I was working in VS Code when Git showed an untracked file in my project:

./upload-d1337.php

That stopped me immediately.

This is a Next.js app running on Node.js. There should never be a PHP file in the root of the project.

I opened it and found a full PHP webshell. A webshell is a backdoor. If someone can access it, they can run commands on your server, browse files, and upload more malicious code.

Now this was incident response.

How It Happened

The first shell was sitting at the project root.

After that, I searched the entire directory for *.php files and found another copy here:

./.next/static/chunks/upload-d1337.php

That folder is generated during the Next.js build process. It should only contain static JavaScript files. Seeing a PHP file there strongly suggested the application itself had been exploited.

I ran npm audit and found a critical advisory:

next 10.0.0 - 15.5.9
Next.js vulnerable to Remote Code Execution
https://github.com/advisories/GHSA-9qr9-h5gf-34mp

I was running version 15.5.2.

Remote Code Execution, or RCE, means an attacker can send a specially crafted request to your app and cause your server to execute code they control. In this case, that code wrote a PHP backdoor onto my server.

The Logs Confirmed It

From a single IP address, I saw this pattern:

00:23:32 - POST /  (303)
00:23:34 - POST /  (303)
00:23:36 - POST /  (500)
00:23:38 - POST /  (500)
00:23:39 - POST /  (303)
00:23:41 - GET /upload-d1337.php?key=d1337  (200)

Several POST requests hit the site first. A couple caused 500 errors, which usually happens while an exploit is being tuned.

Then immediately after, there was a successful request to the PHP file that had just been written.

This was almost certainly automated scanning. Bots continuously sweep the internet looking for known vulnerabilities in popular frameworks.

What I Did Immediately

I treated it as a real compromise.

1. Updated Next.js to the latest patched version

    

   npm install next@latest

    

2. Rebuilt and redeployed the app

3. Removed all discovered PHP files

4. Rotated API keys and secrets

5. Changed hosting credentials

6. Enabled two-factor authentication

If there is any chance code execution occurred, assume secrets may have been exposed.

Lessons Worth Keeping

Keep dependencies updated. Public vulnerabilities are actively exploited.

Run npm audit regularly. At minimum:

• Before production deployments

• After installing new packages

• As part of your CI pipeline using --audit-level=high

The goal is not to run it obsessively. The goal is to reduce how long you stay on a vulnerable version.

A clean Git working tree makes suspicious files obvious.

Deleting the malicious file is not enough. You have to patch the vulnerability that allowed it.

Limit what lives in your .env file. The fewer sensitive values your app holds, the smaller the blast radius.

References

Next.js Security Advisory
https://github.com/advisories/GHSA-9qr9-h5gf-34mp

Next.js Release Notes
https://github.com/vercel/next.js/releases

I still buy music.

Part of that is nostalgia, and part of it is a conscious choice. Music has always been a big part of my life. Punk rock, hardcore, metal, indie. I like owning the album, the artwork, the liner notes, and having a physical copy that lives on my shelf.

Because of that, I buy CDs and records, then rip my CDs into a lossless music library that I keep for myself. I stream that library to my devices so I can listen wherever I am, without depending on third-party services.

No piracy. No sketchy sources. Just music I bought and ripped for my own collection.

I already had a setup I liked. I just wanted to make it easier to use.

A quick personal note on supporting artists

I want to be explicit about something that matters to me. I believe in supporting artists and musicians directly. That means buying records and CDs, going to shows, and paying for the music that means something to you.

Everything described here is about ripping music I already own for my personal library. No piracy, no file sharing, no gray areas. Just taking physical media I paid for and making it usable in a modern, self-hosted setup.

If you care about music, especially local scenes and independent artists, the best thing you can do is support them with your money and your time. Buy the album. Go to the show. Talk to the band at the merch table. The tools are just tools. The point is the music and the people who make it.

 

A few local bands worth supporting

Since I’m talking about buying music and supporting artists, I’d be remiss not to call out a few local bands that have meant a lot to me as of recent. These are artists I’ve seen live, bought records from, and still listen to regularly.

 

Outpatient X  - Santa Cruz, CA
Bunker Club - Paso Robles, CA
Whats Good - Santa Cruz, CA

Why I use abcde on Linux

I really like abcde.

It is one of those Linux tools that has been around forever for a reason. It is reliable, flexible, and does exactly what it is supposed to do. Ripping, tagging, metadata lookups, encoding. It handles all of it without getting in the way.

I had no interest in replacing abcde or wrapping it in a heavy UI. I just wanted a better workflow when ripping more than one CD at a time.

A better multi-drive ripping workflow

I wrote a small wrapper script around abcde and called it ripcd.

From a terminal, I type:
 

ripcd

The script checks all connected optical drives, detects which ones actually have discs loaded, and shows a simple menu. I can select a single drive or press a to rip all loaded CDs at once.

When ripping multiple discs, each CD opens in its own terminal tab. That keeps metadata prompts clean and makes it easy to work through several discs in parallel without mixing things up.

At that point, abcde takes over and does what it already does best.

FLAC only, by design

This script always rips CDs to lossless FLAC.
 

That choice is intentional. My goal is a clean archive, not a dozen encoding options. I keep one high-quality copy and convert formats later if I need to.

If you want different behavior, the abcde command is easy to change. The script is simple and readable on purpose so it can be adapted without much effort.

Why this setup works for me

I enjoy building and maintaining my own music library. I enjoy Linux tools that respect my time. I enjoy small bits of automation that remove friction instead of adding complexity.

Once ripping CDs became something I could start and mostly ignore, I knew the workflow was right.

Below this post you will find instructions for installing abcde on Fedora KDE, Ubuntu, and similar Linux setups, along with the full ripcd script. Everything is shared directly on the page so you can copy, paste, and tweak it for your own system.

Installing ripcd

ripcd is a simple shell script. There is no installer. Copy it into place, make it executable, and you are done.

You can install it per user or system-wide.

The Script

#!/usr/bin/env bash
set -euo pipefail

# Detect optical drives with media inserted
get_drives_with_media() {
  for dev in /dev/sr*; do
    [[ -e "$dev" ]] || continue
    
    # Check if media is present
    if udevadm info -q property -n "$dev" 2>/dev/null | grep -qx 'ID_CDROM_MEDIA=1'; then
      echo "$dev"
    fi
  done
}

# Detect available terminal emulator
detect_terminal() {
  if command -v konsole >/dev/null 2>&1; then
    echo "konsole"
  elif command -v gnome-terminal >/dev/null 2>&1; then
    echo "gnome-terminal"
  elif command -v xterm >/dev/null 2>&1; then
    echo "xterm"
  else
    echo ""
  fi
}

# Find drives with media
mapfile -t drives < <(get_drives_with_media)

if (( ${#drives[@]} == 0 )); then
  echo "No discs detected in any optical drives."
  exit 1
fi

# Show menu
echo "Discs detected:"
echo
for i in "${!drives[@]}"; do
  echo "  $((i+1))) ${drives[$i]}"
done
echo
echo "  a) ALL (rip all drives simultaneously in tabs)"
echo "  q) Quit"
echo

read -rp "Select (1-${#drives[@]}, a, q): " choice

# Handle choice
case "${choice,,}" in
  q)
    echo "Quitting."
    exit 0
    ;;
    
  a|all)
    term="$(detect_terminal)"
    
    if [[ -z "$term" ]]; then
      echo "No supported terminal found. Cannot open tabs."
      exit 1
    fi
    
    case "$term" in
      konsole)
        echo "Opening Konsole with ${#drives[@]} tabs..."
        
        # Start an empty Konsole window
        konsole &
        konsole_pid=$!
        sleep 1.5
        
        # Find the D-Bus service
        service="org.kde.konsole-$konsole_pid"
        
        # Check if the service exists
        if ! qdbus | grep -q "$service"; then
          echo "Could not connect to Konsole via D-Bus, opening separate windows instead..."
          for dev in "${drives[@]}"; do
            konsole -e bash -lc "abcde -d '$dev' -o flac; echo; echo 'Done. Press Enter to close.'; read" &
            sleep 0.3
          done
          exit 0
        fi
        
        # Process each drive
        for i in "${!drives[@]}"; do
          dev="${drives[$i]}"
          
          if (( i == 0 )); then
            # First drive: use the existing session
            session=$(qdbus $service /Windows/1 currentSession 2>/dev/null)
          else
            # Additional drives: create new tabs
            session=$(qdbus $service /Windows/1 newSession 2>/dev/null)
            sleep 0.5
          fi
          
          if [[ -n "$session" ]]; then
            # Set tab title
            qdbus $service /Sessions/$session setTitle 1 "abcde $(basename "$dev")" 2>/dev/null
            
            # Send the command
            qdbus $service /Sessions/$session sendText "abcde -d '$dev' -o flac" 2>/dev/null
            qdbus $service /Sessions/$session sendText "$(printf '\r')" 2>/dev/null
            
            echo "Started ripping $dev in tab $((i+1))"
          fi
        done
        
        echo ""
        echo "All tabs created! You can:"
        echo "  - Press Ctrl+Shift+* to split tabs side-by-side"
        echo "  - Use Ctrl+Shift+Left/Right to switch between tabs"
        ;;
        
      gnome-terminal)
        echo "Opening ${#drives[@]} tabs in GNOME Terminal..."
        cmd="gnome-terminal"
        for dev in "${drives[@]}"; do
          cmd="$cmd --tab --title='abcde $(basename "$dev")' -- bash -lc \"abcde -d '$dev' -o flac; echo; echo 'Done. Press Enter to close.'; read\""
        done
        eval "$cmd" &
        ;;
        
      xterm)
        echo "Opening ${#drives[@]} separate xterm windows..."
        for dev in "${drives[@]}"; do
          xterm -title "abcde $(basename "$dev")" -e bash -lc "abcde -d '$dev' -o flac; echo; echo 'Done. Press Enter to close.'; read" &
        done
        ;;
    esac
    
    echo "All ripping processes started!"
    exit 0
    ;;
    
  *)
    # Check if it's a valid number
    if [[ "$choice" =~ ^[0-9]+$ ]] && (( choice >= 1 && choice <= ${#drives[@]} )); then
      dev="${drives[$((choice-1))]}"
      echo "Ripping ${dev}..."
      exec abcde -d "$dev" -o flac
    else
      echo "Invalid selection."
      exit 1
    fi
    ;;
esac

Option A: User-only install (recommended)

Copy the script to:

~/.local/bin/ripcd

Make it executable:

chmod +x ~/.local/bin/ripcd

Most modern distros already include ~/.local/bin in your PATH.

Option B: System-wide install

Copy the script to:

/usr/local/bin/ripcd

Make it executable:

sudo chmod +x /usr/local/bin/ripcd

This makes ripcd available to all users.

Optional: Close the launching terminal

If you want the terminal you run ripcd from to close after launching abcde, add an alias

User-only alias

Add to ~/.bashrc:

alias ripcd='~/.local/bin/ripcd && exit' 

Reload your shell:

source ~/.bashrc

System-wide alias

Create:

sudo nano /etc/profile.d/ripcd.sh

Add:

alias ripcd='ripcd && exit'

Using ripcd

Run:

ripcd 

The script will:

• Detect all connected optical drives

• Check which drives have discs loaded

• Show a menu of available options

Select a single drive or press a to rip all loaded CDs at once.

When ripping multiple discs, each CD opens in its own terminal tab or window. abcde then runs normally and prompts for metadata as needed.

Notes

• abcde must already be installed and working.

• All rips are done in lossless FLAC.

• Supported terminals: Konsole, GNOME Terminal, xterm.

• The abcde command inside the script can be modified if you want different options.

I’ve been running into this issue repeatedly for a few clients lately, usually showing up as Microsoft Teams or OneDrive throwing a vague “We’ve run into an issue” message and prompting the user to download Edge WebView2. After fixing it manually more times than I care to admit, I finally got annoyed with the repetitiveness and decided to automate the fix into a single batch script you can run with a double click.

In most cases, reinstalling Teams or OneDrive does nothing. That’s because the underlying problem usually isn’t the app itself.

What’s Actually Breaking

In my experience, this issue almost always comes down to a broken or partially corrupted Microsoft Edge WebView2 runtime. WebView2 is a shared system-level component that Microsoft uses to render UI inside apps like Teams and OneDrive. When it’s missing, corrupted, or stuck in a bad state, multiple apps can fail in similar and confusing ways.

Common causes I’ve seen include:

• Interrupted or failed WebView2 updates

• Corrupted installer files

• Pathing issues where WebView2 exists on disk but apps can’t resolve it correctly

Because WebView2 is installed separately from Teams and OneDrive, reinstalling those apps usually leaves the broken runtime untouched.

Why This Is Annoying to Fix Manually

One of the more frustrating parts of this issue is that WebView2 installs itself into a versioned folder under its application directory. The folder name is a numeric version string, for example 144.0.3719.82, and that version changes constantly as updates roll out.

That means:

• You can’t reliably hardcode the path

• The registry is not always trustworthy when the runtime is partially broken

• The installer you need is buried under a version-specific folder

This is exactly the kind of problem that’s easy to fix once, but painful to repeat across multiple machines.

What the Script Does

This script is designed to fix the “We’ve Run Into an Issue” / “Download Edge WebView2” error in a repeatable way.

At a high level, it does three things:

1. Allows WebView2 to be repaired

   • It updates two registry values that control whether the Edge WebView2 runtime can be reinstalled or repaired.

   • In certain failure states, those flags prevent the installer from doing anything useful.

2. Automatically finds the installed WebView2 version

   • Instead of relying on the registry or hardcoded paths, the script locates the active WebView2 version folder directly on disk.

   • It identifies the numeric version directory dynamically, so it works regardless of the installed version.

3. Runs a proper system-level repair

   • It executes the correct setup.exe from the discovered version folder.

   • This forces a clean, system-level repair install of the WebView2 runtime.

The end result is a repaired WebView2 runtime without having to uninstall Edge, reinstall Teams, or manually hunt through folders.

Usage Notes

• The script must be run as administrator.

• It will close Edge and WebView2 processes to avoid file locks.

• It returns an exit code of 0 when the repair completes successfully.

• It’s designed to be portable, you can drop it onto an affected machine and run it directly.

I’ve tried to keep this as universal as possible so it can be used across different systems without modification. If you do run into edge cases or failures in your environment, let me know, but this approach has been reliable for me and has saved a lot of repetitive cleanup work.

@ECHO OFF
SETLOCAL ENABLEEXTENSIONS
setlocal enabledelayedexpansion
COLOR 09
TITLE JOSHFRIDEY.COM WEBVIEWW2 FIX
:: --- Elevation Check ---
:: Check if script is running as admin (no redirection)
NET SESSION
IF %ERRORLEVEL% NEQ 0 (
   ECHO Requesting administrative privileges...
   PowerShell -Command "Start-Process '%~f0' -ArgumentList '/elevated' -Verb RunAs"
   EXIT /B
)
:: Check for elevation flag
IF "%1"=="/elevated" SHIFT
set "REGKEY=HKLM\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Microsoft EdgeWebView"
set "VALNAME=SystemComponent"
set "VALNAME2=NoRemove"
echo Setting %REGKEY% %VALNAME% to 0...
reg add "%REGKEY%" /v "%VALNAME%" /t REG_DWORD /d 0 /f
if errorlevel 1 (
 echo Failed to set registry value %VALNAME%.
)
reg add "%REGKEY%" /v "%VALNAME2%" /t REG_DWORD /d 0 /f
if errorlevel 1 (
 echo Failed to set registry value %VALNAME2%.
)
REM --- Determine WebView2 folder version from disk ---
set "APPROOT=C:\Program Files (x86)\Microsoft\EdgeWebView\Application"
set "RAW="
REM Find the only folder whose name contains only digits and dots, like 144.0.3719.82
for /d %%D in ("%APPROOT%\*") do (
 set "NAME=%%~nxD"
 set "TMP=!NAME!"
 REM Strip digits and dots
 for %%C in (0 1 2 3 4 5 6 7 8 9 .) do set "TMP=!TMP:%%C=!"
 REM If nothing remains, NAME was only digits and dots
 if "!TMP!"=="" (
   set "RAW=!NAME!"
   goto :FoundVersion
 )
)

:FoundVersion
Echo Version %RAW%

set "EXE=C:\Program Files (x86)\Microsoft\EdgeWebView\Application\!RAW!\Installer\setup.exe"
echo Stopping WebView2 and Edge processes..
taskkill /f /im msedgewebview2.exe
taskkill /f /im msedge.exe
start "" /wait "%EXE%" --msedgewebview --system-level --verbose-logging
set "EC=%ERRORLEVEL%"
echo WebView2 reinstall exit code: %EC%
ECHO === WEBVIEW2 FIX COMPLETE ===
ECHO Press any key to exit...
PAUSE
EXIT

Ran into a strange printer issue the other day that had me mutter a few things I probably shouldn’t repeat here. Thought I’d share it, just in case it saves someone else the same hassle.

Everything Worked—At First

I was setting up two network printers on a Windows 11 machine. Nothing fancy—just your standard TCP/IP installs. They tested fine, so I handed the machine off and went on my way.

Not long after, I checked in—and both printers were showing as offline. No changes made, nothing unplugged, just… not working.

Manual Printer Setup Was Locked Down

I went to remove and re-add the printers like I’ve done a hundred times before. But when I got to the install screen, the usual options—manual setup, finding older printers—were all greyed out.

That’s when I knew something odd was going on.

The Fix: Turn Off Protected Print Mode

After a bunch of digging, I found a setting under Settings > Bluetooth & devices > Printers & scanners called Windows Protected Print Mode. It was turned on.

I switched it off—and boom, everything started working again. The manual printer options came back, and I could reinstall both printers without any issues.

What Is Protected Print Mode?

Basically, it’s a newer Windows security feature that blocks most third-party printer drivers and only allows Microsoft’s built-in print driver.

The idea is to make printing more secure—but the tradeoff is that you lose a lot of useful features like:

• Tray selection

• Advanced print settings

• Some multifunction options

For most users, that’s a pretty big limitation.

Microsoft Plans to Make This the Default by 2027

Yep, this setting isn’t just some random toggle—it’s part of Microsoft’s longer-term plan. Protected Print Mode is expected to be the default print setup starting sometime around 2027.

We’ll see if that timeline sticks, but it’s something IT folks should start getting familiar with now.

Final Thoughts

I’m still not sure how the setting got turned on—could’ve been a Windows update, a vendor tool, or maybe I just clicked too fast. But if your printers randomly stop working and the manual install options are missing, check that Protected Print Mode setting. It might be the culprit.

I put off building a proper all in one Windows maintenance batch script for years. I had smaller scripts here and there to speed things up, but nothing consolidated. Starting this blog finally gave me a good reason to sit down, build a single script I actually use, and share it so anyone else can grab it.

This script is simple, practical, and includes a few small touches that make it easy to run again later.

Key Features

1 Automatic admin elevation

If you forget to run it as Administrator, it restarts itself with elevated permissions. No extra steps.

2 Clears conflicting processes

Right up front it stops common Windows servicing processes like DISM and TiWorker so maintenance tasks are not fighting for the same resources.

3 Flexible startup options

On launch you choose whether to continue with a reboot, without a reboot, or exit. You stay in control.

4 Live status updates

Every step reports what it is doing so you are not guessing about progress behind the scenes.

What It Does

After you pick your preferences, the script runs a set of routine Windows maintenance tasks:

• Defrags and optimizes all hard drives
• Cleans the TEMP directory
• Checks for and installs Windows Updates
• Performs a DISM cleanup
• Runs sfc /scannow twice for good measure

The Script

The full batch script is below. Copy it into Notepad, save it as a .bat file, and run it when you need a quick tune up. Modify it to fit your workflow. It is a solid foundation for keeping a system in good shape with minimal effort.

@ECHO OFF
SETLOCAL ENABLEEXTENSIONS
COLOR 09
TITLE JOSHFRIDEY.COM SYSTEM MAINTENANCE BATCH
:: --- Elevation Check ---
:: Check if script is running as admin
NET SESSION >NUL 2>&1
IF %ERRORLEVEL% NEQ 0 (
    ECHO Requesting administrative privileges...
    PowerShell -Command "Start-Process '%~f0' -ArgumentList '/elevated' -Verb RunAs"
    EXIT /B
)
:: Check for elevation flag
IF "%1"=="/elevated" SHIFT
:: -- Show Menu --
:MENU
CLS
ECHO ====================================
ECHO # SYSTEM MAINTENANCE OPTIONS
ECHO ====================================
ECHO.
ECHO [1] WINDOWS UPDATES WITHOUT REBOOT
ECHO [2] WINDOWS UPDATES WITH REBOOT
ECHO [3] EXIT SCRIPT
ECHO.
CHOICE /C 123 /N /M "Choose an option: "
IF ERRORLEVEL 3 GOTO :EOF
IF ERRORLEVEL 2 SET FLAG=REBOOT&GOTO MAINTENANCE
IF ERRORLEVEL 1 SET FLAG=NOREBOOT&GOTO MAINTENANCE
:: --- Maintenance Logic ---
:MAINTENANCE
CLS
ECHO ====================================
ECHO # REBOOT DISM and TIWORKER
ECHO ====================================
TASKLIST | FINDSTR "Dism.exe TiWorker.exe" >NUL && TASKKILL /F /IM "Dism.exe" /IM "TiWorker.exe" /T >NUL 2>&1
ECHO.
ECHO ====================================
ECHO # Disk Cleanup Automation
ECHO ====================================
ECHO # Clearing CleanMgr.exe automation settings.
powershell -Command "Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\VolumeCaches\*' -Name StateFlags0001 -ErrorAction SilentlyContinue | Remove-ItemProperty -Name StateFlags0001 -ErrorAction SilentlyContinue"
ECHO # Enabling Update Cleanup. This is done automatically in Windows 10 via a scheduled task.
powershell -Command "New-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\VolumeCaches\Update Cleanup' -Name StateFlags0001 -Value 2 -PropertyType DWord"
ECHO # Enabling Temporary Files Cleanup.
powershell -Command "New-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\VolumeCaches\Temporary Files' -Name StateFlags0001 -Value 2 -PropertyType DWord"
ECHO # Starting CleanMgr.exe...
powershell -Command "Start-Process -FilePath CleanMgr.exe -ArgumentList '/sagerun:1' -Wait"
ECHO # Waiting for CleanMgr and DismHost processes. Second wait neccesary as CleanMgr.exe spins off separate processes.
powershell -Command "Get-Process -Name cleanmgr,dismhost -ErrorAction SilentlyContinue | Wait-Process"
ECHO.
ECHO ====================================
ECHO # INSTALLING PSWindowsUpdate MODULE
ECHO ====================================
ECHO # Setting Execution Policy to Remote Signed...
powershell -Command "Set-ExecutionPolicy RemoteSigned -Force -ErrorAction SilentlyContinue"
ECHO # Installing Package Provider NuGet...
powershell -Command "Install-PackageProvider -Name NuGet -MinimumVersion 2.8.5.201 -Force -ErrorAction SilentlyContinue"
ECHO # Installing Module PSWindowsUpdate...
powershell -Command "Install-Module PSWindowsUpdate -Force -ErrorAction SilentlyContinue"
ECHO # Importing Module PSWindowsUpdate...
powershell -Command "Import-Module PSWindowsUpdate -Force -ErrorAction SilentlyContinue"
ECHO.
ECHO ====================================
ECHO # CHECKING FOR WINDOWS UPDATES
ECHO ====================================
powershell -Command "Get-WindowsUpdate -ErrorAction SilentlyContinue"
ECHO.
ECHO ====================================
ECHO # RESTART & CLEAR PRINT SPOOLER
ECHO ====================================
net stop spooler
taskkill.exe /f /im printfilterpipelinesvc.exe
del /F /Q %systemroot%\System32\spool\PRINTERS\*
del /F /Q %systemroot%\System32\spool\SERVERS\*
net start spooler
ECHO ====================================
ECHO # RUNNING DISM CLEANUP
ECHO ====================================
DISM /Online /Cleanup-Image /RestoreHealth /StartComponentCleanup
ECHO.
ECHO ====================================
ECHO # RUNNING DISM RESTOREHEALTH
ECHO ====================================
DISM /Online /Cleanup-Image /RestoreHealth
ECHO ====================================
ECHO # RUNNING SFC
ECHO ====================================
SFC /SCANNOW
SFC /SCANNOW
ECHO.
ECHO ====================================
ECHO # RUNNING DEFRAG
ECHO ====================================
DEFRAG /C /O /U
ECHO.
ECHO ====================================
ECHO # INSTALLING APP UPDATES
ECHO ====================================
winget update --force --all
ECHO ====================================
ECHO # INSTALLING WINDOWS UPDATES
ECHO ====================================
IF "%FLAG%"=="REBOOT" (
    powershell -Command "Install-WindowsUpdate -AcceptAll -Install -AutoReboot -ErrorAction SilentlyContinue"
    shutdown -r -t 00
) ELSE (
    powershell -Command "Install-WindowsUpdate -AcceptAll -Install -IgnoreReboot -ErrorAction SilentlyContinue"
)
ECHO.
:FINISH
ECHO.
ECHO === MAINTENANCE COMPLETE ===
ECHO Press any key to exit...
PAUSE >NUL
EXIT /B

This might be a bit of a hot take, but it’s worth saying: while a well-maintained on-prem Windows file server—or even a NAS—can offer excellent stability and performance, cloud-based tools are quickly becoming the go-to for modern businesses.

Solutions like Microsoft SharePoint bring a lot to the table: remote access, collaboration tools, and seamless integration with the Microsoft 365 ecosystem. But that doesn’t mean they’re always easy to manage—especially without an experienced IT team.

Where Microsoft Teams Comes In

Over the years, I’ve seen many clients run into challenges managing folder structures and permissions within SharePoint. It’s a powerful tool, no doubt—but it’s not the most intuitive. Without proper guidance or support, it’s easy to end up with a cluttered mess of disconnected sites and folders that eventually get lost in the shuffle.

Microsoft Teams offers a more streamlined, user-friendly approach. It allows clients to manage their file structure in a more organized and accessible way. Teams Channels act like folders, and with built-in permission controls, it’s much easier to restrict access when needed. Plus, everything ties directly into other Microsoft tools like OneNote, Planner, Tasks, and Lists—making collaboration much more cohesive.

How I Recommend Setting Up a Team for File Sharing

If you’re looking to move your file sharing into Microsoft Teams, here’s a setup process I often recommend:

1 Open Microsoft Teams

navigate to either the Teams or Chat section, depending on your setup.

2 Click Create a New Team. 

I usually suggest setting it up as a Public team so that all staff members can join and access shared files without needing an invite.

3 Give the default channel a clear and relevant name

something like “General”, “Shared Files”, or a department-specific name like “Accounting”.

4 Use additional Channels

To create top-level folders within the team. Each channel will have its own files section, and you can configure permissions separately to control access based on roles or teams.

By using Teams for file sharing, you’re giving your organization a cleaner, more manageable solution that supports collaboration—without the complexity that sometimes comes with SharePoint.

If you're managing Microsoft 365 for Business, you may eventually need to perform tasks in Exchange Online that aren’t available through the standard web interface. To do this, you’ll need to connect via PowerShell, which gives you direct access to advanced configuration options through command-line commands.

When I was first learning this process, I had no problem finding documentation on the individual commands for Exchange—but I struggled to find clear instructions on how to connect to a client’s Microsoft 365 tenant using PowerShell. This guide breaks down that connection process step by step. In future posts, I’ll dive deeper into useful Exchange Online commands, and I’ll be linking back to this post so it’s easy to follow along.

Connect to Exchange Online with PowerShell, step by step

1 Open PowerShell

Note: Be sure to run PowerShell as Administrator

2 Set the Execution Policy

Before installing modules, you'll want to ensure PowerShell allows trusted remote scripts to run:

Set-ExecutionPolicy RemoteSigned

3 Install the Exchange Online Management Module

This command installs the module that gives you access to Exchange Online cmdlets:

Import-Module ExchangeOnlineManagement

💡 If prompted, go ahead and accept installation of NuGet and trust the repository.

4 Connect to Exchange Online

Now you're ready to sign in using your Microsoft 365 admin credentials:

Connect-ExchangeOnline -UserPrincipalName "admin-user@microsoftaccount-clientdomain.com"

Once connected, you're ready to start issuing Exchange Online commands.

Recently, while working with businesses of various sizes, I’ve encountered issues with password less file shares on systems running Windows 11 24H2. This problem has appeared on both Windows file shares and NAS devices that support SMB.

The Best Solution?

Secure Your File Shares Ideally, the best approach is to update your file share security to require usernames and passwords for access. Implementing proper authentication helps protect sensitive data and reduces security risks. However, I know that not every environment is ready for that change right away. Whether you’re waiting to plan a security upgrade or dealing with clients reluctant to make changes, I get it. Sometimes, you just need a quick fix to keep things running smoothly. In the next section, I’ll go over some temporary workarounds to help you bypass this issue while you work toward a long-term solution.

Temporary Workarounds

If you need to access password less file shares on Windows 11 24H2, here are a few potential workarounds:

1 Enable Guest Access in Group Policy (Not Recommended for Security Reasons) 

While enabling guest access isn't ideal, it may help in situations where legacy devices or specific workflows require it.

1. Open Group Policy Editor (gpedit.msc).

2. Navigate to:

   Computer Configuration → Administrative Templates → Network → Lanman Workstation

3. Locate and Enable the policy: "Enable insecure guest logons"
4. Restart your computer for the changes to take effect.

Warning: This reduces security and should only be used as a temporary fix.

2 Adjust Windows Registry (If Group Policy Is Unavailable)

If you don’t have access to Group Policy on certain Windows editions, you can modify the registry:

1. Open Registry Editor (regedit).

2. Navigate to:

   HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanWorkstation\Parameters

    

3. Look for a DWORD entry named "AllowInsecureGuestAuth" (or create it if missing).
4. Set its value to 1.
5. Restart your computer.

3 Check SMB Protocol Version

If you're connecting to a NAS or older file server, it may not support newer SMB versions. To check and enable older SMB versions:

1. Open PowerShell (Admin) and run:

   Get-SmbServerConfiguration | Select EnableSMB1Protocol, EnableSMB2Protocol

2. If SMB1 is disabled but required, enable it temporarily:

   Set-SmbServerConfiguration -EnableSMB1Protocol $true -Force

3. Restart your computer.

Security Note: SMB1 is deprecated due to security vulnerabilities. If possible, update your NAS or file server to support SMB2/SMB3 instead.

Remote Desktop Protocol (RDP) is an essential tool for IT professionals and end users alike, allowing seamless remote management and access to multiple devices. However, with the transition to Microsoft Entra ID (formerly Azure Active Directory), the traditional process of accessing remote devices has changed slightly, introducing a few additional steps.

In this guide, I’ll share my preferred method for accessing Microsoft Entra ID-joined devices via RDP. Keep in mind that there are multiple ways to accomplish this, some potentially easier. However, this method works effectively for both onsite and offsite configurations.

Prerequisites

To ensure a successful remote connection, you’ll need the following:

• VPN Connection if wanting off-site access.

Configuring the Remote Device (The device you want to access)

1. Set a Static Local IP Address

   1. This helps maintain a consistent connection and prevents address changes from affecting access.

2. Enable Remote Desktop Protocol (RDP)

   1. Go to Settings > System > Remote Desktop and enable Remote Desktop.

3. Network Level Authentication (NLA), recommended enabled. Keep this checked for security. If you are having trouble connecting and suspect NLA is the blocker, you can temporarily disable it to test.

   1. Open System Properties › Remote.
   2. Under Remote Desktop, uncheck Allow connections only from computers running Remote Desktop with Network Level Authentication (NLA).
   3. Try the connection again. If it works, address the root cause, then re-enable NLA.

Configuring the Local Device (The device you’re accessing from)

1. (For Offsite Access) Connect to VPN

   1. Ensure you’re connected to your organization’s VPN before proceeding.

2. Modify the Host File

   1. Open Notepad as Administrator
   2. Navigate to C:\Windows\System32\drivers\etc\hosts
   3. Add the static IP address and exact computer name of the remote device to the file.
   4. Note: The computer name must be exact, as Microsoft Entra ID requires an exact match for authentication.

3. Launch the Remote Desktop Application

   1. Open the Remote Desktop app and enter the host name of your remote device.
   2. Important: IP addresses will not work with this method; you must use the computer name.

4. Enter Login Credentials

   1. Username: Enter your Microsoft 365 email address
   2. Navigate to the Advanced tab > User Authentication section
   3. Check the box for “Use a web account to sign into the remote computer”

Conclusion

By following these steps, you can successfully remote into a Microsoft Entra ID joined device using RDP. This method ensures compatibility with both onsite and offsite (with VPN) setups, allowing seamless access across different environments.