Tag: Windows 11

  • The Problem Lives Below Windows

    Most system failures don’t begin in Windows. They begin deeper, where firmware, drivers, and hardware quietly decide whether the OS will be allowed to run.

    Intro

    When a system reboots unexpectedly, freezes during a video call, or crashes the moment a camera turns on, Windows is usually the first thing blamed. But in most real-world cases, the operating system is only the messenger. The real problem lives below Windows, in layers most people never see until something breaks.

    Over the years, I’ve learned that stability is not something you install. It’s something you negotiate between hardware, firmware, drivers, and the operating system, all trying to work together under load.


    The invisible stack beneath Windows

    Modern endpoints are layered systems.

    Below Windows 11 sits firmware, BIOS, chipset drivers, GPU drivers, and kernel-mode components that operate outside the visibility of most logging tools. These layers handle power management, graphics acceleration, memory access, and hardware interrupts. When they disagree, Windows doesn’t always get a vote.

    A failure in these layers doesn’t always generate a blue screen. Sometimes the system simply resets. From the outside, it looks random. Underneath, it’s not.


    Why Windows 11 gets blamed

    Windows 11 sits at the intersection of modern hardware acceleration and modern applications. Tools like Microsoft Teams, browsers, and Office apps make heavy use of GPU pipelines, video encoders, and camera drivers.

    When something goes wrong at that boundary, the crash surfaces when the app is launched, the camera turns on, or a video stream initializes. Windows appears guilty because it’s present when the failure occurs, but the fault often belongs to a driver, firmware interaction, or hardware acceleration path that Windows merely exposed.


    Why visibility tools don’t always catch it

    Tools like Sysmon are excellent at recording what happens inside the operating system. They act like a flight recorder for processes, network connections, and file activity.

    But Sysmon can’t log what never reaches the OS.

    A reboot triggered by firmware, a GPU driver reset, or a kernel-mode failure can occur before logging completes. From an administrator’s perspective, it feels like the system went silent without warning. In reality, the failure happened below the level where logs exist.


    The thin line between stable and broken

    Stability often comes down to small decisions.

    A BIOS update here.
    A GPU driver change there.
    Hardware acceleration enabled or disabled in a single application.

    None of these changes look dramatic on their own, but together they determine whether a system runs quietly for months or reboots under pressure. That line between stable and broken is thinner than most people realize.


    What I’ve learned

    When troubleshooting modern Windows systems, I no longer ask, “What did Windows do wrong?” first.

    I ask:

    • What changed below the OS
    • Which drivers are involved
    • What hardware path is being exercised
    • Whether the failure happens under load or acceleration

    More often than not, the answer reveals itself there.


    Final thought

    Windows 11 is rarely the villain in these stories. It’s the surface where deeper tensions finally show themselves.

    Understanding that difference changes how you troubleshoot, how you update, and how you design systems meant to stay online.

    © 2012–2026 Jet Mariano. All rights reserved.
    For usage terms, please see the Legal Disclaimer.

  • Windows 11 Is Not the Problem

    Most Windows 11 instability doesn’t live in the OS itself, but at the edges where hardware, drivers, and applications meet.

    Understanding Failure at the Boundaries


    Why this post exists

    When something breaks after a Windows 11 update, the operating system is usually the first thing blamed.

    That reaction is understandable.
    It is also often wrong.

    Most Windows 11 issues I’ve seen in production environments were not caused by Windows itself, but by interactions at the boundaries — drivers, firmware, graphics acceleration, and modern hardware pipelines colliding under load.

    This post is about recognizing that pattern before making changes you can’t easily undo.


    Windows 11 changed the execution model

    Windows 11 didn’t just refresh the UI.
    It tightened and modernized how the system interacts with hardware.

    Notable shifts include:

    • heavier GPU offloading
    • deeper integration with modern drivers
    • stricter timing and power management
    • increased reliance on hardware acceleration

    These changes improved performance and security — but they also exposed weaknesses that were previously hidden.


    Where failures actually occur

    Most Windows 11 instability I’ve seen does not originate in the OS core.

    It shows up at the edges:

    • camera pipelines invoking GPU acceleration
    • browsers rendering complex content
    • collaboration tools engaging media stacks
    • document editors interacting with graphics layers

    When these systems overlap, failure is rarely clean.

    The result can look dramatic:

    • sudden reboots
    • frozen screens
    • applications triggering system instability

    But the OS is often just the messenger.


    Why blaming the OS is tempting

    Blaming Windows feels productive because it is visible and recent.

    But doing so can lead to:

    • unnecessary registry changes
    • disabling core protections
    • rolling back updates prematurely
    • introducing instability elsewhere

    Experienced engineers pause here.

    They ask a different question:
    “What interaction just occurred?”


    A real-world pattern

    In several recent incidents, systems rebooted only when:

    • the camera was enabled
    • a browser rendered media-heavy pages
    • a document triggered graphics rendering

    The same machines were otherwise stable.

    That pattern points away from Windows itself and toward:

    • GPU drivers
    • hardware acceleration paths
    • firmware timing
    • vendor-specific optimizations

    The fix is rarely global.
    It is almost always surgical.


    Why restraint matters

    Windows 11 gives us many levers:

    • registry overrides
    • advanced graphics settings
    • feature toggles

    Just because a lever exists does not mean it should be pulled.

    Sometimes the most correct decision is:

    • identify the root cause
    • mitigate user impact
    • document the behavior
    • wait for vendor correction

    Stability is not always achieved by action.
    Sometimes it is preserved by restraint.


    What Windows 11 is actually doing well

    Despite the noise, Windows 11 has proven to be:

    • more secure by default
    • more consistent under load
    • better integrated with modern hardware
    • less tolerant of outdated assumptions

    Those are strengths, not weaknesses.

    They require us to think more holistically about the stack.


    The lesson Windows 11 keeps teaching

    Modern systems fail at the seams.

    Operating systems, drivers, firmware, and applications now behave as a single organism.

    When one part misbehaves, symptoms surface elsewhere.

    The job is not to assign blame quickly.
    The job is to understand interaction.


    Final reflection

    Windows 11 didn’t break our environments.

    It revealed where we were already fragile.

    Once you see that pattern, troubleshooting becomes calmer, more precise, and far less reactive.


  • How to Install Sysmon on Windows 11 (Step-by-Step Guide)

    System Monitoring Made Simple for IT Admins & Security Pros

    Sysmon (System Monitor) is part of Microsoft’s Sysinternals Suite, and it gives you deep visibility into process creation, network connections, file changes, and system activity. For threat detection, forensics, and baselining, Sysmon is one of the most powerful free tools you can deploy.

    In this guide, I’ll walk through the step-by-step process of installing Sysmon cleanly on a Windows 11 machine, loading a hardened configuration, enabling the event log, and validating that everything is working.

    This is the exact method I used on my laptop — clean, repeatable, and production-ready.


    1. Prerequisites

    Before you start:

    • Log in as a user with Local Administrator rights.
    • Open PowerShell as Administrator.

    You’ll be using a mixture of PowerShell commands and Event Viewer, so make sure you have admin elevation.


    2. Download Sysinternals Suite

    Microsoft distributes Sysmon inside the Sysinternals Suite ZIP.

    1. Download Sysinternals Suite from Microsoft’s official site.
    2. Create a clean directory:
    New-Item -ItemType Directory -Path "C:\Sysinternals" -Force
    
    3. Extract the ZIP:
    Expand-Archive "$env:USERPROFILE\Downloads\SysinternalsSuite.zip" `
      -DestinationPath "C:\Sysinternals" -Force
    
    4. Verify Sysmon64.exe exists:
    Get-ChildItem "C:\Sysinternals" -Filter Sysmon64.exe -Recurse
    

    You should see something similar to:

    Sysmon64.exe   Length: 4563248
    

    A non-zero size confirms the binary was extracted intact.


    3. Prepare Your Sysmon Configuration File

    Sysmon must be installed with a configuration that tells it what to monitor.
    You can use:

    • A basic config
    • A hardened config
    • The community-recommended SwiftOnSecurity config

    Here’s how to set up a config folder:

    New-Item -ItemType Directory -Path "C:\Scripts\Sysmon" -Force
    

    Copy your Sysmon config into it:

    Copy-Item "$env:USERPROFILE\Downloads\sysmonconfig-export.xml" `
      "C:\Scripts\Sysmon\sysmonconfig.xml" -Force
    

    Verify it:

    Get-ChildItem "C:\Scripts\Sysmon"
    

    You should see:

    sysmonconfig.xml   Length: (non-zero)
    

    4. Install Sysmon with the Config

    Navigate to the Sysinternals directory:

    cd "C:\Sysinternals"
    

    If Sysmon was previously installed, uninstall it first:

    .\Sysmon64.exe -u force
    

    Then install it cleanly with your XML config:

    .\Sysmon64.exe -i C:\Scripts\Sysmon\sysmonconfig.xml
    

    Expected output:

    Sysmon64 installed.
    SysmonDrv installed.
    Sysmon64 started.
    

    Check service status:

    Get-Service Sysmon64
    

    You should see:

    Running  Sysmon64
    

    5. Register the Sysmon Event Manifest

    This step ensures the Sysmon event log is visible in Event Viewer.

    .\Sysmon64.exe -m
    

    Output:

    Event manifest/format registered successfully
    

    6. Enable the Sysmon Event Log

    Check if the Sysmon log exists:

    wevtutil el | Select-String "Sysmon"
    

    You should see:

    Microsoft-Windows-Sysmon/Operational
    

    Enable the log:

    wevtutil sl "Microsoft-Windows-Sysmon/Operational" /e:true
    

    7. Validate That Sysmon Is Working

    Method A: Quick PowerShell validation

    wevtutil qe Microsoft-Windows-Sysmon/Operational /c:5 /f:text
    

    If you see any events (Event ID 1, 5, etc.), Sysmon is working.


    Method B: Event Viewer

    Open Event Viewer:

    Applications and Services Logs
      → Microsoft
          → Windows
              → Sysmon
                  → Operational
    

    You should start seeing:

    • Event ID 1 – Process Create
    • Event ID 5 – Process Terminate
    • Other IDs depending on your config

    Method C: Live test

    Run:

    Start-Process notepad.exe
    

    Then refresh Sysmon → Operational log.

    You should immediately see a new Event ID 1 logging Notepad’s process creation.

    If you see this event, Sysmon is fully operational.


    8. Optional: Create a Shortcut for Faster Access

    Desktop Shortcut

    1. Right-click Desktop → New → Shortcut
    2. Enter:
    eventvwr.msc /c:Microsoft-Windows-Sysmon/Operational
    
    3. Name it Sysmon Log

    Now you can open Sysmon in one click.

    Event Viewer Favorites

    Right-click Sysmon → Operational → Add to Favorites.


    9. Updating the Sysmon Config Later

    If you want to modify or replace the config:

    cd C:\Sysinternals
    .\Sysmon64.exe -c C:\Scripts\Sysmon\sysmonconfig.xml
    

    You should see:

    Configuration updated.
    

    No reinstall required.


    10. Uninstall Sysmon (if needed)

    cd C:\Sysinternals
    .\Sysmon64.exe -u force
    

    This removes:

    • Sysmon64 service
    • SysmonDrv driver
    • Registry entries
    • Event manifest

    Conclusion

    Once installed, Sysmon becomes a powerful source of system telemetry for:

    • Threat hunting
    • Malware investigation
    • Lateral movement detection
    • Process monitoring
    • Incident response
    • Forensic analysis

    With a hardened config, Sysmon gives deep visibility with minimal overhead — making it an essential component of any Windows security stack.

    If you’re deploying Sysmon across multiple endpoints (like we do at work), you can automate it using Intune, GPO, or a custom PowerShell deployment package.
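    The following script is an added example (not the post's own code) that folds steps 4 through 7 and step 9 into one idempotent deployment script of the kind you would push with Intune or GPO: it refuses an unsigned Sysmon binary, installs on a fresh endpoint or swaps the config on one that already has Sysmon, enables the channel, then proves the pipeline end to end by starting Notepad and finding its Event ID 1. The file paths in the param block are placeholders that match the layout used earlier in the guide.

```powershell
#Requires -RunAsAdministrator
# Added example: idempotent Sysmon install/update plus end-to-end validation.
# Paths below are placeholders matching the guide's layout; adjust for your package.
param(
    [string]$SysmonExe  = 'C:\Sysinternals\Sysmon64.exe',
    [string]$ConfigPath = 'C:\Scripts\Sysmon\sysmonconfig.xml',
    [string]$LogName    = 'Microsoft-Windows-Sysmon/Operational'
)
$ErrorActionPreference = 'Stop'

foreach ($p in $SysmonExe, $ConfigPath) {
    if (-not (Test-Path $p)) { throw "Missing file: $p" }
}

# A driver-installing binary must be the real Microsoft build before it runs as SYSTEM.
$sig = Get-AuthenticodeSignature -FilePath $SysmonExe
if ($sig.Status -ne 'Valid' -or $sig.SignerCertificate.Subject -notmatch 'Microsoft') {
    throw "Sysmon64.exe signature check failed: $($sig.Status)"
}

# Fresh endpoint: -i installs service + driver with the config.
# Already installed: -c reloads the config in place (no reinstall, as in step 9).
if (Get-Service -Name Sysmon64 -ErrorAction SilentlyContinue) {
    & $SysmonExe -accepteula -c $ConfigPath | Out-Null
} else {
    & $SysmonExe -accepteula -i $ConfigPath | Out-Null
}
if ($LASTEXITCODE -ne 0) { throw "Sysmon64.exe exited with $LASTEXITCODE" }

# Register the manifest and make sure the channel is enabled (steps 5 and 6).
& $SysmonExe -m | Out-Null
wevtutil sl $LogName /e:true

# Live test (step 7, Method C): create a harmless process and look for its Event ID 1.
$marker = Start-Process -FilePath notepad.exe -PassThru
Start-Sleep -Seconds 3
$evt = Get-WinEvent -FilterHashtable @{ LogName = $LogName; Id = 1 } -MaxEvents 100 |
    Where-Object { $_.Message -match "(?<!Parent)ProcessId: $($marker.Id)\b" }
Stop-Process -Id $marker.Id -Force -ErrorAction SilentlyContinue

if ($evt) {
    "Sysmon OK: Event ID 1 captured for PID $($marker.Id) at $($evt[0].TimeCreated)"
} else {
    throw "No Event ID 1 for the test process; check the config's ProcessCreate rules and the service state"
}
```

    Run it once per endpoint; a second run takes the `-c` path and only refreshes the config, which is what makes it safe to schedule from a management tool.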



  • Beat the 99% Wall: Upgrade Windows 10 → 11 the Easy Offline Way (Do This Before Oct 5, 2025)

    When the upgrade sits at 99%… don’t panic. Go offline and run the ISO upgrade the smart way

    Windows 10 reaches end of life on Oct 5, 2025. After that, it won’t get security updates. If you stay on Win10, your machine is a sitting duck for malware and attackers. Don’t procrastinate.

    If Windows Update keeps failing—or hangs forever at 99%—use this clean, offline upgrade that skips the flaky “checking for updates” step.


    1) First, confirm your PC is Windows 11–ready

    Use Microsoft’s official checker:
    https://support.microsoft.com/en-us/windows/check-if-a-device-meets-windows-11-system-requirements-after-changing-device-hardware-f3bc0aeb-6884-41a1-ab57-88258df6812b

    Important: The most common blockers are the CPU and motherboard (TPM 2.0, UEFI/Secure Boot). If your device doesn’t meet Windows 11 requirements, it’s unsupported after Oct 5, 2025. Treat that Windows 10 PC as unsafe for internet use—either upgrade/replace the hardware, reassign it to offline tasks, or retire it.


    2) Prep (5–10 minutes)

    • Unplug non-essential USB devices (drives, printers, docks).
    • Ensure ≥30 GB free on C:.
    • Suspend BitLocker (if enabled): Control Panel → BitLocker → Suspend.
    • Temporarily disable third-party AV/VPN.
    • Clean Boot: msconfig → Services → Hide Microsoft services → Disable all; Startup → disable everything.

    3) Reset Windows Update & appraiser caches (PowerShell)

    Open PowerShell as Administrator and run:

    net stop wuauserv
    net stop bits
    net stop cryptsvc
    
    Rename-Item "C:\Windows\SoftwareDistribution" SoftwareDistribution.old
    Rename-Item "C:\Windows\System32\catroot2" catroot2.old
    
    # Single quotes matter: in double quotes PowerShell would expand $WINDOWS as a variable.
    # (cmd-style "rd /s /q" does not work here; rd is an alias for Remove-Item.)
    Remove-Item -Recurse -Force 'C:\$WINDOWS.~BT' -ErrorAction SilentlyContinue
    Remove-Item -Recurse -Force 'C:\$WINDOWS.~WS' -ErrorAction SilentlyContinue
    Remove-Item -Recurse -Force 'C:\Windows\Panther' -ErrorAction SilentlyContinue
    New-Item -ItemType Directory -Path 'C:\Windows\Panther' | Out-Null
    
    net start cryptsvc
    net start bits
    net start wuauserv
    

    Then heal the image:

    DISM /Online /Cleanup-Image /RestoreHealth
    sfc /scannow
    

    4) Run the upgrade offline from ISO (no update checks)

    1. Download the official Windows 11 ISO (same edition/language/arch) from Microsoft.
    2. Right-click the ISO → Mount → note the drive letter (e.g., E:).
    3. Disconnect the network (unplug Ethernet / disable Wi-Fi).
    4. In elevated PowerShell, launch Setup with Dynamic Update disabled:
    Start-Process -FilePath 'E:\setup.exe' -ArgumentList '/auto upgrade /dynamicupdate disable /copylogs C:\$UpgradeLogs' -Verb RunAs -Wait
    

    (Optional quick blocker scan without upgrading):

    Start-Process -FilePath 'E:\setup.exe' -ArgumentList '/compat scanonly /dynamicupdate disable' -Verb RunAs -Wait
    
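    As an added example (not the post's own code), this script ties steps 1, 2 and 4 together: it checks the two hardware gates that block most upgrades (TPM 2.0 and UEFI Secure Boot), checks free space, suspends BitLocker, mounts the ISO, takes the network down so Setup cannot reach Dynamic Update, launches Setup with the same switches used above, and finally maps the exit code to the documented Windows Setup /Compat ScanOnly meanings. The ISO path is a placeholder; the network is re-enabled in the finally block so a failed run does not leave the PC offline.

```powershell
#Requires -RunAsAdministrator
# Added example: pre-flight gates + offline ISO upgrade launcher.
# $IsoPath is a placeholder; exit-code texts are the documented Setup /Compat ScanOnly codes.
param(
    [string]$IsoPath = 'C:\ISO\Win11.iso',   # placeholder: your downloaded ISO
    [switch]$ScanOnly                         # report blockers only, do not upgrade
)
$ErrorActionPreference = 'Stop'

# 1) Hardware gates: TPM 2.0 and UEFI Secure Boot are the usual blockers.
$tpm = Get-CimInstance -Namespace root\cimv2\security\microsofttpm -ClassName Win32_Tpm
if (-not $tpm -or $tpm.SpecVersion -notmatch '^2\.0') {
    throw "TPM 2.0 not found (SpecVersion: $($tpm.SpecVersion))"
}
try {
    if (-not (Confirm-SecureBootUEFI)) { Write-Warning 'Secure Boot is off; enable it in firmware' }
} catch {
    throw 'Firmware is legacy BIOS: Windows 11 requires UEFI'
}

# 2) Prep: free space and BitLocker (suspend, not decrypt, so Setup's reboots are not blocked).
$freeGB = [math]::Round((Get-PSDrive C).Free / 1GB, 1)
if ($freeGB -lt 30) { throw "Only $freeGB GB free on C:; need at least 30 GB" }
$bl = Get-BitLockerVolume -MountPoint 'C:' -ErrorAction SilentlyContinue
if ($bl -and $bl.ProtectionStatus -eq 'On') {
    Suspend-BitLocker -MountPoint 'C:' -RebootCount 2 | Out-Null
}

# 4) Mount the ISO, go offline, run Setup with Dynamic Update disabled.
$letter   = (Mount-DiskImage -ImagePath $IsoPath -PassThru | Get-Volume).DriveLetter
$setupExe = "${letter}:\setup.exe"
$adapters = Get-NetAdapter | Where-Object Status -eq 'Up'
$adapters | Disable-NetAdapter -Confirm:$false

try {
    $setupArgs = if ($ScanOnly) { '/compat scanonly /dynamicupdate disable' }
                 else           { '/auto upgrade /dynamicupdate disable /copylogs C:\$UpgradeLogs' }
    $proc = Start-Process -FilePath $setupExe -ArgumentList $setupArgs -Wait -PassThru

    # ExitCode is a signed Int32; normalise to the unsigned value Setup documents.
    $code = [int64]$proc.ExitCode
    if ($code -lt 0) { $code += 0x100000000 }
    $codes = @{
        0xC1900210 = 'No compatibility issues found'
        0xC1900208 = 'Compatibility issue (app or driver) found; see Setup logs under C:\$WINDOWS.~BT\Sources\Panther'
        0xC1900204 = 'Migration choice not available (edition, language or architecture mismatch)'
        0xC1900200 = 'Does not meet Windows 11 system requirements'
        0xC190020E = 'Insufficient free disk space'
    }
    $hex = '0x{0:X8}' -f $code
    if ($codes.ContainsKey($code)) { "Setup exit $hex : $($codes[$code])" }
    else                           { "Setup exit $hex (run SetupDiag if the upgrade failed)" }
}
finally {
    # Step 7: network comes back only after Setup has finished or failed.
    $adapters | Enable-NetAdapter -Confirm:$false
}
```

    Use `-ScanOnly` first: the scan runs in a few minutes, leaves the system untouched, and the exit code tells you whether it is worth starting the real upgrade. A full `/auto upgrade` reboots on its own once it succeeds, so the finally block mostly matters for the scan and for failures.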

    5) If it still stalls

    • Drivers (most common):
      • Storage: Device Manager → Storage controllers → switch to Microsoft Standard controller (Update driver → Let me pick).
      • Display: use Microsoft Basic Display Adapter temporarily.
      • Remove extra language packs, old VPN clients, and heavy OEM utilities.
    • BIOS/Chipset: update from your PC maker’s support page.
    • Rerun the offline setup command.

    6) Pinpoint the exact blocker (2 minutes)

    If it fails again, run Microsoft SetupDiag and read the summary:

    # Download SetupDiag.exe from Microsoft into C:\SetupDiag before running it
    mkdir C:\SetupDiag; cd C:\SetupDiag
    .\SetupDiag.exe /Output:C:\SetupDiag\SetupDiagResults.log
    
    • Codes like 0xC1900101-0x… usually name a driver (oem*.inf)—remove/roll it back and retry.
    • Dynamic-Update/Appraiser errors → repeat Step 3 and ensure you’re truly offline with /dynamicupdate disable.

    7) After success

    • Re-enable BitLocker, AV/VPN, and normal startup apps.
    • Reconnect the network and run Windows Update to pull fresh drivers and features.


  • 5-Minute Fix: Why Your Windows PC Feels Slow (and what to try before calling IT)

    Top memory consumers at a glance—captured with PowerShell to diagnose a sluggish system.

    TL;DR: Check Task Manager → close the hog → restart apps/PC → free space → trim startup apps → update → quick scan. If it’s still slow, capture a screenshot and call IT.


    1) Is it one app or everything?

    • Press Ctrl+Shift+Esc → Task Manager → Processes.
    • If CPU / Memory / Disk sits >90% for a minute, note the top app.
    • Right-click → End task (only on apps you opened). If speed returns, you found the culprit.

    2) Quick reset (fastest real fix)

    • Save work → Restart the PC (not Shut down). Restarts clear memory leaks and stuck updates.

    3) Free up space

    • Open File Explorer → This PC. If your C: drive has <10 GB free, Windows will crawl.
    • Settings → System → Storage → Storage Sense → Run cleanup now.
    • Empty Downloads and Recycle Bin if safe.

    4) Trim startup apps (the slow-boot killers)

    • Ctrl+Shift+Esc → Startup apps.
    • Set non-essentials to Disabled (music updaters, PDF helpers, “helper” launchers, etc.). Leave security/backup tools enabled.

    5) Browser bloat check

    • Close tabs you don’t need.
    • Disable heavy extensions (Edge/Chrome → … → Extensions).
    • Consider “Continue running background apps” Off (Chrome → System).

    6) Updates (do it once, then restart)

    • Settings → Windows Update → Check for updates.
    • Install → Restart outside your busiest hour.

    7) Quick malware scan

    • Windows Security → Virus & threat protection → Quick scan.

    8) Network ≠ computer

    • If only web/video is slow, run a quick speed test. If speed is normal but the PC lags, it’s local; if speed is bad on all devices, it’s the network.

    Optional: Simple PowerShell checks (for confident users)

    Open PowerShell as your normal user.

    Top memory users

    Get-Process | Sort-Object -Descending WorkingSet |
     Select-Object -First 10 Name,Id,@{n='RAM(MB)';e={[math]::Round($_.WorkingSet/1MB)}}
    

    Disk space by drive

    Get-PSDrive -PSProvider FileSystem |
     Select Name,@{n='Free(GB)';e={[math]::Round($_.Free/1GB,1)}},
            @{n='Used(GB)';e={[math]::Round(($_.Used)/1GB,1)}}
    

    List startup items (view only)

    Get-CimInstance Win32_StartupCommand | Select Name,Command,Location
    

    Tip: Disable startup apps in Task Manager, not via the registry.


    When to call IT (and what to send)

    If it’s still slow after these steps, send:

    • A screenshot of Task Manager → Processes (sorted by CPU and then Memory),
    • Your free disk space (C: drive),
    • What you were doing when it slowed down.

    That info turns a 30-minute back-and-forth into a 5-minute fix.
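    As an added example (not the post's own code), this script collects the items IT asks for above into a single text file on the Desktop: uptime, RAM, free space per drive, the top memory and CPU consumers, and startup items. It runs as a normal user and needs no elevation; the output file name is an assumption.

```powershell
# Added example: slow-PC triage report for the helpdesk. Runs as a normal user.
# Output path is an assumption; everything else comes from built-in cmdlets.
$report = Join-Path ([Environment]::GetFolderPath('Desktop')) 'slow-pc-report.txt'
$os     = Get-CimInstance Win32_OperatingSystem
$uptime = (Get-Date) - $os.LastBootUpTime

$lines = @()
$lines += "Slow-PC report $(Get-Date -Format 'yyyy-MM-dd HH:mm') host=$env:COMPUTERNAME user=$env:USERNAME"
# A large uptime points straight at step 2 (restart, not shut down).
$lines += 'Uptime: {0} days {1:D2}:{2:D2}' -f $uptime.Days, $uptime.Hours, $uptime.Minutes
# Win32_OperatingSystem reports memory in KB; dividing by 1MB yields GB.
$lines += 'RAM: {0:N1} GB free of {1:N1} GB' -f ($os.FreePhysicalMemory / 1MB), ($os.TotalVisibleMemorySize / 1MB)

$lines += ''
$lines += '== Disk free per drive (Windows crawls below 10 GB on C:) =='
$lines += Get-PSDrive -PSProvider FileSystem | Where-Object Used | ForEach-Object {
    '{0}: {1,7:N1} GB free / {2,7:N1} GB total' -f $_.Name, ($_.Free / 1GB), (($_.Used + $_.Free) / 1GB)
}

$lines += ''
$lines += '== Top 10 processes by memory (working set) =='
$lines += Get-Process | Sort-Object WorkingSet -Descending | Select-Object -First 10 | ForEach-Object {
    '{0,-28} PID {1,-7} {2,7:N0} MB' -f $_.Name, $_.Id, ($_.WorkingSet / 1MB)
}

$lines += ''
$lines += '== Top 10 processes by CPU time since they started (seconds) =='
$lines += Get-Process | Where-Object CPU | Sort-Object CPU -Descending | Select-Object -First 10 | ForEach-Object {
    '{0,-28} PID {1,-7} {2,9:N0} s' -f $_.Name, $_.Id, $_.CPU
}

$lines += ''
$lines += '== Startup items (view only; disable them in Task Manager, not the registry) =='
$lines += Get-CimInstance Win32_StartupCommand | ForEach-Object { '{0,-28} {1}' -f $_.Name, $_.Command }

$lines | Set-Content -Path $report -Encoding UTF8
"Report written to $report. Attach it and say what you were doing when the PC slowed down."
```

    The CPU column is cumulative processor time, not a live percentage, so it surfaces the long-running hog that a one-second Task Manager glance can miss; the Task Manager screenshot still gives IT the live view.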



  • Hot-cloning a Running Windows 11 VM in vSphere (Forensic, Redacted Runbook)

    This guide covers hot cloning a Windows 11 VM in vSphere with PowerCLI

    Goal. Create a new Windows 11 jump VM (WIN11-Jumpbox-6) by cloning a running source (WIN11-Jumpbox-2) in vCenter—without interrupting the source—and bring the clone up with a fresh identity (Sysprep), correct name, and domain join.

    Applies to. vCenter/vSphere with vSAN (or any datastore), Windows 11 guest, PowerCLI.

    Redaction note: All names below are placeholders. Replace the ALL_CAPS parts with local values.
    vCenter: VCENTER.FQDN
    Source VM: WIN11-Jumpbox-2
    New VM: WIN11-Jumpbox-6
    Target ESXi host: esxi-03.example.local
    Datastore: vsanDatastore
    Domain (optional): corp.local
    Join account: corp.local\joinaccount


    Constraints & safety

    • No source outage. Clone while the source is powered on (vCenter snapshots and clones from it).
    • Fresh identity. Use guest customization (Sysprep) so the clone receives a new SID and hostname.
    • Parameter sets. When cloning with -VM, avoid -NetworkName/-NumCPU/-MemoryGB in the same New-VM call; set those after the clone boots.
    • VMware Tools must be running in the guest for customization to apply.

    Pre-flight checks (30–60 seconds)

    # Connect
    Connect-VIServer VCENTER.FQDN
    
    # Capacity snapshot (optional)
    Get-VMHost | Select Name,
     @{N="CPU MHz Used";E={$_.CpuUsageMhz}},
     @{N="CPU MHz Total";E={$_.CpuTotalMhz}},
     @{N="Mem GB Used";E={[math]::Round($_.MemoryUsageGB,2)}},
     @{N="Mem GB Total";E={[math]::Round($_.MemoryTotalGB,2)}}
    
    Get-Datastore -Name "vsanDatastore" | Select Name,Type,State,
     @{N="CapacityGB";E={[math]::Round($_.CapacityGB,2)}},
     @{N="FreeGB";E={[math]::Round($_.FreeSpaceGB,2)}},
     @{N="Free%";E={[math]::Round(($_.FreeSpaceGB/$_.CapacityGB)*100,2)}}
    

    Rule of thumb: keep vSAN Free% ≥ 20–25% to avoid slack-space pressure during resync/rebuild.


    Method A — Clone with one-time guest customization (recommended)

    This path Syspreps the clone, renames it, and (optionally) joins the domain. It also avoids the PowerShell reserved variable $host (use $targetHost).

    # -------- Vars --------
    $srcName        = "WIN11-Jumpbox-2"
    $newName        = "WIN11-Jumpbox-6"
    $targetHostName = "esxi-03.example.local"
    $dsName         = "vsanDatastore"
    $domainFqdn     = "corp.local"                 # leave blank if no domain join
    $joinUser       = "corp.local\joinaccount"     # account allowed to join computers
    
    # -------- Objects --------
    $src        = Get-VM -Name $srcName -ErrorAction Stop
    $targetHost = Get-VMHost -Name $targetHostName -ErrorAction Stop
    $ds         = Get-Datastore -Name $dsName -ErrorAction Stop
    $pg         = ($src | Get-NetworkAdapter | Select-Object -First 1).NetworkName
    
    # -------- One-time Windows customization spec (NonPersistent) --------
    $specName = "TMP-Join-Redacted"
    $existing = Get-OSCustomizationSpec -Name $specName -ErrorAction SilentlyContinue
    if ($existing) { Remove-OSCustomizationSpec -OSCustomizationSpec $existing -Confirm:$false }
    
    # If domain join is desired
    $spec = if ($domainFqdn) {
      $joinCred = Get-Credential -UserName $joinUser -Message "Password for $joinUser"
      New-OSCustomizationSpec -Name $specName -Type NonPersistent `
        -OSType Windows -NamingScheme VMName -FullName "IT" -OrgName "Redacted" `
        -Domain $domainFqdn -DomainCredentials $joinCred
    }
    else {
      New-OSCustomizationSpec -Name $specName -Type NonPersistent `
        -OSType Windows -NamingScheme VMName -FullName "IT" -OrgName "Redacted"
    }
    
    # NIC(s) -> DHCP (switch to static if needed)
    Get-OSCustomizationNicMapping -OSCustomizationSpec $spec |
      ForEach-Object { Set-OSCustomizationNicMapping -OSCustomizationNicMapping $_ -IpMode UseDhcp | Out-Null }
    
    # -------- Clone (do NOT pass -NetworkName/-NumCPU/-MemoryGB here) --------
    $newVM = New-VM -Name $newName -VM $src -VMHost $targetHost -Datastore $ds -OSCustomizationSpec $spec
    
    Start-VM $newVM
    $newVM | Wait-Tools -TimeoutSeconds 900
    
    # -------- Post-boot tuning --------
    Set-VM -VM $newVM -NumCPU 4 -MemoryGB 8 -Confirm:$false
    Get-NetworkAdapter -VM $newVM | Set-NetworkAdapter -NetworkName $pg -Connected:$true -Confirm:$false
    

    Why this works (and common pitfalls)

    • Reserved variable. Cannot overwrite variable Host… appears when assigning to $host (PowerShell reserved). Use $targetHost.
    • Missing spec. Get-OSCustomizationSpec … ObjectNotFound indicates the named spec didn’t exist. The runbook creates a NonPersistent spec on the fly.
    • Ambiguous parameter set. New-VM : Parameter set cannot be resolved… occurs when mixing clone parameter -VM with -NetworkName/-NumCPU/-MemoryGB. Clone first, then adjust CPU/RAM/NIC after boot.

    Method B — Fallback: clone now, join inside the guest

    If guest customization is blocked (e.g., Tools not running, limited join rights), clone without customization, then rename/join inside the guest.

    # Clone without customization
    $src        = Get-VM -Name "WIN11-Jumpbox-2"
    $targetHost = Get-VMHost -Name "esxi-03.example.local"
    $ds         = Get-Datastore -Name "vsanDatastore"
    $newName    = "WIN11-Jumpbox-6"
    
    $newVM = New-VM -Name $newName -VM $src -VMHost $targetHost -Datastore $ds
    Start-VM $newVM
    $newVM | Wait-Tools -TimeoutSeconds 900
    
    # Rename to match VM name (inside guest)
    $localAdminCred = Get-Credential -Message "Local Administrator on the cloned VM"
    Invoke-VMScript -VM $newVM -GuestCredential $localAdminCred -ScriptType Powershell -ScriptText `
     'Rename-Computer -NewName "WIN11-Jumpbox-6" -Force; Restart-Computer -Force'
    
    $newVM | Wait-Tools -TimeoutSeconds 900
    
    # Optional domain join (inside guest)
    # Invoke-VMScript is non-interactive, so Read-Host in the guest would hang; pass the secret into the script text.
    $joinCred   = Get-Credential -UserName "corp.local\joinaccount" -Message "Domain join account"
    $joinPwd    = $joinCred.GetNetworkCredential().Password.Replace("'", "''")
    $joinScript = @(
      "`$sec  = ConvertTo-SecureString '$joinPwd' -AsPlainText -Force",
      "`$cred = New-Object System.Management.Automation.PSCredential('corp.local\joinaccount', `$sec)",
      "Add-Computer -DomainName 'corp.local' -Credential `$cred -Force -Restart"
    ) -join "`n"
    Invoke-VMScript -VM $newVM -GuestCredential $localAdminCred -ScriptType Powershell -ScriptText $joinScript
    

    Verification (quick, non-invasive)

    # Where did it land? (host, datastore, portgroup)
    Get-VM -Name "WIN11-Jumpbox-6" | Select Name,PowerState,
     @{N="Host";E={$_.VMHost.Name}},
     @{N="Datastore(s)";E={($_ | Get-Datastore).Name -join ", "}},
     @{N="PortGroup";E={(Get-NetworkAdapter -VM $_ | Select -First 1).NetworkName}}
    
    # Optional: ensure VM files are on the intended datastore
    Get-VM -Name "WIN11-Jumpbox-6" | Get-HardDisk | Select Parent,Name,FileName
    

    Post-build hygiene

    • RDP enabled; restricted to an AD group.
    • Endpoint agents (AV/EDR/RMM) register as a new device (fresh identity).
    • Patching applied; baseline GPO/Intune policies targeted; backup/monitoring added.

    Forensic addendum: errors & remediation

    • Cannot overwrite variable Host…
      Cause: attempted $host = Get-VMHost … (PowerShell reserved).
      Fix: rename the variable to $targetHost.
    • Get-OSCustomizationSpec … ObjectNotFound
      Cause: referenced a non-existent customization spec.
      Fix: create a NonPersistent spec in-line.
    • New-VM … Parameter set cannot be resolved…
      Cause: mixed -VM (clone) with create-new switches.
      Fix: keep New-VM to the clone parameter set; tune CPU/RAM/NIC after boot.

    Security & privacy guardrails

    • No real hostnames, domains, IPs, or identifying screenshots in public artifacts.
    • Least-privilege join accounts or pre-staged computer objects in AD.
    • When publishing logs, hash or redact VM names and datastore paths.
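    The third guardrail, hashing or redacting VM names and datastore paths before a transcript is published, as an added example (not part of the original runbook). Each secret is replaced by a stable salted-SHA-256 token, so the same VM gets the same token across a whole log and correlations survive while the name does not; the sample transcript and the salt are constructed here.

```powershell
# Added example: redact VM names, hosts and datastore names in a PowerCLI transcript.
# The sample lines and the salt are constructed for the demo.
function ConvertTo-RedactedLog {
    param(
        [Parameter(Mandatory)][string[]]$Lines,
        [Parameter(Mandatory)][string[]]$Secrets,   # VM names, ESXi hosts, datastore names
        [Parameter(Mandatory)][string]$Salt         # keep private; stops dictionary reversal of short names
    )
    $sha = [System.Security.Cryptography.SHA256]::Create()
    $map = @{}
    foreach ($s in $Secrets) {
        $bytes   = [Text.Encoding]::UTF8.GetBytes("$Salt|$s")
        $hex     = ([BitConverter]::ToString($sha.ComputeHash($bytes)) -replace '-').Substring(0, 8)
        $map[$s] = "REDACTED-$hex"
    }
    # Longest names first so "WIN11-Jumpbox-6" is not half-replaced by a shorter prefix.
    $ordered = $Secrets | Sort-Object Length -Descending
    foreach ($line in $Lines) {
        foreach ($s in $ordered) { $line = $line -replace [regex]::Escape($s), $map[$s] }
        # Datastore paths like [vsanDatastore] VM/VM.vmdk are covered by the name map;
        # IPv4 addresses that slipped into the transcript are blanked separately.
        $line -replace '\b\d{1,3}(\.\d{1,3}){3}\b', 'x.x.x.x'
    }
}

# Constructed sample transcript (placeholder names, as in the runbook)
$sample = @(
    'Cloning WIN11-Jumpbox-2 to WIN11-Jumpbox-6 on esxi-03.example.local',
    '[vsanDatastore] WIN11-Jumpbox-6/WIN11-Jumpbox-6.vmdk attached, guest IP 10.0.0.42'
)
ConvertTo-RedactedLog -Lines $sample -Salt 'example-salt' `
    -Secrets 'WIN11-Jumpbox-2', 'WIN11-Jumpbox-6', 'esxi-03.example.local', 'vsanDatastore'
```

    Keep the salt out of the published artifact: with it, a reader can only tell that two lines refer to the same VM, not which VM that is.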

    Summary

    Hot-cloning a Windows 11 VM in vSphere is reliable for a jump host when the process (1) allows vCenter to snapshot and clone a powered-on source, (2) applies Sysprep guest customization for a clean identity, and (3) keeps New-VM to a single parameter set. The runbook above is deterministic, quiet, and free of sensitive fingerprints.

