellGet/tree/master">compatibility module</a> designed to accept commands in the same syntax as PowerShellGet and call the equivalent PSResourceGet commands. This approach lets administrators continue running scripts that use PowerShellGet syntax while also benefiting from PSResourceGet enhancements.</p> <h3>Maintainability and extensibility</h3> <p>Although this might not be immediately noticeable for most users, one goal for PSResourceGet was to build a module that could easily implement changes based on customer feedback. From the start, the codebase was written to be clean and efficient so Microsoft could quickly address bugs and feature requests.</p> </section> <section class="section main-article-chapter" data-menu-title="Using PSResourceGet"> <h2 class="section-title"><i class="icon" data-icon="1"></i>Using PSResourceGet</h2> <p>To start using PSResourceGet, you might have to install it. For all versions of PowerShell prior to 7.4, PSResourceGet isn't included by default, so we will use PowerShellGet's Install-Module cmdlet for the installation:</p> <pre class="language-powershell"><code>Install-Module -Name Microsoft.PowerShell.PSResourceGet</code></pre> <p>After installation, you can verify by importing it, running a command from the module or simply listing the commands in the module:</p> <pre class="language-powershell"><code>Get-Command -Module Microsoft.PowerShell.PSResourceGet</code></pre> <h3>Managing repositories</h3> <p>A repository is a location to publish PowerShell resources and retrieve them. The most well-known is the PowerShell Gallery. Using PSResourceGet, you can find the currently configured repositories:</p> <pre class="language-powershell"><code>Get-PSResourceRepository</code></pre> <p>By default, PowerShell only includes the PowerShell Gallery. To add other repositories, such as an internal private repository hosted in GitHub Packages, use the following code:</p> <pre class="language-powershell"><code>$splat = @{     Name     = 'GitHubOrg'     Uri      = 'https://nuget.pkg.github.com/<GitHubOrg>/index.json'     Trusted  = $true     Priority = 10 } Register-PSResourceRepository @splat</code></pre> <p>In this case, the script designates the repository as trusted and assigns it to a higher priority than the PowerShell Gallery.</p> <p>You can verify the change by rerunning Get-PSResourceRepository.<b></b></p> <figure class="main-article-image full-col" data-img-fullsize="https://www.techtarget.com/rms/onlineimages/ahowell_psresourceget_1-f.jpg"> <img data-src="https://www.techtarget.com/rms/onlineimages/ahowell_psresourceget_1-f_mobile.jpg" class="lazy" data-srcset="https://www.techtarget.com/rms/onlineimages/ahowell_psresourceget_1-f_mobile.jpg 960w,https://www.techtarget.com/rms/onlineimages/ahowell_psresourceget_1-f.jpg 1280w" alt="A command window shows a PowerShell command used to list repositories registered for use with PSResourceGet." height="103" width="559"> <figcaption> <i class="icon pictures" data-icon="z"></i>Re-run the Get-PSResourceRepository command after registering a GitHub repository as a trusted source for PowerShell resources. </figcaption> <div class="main-article-image-enlarge"> <i class="icon" data-icon="w"></i> </div> </figure> <p>To see the full list of supported repository types, you can refer to <a href="https://learn.microsoft.com/en-us/powershell/gallery/powershellget/supported-repositories?view=powershellget-3.x">Microsoft's documentation.</a></p> <h3>Installing modules</h3> <p>The most common use for PSResourceGet is to install modules. This is very similar to using Install-Module, but instead use:</p> <pre class="language-powershell"><code>Install-PSResource -Name Microsoft.Graph</code></pre> <p>If you want a specific version, PSResourceGet has a lot more flexibility than PowerShellGet. The Version parameter accepts any valid Nuget version <a target="_blank" href="https://learn.microsoft.com/en-us/nuget/concepts/package-versioning?tabs=semver20sort#version-ranges" rel="noopener">range</a>, while PowerShellGet required three version parameters. For example, to install an exact version, use the following command:</p> <pre class="language-powershell"><code>Install-PSResource -Name Microsoft.Graph -Version 2.21.0</code></pre> <p>To specify a version range, such as greater than 1.5 but less than 2.0, you can use:</p> <pre class="language-powershell"><code>Install-PSResource -Name Microsoft.Graph -Version '[1.5,2.0)'</code></pre> <p>To validate your version range, use Find-PSResource.</p> <figure class="main-article-image full-col" data-img-fullsize="https://www.techtarget.com/rms/onlineimages/ahowell_psresourceget_2-f.jpg"> <img data-src="https://www.techtarget.com/rms/onlineimages/ahowell_psresourceget_2-f_mobile.jpg" class="lazy" data-srcset="https://www.techtarget.com/rms/onlineimages/ahowell_psresourceget_2-f_mobile.jpg 960w,https://www.techtarget.com/rms/onlineimages/ahowell_psresourceget_2-f.jpg 1280w" alt="A command window runs a PowerShell command to find a module between a specific version range. " height="242" width="560"> <figcaption> <i class="icon pictures" data-icon="z"></i>The command checks for versions of the Microsoft.Graph module that are at least version 1.5 but less than version 2.0. </figcaption> <div class="main-article-image-enlarge"> <i class="icon" data-icon="w"></i> </div> </figure> <p>PSResourceGet will install the latest version listed in the provided range.</p> <h3>Installing modules across several servers</h3> <p>To ensure the entire environment has the appropriate modules installed, you can use PSResourceGet through PowerShell remoting. For example, to manage Windows updates, you might want to install the PSWindowsUpdate module. The following script -- which requires PowerShell v7 because it uses the<b> </b><a href="https://www.techtarget.com/searchwindowsserver/tutorial/PowerShell-ForEach-Object-cmdlet-picks-up-speed">Parallel parameter of Foreach-Object</a> -- retrieves a list of servers from Active Directory and then installs the module remotely:</p> <pre class="language-powershell"><code>Get-ADComputer -Filter 'OperatingSystem -like "*Server*"' | ForEach-Object -ThrottleLimit 5 -Parallel {     Invoke-Command -ComputerName $_.Name -ScriptBlock {         Install-Module -Name Microsoft.PowerShell.PSResourceGet -Confirm:$false -Force         Install-PSResource -Name PSWindowsUpdate -Confirm:$false     } }</code></pre> <p>The script will install PSResourceGet if it isn't installed with Install-Module, then it will install PSWindowsUpdate with Install-PSResource.</p> <h3>Browse from the command line</h3> <p>Because PSResourceGet is so much faster than PowerShellGet, browsing the PowerShell Gallery from the command line makes more sense. For example, if you know there's a <a href="https://www.techtarget.com/searchwindowsserver/tutorial/Reveal-Windows-file-server-permissions-with-PowerShells-help">module to import Excel files</a> but can't remember the name, you can search for it:</p> <pre class="language-powershell"><code>Find-PSResource -Name '*Excel'</code></pre> <figure class="main-article-image full-col" data-img-fullsize="https://www.techtarget.com/rms/onlineimages/ahowell_psresourceget_3-f.jpg"> <img data-src="https://www.techtarget.com/rms/onlineimages/ahowell_psresourceget_3-f_mobile.jpg" class="lazy" data-srcset="https://www.techtarget.com/rms/onlineimages/ahowell_psresourceget_3-f_mobile.jpg 960w,https://www.techtarget.com/rms/onlineimages/ahowell_psresourceget_3-f.jpg 1280w" alt="A command window with a PowerShell command that searches for resources using a wildcard. " height="142" width="560"> <figcaption> <i class="icon pictures" data-icon="z"></i>Use the Find-PSResource command to search for PowerShell resources in the registered repositories with 'Excel' at the end of the name. </figcaption> <div class="main-article-image-enlarge"> <i class="icon" data-icon="w"></i> </div> </figure> <p>This command returns several modules, one of which is ImportExcel. To see the full metadata for the module, query it directly:</p> <pre class="language-powershell"><code>Find-PSResource -Name 'ImportExcel' | fl *</code></pre> <figure class="main-article-image full-col" data-img-fullsize="https://www.techtarget.com/rms/onlineimages/ahowell_psresourceget_4-f.jpg"> <img data-src="https://www.techtarget.com/rms/onlineimages/ahowell_psresourceget_4-f_mobile.jpg" class="lazy" data-srcset="https://www.techtarget.com/rms/onlineimages/ahowell_psresourceget_4-f_mobile.jpg 960w,https://www.techtarget.com/rms/onlineimages/ahowell_psresourceget_4-f.jpg 1280w" alt="A command window that shows a PowerShell command to display a module's metadata. " height="330" width="559"> <figcaption> <i class="icon pictures" data-icon="z"></i>Execute a search to that displays all the metadata for the ImportExcel module. </figcaption> <div class="main-article-image-enlarge"> <i class="icon" data-icon="w"></i> </div> </figure> <p>The output shows important information, such as the ProjectUri property, which you can use to verify it is the proper module.</p> </section> <section class="section main-article-chapter" data-menu-title="PSResourceGet offers scalability and reliability"> <h2 class="section-title"><i class="icon" data-icon="1"></i>PSResourceGet offers scalability and reliability</h2> <p>PSResourceGet offers improved package management in PowerShell, providing <a href="https://www.techtarget.com/searchwindowsserver/tutorial/Try-these-PowerShell-Start-Job-examples-for-more-efficiency">better speed</a> and reliability. By directly addressing user feedback and the issues with PowerShellGet, PSResourceGet presents a more streamlined and efficient approach to reduce time spent on repetitive tasks and allow more time to focus on automation and scripting.</p> <p><i>Anthony Howell is an IT strategist with extensive experience in infrastructure and automation technologies. His expertise includes PowerShell, DevOps, cloud computing, and working in both Windows and Linux environments.</i></p> </section> The updated package manager for PowerShell improves performance, simplifies module management and streamlines repository handling to free up time for automation tasks. https://cdn.ttgtmedia.com/rms/onlineimages/keyboard_g1077903946.jpg https://www.techtarget.com/searchwindowsserver/tutorial/Use-PSResourceGet-to-manage-PowerShell-modules-and-scripts Tue, 07 Oct 2025 15:42:00 GMT Use PSResourceGet to manage PowerShell modules and scripts <p>Managing storage capacity is one of the most crucial parts of system administration. PowerShell offers administrators many options for investigating and configuring storage options. This article examines the most useful cmdlets for viewing storage information, creating new storage space or removing unneeded storage capacity.</p> <p>Shell environments offer administrators two advantages:</p> <ol class="default-list"> <li>Command-line commands are often quicker to enter and run than browsing through multiple windows and consoles in mouse-driven environments.</li> <li>Commands can be added to scripts, enabling you to schedule automated tasks.</li> </ol> <p>You certainly have the option of running individual commands directly from the PowerShell console. However, you might find it more efficient to script your configurations as part of a larger <a href="https://www.techtarget.com/searchitoperations/definition/Infrastructure-as-Code-IAC">infrastructure-as-code</a> initiative. Keep this option in mind as you review the cmdlets below.</p> <section class="section main-article-chapter" data-menu-title="PowerShell syntax review"> <h2 class="section-title"><i class="icon" data-icon="1"></i>PowerShell syntax review</h2> <p>Recall that PowerShell uses a verb-noun syntax to specify tasks. These two combined elements are called <i>cmdlets</i> and form the basis of PowerShell administration. Various cmdlets recognize different parameters that specify objects, names or other values. PowerShell is logical, powerful and flexible, enabling plenty of administrative options for managing services, such as storage.</p> <p>Consider the sample cmdlet <samp>Get-Disk -FriendlyName "DataDisk"</samp>. Here, the verb is <samp>Get</samp>, the noun is <samp>Disk</samp> and the parameter is <samp>-FriendlyName "DataDisk"</samp>.</p> </section> <section class="section main-article-chapter" data-menu-title="Gather storage information with PowerShell"> <h2 class="section-title"><i class="icon" data-icon="1"></i>Gather storage information with PowerShell</h2> <p>Your first administrative task will be displaying information about existing storage. You could examine files and directories or individual disks, partitions or volumes. Regardless, start by reviewing the <a href="https://www.techtarget.com/searchstorage/feature/How-to-choose-and-configure-Windows-Server-RAID-levels">current storage configuration</a>.</p> <p>Displaying information with PowerShell almost always involves using the <samp>Get</samp> verb. Attach this verb to the various storage nouns to display the relevant information.</p> <p>Use the following cmdlets to display this information:</p> <ul class="default-list"> <li><samp>Get-Disk</samp> displays disk information, including disk number, friendly name, total size, health status and bus type. This cmdlet is essential for identifying the disk.</li> <li><samp>Get-Partition</samp> displays information about the disk's physical partitions, partition numbers and sizes. It shows greater detail at the physical level than <samp>Get-Volume</samp>.</li> <li><samp>Get-Volume</samp> displays volume information, including logical volumes, drive letters, file systems and available space. It provides greater detail at the logical level than <samp>Get-Partition</samp>.</li> <li><samp>Get-PSDrive</samp> displays information on drive shares mapped on the system.</li> <li><samp>Get-PhysicalDisk</samp> displays physical storage devices attached to the system, including hard disk and solid-state drives.</li> <li><samp>Get-VirtualDisk</samp> displays information about virtual disks across all storage pools, including name, size and status.</li> </ul> <p>Begin by establishing what kind of information you need. For example, if you need data on physical disk structures, focus on <samp>Get-Partition</samp> and <samp>Get-Disk</samp>. If you need logical volume information, use <samp>Get-Volume</samp>.</p> <figure class="main-article-image full-col" data-img-fullsize="https://www.techtarget.com/rms/onlineimages/dgarn_stcmdlet_1-f.jpg"> <img data-src="https://www.techtarget.com/rms/onlineimages/dgarn_stcmdlet_1-f_mobile.jpg" class="lazy" data-srcset="https://www.techtarget.com/rms/onlineimages/dgarn_stcmdlet_1-f_mobile.jpg 960w,https://www.techtarget.com/rms/onlineimages/dgarn_stcmdlet_1-f.jpg 1280w" alt="A PowerShell window showing execution of a storage-related command." height="171" width="559"> <figcaption> <i class="icon pictures" data-icon="z"></i>Use the Get-Disk cmdlet to gather basic but necessary disk information. </figcaption> <div class="main-article-image-enlarge"> <i class="icon" data-icon="w"></i> </div> </figure> <h3>Display or test for files and directories</h3> <p>What if you need to gather information on the data stored on a device rather than about the device itself? Several cmdlets display directory and file information.</p> <p>One of the most useful cmdlets for checking drive content is <samp>Test-Path</samp>. This cmdlet confirms whether all parts of a given path are true, letting you know whether particular directories or files exist. This information could be <a href="https://www.techtarget.com/searchitoperations/video/Create-a-PowerShell-script-for-Windows-PATH-variable-cleanup">relevant when creating scripts</a> because you might want to test for data before removing a partition or back up data before changing drive configurations. <samp>Test-Path</samp> returns <samp>$true</samp> if the given path exists or <samp>$false</samp> if not. Use these results to direct your script to take different actions depending on whether specific files exist.</p> <p>Consider the example <samp>Test-Path</samp> <samp>-Path "C:\projects\2025projects\projectfile.docx</samp>. This cmdlet confirms all objects along the path, including the subdirectories and file. Use wildcards to broaden the match criteria.</p> <p>The <samp>Get-ChildItem</samp> cmdlet is a more comprehensive way to display directories and files. Without a <samp>-Path</samp> parameter, it will show the current folder's contents. Add <samp>-Path C: projects</samp> to show the contents of the specified folder. Add the <samp>-Recurse</samp> option to drill down into child folders. This gives you <samp>Get-ChildItem -Path "C:\projects" -Recurse</samp>.</p> <figure class="main-article-image full-col" data-img-fullsize="https://www.techtarget.com/rms/onlineimages/dgarn_stcmdlet_2-f.jpg "> <img data-src="https://www.techtarget.com/rms/onlineimages/dgarn_stcmdlet_2-f_mobile.jpg " class="lazy" data-srcset="https://www.techtarget.com/rms/onlineimages/dgarn_stcmdlet_2-f_mobile.jpg 960w,https://www.techtarget.com/rms/onlineimages/dgarn_stcmdlet_2-f.jpg 1280w" alt="A PowerShell window that shows command execution." height="194" width="560"> <figcaption> <i class="icon pictures" data-icon="z"></i>Use the Get-ChildItem cmdlet to list files and folders on storage devices. </figcaption> <div class="main-article-image-enlarge"> <i class="icon" data-icon="w"></i> </div> </figure> <p>This is a handy way of discovering what information is stored in a particular location before you destroy data with a repartition or reformat cmdlet.</p> </section> <section class="section main-article-chapter" data-menu-title="Manage new storage space"> <h2 class="section-title"><i class="icon" data-icon="1"></i>Manage new storage space</h2> <p>Your investigation of the system's storage could reveal unused and available storage space on existing disks. <a href="https://www.techtarget.com/searchwindowsserver/tip/Using-Diskpart-to-create-extend-or-delete-a-disk-partition">You can create partitions</a> or volumes in this space and then format them with a file system, probably NTFS.</p> <p>After you physically install the disk in the system, use the <samp>Get-Disk</samp> cmdlet to identify the <samp><DiskNumber></samp> value. This identifier lets you work with the specified disk using the other cmdlets.</p> <p>Use the following steps to deploy your new storage:</p> <ol class="default-list"> <li><b>Initialize the disk.</b> Use <samp>Initialize-Disk -Number <DiskNumber> -PartitionStyle GPT</samp>.</li> <li><b>Create a new disk partition.</b> Use <samp>New-Partition -DiskNumber <DiskNumber> -UseMaximumSize -AssignDriveLetter</samp>.</li> <li><b>Format the partition.</b> Use <samp>Format-Volume -DriveLetter <DriveLetter> -FileSystem NTFS -NewFileSystemLabel "Projects" -Confirm:$false</samp>.</li> <li><b>Confirm all drive settings.</b> Use <samp>Get-Volume -DriveLetter <DriveLetter></samp>.</li> </ol> <p>Manually run these commands or automate them in a PowerShell script.</p> <h3>Manage storage space with a script</h3> <p>Use the above cmdlets to generate a PowerShell script using an editor <a href="https://www.techtarget.com/searchwindowsserver/tutorial/How-to-use-the-PowerShell-extension-for-Visual-Studio-Code">such as Microsoft Visual Studio Code</a>. Here is a sample script snippet to build from. It uses the <samp>$disk</samp> variable to identify the storage device.</p> <pre class="language-powershell"><code># Identify the newly installed disk $disk = Get-Disk | Where-Object PartitionStyle -eq 'RAW' # Initialize the new disk Initialize-Disk -InputObject $disk -PartitionStyle GPT # Create a new disk partition using all available space and assign it the next available drive letter $partition = New-Partition -DiskNumber $disk.Number -UseMaximumSize -AssignDriveLetter # Format the new volume with the NTFS filesystem and label it Projects Format-Volume -DriveLetter $partition.DriveLetter -FileSystem NTFS -NewFileSystemLabel "Projects" -Confirm:$false Consider adding the following redirect instructions when you run the script command (assume the script is named new_disk.ps1): .\new_disk.ps1 > new-disk.log *>&1</code></pre> <p>This option redirects standard output and error streams into the specified <samp>new-disk.log</samp> log file, which is helpful for troubleshooting.</p> </section> <section class="section main-article-chapter" data-menu-title="Remove old storage space"> <h2 class="section-title"><i class="icon" data-icon="1"></i>Remove old storage space</h2> <p>Perhaps your investigation of the system's storage space revealed data, partitions or volumes that are no longer necessary. Removing these resources using PowerShell is as straightforward as adding them.</p> <p>With the various storage nouns -- <samp>disk, partition, volume</samp>, etc. -- you'll use the standard deletion verbs, primarily <samp>Remove</samp> and <samp>Clear</samp>.</p> <p>Here are a few sample cmdlets for removing storage resources:</p> <ul class="default-list"> <li>To delete the partition, making any stored data unavailable, use <samp>Remove-Partition -DiskNumber <DiskNumber> -PartitionNumber <PartitionNumber></samp>.</li> <li>To remove volumes as identified by drive letter, use <samp>Remove-Volume -DriveLetter <DriveLetter>.</samp></li> <li>To remove all partition information and uninitialize the disk, use <samp>Clear-Disk -Number <DiskNumber> -RemoveData</samp>.</li> </ul> <p>Be very careful to <a href="https://www.techtarget.com/searchdatabackup/feature/The-7-critical-backup-strategy-best-practices-to-keep-data-safe">back up all data</a> before using these cmdlets to remove disk settings. Recovering lost data after running these cmdlets will be difficult or impossible. Also, think carefully before scripting disk deletions. It can be very easy to accidentally delete data as an automated process removes the storage space.</p> </section> <section class="section main-article-chapter" data-menu-title="Conclusion"> <h2 class="section-title"><i class="icon" data-icon="1"></i>Conclusion</h2> <p>Managing Windows Server storage space is a common administrator task, and PowerShell makes that job easier. Running manual commands in the PowerShell console is usually faster than browsing through graphical wizard interfaces, but the true benefit of CLI environments is scripting.</p> <p>Use the cmdlets in this article to investigate, create and remove storage configurations. Write PowerShell scripts to automate these processes, especially the investigation and creation tasks.</p> <p>Check your standard processes today to see whether scripting storage space management with PowerShell could improve your workflows.</p> <p><i>Damon Garn owns Cogspinner Coaction and provides freelance IT writing and editing services. He has written multiple CompTIA study guides, including the Linux+, Cloud Essentials+ and Server+ guides, and contributes extensively to Informa TechTarget, The New Stack and CompTIA Blogs.</i></p> </section> These PowerShell cmdlets and scripts simplify Windows Server storage management by displaying existing storage information and creating or removing disk resources. https://cdn.ttgtmedia.com/rms/onlineimages/storage_g539954410.jpg https://www.techtarget.com/searchwindowsserver/tip/Top-PowerShell-disk-management-commands-for-Windows-storage Mon, 06 Oct 2025 11:26:00 GMT Top PowerShell disk management commands for Windows storage <p>If you run the same commands every time you launch the PowerShell console, consider modifying your PowerShell profile for a better overall experience.</p> <p>The PowerShell profile loads your settings whenever you launch PowerShell to customize the environment to your needs. You define your settings as a PowerShell script, making the process straightforward. This article will explain the concepts behind the PowerShell profile, how to edit it for the various PowerShell consoles -- <a href="https://www.techtarget.com/searchwindowsserver/definition/PowerShell">PowerShell</a>, Windows PowerShell, Visual Studio Code (VS Code), Integrated Scripting Environment (ISE) -- and several useful additions to incorporate to enhance your workflow and avoid potential issues.</p> <section class="section main-article-chapter" data-menu-title="What is the PowerShell profile?"> <h2 class="section-title"><i class="icon" data-icon="1"></i>What is the PowerShell profile?</h2> <p>The PowerShell profile is simply a PowerShell script that runs every time you launch PowerShell, except when you launch PowerShell with the <b>-NoProfile </b>flag. The location of the profile varies depending on several conditions:</p> <ul class="default-list"> <li>The version of PowerShell (Windows PowerShell vs PowerShell)</li> <li>Is the profile for all users or the current user?</li> <li>Is the profile host application specific? (ISE, VS Code, etc)</li> </ul> <p>The following lists are directories. The names of the profile scripts depend on the host application.</p> <p>For all users, the profile is located here:</p> <ul class="default-list"> <li>Windows PowerShell: $PSHOME\</li> <li>PowerShell:</li> <li>Windows: $PSHOME\</li> <li>Linux: /usr/local/Microsoft/powershell/7/</li> <li>macOS: /usr/local/Microsoft/powershell/7/</li> </ul> <p>For specific users, the profile is located here:</p> <ul class="default-list"> <li>Windows PowerShell: $HOME\Documents\WindowsPowerShell\</li> <li>PowerShell</li> <li>Windows: $HOME\Documents\PowerShell\</li> <li>Linux: ~/.config/powershell/</li> <li>macOS: ~/.config/powershell/</li> </ul> <p>In these directories, you can have several valid profile files. The difference between the profiles is based on the host application that launches PowerShell. For this tutorial, we will use the ISE and VS Code as examples for hosts:</p> <ul class="default-list"> <li>All hosts: profile.ps1</li> <li>ISE: Microsoft.PowerShellISE_profile.ps1</li> <li>VS Code: Microsoft.VSCode_profile.ps1</li> </ul> <p>If a user launches PowerShell in VS Code, the following profiles could run on Windows:</p> <ul class="default-list"> <li>All users, all hosts: $PSHOME\profile.ps1</li> <li>All users, VS Code: $PSHOME\Microsoft.VSCode_profile.ps1</li> <li>Current user, all hosts: $HOME\profile.ps1</li> <li>Current user, VS Code: $HOME\Microsoft.VSCode_profile.ps1</li> </ul> <p>If any of the files don't exist, PowerShell skips that profile.</p> </section> <section class="section main-article-chapter" data-menu-title="How to access the PowerShell profile"> <h2 class="section-title"><i class="icon" data-icon="1"></i>How to access the PowerShell profile</h2> <p>The easiest way to access PowerShell's profile is through PowerShell itself. There's no need to remember any of the listed paths because they are all stored in a variable called <b>$Profile</b>.</p> <figure class="main-article-image full-col" data-img-fullsize="https://www.techtarget.com/rms/onlineimages/ahowell_psprofile_image1-f.jpg"> <img data-src="https://www.techtarget.com/rms/onlineimages/ahowell_psprofile_image1-f_mobile.jpg" class="lazy" data-srcset="https://www.techtarget.com/rms/onlineimages/ahowell_psprofile_image1-f_mobile.jpg 960w,https://www.techtarget.com/rms/onlineimages/ahowell_psprofile_image1-f.jpg 1280w" alt="A PowerShell command line window shows the location of the PowerShell profile." height="85" width="557"> <figcaption> <i class="icon pictures" data-icon="z"></i>To locate the PowerShell profile, enter the $Profile variable to show the path. </figcaption> <div class="main-article-image-enlarge"> <i class="icon" data-icon="w"></i> </div> </figure> <p>In this case, the username is hidden.</p> <p>You'll notice that the only path displayed is the current user's PowerShell host application profile. Thankfully the <b>$Profile</b> variable has some additional properties to show us the other paths. We can find those properties by piping the variable to <b>Get-Member</b>:</p> <pre class="language-powershell"><code>$Profile | Get-Member -MemberType NoteProperty</code></pre> <figure class="main-article-image full-col" data-img-fullsize="https://www.techtarget.com/rms/onlineimages/ahowell_psprofile_image2-f.jpg"> <img data-src="https://www.techtarget.com/rms/onlineimages/ahowell_psprofile_image2-f_mobile.jpg" class="lazy" data-srcset="https://www.techtarget.com/rms/onlineimages/ahowell_psprofile_image2-f_mobile.jpg 960w,https://www.techtarget.com/rms/onlineimages/ahowell_psprofile_image2-f.jpg 1280w" alt="A PowerShell command line window shows the properties of the $Profile variable." height="129" width="560"> <figcaption> <i class="icon pictures" data-icon="z"></i>Use the Get-Member cmdlet to find the properties associated with the $Profile variable. </figcaption> <div class="main-article-image-enlarge"> <i class="icon" data-icon="w"></i> </div> </figure> <p>Therefore, if we want to find the path for the AllUsersAllHosts profile, we can do so with:</p> <pre class="language-powershell"><code>$Profile.AllUsersAllHosts</code></pre> <p>On our system, the result is C:\Program Files\PowerShell\7\profile.ps1 for the path. Because the file is in the Program Files hierarchy and we can't edit that without administrative permissions, let's instead focus on the CurrentUserCurrentHost profile with:</p> <pre class="language-powershell"><code>$Profile.CurrentUserCurrentHost</code></pre> <figure class="main-article-image full-col" data-img-fullsize="https://www.techtarget.com/rms/onlineimages/ahowell_psprofile_image3-f.jpg"> <img data-src="https://www.techtarget.com/rms/onlineimages/ahowell_psprofile_image3-f_mobile.jpg" class="lazy" data-srcset="https://www.techtarget.com/rms/onlineimages/ahowell_psprofile_image3-f_mobile.jpg 960w,https://www.techtarget.com/rms/onlineimages/ahowell_psprofile_image3-f.jpg 1280w" alt="A PowerShell command line window shows the location of the CurrentUserCurrentHost profile script." height="130" width="559"> <figcaption> <i class="icon pictures" data-icon="z"></i>Find the location of the CurrentUserCurrentHost profile script. </figcaption> <div class="main-article-image-enlarge"> <i class="icon" data-icon="w"></i> </div> </figure> <p>If we want to edit that script, we can call VS Code directly:</p> <pre class="language-powershell"><code>code $Profile.CurrentUserCurrentHost</code></pre> <p>This will launch VS Code and open that file.</p> </section> <section class="section main-article-chapter" data-menu-title="Ideas of things to add to your profile"> <h2 class="section-title"><i class="icon" data-icon="1"></i>Ideas of things to add to your profile</h2> <p>Since the profile is so flexible, you could do many different things with it. Let's look at a few that I've found useful over the years.</p> <h3>Add OS awareness to profile</h3> <p>Not all commands work the same way across the OSes that PowerShell supports, so we need logic to separate different commands. Fortunately, PowerShell makes this very easy with some built-in variables that will all exist cross-platform:</p> <ul class="default-list"> <li>$IsWindows is true when running on Windows</li> <li>$IsLinux is true when running on Linux</li> <li>$IsMacOS is true when running on MacOS</li> </ul> <pre class="language-powershell"><code>if ($IsWindows) {     # do Windows stuff } elseif ($IsLinux) {     # do Linux stuff } elseif ($IsMacOS) {     # do MacOS stuff }</code></pre> <p>The following suggestions will contain some examples of how to write profile code for multiple platforms.</p> <div class="btt-thumbnailContainer"> <span class="btt-thumbnailTitle">How to find and customize your PowerShell profile</span> <a class="btt-thumbnailLink" data-video-id="652455" data-channel-id="18865"> <div class="btt-thumbnailImgContainer"> <img class="btt-videoBtThumbnail" src="https://cdn.brighttalk.com/ams/california/images/communication/652455/image_1059040.png?width=640&height=360"> </div></a> <time class="btt-video-duration" datetime="PT5M59S">5:59</time> </div> <div class="btt-modal"> <div class="btt-modal-content"></div> </div> <h3>Customize your prompt</h3> <p>PowerShell allows you to run a script every time the prompt loads, which is every time you run a command. If you aren't already familiar with customizing your prompt, I highly encourage you to do additional research to see some cool prompts folks have blogged about. This article will only cover a very basic example.</p> <p>For instance, if we wanted to place the cursor on the line below the path and display the # symbol if we are running as administrator on Windows or as root on Linux, we could do something like:</p> <pre class="language-powershell"><code>Function Prompt {     $endChar = '>'     # check if running as admin     if ($IsWindows) {         If (([Security.Principal.WindowsPrincipal][Security.Principal.WindowsIdentity]::GetCurrent()).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {             $endChar = '#'         }     } elseif ($IsLinux) {         if ((id -u) -eq 0) {             $endChar = '#'         }     }     "$PWD`nPS$endchar" }</code></pre> <p>Since we want this to run every time PowerShell loads, put it in your profile.</p> <h3>Load a PowerShell module and set default properties</h3> <p>A mistake I regularly make is to use a module that requires authentication before authenticating. Some modules are slick and remind you to authenticate, while others throw a cryptic error. Regardless, if it is a module you use frequently, consider adding the authentication steps to your profile.</p> <p>Let's <a href="https://www.techtarget.com/searchwindowsserver/tip/Whats-new-in-Microsoft-Graph-PowerShell-v2">use the Microsoft.Graph module</a> as an example. It allows you to authenticate using cached credentials, so, assuming you have previously authenticated, you can simply add the following to your profile:</p> <pre class="language-powershell"><code>Connect-MgGraph</code></pre> <p>Though one of the quirks of the Microsoft.Graph.Users module is that returning multiple properties of users requires specifying even the default properties. We can work around this by building a variable in our profile:</p> <pre class="language-powershell"><code>$graphUserProps = @(     'BusinessPhones',     'DisplayName',     'GivenName',     'Id',     'Mail',     'PreferredLanguage',     'Surname',     'UserPrincipalName' )</code></pre> <p>And then whenever we need additional properties for a Graph user, we can reference that variable and add additional properties:</p> <pre class="language-powershell"><code>Get-MgUser -UserId <upn> -Select ($graphUserProps + 'AccountEnabled','UsageLocation')</code></pre> <h3>Manage PowerShell module versions</h3> <p>If you have a particular module that you want to keep up to date, you can run version checks in your profile or run the Update-PSResource or Update-Module command on every launch. Since you may end up managing many modules or modules that are large themselves, we could initiate this part of the profile in a ThreadJob:</p> <pre class="language-powershell"><code>$modulesToUpdate = @('az', 'microsoft.graph') $null = Start-ThreadJob -Name "Update modules" -ArgumentList $modulesToUpdate {     param([string[]]$modulesToUpdate)     foreach ($module in $modulesToUpdate) {         Update-PSResource -Name $module -Force -Confirm:$false     } }</code></pre> <p>Since this example <a href="https://www.techtarget.com/searchwindowsserver/tutorial/Try-these-PowerShell-Start-Job-examples-for-more-efficiency">runs as a ThreadJob</a>, the modules will update in the background without slowing your profile.</p> <h3>Add security features</h3> <p>Since your PowerShell profile will load every time you run, this is a great place to enable some security features.</p> <p>For example, if <a href="https://www.techtarget.com/searchwindowsserver/tutorial/PowerShell-7-remoting-expands-management-horizons">your organization uses Just Enough Administration (JEA),</a> you can pre-emptively set up some JEA sessions:</p> <pre class="language-powershell"><code>$jeaDcSession = New-PSSession -ComputerName 'DC01' -ConfigurationName 'JEA_DC' Import-PSSession -Session $jeaDcSession -Prefix 'JEADC'</code></pre> <p>Then, if you wanted to see what commands were imported, you could run:</p> <pre class="language-powershell"><code>Get-JEADCCommand</code></pre> <p>Another use case is for unlocking secret vaults. If you <a href="https://www.techtarget.com/searchwindowsserver/tutorial/Working-with-PowerShell-Secret-Management-and-Secret-Vault">use the Secrets Management module</a>, you can unlock your most-used vault in your profile:</p> <pre class="language-powershell"><code>Unlock-SecretVault -Name VaultName -Password (Read-Host -AsSecureString)</code></pre> <p>However, this will prompt you for the vault password on every run.</p> <p>If your infosec team requires you to log all your PowerShell activity for ingestion into your company's SIEM, you could even add transcript logging to your profile:</p> <pre class="language-powershell"><code>Start-Transcript -OutputDirectory C:\Path\To\SIEM\Directory</code></pre> <h3>Adding aliases and argument completers</h3> <p>Another excellent use case for the PowerShell profile is adding aliases. If you work a lot in PowerShell interactively, then aliases can save quite a bit of typing. If we go back to the previous Microsoft.Graph example, you could shorten <b>Get-MgUser</b> to <b>gmu</b>:</p> <pre class="language-powershell"><code>New-Alias -Name gmu -Value Get-MgUser</code></pre> <p>However, one of my favorite aliases is for the Kubernetes command line tool kubectl. I alias it to the letter k:</p> <pre class="language-powershell"><code>New-Alias -Name k -Value kubectl</code></pre> <p>Kubectl <a target="_blank" href="https://kubernetes.io/docs/tasks/tools/install-kubectl-windows/#enable-shell-autocompletion" rel="noopener">includes</a> a PowerShell argument completer -- the function that offers dynamic hints for parameter values for commands to speed up coding. If <a href="https://www.theserverside.com/blog/Coffee-Talk-Java-News-Stories-and-Opinions/compare-Kubernetes-kubectl-vs-kubelet-when-to-use">you use kubectl</a> a lot, that is an excellent addition to your profile.</p> <h3>Load custom functions</h3> <p>A lot of times, you may find yourself writing one-off functions to help with your work. They may not feel worth adding to a module, but they help you get your work done. So after you have them in source control, your profile can dot-source them all to load them when you load PowerShell:</p> <pre class="language-powershell"><code>. C:\path\to\Function.ps1</code></pre> <h3>Apply environment awareness</h3> <p>If you have hosts with standard names or an easy way to identify what environment a host is in, you can make environment-aware adjustments to PowerShell. For example, you could force the background to be red when you are in production.</p> <pre class="language-powershell"><code>if ($IsWindows) {     if ($env:COMPUTERNAME -like 'prod-*') {         $Host.UI.RawUI.BackgroundColor = 'DarkRed'     } }</code></pre> <p>Or you could even update the window title, giving another layer of warning:</p> <pre class="language-powershell"><code>$Host.ui.RawUI.WindowTitle = "POWERSHELL in PRODUCTION"</code></pre> <h3>Ways to sync a PowerShell profile</h3> <p>Once you've perfected your profile, you won't see those customizations when you hop onto another system. To solve that, we can introduce some profile synchronization.</p> <p>A common and easy fix is to use a file-syncing application, such as OneDrive. Be sure to enable the Documents folder redirection to sync your profile. If you do this, also be aware that your modules will also be synced, which could introduce latency unless you configure your Documents folder to be stored locally on your device. Whenever you import a module, OneDrive will download the files associated with the module.</p> <p>A better approach would be to store your profile in a place that is easily accessible. If you work in a corporate environment, this could be on a file server or even an Azure File share. Then, any time you launch PowerShell on a new machine, you just need to copy the profile onto your local system:</p> <pre class="language-powershell"><code>Copy-Item Z:\share\home\profile.ps1 ~\Documents\PowerShell\Profile.ps1</code></pre> <p>This approach also has the advantage of being supported on servers where installing an application such as OneDrive is prohibited.</p> <p>Another method is to use a GitHub <a target="_blank" href="https://docs.github.com/en/get-started/writing-on-github/editing-and-sharing-content-with-gists/creating-gists" rel="noopener">gist</a> to make the profile available for download. Gists are publicly available, so only use this method if your profile contains no private information, such as information about your internal environment.</p> <p>An excellent example of using a gist to sync your PowerShell profile is the from Steve Lee, the principal software engineer manager of the PowerShell development team from Microsoft. <a target="_blank" href="https://gist.github.com/SteveL-MSFT/a208d2bd924691bae7ec7904cab0bd8e" rel="noopener">His profile</a> uses a comment to identify the published version:</p> <pre class="language-powershell"><code># Version 1.2.13</code></pre> <p>He also includes logic that compares the version in the local profile with the public version. If the public profile version is greater, then the profile will be downloaded and made available the next time PowerShell launches.</p> <p>The following code downloads a PowerShell profile from a gist and saves it as the local PowerShell profile.</p> <pre class="language-powershell"><code>$gist = Invoke-RestMethod https://api.github.com/gists/a208d2bd924691bae7ec7904cab0bd8e $gist.files."profile.ps1".content | Out-File ~\Documents\PowerShell\Profile.ps1</code></pre> <p>These are just a few examples of how to customize your PowerShell profile. Experiment with some of these suggestions and incorporate them to optimize and simplify your workflow when working with this automation tool.</p> <p><i>Anthony Howell is an IT strategist with extensive experience in infrastructure and automation technologies. His expertise includes PowerShell, DevOps, cloud computing, and working in both Windows and Linux environments.</i></p> </section> Give a more streamlined approach to PowerShell by learning how to customize your PowerShell profile to optimize workflows, enhance security and adapt to different environments. https://cdn.ttgtmedia.com/rms/onlineimages/container_g1294273513.jpg https://www.techtarget.com/searchwindowsserver/tutorial/How-to-find-and-customize-your-PowerShell-profile Tue, 16 Sep 2025 10:37:00 GMT How to find and customize your PowerShell profile Fri, 12 Sep 2025 08:32:00 GMT Azure Arc guide for Microsoft admins <p>If you're looking for a safe space to build your expertise with Azure Arc and Microsoft's cloud offerings, there's a ready-made option available.</p> <p>Jumpstart ArcBox for IT Pros is a purpose-built, ready-to-deploy sandbox environment that provides IT professionals with a practical, hands-on introduction to Azure Arc and hybrid cloud technologies. Designed by Microsoft engineers, Jumpstart ArcBox delivers a pre-configured set of VMs and resources to simulate real-world scenarios across on-premises, edge and multi-cloud environments. For IT pros tasked with <a href="https://www.techtarget.com/searchwindowsserver/tip/Guide-to-Windows-Server-Hybrid-Administrator-certification">managing hybrid infrastructure</a>, Jumpstart ArcBox offers a controlled yet realistic platform to experiment, test, and build confidence in using Azure Arc to manage both Windows and Linux servers, and SQL workloads. This article will explain the deployment process for Jumpstart ArcBox and how to work within the environment to build your understanding of Azure Arc.</p> <section class="section main-article-chapter" data-menu-title="Why use Jumpstart ArcBox for IT Pros?"> <h2 class="section-title"><i class="icon" data-icon="1"></i>Why use Jumpstart ArcBox for IT Pros?</h2> <p>One of the standout benefits of Jumpstart ArcBox is the ability to gain experience with complex enterprise technologies without needing to provision or configure the underlying infrastructure from scratch. IT professionals can <a href="https://www.techtarget.com/searchwindowsserver/tutorial/Azure-Arc-setup-tips-for-on-premises-server-management">explore key capabilities, such as Azure Arc-enabled servers</a>, policy enforcement and Azure Monitor integration. This arrangement eliminates the barriers typically associated with setting up hybrid environments, such as hardware dependencies, security configurations and networking complexities, allowing learners to focus on mastering the tools and workflows that matter most in real-world deployments.</p> <p>Jumpstart ArcBox also serves as a valuable training and enablement resource for organizations and IT teams. Whether onboarding new team members, conducting internal workshops or evaluating Azure Arc capabilities before production rollout, Jumpstart ArcBox provides a consistent, replicable learning experience. It bridges the skills gap by accelerating familiarity with hybrid management tools and gives IT pros the confidence to support evolving infrastructure strategies that blend on-premises systems with the flexibility of the cloud.</p> <p>In addition to Jumpstart ArcBox for IT Pros, Microsoft also offers other tailored sandbox deployments: a full ArcBox deployment for a complete hybrid cloud experience, ArcBox for DevOps designed for DevOps engineers and ArcBox for DataOps for data professionals.</p> </section> <section class="section main-article-chapter" data-menu-title="How to deploy Jumpstart ArcBox for IT Pros"> <h2 class="section-title"><i class="icon" data-icon="1"></i>How to deploy Jumpstart ArcBox for IT Pros</h2> <p>Microsoft designed Jumpstart ArcBox to be self-sufficient. If you've ever set up a lab environment for Arc before, chances are that you've had to make use of physical hardware. Jumpstart ArcBox for IT Pros <a href="https://www.techtarget.com/searchitoperations/tip/Understand-hardware-support-for-virtualization">uses nested virtualization</a>: Hyper-V VMs that run inside the Azure VM are the "on-premises" systems registered as Arc-enabled servers. All you need is an Azure subscription to provision the entire lab environment.</p> <p>Before you start, there are a few prerequisites to check:</p> <ol type="1" start="1" class="default-list"> <li>While you don't need hardware to run the lab, you need a system to trigger the deployment and access the lab environment. Anything capable of running a terminal and a browser should be fine. There are no OS requirements.</li> <li>Install the latest version of Azure CLI, which is cross-platform, so you can install it on Windows, Linux -- including Windows Subsystem for Linux (WSL) -- and macOS.</li> <li>Check that you can deploy to one of the supported Azure regions. Not every region supports all the features needed to run Jumpstart ArcBox, so check the online <a target="_blank" href="https://jumpstart.azure.com/azure_jumpstart_arcbox/faq" rel="noopener">documentation</a> and ensure you can access one of the supported datacenters.</li> <li>Check the vCPU quota for the desired region. Jumpstart ArcBox for IT Pros uses eight DSv5 vCPUs, so ensure you have sufficient capacity. You can request a quota increase for the specific region, which usually only takes a few minutes to fulfill.</li> <li>Using the <b>az provider register</b> command, you'll need to register the following Resource Providers in your Azure subscription:</li> </ol> <ol class="default-list"> <li style="list-style: none;"> <ol class="default-list"> <li style="list-style: none;"> <ol style="list-style-type: lower-alpha;" class="default-list"> <li>Microsoft.Compute</li> <li>Microsoft.HybridCompute</li> <li>Microsoft.GuestConfiguration</li> <li>Microsoft.AzureArcData</li> <li>Microsoft.OperationsManagement</li> <li>Microsoft.Insights</li> <li>Microsoft.HybridConnectivity</li> </ol> </li> </ol> </li> </ol> <p>To deploy Jumpstart ArcBox for IT Pros, there are a couple of approaches, and both of them start from the official documentation <a target="_blank" href="https://jumpstart.azure.com/azure_jumpstart_arcbox/ITPro" rel="noopener">page</a>:</p> <ol type="1" start="1" class="default-list"> <li>Navigate to <b>Deployment Option 1: Azure portal</b> and click the <b>Deploy to Azure</b> button to start a deployment using the ARM templates for ArcBox, which are stored in the relevant GitHub repository. Because the repository is public, all templates and parameter files are referenced via URLs to allow a complete deployment.<b> </b>You only need to provide values for the required parameters that can't be automatically populated, such as the tenant ID and a <a href="https://www.techtarget.com/searchwindowsserver/tip/How-to-work-with-the-new-Windows-LAPS-feature">password for the local Windows administrator</a>. The system automatically populates other parameters with default values from the parameters file, but they can be customized. For example, you can modify the automatic shutdown time, specify an email recipient for the shutdown notifications or and whether or not to make use of Azure Spot Pricing. Once you've made the necessary edits, select <b>Review and create</b>, confirm the details and the deployment is submitted.</li> <li>The second option is to pull down the GitHub repository and deploy from a local workstation. In the official documentation, scroll down to <b>Deployment Option 2: Bicep deployment</b>, and you'll see the git command to clone down the repository. The files you're looking for are contained in the <b>./azure_arc/azure_jumpstart_ArcBox/bicep</b> folder. The main file to edit is the <b>main.bicepparam</b> file -- this is the parameters file which passes values to the <b>main.bicep</b> deployment template. As with the portal-based deployment, the main values you need to provide are for the <b>tenantID</b> and <b>windowsAdminPassword</b> parameters, but you can add additional parameters to the file to overwrite the default values in the main template. Just keep the syntax consistent, for example <b>param autoShutdownTime = '1200'</b>. The online documentation lists the available parameters you can adjust, or you can look inside the <b>main.bicep </b>file at the different configured parameters. Once done, you have a few options for deployment:</li> </ol> <ol style="list-style-type: lower-alpha;" class="default-list"> <li>Start by creating a new Azure Resource Group in the region to deploy ArcBox. For example, <b>az group create --name "ArcBox-rg" --location "eastus"</b></li> <li><a href="https://www.techtarget.com/searchcloudcomputing/tip/Why-and-how-to-create-Azure-service-principals">Deploy using Azure CLI</a> with the following command: <b>az deployment group create -g "ArcBox-rg" -f "main.bicep" -p "main.bicepparam"</b></li> <li>Deploy using Azure PowerShell with the following command: <b>New-AzResourceGroupDeployment -Name ArcBox -ResourceGroupName "ArcBox-rg" -TemplateFile "./main.bicep" -TemplateParameterFile "./main.bicepparam"</b></li> <li>Deploy directly from a supported application, such as VSCode. To do this, ensure you have the relevant Azure and Bicep extensions installed, then right-click the <b>main.bicepparam</b> file and select <b>Show Deployment Pane</b>. This gives a step-by-step UI for submitting the deployment to Azure and tracking it to completion.</li> </ol> <p>The first deployment option via the Azure portal gets you up and running faster, but if you think you'll run the deployment multiple times, then the second option is preferred. The portal-based deployment option doesn't store any of the parameter values, so you'll have to re-enter them each time. Using a <a href="https://www.techtarget.com/searchitoperations/tutorial/How-to-use-Git-to-save-PowerShell-scripts">local copy of the GitHub repository</a> means that your parameter values are saved, so you don't need to provide them for each deployment. Just be careful to avoid committing sensitive data to the parameters file and then committing it to an online repository. You won't have access to push to the original Microsoft repository, so you can't do that accidentally, but it's still worth being careful.</p> </section> <section class="section main-article-chapter" data-menu-title="Post-deployment configuration and access for ArcBox lab"> <h2 class="section-title"><i class="icon" data-icon="1"></i>Post-deployment configuration and access for ArcBox lab</h2> <p>Once the template deployment is complete, go to the Azure portal and navigate to the Azure Resource Group that you specified for the ArcBox deployment. You'll see a list of various resources, but nothing specifically related to Azure Arc, because there's a fully automated post-deployment process running on the <b>ArcBox-Client VM</b>. This was triggered by an Azure VM script extension, which runs the <b>./azure_arc/azure_jumpstart_ArcBox/artifacts/Bootstrap.ps1</b> script. This, in turn, executes additional configuration scripts depending on the type of ArcBox provisioned.</p> <p>Connect to the <b>ArcBox-Client VM</b> to see the ongoing configuration process.<b> </b>By default, there's no inbound connectivity, so we need to open a port in the <b>ArcBox-NSG</b> Network Security Group. Go to the NSG resource, navigate to Settings>Inbound security rules and select <b>Add</b>. Choose the following configuration options:</p> <ul class="default-list"> <li>Source>My IP Address</li> <li>Service>RDP</li> </ul> <p>Leave all the other settings as the default. Select <b>Add</b> to create the new rule, which opens TCP port 3389 to the target VM, but only from the detected public IP address. If the IP address changes in the future or you want to connect from a different location, you'll need to update the rule with the new IP address. You can also turn off the rule when you're not planning to connect to the VM by changing the action from <b>Allow</b> to <b>Deny</b>. If you're uncomfortable with opening the RDP port, a deployment option <a href="https://www.techtarget.com/searchcloudcomputing/tip/How-to-protect-VMs-with-Azure-Bastion-hosts">includes an Azure Bastion instance</a> that gives a connection to the VM via a hosted jumphost. However, this is an always-on service, so Azure Bastion will keep incurring running costs even if the VM is turned off.</p> <p>Once done, navigate to the <b>ArcBox-Client VM</b> and select <b>Connect</b>. Download the RDP file, and you can connect to the VM via any application that supports Remote Desktop Protocol. The username and password are whatever you specified in the deployment. Once connected, you should see a PowerShell window that is running several predetermined configuration scripts to set the VM up to host multiple VMs acting as your pseudo on-premises lab. These are the systems that will be automatically registered with Azure Arc. This post-deployment process can take up to 45 minutes to complete, and the VM will log you out at least once.</p> <p>If you turn the VM off or set it to auto-shutdown, then the VM will likely have a different public IP address when it is restarted. You'll need to retrieve this when reconnecting.</p> <p>Once complete, the desktop wallpaper will change to the official JumpStart logo, and there'll be a BgInfo box in the corner showing you how many functional tests were executed, how many passed and how many failed. Open Hyper-V Manager and you'll see five VMs: two Windows, two Linux and one SQL. Lastly, go back to the resource group in the Azure portal and refresh to see the new resources -- these are the newly deployed VMs now registered with Azure Arc. Your JumpStart lab is complete.</p> </section> <section class="section main-article-chapter" data-menu-title="How to interact with Jumpstart ArcBox for IT Pros"> <h2 class="section-title"><i class="icon" data-icon="1"></i>How to interact with Jumpstart ArcBox for IT Pros</h2> <p>You can interact with the Jumpstart ArcBox for IT Pros lab environment from any system, but the <b>ArcBox-Client VM</b> is the best option. This dedicated VM includes:</p> <ul class="default-list"> <li>required binaries and necessary tools;</li> <li>System Managed Identity configuration to authenticate to Azure services; and</li> <li>required permissions to interact with Arc-enabled resources.</li> </ul> <p>To work in the lab, use Azure CLI to remote to one of the Linux servers. From within the VM, start by opening up a terminal session, then:</p> <ol type="1" start="1" class="default-list"> <li>Start typing <b>Get-ChildItem env:</b> to get a list of all the environment variables available to the PowerShell session. There are many custom ones which define the lab environment, such as <b>mssqlmiName</b> and <b>resourceGroup</b>, that help with passing values into administrative commands.</li> <li>Type in <b>az account show</b> to demonstrate Azure CLI is already installed and authenticated to Azure using the VM's managed identity.</li> <li>Enter the following PowerShell commands:</li> </ol> <pre class="language-powershell"><code>$serverName = "ArcBox-Ubuntu-01" $localUser = "jumpstart" az arc ssh --resource-group $env:resourceGroup --name $serverName --local-user $localUser</code></pre> <ul class="default-list"> <li style="list-style: none;"> <ol style="list-style-type: lower-alpha;" class="default-list"> <li>This uses the Azure CLI Arc module to connect to the Arc-enabled Linux server using SSH. The Arc management plane handles the connection. There is no need to configure any networking or firewalls to enable it.</li> <li>Try changing the <b>$serverName</b> variable to <b>ArcBox-Ubuntu-02</b> and execute the same command as above. You will see that you're able to <a href="https://www.techtarget.com/searchwindowsserver/tip/These-Posh-SSH-examples-pave-the-way-to-Linux-management">SSH directly into the system</a> from the VM because the managed identity has the requisite permissions.</li> </ol> </li> </ul> <ol type="1" start="4" class="default-list"> <li>Connect to the Windows Server 2025 system via Azure Arc SSH using the following commands:</li> </ol> <pre class="language-powershell"><code>$serverName = "ArcBox-Win2K25" $localUser = "Administrator" az arc ssh --resource-group $env:resourceGroup --name $serverName --local-user $localUser Password = "JS123!!"</code></pre> <ol class="default-list"> <li style="list-style: none;"> <ol class="default-list"> <li style="list-style: none;"> <ol style="list-style-type: upper-alpha;" class="default-list"> <li style="list-style: none;"> <ol style="list-style-type: lower-alpha;" class="default-list"> <li>The commands connect you to a shell session on the Arc-enabled Windows Server 2025 VM. Type in <b>pwsh</b> to enter a PowerShell 7 -- formerly PowerShell Core -- session on the same remote system.</li> <li>Exit the SSH session back to the main VM. Enter the same command as above, but this time append <b>--rdp</b> to the end. This time you'll connect to the Server 2025 VM, but instead of tunnelling SSH through the Azure Arc backplane, you'll connect via RDP.</li> </ol> </li> </ol> </li> </ol> </li> </ol> </section> <section class="section main-article-chapter" data-menu-title="Get familiar with Azure Arc's operational features"> <h2 class="section-title"><i class="icon" data-icon="1"></i>Get familiar with Azure Arc's operational features</h2> <p>Let's move on to look at some of the operational features that have been enabled in the ArcBox lab, starting with operational workbooks.</p> <p>In the <b>ArcBox-itpro</b> resource group, you'll see two Azure Workbook resources. Open the <b>Azure Arc-enabled resources inventory</b> workbook to see a breakdown of the lab inventory, including the available and outstanding list of software updates pending across the lab.</p> <p>Go back out and select the second workbook (OS Performance) -- this workbook takes it data from the lab Log Analytics Workspace, so you may need to select the workspace resource for the workbook to be populated.</p> <p>This workbook gives you a rundown of the <a href="https://www.techtarget.com/searchitoperations/tutorial/Build-a-PowerShell-performance-monitoring-script-step-by-step">processor, memory and disk performance metrics</a> for each server in the lab. While these are very similar to the performance metrics you'd expect to see from Azure VMs, this metrics data is ingested into Log Analytics via Azure Arc from systems that are effectively on-premises.</p> <p>In the top right-hand corner of each component in the workbook, you'll see an Azure Logs icon to view the logs directly in the workspace which were used to populate the report component view. Within the logs view, if you click on <b>User Query</b>, you'll get the <a href="https://www.techtarget.com/searchwindowsserver/tip/Kusto-Query-Language-primer-for-IT-administrators">specific Kusto Query Language (KQL) query</a> used to generate the results. This allows you to customize the queries, save them as custom queries and use them in different workbooks or administrative systems.</p> <p>Circling back to update management, this data is available because each Arc-enabled system has been onboarded to Azure Update Manager. This centralized platform allows managing updates across the infrastructure in Azure and Arc-enabled servers.</p> <p>Try the following steps to manage updates on an Arc-enabled server:</p> <ol type="1" start="1" class="default-list"> <li>In the Azure portal, navigate to the <b>ArcBox-itpro</b> resource group and go into <b>ArcBox-Ubuntu-02</b>. This is the Arc resource created when the Hyper-VM was onboarded to Azure Arc.</li> <li>Navigate to <b>Operations>Updates</b> for a list of available updates for this particular system, classified by type.</li> <li>Select <b>One-time update</b>. There should be only one machine selected, although Azure Update Manager can update multiple systems at once.</li> <li>Select <b>Next</b>, then choose <b>Select by Update Classification</b>. Uncheck <b>Select All</b> and select <b>Security and critical updates</b>, then click <b>Save</b>.</li> <li>Proceed to <b>Review and install</b>, and then click <b>Install</b>. This triggers an update of the Arc-enabled VM, downloading and installing critical and security updates. The system will reboot if needed, and Azure Update Manager will refresh the status of the VM once the outstanding updates have been installed successfully.</li> </ol> <p>The last thing we'll take a look at is the Arc-enabled SQL instance. In the <b>ArcBox-itpro</b> resource group, navigate to the <b>ArcBox-SQL</b> resource, which is the SQL server instance running on the Hyper-V lab VM. SQL Best Practices Assessment has been enabled for the lab and has been run on instance already, with the results stored in the lab's Log Analytics workspace.</p> <p>Navigate to <b>Settings>Best practices assessment </b>and click on the completed assessment. You'll see a full list of all the issues detected on the SQL server and databases, categorized by severity and type. Drill down into any of the issues to see a rundown of the problem along with the URL to the associated help link to assist with research and to implement the correct remediation.</p> <p>Best practices assessment doesn't allow you to execute remote remediation, which is probably a good thing given the importance of most SQL servers. As you work through the detected issues, each new assessment will show a reduction in the problem and recommendation count. If you're too impatient to wait for the next scheduled scan, hit <b>Run assessment</b> to trigger a manual scan. This functionality is available for any Arc-enabled SQL server, regardless of where it runs.</p> </section> <section class="section main-article-chapter" data-menu-title="Explore these next steps with an ArcBox lab"> <h2 class="section-title"><i class="icon" data-icon="1"></i>Explore these next steps with an ArcBox lab</h2> <p>When you finish exploring the Jumpstart ArcBox for IT Pros lab, delete the resource group, which removes all the lab-related resources.</p> <p>Because the ArcBox lab is designed to be completely self-contained and easily deployed, it's a good candidate for building a <a href="https://www.techtarget.com/searchwindowsserver/tip/Improve-IT-efficiency-with-a-PowerShell-self-service-portal">self-service portal for your team</a>. Creating a simple Microsoft Form tied to an Azure Logic App can trigger an automated ArcBox deployment for further testing and also exploring the other ArcBox offerings. You can also extend the standard ArcBox deployment by adding custom Hyper-V VMs running a range of OSes and applications, then register them with Azure Arc to explore technical scenarios closer to your own environment's ecosystem.</p> <p>The official JumpStart ArcBox <a target="_blank" href="https://jumpstart.azure.com/azure_jumpstart_arcbox" rel="noopener">website</a> features additional tutorials and labs to explore, so don't forget to check it out as you progress on your journey to learn more about Azure Arc.</p> <p><i>James Bannan is a principal security consultant with more than 25 years of industry experience, specializing in Microsoft Azure architecture, security and automation. He is a published author and journalist, as well as a former Microsoft MVP and a current Microsoft Certified Trainer.</i></p> </section> Get familiar with Microsoft's ready-to-deploy environment that simulates real scenarios to help admins to learn hybrid cloud management through the company's Azure Arc tool. https://cdn.ttgtmedia.com/rms/onlineimages/keyboard_g1253608928.jpg https://www.techtarget.com/searchwindowsserver/tip/How-to-work-with-Jumpstart-ArcBox-for-IT-Pros Fri, 12 Sep 2025 08:19:00 GMT How to work with Jumpstart ArcBox for IT Pros <p>Linux administrators often juggle several responsibilities, such as maintaining connections to multiple servers to manage services, <a href="https://www.techtarget.com/searchcio/feature/Replacing-vs-maintaining-legacy-systems">maintaining software</a>, updating configurations and reviewing log files. Instead of repeatedly establishing and closing connections, it's easier and more time-efficient to establish multiple terminals from a single workstation's shell.</p> <p>The terminal multiplexer (tmux) application enables administrators to connect and disconnect from multiple sessions without closing terminals, which would exit the processes running in them.</p> <p>This article gets administrators started with tmux. It covers the installation process, basic usage, configuration options and the essential key bindings that make tmux such a useful tool.</p> <section class="section main-article-chapter" data-menu-title="Primary benefits and features of tmux"> <h2 class="section-title"><i class="icon" data-icon="1"></i>Primary benefits and features of tmux</h2> <p>There are several primary benefits to integrating tmux into a standard Linux system administration workflow. These benefits include:</p> <ul class="default-list"> <li>Maintaining persistent sessions that run after disconnecting, enabling long-running tasks such as software compilation or script execution to continue.</li> <li>Providing vertical and horizontal split-screen panes for viewing multiple sessions in the local shell.</li> <li>Enabling key bindings for efficient task switching.</li> </ul> <p>Most administrators establish an SSH connection and then run tmux. SSH provides security, and tmux offers flexibility.</p> <p>In addition to persistent sessions, tmux enables many other use cases, such as:</p> <ul class="default-list"> <li>Splitting terminal windows into multiple panes to run several applications simultaneously, such as system administration tasks and Python development.</li> <li>Connecting multiple users to one session for collaboration, pair programming or troubleshooting.</li> <li>Conducting continuous monitoring of multiple systems, including various log files and services.</li> </ul> </section> <section class="section main-article-chapter" data-menu-title="How to install tmux"> <h2 class="section-title"><i class="icon" data-icon="1"></i>How to install tmux</h2> <p>Tmux offers various installation options for Linux and macOS, since most current distributions do not typically include it. The installation process assumes the OS is using the <a href="https://www.techtarget.com/searchITOperations/tip/How-to-use-Linux-package-managers">preferred package manager</a>. Like many Linux applications, tmux is open source. Users can <a href="https://github.com/tmux" target="_blank" rel="noopener">download the source code</a> and compile the program themselves.</p> <h3>Red Hat-based Linux distributions</h3> <p>For distributions such as RHEL, Fedora, <a href="https://www.techtarget.com/searchDataCenter/tip/Rocky-Linux-vs-AlmaLinux-Which-is-better">AlmaLinux and Rocky Linux</a>, type:</p> <p><span style="font-family: 'courier new', courier, monospace;">dnf install tmux</span></p> <figure class="main-article-image full-col" data-img-fullsize="https://www.techtarget.com/rms/onlineimages/dnf-info-tmux-f.jpg"> <img data-src="https://www.techtarget.com/rms/onlineimages/dnf-info-tmux-f_mobile.jpg" class="lazy" data-srcset="https://www.techtarget.com/rms/onlineimages/dnf-info-tmux-f_mobile.jpg 960w,https://www.techtarget.com/rms/onlineimages/dnf-info-tmux-f.jpg 1280w" alt="Screenshot of tmux installation details on Fedora." data-credit="Damon Garn" height="178" width="560"> <figcaption> <i class="icon pictures" data-icon="z"></i>Details of a tmux package installed on Fedora system (version 3.3a, aarch64 architecture). </figcaption> <div class="main-article-image-enlarge"> <i class="icon" data-icon="w"></i> </div> </figure> <h3>Debian-based distributions</h3> <p>For Debian-based distributions, including Ubuntu and Linux Mint, type:</p> <p><span style="font-family: 'courier new', courier, monospace;">apt install tmux</span></p> <h3>macOS</h3> <p>Mac users frequently rely on the Homebrew package manager. After <a href="https://www.techtarget.com/searchVirtualDesktop/tip/How-to-install-Homebrew-on-macOS-for-software-distribution">installing Homebrew</a>, run the following command to add tmux:</p> <p><span style="font-family: 'courier new', courier, monospace;">brew install tmux</span></p> <h3>Windows</h3> <p>Windows users must rely on the Windows Subsystem for Linux (<a href="https://www.techtarget.com/searchwindowsserver/definition/Microsoft-Windows-Subsystem-for-Linux">WSL</a>). After installing WSL, use the <span style="font-family: 'courier new', courier, monospace;">apt</span> package manager to install tmux:</p> <p><span style="font-family: 'courier new', courier, monospace;">apt install tmux</span></p> <p>Users might also run tmux on OpenBSD, FreeBSD and NetBSD.</p> </section> <section class="section main-article-chapter" data-menu-title="How to perform basic actions in tmux"> <h2 class="section-title"><i class="icon" data-icon="1"></i>How to perform basic actions in tmux</h2> <p>Run the application by typing the tmux command. Once it's running, use the <b>Ctrl+B</b> combination to initiate commands. Pressing <b>Ctrl+B</b> on a Linux system alerts tmux that the next key presses are commands for tmux itself.</p> <figure class="main-article-image full-col" data-img-fullsize="https://www.techtarget.com/rms/onlineimages/tmux-greenbox-f.jpg"> <img data-src="https://www.techtarget.com/rms/onlineimages/tmux-greenbox-f_mobile.jpg" class="lazy" data-srcset="https://www.techtarget.com/rms/onlineimages/tmux-greenbox-f_mobile.jpg 960w,https://www.techtarget.com/rms/onlineimages/tmux-greenbox-f.jpg 1280w" alt="Screenshot of a new tmux session in the terminal." data-credit="Damon Garn" height="124" width="560"> <figcaption> <i class="icon pictures" data-icon="z"></i>A tmux session with a status bar at the bottom that shows the active shell, host name and timestamp. </figcaption> <div class="main-article-image-enlarge"> <i class="icon" data-icon="w"></i> </div> </figure> <p>For example, disconnecting from a tmux session relies on the <b>d</b> command. Make sure to press <b>Ctrl+B</b> first, alerting tmux that the subsequent command -- the <b>D</b> disconnect command -- applies to it.</p> <h3>Start and detach from sessions</h3> <p>Begin by starting a new tmux session. Give it a unique session name -- something descriptive. Once the session is running, it will continue executing scripts and commands after disconnecting from the session.</p> <p>Create a new session named <span style="font-family: 'courier new', courier, monospace;">backup-script</span> by typing this command:</p> <p><span style="font-family: 'courier new', courier, monospace;">tmux new -s backup-script</span></p> <figure class="main-article-image full-col" data-img-fullsize="https://www.techtarget.com/rms/onlineimages/tmux-start-detach-f.jpg"> <img data-src="https://www.techtarget.com/rms/onlineimages/tmux-start-detach-f_mobile.jpg" class="lazy" data-srcset="https://www.techtarget.com/rms/onlineimages/tmux-start-detach-f_mobile.jpg 960w,https://www.techtarget.com/rms/onlineimages/tmux-start-detach-f.jpg 1280w" alt="Screenshot of starting, detaching from and listing tmux sessions." data-credit="Damon Garn" height="120" width="558"> <figcaption> <i class="icon pictures" data-icon="z"></i>Starting a session called backup-script, detaching from that session and listing running tmux sessions, including both the default session (0) and the new backup-script session. </figcaption> <div class="main-article-image-enlarge"> <i class="icon" data-icon="w"></i> </div> </figure> <p>After launching the tmux session, use SSH to connect to a remote system. For example, the command within the tmux window might resemble <span style="font-family: 'courier new', courier, monospace;">ssh damon@192.168.2.200</span>.</p> <p>Use the SSH session to launch backup scripts, conduct sysadmin tasks or update software.</p> <p>Detach from the tmux session by using the <b>D</b> key. Don't forget to use <b>Ctrl+B</b> to inform tmux that the next command applies to it.</p> <p><b>Ctrl+B</b></p> <p><b>D</b></p> <figure class="main-article-image full-col" data-img-fullsize="https://www.techtarget.com/rms/onlineimages/detached-f.jpg"> <img data-src="https://www.techtarget.com/rms/onlineimages/detached-f_mobile.jpg" class="lazy" data-srcset="https://www.techtarget.com/rms/onlineimages/detached-f_mobile.jpg 960w,https://www.techtarget.com/rms/onlineimages/detached-f.jpg 1280w" alt="Screenshot of the user detaching from the default tmux session." data-credit="Damon Garn" height="122" width="559"> <figcaption> <i class="icon pictures" data-icon="z"></i>Detaching from the default tmux session after starting it. </figcaption> <div class="main-article-image-enlarge"> <i class="icon" data-icon="w"></i> </div> </figure> <p></p> <h3>Display existing sessions</h3> <p>Display existing sessions by using the <span style="font-family: 'courier new', courier, monospace;">tmux ls</span> command, as seen below.</p> <p><span style="font-family: 'courier new', courier, monospace;">tmux ls</span></p> <figure class="main-article-image full-col" data-img-fullsize="https://www.techtarget.com/rms/onlineimages/tmux-ls-f.jpg"> <img data-src="https://www.techtarget.com/rms/onlineimages/tmux-ls-f_mobile.jpg" class="lazy" data-srcset="https://www.techtarget.com/rms/onlineimages/tmux-ls-f_mobile.jpg 960w,https://www.techtarget.com/rms/onlineimages/tmux-ls-f.jpg 1280w" alt="Screenshot of the user listing existing tmux sessions." data-credit="Damon Garn" height="121" width="560"> <figcaption> <i class="icon pictures" data-icon="z"></i>Displaying the existing tmux sessions including backup-script and 0. </figcaption> <div class="main-article-image-enlarge"> <i class="icon" data-icon="w"></i> </div> </figure> <h3>Reattach to sessions</h3> <p>Reattach to a running session by using the <span style="font-family: 'courier new', courier, monospace;">attach</span> subcommand and specifying the session name.</p> <p><span style="font-family: 'courier new', courier, monospace;">tmux attach -t backup-script</span></p> <p>This example shows why descriptive names are important.</p> <h3>Kill sessions</h3> <p>Kill an existing session by using the following command:</p> <p><span style="font-family: 'courier new', courier, monospace;">tmux kill-session -t backup-script</span></p> <figure class="main-article-image full-col" data-img-fullsize="https://www.techtarget.com/rms/onlineimages/tmux-kill-f.jpg"> <img data-src="https://www.techtarget.com/rms/onlineimages/tmux-kill-f_mobile.jpg" class="lazy" data-srcset="https://www.techtarget.com/rms/onlineimages/tmux-kill-f_mobile.jpg 960w,https://www.techtarget.com/rms/onlineimages/tmux-kill-f.jpg 1280w" alt="Screenshot of the user killing the backup-script session, then listing remaining sessions." data-credit="Damon Garn" height="121" width="560"> <figcaption> <i class="icon pictures" data-icon="z"></i>Killing the backup-script session, then listing the existing sessions, which now only includes session 0. </figcaption> <div class="main-article-image-enlarge"> <i class="icon" data-icon="w"></i> </div> </figure> </section> <section class="section main-article-chapter" data-menu-title="How to use copy mode in tmux"> <h2 class="section-title"><i class="icon" data-icon="1"></i>How to use copy mode in tmux</h2> <p>The standard local command history feature within a Linux distribution might not work reliably with tmux. Instead, rely on tmux's own copy mode.</p> <p>Copy mode lets the user select and copy commands from the terminal history and paste them into tmux panes.</p> <p>The tmux copy mode process follows six steps.</p> <ol class="default-list"> <li>Press <b>Ctrl+B</b> and then the <b>[</b> key.</li> <li>Use navigation keys -- typically the arrow keys -- to move to the desired text.</li> <li>Press <b>Space</b> to begin the text selection process.</li> <li>Use the navigation keys to select the text.</li> <li>Press <b>Enter</b> after selecting the text.</li> <li>Paste the text using the <b>]</b> key.</li> </ol> </section> <section class="section main-article-chapter" data-menu-title="Quick reference guide of tmux key bindings"> <h2 class="section-title"><i class="icon" data-icon="1"></i>Quick reference guide of tmux key bindings</h2> <p>Use the following quick reference list to take advantage of the available key bindings.</p> <ul class="default-list"> <li><b>Ctrl+B C</b>. Create a new window.</li> <li><b>Ctrl+B N</b>. Switch to the next window.</li> <li><b>Ctrl+B P</b>. Switch to the previous window.</li> <li><b>Ctrl+B W</b>. List all windows to select one.</li> <li><b>Ctrl+B %</b>. Split the current pane vertically.</li> <li><b>Ctrl+B "</b>. Split the current pane horizontally.</li> <li><b>Ctrl+B D</b>. Detach from the current session.</li> </ul> <figure class="main-article-image full-col" data-img-fullsize="https://www.techtarget.com/rms/onlineimages/multiple-windows-f.jpg"> <img data-src="https://www.techtarget.com/rms/onlineimages/multiple-windows-f_mobile.jpg" class="lazy" data-srcset="https://www.techtarget.com/rms/onlineimages/multiple-windows-f_mobile.jpg 960w,https://www.techtarget.com/rms/onlineimages/multiple-windows-f.jpg 1280w" alt="Screenshot displaying multiple windows in a tmux session." data-credit="Damon Garn" height="249" width="560"> <figcaption> <i class="icon pictures" data-icon="z"></i>Displaying one tmux session split both vertically and horizontally into multiple panes. </figcaption> <div class="main-article-image-enlarge"> <i class="icon" data-icon="w"></i> </div> </figure> <p>Tmux includes plenty of additional key bindings, but these are sufficient to get started.</p> </section> <section class="section main-article-chapter" data-menu-title="Basic customization options"> <h2 class="section-title"><i class="icon" data-icon="1"></i>Basic customization options</h2> <p>Tmux relies on the <span style="font-family: 'courier new', courier, monospace;">~/.tmux.conf </span>file. Because it's stored in the user's home folder, it is not a global configuration, enabling administrators to customize tmux to their own preferences. Tmux doesn't create the file automatically, although it does check for it when launched. Users must create the file and add customizations if they want to personalize tmux.</p> <p>Some common configuration options include:</p> <ul class="default-list"> <li>Adjusting the tmux prefix command from the <b>Ctrl+B</b> default to <b>Ctrl+A</b> or similar.</li> <li>Enabling status bar colors, borders and styles for easier pane identification.</li> <li>Configuring custom key bindings.</li> <li>Automatically running specific commands, scripts or programs upon starting a new tmux session.</li> </ul> <p>Advanced users <a target="_blank" href="https://github.com/tmux-plugins/tpm" rel="noopener">can add</a> the Tmux Plugin Manager to their system. This utility enables many additional customizations using community-developed plugins.</p> </section> <section class="section main-article-chapter" data-menu-title="Using tmux with SSH"> <h2 class="section-title"><i class="icon" data-icon="1"></i>Using tmux with SSH</h2> <p>SSH provides a critical method of securely connecting to remote systems. Tmux extends its flexibility by enabling multiple running remote sessions. Users can reattach to these sessions later, and they can even reattach from different systems. As an example, this makes it possible to execute a program on a remote server from a workstation at an office and then verify its status from a home computer.</p> <p><i>Damon Garn owns Cogspinner Coaction and provides freelance IT writing and editing services. He has written multiple CompTIA study guides, including the Linux+, Cloud Essentials+ and Server+ guides, and contributes extensively to Informa TechTarget, The New Stack and CompTIA Blogs.</i></p> </section> Learn the basics of using the terminal multiplexer (tmux) for managing remote connections. Walk through the installation process and configuration options for tmux. https://cdn.ttgtmedia.com/rms/onlineimages/code_g684641103.jpg https://www.techtarget.com/searchsoftwarequality/tip/How-to-use-tmux-sessions-to-manage-remote-connections Wed, 10 Sep 2025 13:53:00 GMT How to use tmux sessions to manage remote connections <p>As the hybrid cloud landscape continues to evolve, Microsoft's Azure Arc offers a different yet familiar approach to manage your Hyper-V infrastructure.</p> <p>Most experienced Hyper-V admins are well-versed with a wide range of virtualization management tools: from a full-blown System Center Virtual Machine Manager (SCVMM) platform to Windows Admin Center to the humble Hyper-V Manager or just PowerShell. Whatever your preference, you've likely recognized there are multiple avenues for both Hyper-V host administration and VM workload management. Microsoft's push towards hybrid management for on-premises workloads includes another option to consider: Azure Arc. At its simplest, Azure Arc is a platform to connect your on-premises workloads and <a href="https://www.techtarget.com/searchwindowsserver/feature/Azure-Local-aims-to-answer-shifting-needs-of-the-enterprise">integrate them with Microsoft Azure</a>, either directly using a locally installed agent or via a dedicated Arc Gateway. This article will step through how to use the Azure Arc agent to onboard a single Hyper-V host and work with VM workloads.</p> <section class="section main-article-chapter" data-menu-title="How to get started with Azure Arc"> <h2 class="section-title"><i class="icon" data-icon="1"></i>How to get started with Azure Arc</h2> <p>Azure Arc is not a replacement Hyper-V management platform but rather a complementary one to existing administrative tools and processes. Azure Arc centralizes the management of disparate on-premises systems and gives those systems a way to consume Azure-native services, such as Azure Monitor, Azure Storage, <a href="https://www.techtarget.com/searchcloudcomputing/tip/Protect-data-with-these-Azure-Key-Vault-best-practices">Azure Key Vault</a> and Microsoft Defender for Cloud. It also presents a different approach to traditional management approaches.</p> <p>To start, you need an Azure subscription. The good thing is that there's essentially no requirement regarding the type needed; you can use a DevTest, Visual Studio or free subscription to test Azure Arc onboarding. You must register the following resource providers to ensure the subscription can support Arc-enabled servers:</p> <ul class="default-list"> <li>Microsoft.HybridCompute</li> <li>Microsoft.GuestConfiguration</li> <li>Microsoft.HybridConnectivity</li> <li>Microsoft.AzureArcData</li> </ul> <p>If you're using Azure PowerShell, you can check the provider status using the <span style="font-family: 'courier new', courier, monospace;">Get-AzResourceProvider cmdlet</span>, for example:</p> <p><span style="font-family: 'courier new', courier, monospace;">Get-AzResourceProvider -ProviderNamespace Microsoft.HybridCompute</span></p> <p>And then use the <span style="font-family: 'courier new', courier, monospace;">Register-AzResourceProvider</span> cmdlet, for example:</p> <p><span style="font-family: 'courier new', courier, monospace;">Register-AzResourceProvider -ProviderNamespace Microsoft.HybridCompute</span></p> <p>There's additional information as well as a full list of commands for both Azure PowerShell and Azure CLI on the Microsoft Learn <a target="_blank" href="https://learn.microsoft.com/en-us/azure/azure-arc/servers/prerequisites#azure-resource-providers" rel="noopener">site</a>.</p> <p>In the Microsoft Entra ID tenant associated with your subscription, you need the following built-in roles assigned to your account:</p> <ul class="default-list"> <li>Azure Connected Machine Onboarding for the Resource Group where you plan to onboard the Hyper-V system (a Contributor or higher role will also work)</li> <li>Azure Connected Machine Resource Administrator role in the Resource Group to work with an onboarded machine</li> </ul> <p>Lastly, verify the chose Azure region supports Arc-enabled servers. Use Microsoft's Product Availability by Region <a target="_blank" href="https://azure.microsoft.com/en-GB/explore/global-infrastructure/products-by-region/table" rel="noopener">website</a>, filter on <b>Azure Arc-enabled servers</b> and search for your preferred location in the list of regions.</p> <p>The next step is to make sure the Hyper-V system is ready. At the time of writing, every version of Windows Server from 2012 <a href="https://www.techtarget.com/searchwindowsserver/tip/Learn-how-the-Windows-Server-2025-editions-differ">through Windows Server 2025</a> is fully supported as an Arc-enabled server, including both full desktop and Server Core installations. This tutorial uses an installation script locally on the server, which requires local administrator rights. The Hyper-V host must be able to connect to the internet via port 443 (HTTPS) either directly or using a proxy server.</p> <p>The Hyper-V host does not need to be bare metal; it can be a VM using nested virtualization. However, it shouldn't be an Azure VM, as VMs hosted on Azure have their own management capabilities.</p> </section> <section class="section main-article-chapter" data-menu-title="How to onboard a Hyper-V host to Azure Arc"> <h2 class="section-title"><i class="icon" data-icon="1"></i>How to onboard a Hyper-V host to Azure Arc</h2> <p>There are several ways to onboard a new system to Azure Arc, but this walkthrough will demonstrate a simple GUI-based approach.</p> <ol class="default-list"> <li>From the Hyper-V host, log into the Azure portal and navigate to the <b>Azure Arc</b> blade. This is the location to manage Arc-enabled systems and to onboard new ones. If the <a href="https://www.techtarget.com/searchwindowsserver/tip/How-to-manage-Windows-Server-in-an-air-gapped-environment">host runs Server Core</a>, then you'll need to do this from any system with a browser.</li> <li>Expand <b>Azure Arc resources</b> and select <b>Machines</b>. This is where any Arc-enabled systems will appear, and where you can launch administrative tasks.</li> <li>Select <b>Add/Create </b>and then <b>Add a machine</b>. This page presents a range of options for performing ad-hoc onboarding of systems into Azure. One of the most common is to generate an installation script via the <b>Add a single server</b> option, but in this example we'll use <b>Add Windows Server with installer</b>, which lets you download the installation executable directly. <br><br>The following <a target="_blank" href="https://aka.ms/arcsetup" rel="noopener">link</a> has the executable you can download without logging into the Azure portal. Windows Server 2022 and later versions come with this package, so you can trigger the onboarding directly. Onboarding Server Core systems require the installation script option.</li> </ol> <ol start="4" class="default-list"> <li>Launch the executable and click <b>Next</b>. The installer will check the system, software and network requirements, and will then install and configure the Azure Connected Machine agent. The agent will set up the Azure Hybrid Instance Metadata Service, which runs as a virtual account (NT SERVICE\himds). This account needs rights to log on as a service, but the agent installation will take care of that automatically.</li> <li>Select <b>Configure</b> to connect the Arc agent to your Azure subscription. Sign in to Azure to configure the agent. This is a one-time process; the credentials are not stored or used by the agent after onboarding.</li> <li>At the prompt, configure the environment details indicating where to onboard the local Hyper-V server, including the tenant, subscription, resource group and Azure region. If you have access to multiple tenants and subscriptions, then you'll need to select the right ones. The onboarding region doesn't need to match the resource group's region. If your system needs a proxy server to connect to the internet, enter those details.</li> <li>Click <b>Next</b> and your system will be onboarded to Azure Arc. To verify it worked, go back to the Azure portal and refresh the <b>Azure Arc resources>Machines</b> page to see the newly onboarded Hyper-V server.</li> </ol> </section> <section class="section main-article-chapter" data-menu-title="How to connect additional workloads to Azure Arc"> <h2 class="section-title"><i class="icon" data-icon="1"></i>How to connect additional workloads to Azure Arc</h2> <p>After onboarding the Hyper-V host to Azure Arc, you can also add the VMs running on the host. A simple approach is to just repeat the steps in the previous section on each VM -- download the executable or generate an installation script -- but that is not efficient. Let's try something a bit neater by <a href="https://www.techtarget.com/searchwindowsserver/feature/Got-infrastructure-needs-These-PowerShell-tutorials-can-help">using PowerShell Direct</a> to onboard VMs to Azure Arc. PowerShell Direct provides the ability to run PowerShell commands and scripts on Windows-based Hyper-V VMs via the host VMBus.</p> <ol class="default-list"> <li>In the Azure Arc machine page in the Azure portal, select <b>Add/Create</b> and then <b>Generate script</b> under <b>Add a single server</b>.</li> <li>Select the correct options for subscription, resource group and region. Select <b>Windows</b> as the operating system and optionally untick <b>Connect SQL Server</b>.</li> <li>Click through to the last page to see the resulting PowerShell script. Either download the script or copy the contents to a new file on your Hyper-V server, for example <b>C:\Users\Administrator\OnBoardingScript.ps1</b>.</li> <li>On the Hyper-V host, open PowerShell and enter the following commands:</li> </ol> <p><span style="font-family: 'courier new', courier, monospace;">$credential = Get-Credential #Enter the local username/password for the remote VM)</span></p> <p><span style="font-family: 'courier new', courier, monospace;">Invoke-Command -Credential $credential -VMName <VMNAME> -FilePath C:\Users\Administrator\OnBoardingScript.ps1</span></p> <ol start="5" class="default-list"> <li>The script will execute on the remote Windows VM: downloading and installing the Azure Connected Machine agent, and registering the system in the correct tenant and subscription. Once it's complete, refresh the <b>Machines</b> page in the Azure portal to see the newly onboarded Hyper-V VM.</li> </ol> <p>This approach won't work with Linux VMs; PowerShell Direct isn't supported on Linux. Hyper-V's command-line tool <b>hvc</b> enables a connection to any VM using the VMBus, including Linux. Use the <b>hvc ssh username@vmname </b>command to<b> </b>SSH directly from the Hyper-V host to the Linux VM, assuming <a href="https://www.techtarget.com/searchwindowsserver/tutorial/PowerShell-7-remoting-expands-management-horizons">SSH has been set up correctly</a>, to execute the onboarding shell script for Linux.</p> </section> <section class="section main-article-chapter" data-menu-title="Using remote PowerShell via Azure Arc for VM management"> <h2 class="section-title"><i class="icon" data-icon="1"></i>Using remote PowerShell via Azure Arc for VM management</h2> <p>After onboarding the Hyper-V host to Azure Arc, it's now possible to remotely administer via the Azure Arc management plane from virtually any system. For example, I am using a separate Ubuntu Linux system which has PowerShell and the <a href="https://www.techtarget.com/searchwindowsserver/tutorial/Using-PowerShell-for-Azure-service-principal-authentication">Azure PowerShell modules installed</a>. I've logged in using the <b>Login-AzAccount </b>command.</p> <ol class="default-list"> <li>Retrieve a list of Arc-connected systems with the <b>Get-AzConnectedMachine</b> cmdlet to see the onboarded Hyper-V host.</li> <li>Next, we'll create an empty text file on the Hyper-V host via Arc, using the <b>New-AzConnectedMachineRunCommand</b> cmdlet:</li> </ol> <p><span style="font-family: 'courier new', courier, monospace;">New-AzConnectedMachineCommand -ResourceGroupName <RGNAME> -Location <REGION> -MachineName <NAME> -RunCommandName "TestFile" -SourceScript "New-Item -Type File -Path 'C:\Windows\Temp' -Name test.txt"</span></p> <ol start="3" class="default-list"> <li>Log in to the Hyper-V system and check the <b>C:\Windows\Temp</b> folder for the <b>test.txt</b> file.</li> </ol> <p>Running the <b>New-AzConnectedMachineRunCommand</b> cmdlet from my Linux system, I used my Azure credentials to execute a command against the Hyper-V system using the registered Arc agent. My Linux system isn't talking directly to the Hyper-V system -- Azure Arc acts as the centralized management platform which links both systems.</p> <p>Using this method, it's straightforward to execute PowerShell commands directly on the Hyper-V host and by using the <b>New-VM</b>, <b>Get-VM </b>and <b>Set-VM</b> cmdlets. It's easy to provision and manage Hyper-V VMs via Azure Arc. However, let's extend Arc's capabilities and enhance our management options with the Windows Admin Center.</p> </section> <section class="section main-article-chapter" data-menu-title="Provisioning new VMs with the Windows Admin Center in Azure Arc"> <h2 class="section-title"><i class="icon" data-icon="1"></i>Provisioning new VMs with the Windows Admin Center in Azure Arc</h2> <p>The <a href="https://www.techtarget.com/searchwindowsserver/definition/Microsoft-Project-Honolulu">Windows Admin Center</a> offers an on-premises, centralized method to manage multiple systems, including Hyper-V hosts. When integrated with Azure Arc, you can access Windows Admin Center directly through the Azure portal without requiring VPN or direct private connectivity. The integration only requires outbound communication from the target system via port 443, with no inbound access or port forwarding needed.</p> <p>Unlike installing the Arc agent, using Windows Admin Center in Azure Arc requires specific licensing. The Windows Server license must either come from Software Assurance or <a href="https://www.techtarget.com/searchwindowsserver/tip/Understand-how-Windows-Server-2025-PAYG-licensing-works">from pay-as-you-go via Microsoft Azure.</a></p> <p>To set up Windows Admin Center integration, do the following:</p> <ol class="default-list"> <li>In the <b>Azure Arc </b>blade in the portal, navigate to the Hyper-V host which you onboarded earlier, and navigate to <b>Licenses</b> and <b>Windows Server</b>.</li> <li>Azure Arc will show the system's license details, activation status and the Arc agent status. If you're using an <a href="https://www.techtarget.com/searchwindowsserver/tutorial/Activate-Windows-Server-2019-with-KMS-or-the-command-line">on-premises licensing model, such as multiple activation key (MAK),</a> then Azure will not know if the system is covered with Software Assurance. You will have to manually confirm this by clicking the checkbox next to <b>Activate Azure benefits</b>.</li> <li>Navigate to <b>Windows management</b> and go to <b>Windows Admin Center</b>.</li> <li>Select <b>Set up</b> and the system will prompt you to choose a network port for the remote system to listen on. You can change the default port if necessary.</li> <li>Click <b>Install</b> to install the <b>AdminCenter</b> extension on the Hyper-V host. Extensions for Arc-enabled systems function in essentially the same manner as Azure VM extensions, providing discrete applications that bring additional functionality, such as monitoring or Entra-integrated authentication. To see the progress of the installation, navigate to <b>Settings</b> and select <b>Extensions</b>.</li> <li>After the extension installs, navigate back to <b>Windows Admin Center</b>. The UI should show <b>Connect </b>rather than <b>Set up</b>. Click <b>Connect</b> to establish connectivity to Windows Admin Center on the Hyper-V host.</li> </ol> <p><b>Note:</b> At the time of writing, only Chromium-based browsers, such as Microsoft Edge will work to connect to Windows Admin Center via Azure Arc. Non-Chromium browsers, such as Firefox don't work, even though you can use them to navigate the Azure portal.</p> <p>Under <b>Tools</b>, you will find multiple Windows Server features now exposed directly in the Azure portal, including <b>Firewall</b>, <b>Installed Apps</b>, <b>Remote Desktop</b>, <b>Virtual Machines</b> and <b>Virtual Switches</b>.</p> <p>Select <b>Virtual Machines</b> to see all the VMs currently configured on the Hyper-V host. Through this interface, you can perform almost the same administrative functions as you can when logged in locally to the server, including:</p> <ul class="default-list"> <li>creating and deleting VMs,</li> <li>modifying the configuration of existing VMs, and</li> <li>managing the host's virtual networks and Hyper-V settings.</li> </ul> <p>Some operations remain local to the Hyper-V host, such as the location of files and folders for VM storage, and access to ISOs for operating system installation.</p> <p>Navigate to the <b>Remote Desktop</b> blade for work that requires you to interact locally with the Hyper-V host. Remote Desktop enabled on the remote system allows you to open a secure session directly to the host as if it were a local connection.</p> <p>This feature also extends to the VMs. Navigate back to <b>Virtual Machines</b> and select one of the running Windows VMs. Select <b>Connect</b> and then <b>Connect</b> again from the drop-down. Enter the credentials for the Hyper-V host (not the VM) to establish a Remote Desktop session to the VM via the Hyper-V host to interact directly with the VM without needing:</p> <ul class="default-list"> <li>a private network connection,</li> <li>enabling Remote Desktop on the VM, or</li> <li>onboarding the VM via Azure Arc.</li> </ul> <p>Finally, select the <b>PowerShell</b> blade to open a remote interactive PowerShell session to the Hyper-V host and run any local PowerShell commands or scripts directly on the host, including the Azure Arc onboarding scripts.</p> <p><i>James Bannan is a principal security consultant with more than 25 years of industry experience, specializing in Microsoft Azure architecture, security and automation. He is a published author and journalist, as well as a former Microsoft MVP and a current Microsoft Certified Trainer.</i></p> </section> Azure Arc centralizes Hyper-V management via the Azure portal and enables remote administration from devices without requiring a VPN. https://cdn.ttgtmedia.com/rms/onlineimages/keyboard_g1077903946.jpg https://www.techtarget.com/searchwindowsserver/tip/Admins-guide-to-Azure-Arc-Hyper-V-management Thu, 04 Sep 2025 08:51:00 GMT Admin's guide to Azure Arc Hyper-V management <p>Following the WSUS deprecation notice, enterprises that have yet to shift their patch management process will want to take a closer look at alternatives, such as the Azure Arc and the Azure Update Manager service.</p> <p>Patch management is a critical task to keep Windows Server environments secure, stable and performant. In September 2024, Microsoft signaled to customers that it will <a href="https://www.techtarget.com/searchwindowsserver/tip/The-Microsoft-patch-management-guide-for-admins">no longer add new features to Windows Server Update Services (WSUS)</a> and recommended exploring other avenues. Microsoft offers several options to keep Windows Server up to date with the latest software. One tool that has been gaining traction since its introduction in November 2019 is Azure Arc, a tool for admins to manage on-premises and cloud infrastructure via the Azure control plane. Azure Arc also extends Azure services, such as Azure Monitor and Azure Policy, to Windows Server workloads in the data center. This tutorial will cover the Azure Arc setup process and run through the <a href="https://www.techtarget.com/searchwindowsserver/tip/How-to-use-Windows-Server-2025-hotpatching">patch deployment of an on-premises server</a>.</p> <section class="section main-article-chapter" data-menu-title="Why Azure Arc is an effective tool for patching"> <h2 class="section-title"><i class="icon" data-icon="1"></i>Why Azure Arc is an effective tool for patching</h2> <p>Larger organizations often rely on either WSUS or on a third-party patch management tool. These utilities can scale to handle many servers, while also providing rich reporting capabilities to help organizations assess their patch management status.</p> <p>Although WSUS does a good job of keeping Windows machines up to date with the latest fixes, it is primarily designed for on-premises patch management. Companies that host workloads both on premises and in the Azure cloud might use a patch management tool in their data center and another within Azure. However, there is a convenient way to use the Azure Update Manager to handle patch management both in the cloud and on-premises.</p> <p>The key to using Azure Arc with on-premises servers is to "Arc-enable" the servers, as Microsoft calls it. Azure Arc is a service designed to manage physical servers and VMs both on-premises and in Azure and other clouds. Azure Arc can also <a href="https://www.techtarget.com/searchitoperations/tutorial/Manage-Kubernetes-clusters-with-PowerShell-and-kubectl">handle Kubernetes clusters</a> and databases.</p> <p>Arc-enabling a server or VM just requires installing the Azure Connected Machine agent onto the server. There's no need to set up a VPN or establish direct connectivity to Azure, as long as the machine has Internet access.</p> <p>Microsoft makes the Azure Arc control plane available for free. This means that you can use Azure Arc to tag resources and to enable search and indexing for those resources. The free Azure Arc plan also lets you take advantage of <a href="https://www.techtarget.com/searchsecurity/definition/role-based-access-control-RBAC">Role Based Access Control (RBAC)</a> permissions and you can use templates to automate various tasks. If an organization is using VMware vCenter or System Center Virtual Machine Manager, then you can use the Azure Arc control plane to inventory your resources and to perform lifecycle management for your VMs. To use Azure Update Manager in Arc-enabled VMs costs $0.162 per server per day or $5 per server per month for months with 31 days.</p> <p>Microsoft does not charge when a customer uses Azure Update Manager in the following scenarios:</p> <ul class="default-list"> <li>the Arc-enabled VM has Extended Security Updates (ESUs);</li> <li>the subscription that hosts the Arc-enabled VM also has Microsoft Defender for Servers Plan 2; or</li> <li>the Arc-enabled VM uses Windows Server licenses with either active Software Assurance license or <a href="https://www.techtarget.com/searchwindowsserver/tip/Understand-how-Windows-Server-2025-PAYG-licensing-works">Windows Server pay-as-you-go</a>.</li> </ul> <p>While Microsoft allows free access to the Azure Arc control plane, any Azure cloud services exposed through SCVMM or VMware vCenter will incur standard Azure usage charges. The same holds true for Azure services consumed through Arc-enabled Kubernetes clusters. Microsoft also charges a fee for Extended Security Updates (ESUs) for legacy systems and using Azure Arc to manage SQL Server instances.</p> </section> <section class="section main-article-chapter" data-menu-title="How to connect Azure Arc to a server using the Azure portal"> <h2 class="section-title"><i class="icon" data-icon="1"></i>How to connect Azure Arc to a server using the Azure portal</h2> <p>Configuring servers to use Azure Arc involves deploying the Azure Connected Machine agent to the VMs, using the Azure portal, <a href="https://www.techtarget.com/searchcloudcomputing/tip/Evaluate-Azure-CLI-vs-PowerShell-for-resource-management">Azure CLI or PowerShell.</a></p> <p>First, log in to the Azure portal and open the Azure Arc service. Click the <b>Add Resources</b> button, then click on the <b>Add/Create</b> button under the <b>Machines</b> section. Choose the <b>Add a Machine</b> option after the prompt to begin the onboarding process.</p> <p>Next, the console will prompt to specify the type of resource to onboard. For the purposes of this article, choose <b>Add a Single Server with Installer</b>. (Azure Arc also provides options to onboard multiple servers at once, including Linux VMs.) Azure Arc will download an installer file in your browser. Copy the installer file to the server you want to manage with Azure Arc.</p> <p>Next, go to the VM to manage and launch the executable. The installer will start a wizard for the installation process, which will require signing into Azure and choosing the subscription. When complete, Azure Arc can now manage the VM via the Azure Connected Machine agent.</p> </section> <section class="section main-article-chapter" data-menu-title="How to manage patches for Arc-enabled servers"> <h2 class="section-title"><i class="icon" data-icon="1"></i>How to manage patches for Arc-enabled servers</h2> <p>After onboarding the server to Azure Arc, configure that server to receive updates. Start by opening the Azure Update Manager service in the Azure portal, then select the <b>Resources</b> tab and click <b>Machines</b>. The Arc-enabled server should be listed on the <b>Machines</b> tab.</p> <figure class="main-article-image full-col" data-img-fullsize="https://www.techtarget.com/rms/onlineimages/posey_azurearc_1-f.jpg"> <img data-src="https://www.techtarget.com/rms/onlineimages/posey_azurearc_1-f_mobile.jpg" class="lazy" data-srcset="https://www.techtarget.com/rms/onlineimages/posey_azurearc_1-f_mobile.jpg 960w,https://www.techtarget.com/rms/onlineimages/posey_azurearc_1-f.jpg 1280w" alt="A menu showing the Machines page in Azure Update Manager." height="163" width="560"> <figcaption> <i class="icon pictures" data-icon="z"></i>After adding the server to Azure Arc, it should be listed on the Machines page. </figcaption> <div class="main-article-image-enlarge"> <i class="icon" data-icon="w"></i> </div> </figure> <p>The screenshot shows a console message that "1 out of 1 machine(s) don't have update data." To enable automatic updates for the machine, click the <b>Enable Now</b> link located at the end of the message. Alternatively, click the <b>Check for Updates</b> button to start an immediate update check for the VM.</p> <p>After the update assessment, the Azure Update Manager dashboard may show a message about pending updates. Click the message to see the results. The options are to either install the updates immediately or <a href="https://www.techtarget.com/searchenterprisedesktop/tip/Creating-a-patch-management-policy-Step-by-step-guide">schedule them during a maintenance window</a>. Note that there might be delays when forcing an immediate update. During testing, it took 30 minutes from the start of the update until the dashboard updated the VM's status. IT administrators will need to account for this delay when verifying update compliance and to avoid unnecessary troubleshooting.</p> <figure class="main-article-image full-col" data-img-fullsize="https://www.techtarget.com/rms/onlineimages/posey_azurearc_2-f.jpg"> <img data-src="https://www.techtarget.com/rms/onlineimages/posey_azurearc_2-f_mobile.jpg" class="lazy" data-srcset="https://www.techtarget.com/rms/onlineimages/posey_azurearc_2-f_mobile.jpg 960w,https://www.techtarget.com/rms/onlineimages/posey_azurearc_2-f.jpg 1280w" alt="A menu in Azure Update Manager showing the recommended updates for the selected VM." height="215" width="560"> <figcaption> <i class="icon pictures" data-icon="z"></i>Select the VM to see the available updates. </figcaption> <div class="main-article-image-enlarge"> <i class="icon" data-icon="w"></i> </div> </figure> </section> <section class="section main-article-chapter" data-menu-title="How to connect a server to Azure Arc with PowerShell"> <h2 class="section-title"><i class="icon" data-icon="1"></i>How to connect a server to Azure Arc with PowerShell</h2> <p>Instead of the Azure portal, PowerShell is another option for admins who prefer this method. To start, install the <b>Az.ConnectedMachine</b> module with this command:</p> <p><span style="font-family: 'courier new', courier, monospace;"><b>Install-Module -Name Az.ConnectedMachine</b></span></p> <p>Next, use the <b>Connect-AZAccount</b> command to log into Azure. Lastly, install the Azure Connected Machine agent with this command:</p> <p><span style="font-family: 'courier new', courier, monospace;"><b>Connect-AzConnectedMachine -ResourceGroupName myResourceGroup -Name myMachineName -Location <region></b></span></p> <p>The command downloads the Connected Machine agent, installs it on the server, creates the Azure Arc-enabled server resource and associates it with the agent. The onboarding process takes a few minutes to complete.</p> <p>This concludes the setup necessary to use Azure Arc for patch management. However, for other tasks that require secure remote access, Azure Arc allows connections to Arc-enabled machines <a href="https://www.techtarget.com/searchvirtualdesktop/tip/How-to-enable-RDP-remotely-with-several-different-methods">using Remote Desktop Protocol (RDP)</a> and the Windows Admin Center extension in Azure or SSH with either Azure CLI or PowerShell.</p> </section> <section class="section main-article-chapter" data-menu-title="How to use the reporting feature in Azure Arc"> <h2 class="section-title"><i class="icon" data-icon="1"></i>How to use the reporting feature in Azure Arc</h2> <p>While the Azure Update Manager dashboard provide information regarding the patch management status of Arc-enabled machines, Azure Arc can generate more detailed reports.</p> <p>To start, expand the console's <b>Monitoring</b> container and then click on the <b>Reports</b> tab. Next, click on the <b>Overview</b> report in the Azure Update Manager section.</p> <p>At the <b>Reports</b> screen, select the subscription from the menu. By default, the report will span the entire tenant, so it's helpful to filter by region, resource type and time range. You can save the report by clicking on the Save icon.</p> <p>You can filter the report by location, resource type, or time range. Azure Workbooks connect to Azure Arc for even more granular <a target="_blank" href="https://docs.azure.cn/en-us/update-manager/manage-workbooks" rel="noopener">information</a> related to patching, including compliance status across the infrastructure, security update install success rates and update deployment history.</p> </section> Admins should explore their patching options now that Microsoft deprecated WSUS. Azure Arc offers integration with Azure to give the operations team a unified management approach. https://cdn.ttgtmedia.com/rms/onlineimages/container_g1294273513.jpg https://www.techtarget.com/searchwindowsserver/tutorial/Azure-Arc-setup-tips-for-on-premises-server-management Wed, 03 Sep 2025 13:34:00 GMT Azure Arc setup tips for on-premises server management SearchWindows Server Resources and Information from TechTarget 60 webmaster@techtarget.com