Field notes.
Short, practical write-ups from real client work. Migrations, security hardening, licensing fixes, and the occasional Windows fleet headache.
WLapsAdmin or Administrator? Auditing Windows LAPS at fleet scale.
The reason some devices show Administrator instead of WLapsAdmin in the recovery portal is one Windows 11 build number nobody talks about. The end-to-end Microsoft Graph PowerShell audit, with cross-reference, OS eligibility, and the per-device account name lookup Microsoft blocks in bulk.
Legacy BIOS to UEFI, then on to Windows 11 25H2, without nuking the disk.
A non-destructive upgrade path for the boxes still running CSM. MBR2GPT, the firmware switch, and the actual 25H2 install, including the gotchas that brick the boot loader if you skip a step.
Bulk mailbox cleanup with Microsoft Graph: CSV-driven, dry-run first, throttle-aware.
When legal asks you to remove specific senders from two hundred mailboxes by Friday. App-only Graph, a sender allowlist, multi-pass deletes, and the per-mailbox transient ceiling that stops one bad mailbox stalling a six-hour run.
Sortable mailbox size reports, without the Excel cleanup ritual.
Get-MailboxStatistics returns sizes as text and Excel sorts them lexically. A small PowerShell script that does the byte-string conversion in PowerShell where it belongs and hands you a real numeric GB column for migration planning.
When LAPS silently refuses to escrow on hybrid Entra devices.
Five compliant Intune-enrolled PCs that quietly refused to escrow LAPS passwords. The diagnostic field the Entra portal never shows. The two-restart fix that takes 15 hours to confirm, and the one thing you must not do during the wait.