Windows OS Hub for SysAdmins
Windows System Admin's Blog https://woshub.com
Detailed guides cover Windows Server, Active Directory, GPO, PowerShell, Exchange, Microsoft 365, VMWare, Linux and more.
📦 The Microsoft Store is similar to Google Play and the Apple Store. It is designed to be a secure way to download, install, update and manage applications on Windows 10 and 11.

There are two types of apps available on the Microsoft Store:
🔹 APPX - the Universal Windows Platform (UWP) format, which uses a different API from that of classic Win32 applications.
🔹 MSIX - a newer application delivery format that allows you to distribute not only APPX packages, but also classic Windows desktop applications packaged in MSI format.

⬇️ Some Windows apps can currently only be installed from the Microsoft Store. If you don't have the Microsoft Store app installed on your computer (it's been disabled, blocked or removed), you can manually download the software installation files in APPX and MSIX formats.

📥 How to get a direct link to download an APPX/MSIX file with all dependencies from the Microsoft Store for offline installation
🛡 Microsoft Sysinternals' Sigcheck tool allows you to scan the local certificate store for suspicious third-party certificates installed on your computer.
🤝 The tool compares the list of installed certificates with the list of Trusted Root Certification Authorities published by Microsoft, and displays certificates that are not on that list. For security purposes, it is recommended that you periodically scan the local trusted root CA store for suspicious third-party certificates.
✅ Scan the local computer's certificate store:
sigcheck64.exe -tv *

✅ Check the user certificate stores:
sigcheck64.exe -tuv *

✅ Remove a certificate from the computer's trusted root CA store by its thumbprint:
certutil -delstore Root C17163D597E8A9F01F5E55679866C6C941540195


🔹 Scanning Windows Certificate Root Store for Suspicious Certificates
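An added PowerShell example (not from the channel or the woshub.com article) that complements the Sigcheck check above: instead of comparing against Microsoft's published root list, it captures a baseline of the LocalMachine Root store on a known-good machine and later reports any root CA that is not in that baseline. The baseline path and the `<THUMBPRINT>` placeholder are assumptions.

```powershell
# Added example, not from the original post: baseline diff of the machine's trusted root store.
# "sigcheck -tv" compares against Microsoft's root list; this compares against your own
# known-good reference image instead, so a root CA pushed by malware or a rogue GPO shows up.

function Export-RootCaBaseline {
    # Run once on a clean reference machine; the path is an assumed location.
    param([Parameter(Mandatory)][string]$Path)
    Get-ChildItem Cert:\LocalMachine\Root |
        Select-Object Thumbprint, Subject, NotAfter |
        Sort-Object Thumbprint |
        Export-Csv -Path $Path -NoTypeInformation
}

function Find-UnexpectedRootCa {
    # Returns root CAs present on this machine but absent from the baseline.
    param([Parameter(Mandatory)][string]$BaselinePath)
    $known = @(Import-Csv -Path $BaselinePath | ForEach-Object { $_.Thumbprint.ToUpperInvariant() })
    Get-ChildItem Cert:\LocalMachine\Root |
        Where-Object { $known -notcontains $_.Thumbprint.ToUpperInvariant() } |
        Select-Object Thumbprint, Subject, Issuer, NotBefore, NotAfter,
            @{ Name = 'SelfSigned'; Expression = { $_.Subject -eq $_.Issuer } },
            @{ Name = 'SigAlg';     Expression = { $_.SignatureAlgorithm.FriendlyName } }
}

# Usage (assumed paths):
# Export-RootCaBaseline -Path '\\fileserver\baselines\root-ca-baseline.csv'        # on the reference machine
# Find-UnexpectedRootCa -BaselinePath '\\fileserver\baselines\root-ca-baseline.csv'  # on any other machine
#
# Removing a confirmed-rogue root by thumbprint from PowerShell (same effect as
# "certutil -delstore Root <thumbprint>"; needs an elevated shell):
# Get-ChildItem Cert:\LocalMachine\Root | Where-Object Thumbprint -eq '<THUMBPRINT>' | Remove-Item
```

Run the export on a freshly built machine before it receives any third-party software, and keep the CSV on a share the endpoints can only read; a root that appears on one machine but not in the baseline is worth investigating even if Sigcheck does not flag it, because a legitimate enterprise CA can also be planted without authorization.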
📜 It is convenient to use Group Policies to centrally install or remove certificates on user computers in an AD environment.

✅ With a GPO, you can deploy your root CA certificate or install a self-signed certificate on all domain machines in just a few clicks.

🔹 Deploy certificates to Windows computers using the GPO
♾ In the age of installing software from online repositories and continuous integration, creating a custom Windows installation image with pre-installed software is a thing of the past. By the time you start deploying the image to devices, some of the applications in your gold Windows image will already be out of date. 🤷‍♂️ Therefore, after deploying the image to a computer, it is usually easier to automate the installation of the software packages using any available management tool.

⚙️ However, business specifics may require a pre-built gold Windows image with all the necessary software, files and settings to be deployed to end-user computers.

✅ How to Create a Custom Windows Image with Pre-installed Software
🩹 Many organizations use deferred patch deployment on Windows Server hosts. If you have a maintenance window and need to quickly download and install updates on all servers, you can use the PSWindowsUpdate module.

1️⃣ Create a list of Windows Server hosts in AD:
$srvs = Get-ADComputer -SearchBase "OU=Servers,DC=woshub,DC=loc" -Filter {OperatingSystem -like "*Windows Server*"} | Select-Object -ExpandProperty Name

🔹 or from a TXT file:
$srvs = Get-Content C:\servers.txt

2️⃣ Start the installation of the updates on the servers from the list:
Invoke-WUJob -ComputerName $srvs -Script {Import-Module PSWindowsUpdate; Install-WindowsUpdate -AcceptAll -AutoReboot | Out-File "C:\update.log"} -RunNow -Confirm:$false -Verbose -ErrorAction Ignore

This command creates a scheduled task on the target computers that runs with SYSTEM privileges, installs the updates and reboots the host when complete.

3️⃣ Check the update installation status:
Get-WUJob -ComputerName $srvs

✅ How to install updates using the PSWindowsUpdate module
๐Ÿ Microsoft announced last year that build 22H2 would be the final version of Windows 10. Support for Windows 10 22H2 will end on 14 October 2025, at which point Windows 10 machines will no longer receive security updates.

๐Ÿ”ผ If you are not using the LTSC editions of Win 10, you will need to upgrade your computers to Windows 11 in order to receive the latest security updates. Bearing in mind that W11 has restrictions on older CPU versions (processors prior to 2017 are not supported) and the presence of a TPM chip, there may be problems upgrading older computers to Windows 11.

๐Ÿ”จ There are a number of ways to bypass the minimum hardware requirements when upgrading to Windows 11, but none of them are officially supported, and it is not clear what their status will be. In any case, administrators need to proactively inventory their computer fleet to ensure that they meet the minimum requirements for Windows 11.

โœ… How to upgrade an unsupported computer to Windows 11
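An added PowerShell example (not from the channel or the woshub.com article) for the fleet inventory the post calls for: it reads the Windows 11 hardware requirements that WMI/CIM exposes on a machine and flags the ones below the published minimums. The host-list file in the usage lines is an assumption; the CPU model still has to be matched against Microsoft's supported-processor lists by hand, because WMI does not expose a release year.

```powershell
# Added example, not from the original post: collect the Windows 11 minimum-requirement
# data that can be read locally. Run in an elevated PowerShell: Win32_Tpm and
# Confirm-SecureBootUEFI require administrator rights.

function Get-Win11Readiness {
    $cs  = Get-CimInstance -ClassName Win32_ComputerSystem
    $cpu = Get-CimInstance -ClassName Win32_Processor | Select-Object -First 1
    $os  = Get-CimInstance -ClassName Win32_OperatingSystem
    $tpm = Get-CimInstance -Namespace root\cimv2\Security\MicrosoftTpm -ClassName Win32_Tpm -ErrorAction SilentlyContinue
    # Confirm-SecureBootUEFI throws on legacy BIOS machines; treat that as "not capable".
    $secureBoot = try { [bool](Confirm-SecureBootUEFI) } catch { $false }
    $sysDisk = Get-CimInstance -ClassName Win32_LogicalDisk -Filter "DeviceID='$env:SystemDrive'"

    # SpecVersion looks like "2.0, 0, 1.38"; the first field is the TPM specification level.
    $tpmSpec = if ($tpm) { ($tpm.SpecVersion -split ',')[0].Trim() } else { 'none' }

    $result = [pscustomobject]@{
        ComputerName = $env:COMPUTERNAME
        OSBuild      = $os.BuildNumber
        CpuName      = $cpu.Name.Trim()          # check this against Microsoft's supported-CPU list
        Cpu64Bit     = ($cpu.AddressWidth -eq 64)
        CpuCores     = $cpu.NumberOfCores
        CpuMHz       = $cpu.MaxClockSpeed
        RamGB        = [math]::Round($cs.TotalPhysicalMemory / 1GB, 1)
        SysDiskGB    = [math]::Round($sysDisk.Size / 1GB, 1)
        TpmSpec      = $tpmSpec
        SecureBoot   = $secureBoot
    }
    # Published minimums: 64-bit CPU, 2 cores, 1 GHz, 4 GB RAM, 64 GB disk, TPM 2.0, UEFI Secure Boot.
    $result | Add-Member -NotePropertyName MeetsMinimum -NotePropertyValue (
        $result.Cpu64Bit -and $result.CpuCores -ge 2 -and $result.CpuMHz -ge 1000 -and
        $result.RamGB -ge 4 -and $result.SysDiskGB -ge 64 -and $tpmSpec -eq '2.0' -and $secureBoot
    ) -PassThru
}

# Usage: locally, or across the fleet with PowerShell Remoting (host list file is assumed):
# Get-Win11Readiness
# Invoke-Command -ComputerName (Get-Content C:\pcs.txt) -ScriptBlock ${function:Get-Win11Readiness} |
#     Where-Object { -not $_.MeetsMinimum } | Format-Table -AutoSize
```

A machine that reports TpmSpec 'none' may still have a TPM that is disabled in firmware, and SecureBoot reports the current state rather than capability, so treat the output as a worklist of machines to inspect, not as a final verdict.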
🛠 A Managed Service Account (MSA) is a special type of Active Directory account used to run services and scheduled tasks on domain-joined workstations and servers. Typically, to run services on servers, separate user accounts with limited permissions are created in AD. The main problem with such accounts is that administrators have to manage the passwords of these service users: store the current password, change it, and reconfigure the services after the password change. The passwords of MSA service accounts are managed by Active Directory itself.

✅ MSA account benefits:

🔹 Automatic password change
🔹 240-character complex passwords
🔹 MSA accounts cannot log on to domain computers interactively
🔹 No redundant permissions (MSA accounts are not added to the Domain Users group)
🔹 Only one computer can be associated with an MSA account. Group Managed Service Accounts (gMSA) can be used on multiple computers.
🔹 Automatic SPN management

🔨 Getting Started with Managed Service Accounts (MSA and gMSA) in AD
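An added PowerShell example (not from the channel or the woshub.com article) showing the gMSA variant from the last bullet: a service account whose password only the hosts in one AD group can retrieve. The domain woshub.loc is reused from the channel's other examples; the OU paths, group name, server names, account name and SPN are assumptions.

```powershell
# Added example, not from the original post: create a gMSA scoped to a group of hosts.
Import-Module ActiveDirectory

# One-time per forest: the KDS root key from which gMSA passwords are derived.
# In production use -EffectiveImmediately and wait ~10 hours for replication;
# the backdated form below is only for single-DC test labs.
if (-not (Get-KdsRootKey)) {
    Add-KdsRootKey -EffectiveTime (Get-Date).AddHours(-10)
}

# Least privilege: only members of this group can retrieve the managed password.
New-ADGroup -Name 'gMSA-WebApp-Hosts' -GroupScope Global -Path 'OU=Groups,DC=woshub,DC=loc'
Add-ADGroupMember -Identity 'gMSA-WebApp-Hosts' `
    -Members (Get-ADComputer -Identity 'SRV1'), (Get-ADComputer -Identity 'SRV2')

New-ADServiceAccount -Name 'gmsaWebApp' `
    -DNSHostName 'gmsaWebApp.woshub.loc' `
    -PrincipalsAllowedToRetrieveManagedPassword 'gMSA-WebApp-Hosts' `
    -ManagedPasswordIntervalInDays 30 `
    -ServicePrincipalNames 'HTTP/webapp.woshub.loc' `
    -Path 'OU=ServiceAccounts,DC=woshub,DC=loc'

# On each member server (reboot first so the host's Kerberos ticket includes the new group):
# Install-ADServiceAccount -Identity 'gmsaWebApp'
# Test-ADServiceAccount -Identity 'gmsaWebApp'    # True when this host can retrieve the password
# Then configure the service to run as WOSHUB\gmsaWebApp$ and leave the password field blank.
```

Scoping PrincipalsAllowedToRetrieveManagedPassword to a group rather than "Domain Computers" matters: any principal on that list can read the current password, so the list is exactly the set of hosts whose compromise would expose the account.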
โš™๏ธ System Restore Points allow you to roll back Windows, drivers, and installed apps to the state they were in when the point was created. Windows restore points are based on volume checkpoints created using the Volume Shadow Copy service (VSS):

โœ… Before creating a checkpoint, the VSS service instructs all VSS-aware applications to write unsaved I/O operations from memory (buffers, caches, etc.) to disk, and then reports that it is ready to take a snapshot.

โœ… If you are restoring from a system restore point, the data in the snapshot will not overwrite the personal files in the user profile folders.

โœ… You can manually extract a previous version of any file from a restore point.

How to Create, Delete, and Manage System Restore Points on Windows
📚 By default, modern versions of Windows use UDP port 3389 for Remote Desktop (RDP) connections, in addition to the standard TCP/3389 port.

✅ The control TCP (HTTP) session sends keyboard and mouse commands, and multiple UDP sessions are used for image transmission. All of this is designed to improve the responsiveness of the Remote Desktop session for users.

☝️ However, when using RDP over a VPN, using the UDP protocol can have the opposite effect, causing problems with freezing images, periodic disconnects and unstable sessions. This is most likely caused by fragmented UDP packets going through the VPN tunnel.

🛠 In this case, disabling the UDP transport protocol for RDP connections will help.

https://woshub.com/rdp-session-freezes-udp/
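An added PowerShell example (not from the channel or the woshub.com article) that shows the default setting beside the corrected one: it reports which RDP transports are configured on a host and whether a UDP/3389 listener is present, and then switches both the server and the client side to TCP only through the registry values behind the Group Policy settings "Select RDP transport protocols" and "Turn Off UDP On Client".

```powershell
# Added example, not from the original post: inspect and disable the RDP UDP transport.
$server = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'
$client = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services\Client'

function Get-RdpTransportState {
    $select = (Get-ItemProperty -Path $server -Name SelectTransport   -ErrorAction SilentlyContinue).SelectTransport
    $cli    = (Get-ItemProperty -Path $client -Name fClientDisableUDP -ErrorAction SilentlyContinue).fClientDisableUDP
    # SelectTransport: 0 = UDP and TCP (the default when the value is absent), 1 = TCP only, 2 = either
    $label = switch ($select) {
        1       { 'TCP only' }
        2       { 'UDP or TCP' }
        default { 'UDP and TCP (default)' }
    }
    [pscustomobject]@{
        ServerTransport   = $label
        ClientUdpDisabled = ($cli -eq 1)
        UdpListener3389   = [bool](Get-NetUDPEndpoint -LocalPort 3389 -ErrorAction SilentlyContinue)
    }
}

function Disable-RdpUdp {
    # Run elevated. Server side: accept TCP only. Client side: never attempt UDP.
    foreach ($path in $server, $client) {
        if (-not (Test-Path $path)) { New-Item -Path $path -Force | Out-Null }
    }
    Set-ItemProperty -Path $server -Name SelectTransport   -Value 1 -Type DWord
    Set-ItemProperty -Path $client -Name fClientDisableUDP -Value 1 -Type DWord
    # The server-side value applies to new connections after TermService restarts (or a reboot);
    # restarting the service disconnects current RDP sessions.
    Restart-Service -Name TermService -Force
}

# Usage: Get-RdpTransportState; Disable-RdpUdp; Get-RdpTransportState
```

The UdpListener3389 field is the quick confirmation after the change: once the server accepts TCP only, no UDP socket should remain bound to 3389, and the same check is a cheap way to notice hosts where a GPO has not applied.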
📚 Timely renewal and re-issuance of TLS/SSL certificates is an important aspect of the uninterrupted functioning of a wide range of services. The administrator needs to set up monitoring of this component of the infrastructure.

✅ In this article, we will show you how to configure Zabbix to monitor the expiration date of the SSL certificates of HTTPS web sites or web services, and notify the administrator in advance of any upcoming expiration dates.

➡️ In Zabbix Agent 2 with the web.certificate.get plugin, you can use the built-in template "Website certificate by Zabbix agent 2".

➡️ For earlier versions of Zabbix, you can configure the certificate expiry check by retrieving the values from console scripts using a UserParameter.

How to monitor SSL Certificate Expiry from Zabbix
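An added PowerShell example (not from the channel or the woshub.com article) of the UserParameter approach for the classic agent: a script that performs a TLS handshake with a host and returns the number of days until its certificate expires. The script path, the item key name and the trigger threshold are assumptions.

```powershell
# Added example, not from the original post: days until a host's TLS certificate expires.
# Save as C:\zabbix\scripts\Get-TlsCertDaysLeft.ps1 (assumed path) and add to zabbix_agentd.conf:
#   UserParameter=ssl.cert.days[*],powershell -NoProfile -ExecutionPolicy Bypass -File "C:\zabbix\scripts\Get-TlsCertDaysLeft.ps1" -HostName "$1" -Port "$2"
# Item key on the server: ssl.cert.days[woshub.com,443]
# Trigger:               last(/<host>/ssl.cert.days[woshub.com,443])<14
param(
    [Parameter(Mandatory)][string]$HostName,
    [int]$Port = 443,
    [int]$TimeoutMs = 5000
)

try {
    $tcp = New-Object System.Net.Sockets.TcpClient
    $tcp.ReceiveTimeout = $TimeoutMs
    $tcp.SendTimeout    = $TimeoutMs
    $tcp.Connect($HostName, $Port)

    # The validation callback accepts every chain result on purpose: the goal is to READ the
    # certificate's dates, and an already-expired or untrusted certificate must be reported
    # rather than hidden behind a handshake error. No application data is sent afterwards.
    $callback = [System.Net.Security.RemoteCertificateValidationCallback]{ $true }
    $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, $callback)
    $ssl.AuthenticateAsClient($HostName)      # $HostName is also sent as SNI

    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
    $daysLeft = [math]::Floor(($cert.NotAfter.ToUniversalTime() - (Get-Date).ToUniversalTime()).TotalDays)
    Write-Output ([int]$daysLeft)              # negative = already expired
}
catch {
    # Printing nothing makes Zabbix mark the item "not supported", which is itself alertable;
    # do not return a number here or a connection failure would look like a valid reading.
    Write-Error "TLS check of ${HostName}:${Port} failed: $($_.Exception.Message)"
    exit 1
}
finally {
    if ($ssl) { $ssl.Dispose() }
    if ($tcp) { $tcp.Close() }
}
```

Because the script only reads NotAfter, it will also report the leaf certificate of a host whose chain is already broken; a second item that validates the chain properly (for example with Zabbix Agent 2's web.certificate.get) is the right place to alert on trust problems.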
๐Ÿ“ VMware ESXi doesn't have built-in tools to reduce the size of the virtual machine disk (VMDK). If I need to reduce the size of the virtual hard drive of the VM, this is how I do it:

1๏ธโƒฃ Backup .vmdk and *-flat.vmdk files (on a powered off VM)
2๏ธโƒฃ Reduce the size of the hard disk partition in the guest operating system.
3๏ธโƒฃ To reduce the VMDK size on VMware ESXi, you can use the graphical vCenter Converter Standalone (if available). Or can directly edit the VMDK file that contains the virtual disk configuration.
4๏ธโƒฃ To update the virtual disk size in the vSphere console, you must unregister and then register the VM (using its VMX file).

โœ… How to Shrink VMDK Virtual Disk Size on VMware ESXi
🧱 Windows 10 supports multiple partitions on a USB flash drive, starting with build 1703. You can create and manage partitions on a USB stick in the same way as you would on a local (fixed) drive.

⌛️ Previous Windows versions showed only the first partition on removable drives. If you needed to create multiple partitions on a USB stick, you had to use a special Hitachi filter driver that replaced the response from the removable drive so that it was recognized as a fixed drive (Converting USB Removable to Fixed Disk).

✅ Multi-partition USB sticks are most commonly used for:
🔹 Creating separate logical sections within the USB stick that can be accessed separately (including the ability to hide some partitions)
🔹 Multiple partitions with different file systems
🔹 Multiboot drives with multiple operating systems (for example, LiveCDs)

How to Create Multiple Partitions on a USB Drive in Windows
🥱 The Wake-on-LAN (WOL) standard allows you to turn on a computer remotely by sending a special Magic Packet over the LAN that contains the MAC address of the computer's network adapter.
The network adapter wakes the computer from a power-saving state (hibernation or sleep) when it receives such a network packet.

✅ WOL support is available not only for Ethernet adapters, but also for Wi-Fi wireless adapters (Wake on Wireless LAN, WoWLAN).

⚙️ This article describes how to configure and use Wake-on-LAN in Windows.

https://woshub.com/wake-on-lan-windows/
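An added PowerShell example (not from the channel or the woshub.com article) that builds the Magic Packet the post describes, six 0xFF bytes followed by the target MAC repeated sixteen times, and sends it as a UDP broadcast; it also shows the adapter-side switch that allows the NIC to wake the machine. The MAC address and adapter name in the usage lines are constructed placeholders.

```powershell
# Added example, not from the original post: construct and send a WOL Magic Packet.

function Send-WolMagicPacket {
    param(
        [Parameter(Mandatory)][string]$MacAddress,   # "00-11-22-33-44-55", "00:11:22:33:44:55" or "001122334455"
        [string]$Broadcast = '255.255.255.255',       # on routed networks use the target subnet's directed broadcast
        [int]$Port = 9
    )
    $hex = $MacAddress -replace '[^0-9A-Fa-f]', ''
    if ($hex.Length -ne 12) { throw "Invalid MAC address: $MacAddress" }
    $mac = [byte[]](0..5 | ForEach-Object { [Convert]::ToByte($hex.Substring($_ * 2, 2), 16) })

    # Magic Packet payload: 6-byte synchronization stream + 16 copies of the MAC = 102 bytes
    $packet = New-Object byte[] 102
    for ($i = 0; $i -lt 6; $i++)  { $packet[$i] = 0xFF }
    for ($i = 0; $i -lt 16; $i++) { [Array]::Copy($mac, 0, $packet, 6 + $i * 6, 6) }

    $udp = New-Object System.Net.Sockets.UdpClient
    $udp.EnableBroadcast = $true
    try     { [void]$udp.Send($packet, $packet.Length, $Broadcast, $Port) }
    finally { $udp.Close() }
    return $packet.Length    # 102
}

# On the machine to be woken (adapter name assumed): let the NIC wake the system on a Magic Packet
# Set-NetAdapterPowerManagement -Name 'Ethernet' -WakeOnMagicPacket Enabled
# powercfg /devicequery wake_armed          # lists the devices currently allowed to wake the system
#
# From another machine on the same LAN (MAC is a placeholder):
# Send-WolMagicPacket -MacAddress '00-11-22-33-44-55'
```

The packet is unauthenticated by design, so anyone on the broadcast domain who knows a MAC can wake that host; keep WOL confined to management VLANs and disable it on adapters of machines that should never be powered on remotely.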
🧩 A step-by-step guide to updating a standalone VMware ESXi host to the latest build from an online or offline bundle.

✅ How To Upgrade a Standalone VMware ESXi Host
โณ If you need to copy large files (virtual machine hard disks, images, etc.) between Windows hosts over an unstable, slow, or congested network connection, you can use the BITS protocol.

โš™๏ธ For example, to create a background asynchronous file transfer task using BITS that automatically dynamically increases or decreases file transfer speed depending on network connection load (to avoid interfering with the traffic of other network applications):

Start-BitsTransfer -Source C:\my.vhdx -Destination \\SR1\c$\images -Asynchronous  -Priority low -DisplayName CopyVHDSR1


Check the file transfer progress:
Get-BitsTransfer -Name CopyVHDSR1


Complete the transfer:
Get-BitsTransfer -Name CopyVHDSR1| Complete-BitsTransfer


โœ… This BITS background job runs in resume mode and will continue to run after a computer reboot or network failure. BITS can be used to transfer files between hosts via SMB or to download files from an IIS web server via HTTP.

Use PowerShell and BITS to Simplify Downloading Large Files
💬 To send a pop-up message to a remote Windows computer's desktop, you can use the standard MSG command. It allows you to specify the address of the remote host and the message text:

✅ Send a message to a specific user:
MSG "k.fabian" /server:MUN-SAP01 "Restart the SUPGUI client to get the latest updates!"

✅ Display a popup notification to all active users on the server:
MSG * /server:MUN-SAP01 "The server will be restarted in 10 minutes"

✅ You can send a customized notification with a picture to a remote computer using a small PowerShell script called RemoteSendToasNotification.ps1 (available on GitHub).

How to Send Toast Notifications and Network Pop-Up Messages on Windows Using PowerShell
โš™๏ธ This article provides steps to allow SSH access to VMware ESXi hosts with public/private key authentication rather than with username/password.

Configure passwordless authentication using SSH keys on VMware ESXi
💾 You can easily export (back up) all installed device drivers to a local directory using the built-in Windows tools. For example, you can export all third-party (non-Microsoft) drivers to a specific directory using PowerShell:
Export-WindowsDriver -Online -Destination C:\drivers

✅ Each driver, along with all of its required INF, SYS, CAT and DLL files, is exported from the Windows Driver Store into a separate directory.

⤵️ To install all device drivers from a directory, use the command:
pnputil.exe /add-driver C:\drivers\*.inf /subdirs /install

📥 If you only need to export a specific device driver (for example, for a Realtek NIC), you will need to know the name of its INF file in the Driver Store (the Driver property, e.g. oem20.inf):
Get-WindowsDriver -Online | Where-Object { ($_.ProviderName -like "*Realtek*") -and ($_.ClassName -eq "Net") }

Export a specific driver:
pnputil.exe /export-driver oem20.inf C:\drivers\realtek

✅ How to backup (export) device drivers in Windows
โš™๏ธ In some automation scenarios, you may need to read the contents of an email from your Outlook inbox and perform an action based on the sender/date/subject /content.

For example:
โœ… Automatically extract attachments from emails from any external system and save them to a specific folder
โœ… Create a ticket in ITSM when you receive email from a user.
โœ… Send yourself a notification to messenger when you receive an email from your boss. ๐Ÿ˜œ

Let's look at how you can access the contents of your Outlook mailbox from a PowerShell script.

https://woshub.com/read-outlook-email-powershell/
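An added PowerShell example (not from the channel or the woshub.com article) covering the first scenario in the list: it reads recent Inbox messages through the Outlook COM object and saves the attachments of messages from a chosen sender, treating the attachment file names as untrusted input. Outlook must be installed with a configured profile; the sender pattern and target folder are assumptions.

```powershell
# Added example, not from the original post: read Inbox mail via Outlook COM and save attachments.

function Get-OutlookInboxMail {
    param([int]$Days = 1, [string]$SenderLike = '*')
    $outlook = New-Object -ComObject Outlook.Application
    $ns      = $outlook.GetNamespace('MAPI')
    $inbox   = $ns.GetDefaultFolder(6)                       # 6 = olFolderInbox
    # Restrict() filters in the store instead of enumerating every item;
    # the date literal must be in the machine's locale format ('g' = general short).
    $since   = (Get-Date).AddDays(-$Days).ToString('g')
    $items   = $inbox.Items.Restrict("[ReceivedTime] >= '$since'")
    foreach ($m in $items) {
        if ($m.Class -ne 43) { continue }                    # 43 = olMail; skips meeting requests, reports, etc.
        if ($m.SenderEmailAddress -notlike $SenderLike) { continue }
        [pscustomobject]@{
            Received    = $m.ReceivedTime
            From        = $m.SenderEmailAddress
            Subject     = $m.Subject
            Attachments = $m.Attachments.Count
            Item        = $m
        }
    }
}

function Save-MailAttachments {
    param([Parameter(Mandatory)]$Mail, [Parameter(Mandatory)][string]$Folder)
    if (-not (Test-Path $Folder)) { New-Item -ItemType Directory -Path $Folder | Out-Null }
    $saved = @()
    foreach ($a in $Mail.Item.Attachments) {
        # The attachment name comes from the sender: drop any directory part and the characters
        # that could redirect the write outside $Folder, then prefix with the receive time.
        $name   = [System.IO.Path]::GetFileName($a.FileName) -replace '[\\/:*?"<>|]', '_'
        $target = Join-Path $Folder ('{0:yyyyMMdd-HHmmss}_{1}' -f $Mail.Received, $name)
        $a.SaveAsFile($target)
        $saved += $target
    }
    $saved
}

# Usage (sender pattern and folder are assumed):
# Get-OutlookInboxMail -Days 7 -SenderLike '*@monitoring.woshub.loc' |
#     Where-Object Attachments -gt 0 |
#     ForEach-Object { Save-MailAttachments -Mail $_ -Folder 'C:\Reports\Inbox' }
```

Filtering on SenderEmailAddress is a convenience, not authentication: the header is spoofable, so a script that acts on mail (creating tickets, running jobs) should only ever save files for later processing and never execute or open what it saved.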
🛠 Over time, Active Directory DNS zones become clogged with a large number of dynamic DNS records for devices that are no longer on the network. Windows Server DNS doesn't delete these stale records by default.

🧹 You can automatically remove old records that have not been updated for a long time with the DNS Aging and DNS Scavenging features in Windows Server.

✅ How to configure DNS Aging and Scavenging in Active Directory to clean up stale DNS records
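An added PowerShell example (not from the channel or the woshub.com article) that first lists the dynamic records scavenging would delete, so the result can be reviewed, and then enables aging on the zone and scavenging on one DNS server with the DnsServer module. The zone name reuses the channel's woshub.loc domain; the DNS server name and the 7-day intervals are assumptions.

```powershell
# Added example, not from the original post: preview stale records, then enable aging and scavenging.
Import-Module DnsServer

function Get-StaleDnsRecords {
    param(
        [Parameter(Mandatory)][string]$ZoneName,
        [string]$DnsServer = 'dc01.woshub.loc',
        [int]$NoRefreshDays = 7,
        [int]$RefreshDays   = 7
    )
    # A dynamic record becomes eligible for scavenging once its timestamp is older than
    # NoRefresh + Refresh. Static records have no timestamp and are never scavenged.
    $cutoff = (Get-Date).AddDays(-($NoRefreshDays + $RefreshDays))
    Get-DnsServerResourceRecord -ComputerName $DnsServer -ZoneName $ZoneName -RRType A |
        Where-Object { $_.Timestamp -and $_.Timestamp -lt $cutoff } |
        Select-Object HostName, Timestamp, @{ Name = 'IPv4'; Expression = { $_.RecordData.IPv4Address } }
}

function Enable-DnsAgingAndScavenging {
    param(
        [Parameter(Mandatory)][string]$ZoneName,
        [string]$DnsServer = 'dc01.woshub.loc',
        [int]$NoRefreshDays = 7,
        [int]$RefreshDays   = 7
    )
    # Zone level: records get timestamps and the two intervals apply to them.
    Set-DnsServerZoneAging -ComputerName $DnsServer -Name $ZoneName -Aging $true `
        -NoRefreshInterval ([TimeSpan]::FromDays($NoRefreshDays)) `
        -RefreshInterval   ([TimeSpan]::FromDays($RefreshDays))
    # Server level: enable scavenging on ONE DNS server only, so that a single, auditable
    # host performs the deletions.
    Set-DnsServerScavenging -ComputerName $DnsServer -ScavengingState $true `
        -ScavengingInterval ([TimeSpan]::FromDays(7))
    Get-DnsServerZoneAging -ComputerName $DnsServer -Name $ZoneName
}

# Usage:
# Get-StaleDnsRecords -ZoneName 'woshub.loc' | Format-Table          # review the list before enabling
# Enable-DnsAgingAndScavenging -ZoneName 'woshub.loc'
# Start-DnsServerScavenging -ComputerName 'dc01.woshub.loc' -Force   # run a scavenging cycle now
```

Review the preview for records that belong to servers with static addresses but were registered dynamically (they carry a timestamp and will be removed); convert those to static records before the first scavenging cycle rather than afterwards.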