PowerShell regex use case

PowerShell regex use case

If you’ve ever needed to extract specific information from a log file or validate user input in a PowerShell script, you’ve probably wished for a magic tool that could do the heavy lifting. Well, that’s exactly where regular expressions (regex) come in.

Regex is one of those tools that feels intimidating at first, but once you get the hang of it, you’ll start seeing patterns everywhere. It’s like suddenly being able to read the Matrix, except instead of dodging bullets, you’re filtering out bad email addresses or pulling MAC addresses from a system log.

Why Use Regex in PowerShell?

PowerShell has built-in support for regex, making it an incredibly powerful tool for system administrators, developers, and anyone who works with structured or unstructured text. Whether you’re:

  • Validating user input (like email addresses in a script)
  • Extracting important data from logs (like MAC or IP addresses)
  • Searching for patterns in massive amounts of text

Regex allows you to do all of this with just a few carefully crafted expressions. It’s like having a Swiss Army knife for text processing.

What We’ll Cover in This Guide

In this post, we’ll walk through three practical PowerShell regex use cases:

  1. Email Addresses – How to validate email input and extract emails from a document
  2. MAC Addresses – How to validate MAC addresses and find them in logs
  3. IP Addresses – How to check if an IP is valid and pull all IPs from a file

Before we dive into these examples, we’ll go over some regex basics, including common syntax and flags that make regex so powerful. By the end, you’ll not only understand how regex works in PowerShell but also feel confident using it in your own projects.

Let’s get started!

Understanding Regex Flags and Syntax

Regular expressions might look like a confusing mess of symbols at first, kind of like trying to understand a cat’s behavior. One minute it’s purring in your lap, the next it’s knocking your coffee off the table. But once you start recognizing the patterns—like how a tail flick means back away, human—it all starts to make sense.

Regex is the same way. At first glance, it looks like a secret code of slashes, dots, and brackets. But once you learn the building blocks, you start seeing patterns everywhere, and suddenly, text manipulation in PowerShell becomes effortless. PowerShell has native support for regex, meaning you can use it to search, validate, and extract information with just a few well-placed symbols—kind of like bribing a cat with treats to do what you want.

Character Classes: Defining What to Match

Character classes allow you to specify what kind of characters should match. Instead of listing every possibility, regex provides shorthand notations.

Common Character Classes in PowerShell Regex

Character ClassDescriptionExample Match
\dMatches any digit (0-9)123 in abc123
\wMatches any word character (A-Z, a-z, 0-9, _)hello in hello_123
\sMatches any whitespace (space, tab, newline)The space in "Hello World"
.Matches any character (except newline)H or ! in "Hi!"

Example in Powershell:

"This is a test 123" -match "\d+"  # Matches "123"

Quantifiers: Controlling Repetitions

Quantifiers define how many times a pattern should repeat.

Common Quantifiers

QuantifierDescriptionExample Match
*Matches 0 or more timesaaa in "aaaaa"
+Matches 1 or more timesabc in "abc"
?Matches 0 or 1 time (optional)a in "a" or empty string
{n}Matches exactly n times333 in "333"
{n,}Matches at least n times111 in "11111"
{n,m}Matches between n and m times55 in "5555" (if {2,3})

Example in PowerShell:

"This is 55555" -match "\d{2,3}"  # Matches "555"

Anchors: Defining Position in Text

Anchors don’t match actual characters but instead define where a match should occur.

Common Anchors

AnchorDescriptionExample Match
^Matches the start of a stringHello in "Hello world"
$Matches the end of a stringworld in "Hello world"
\bMatches a word boundarycat in "cat dog" but not "scatter"

Example in PowerShell:

"This is a test" -match "^This"  # Matches "This"

Escaping Special Characters

Some characters in regex have special meanings (like . or *). If you want to match them literally, you need to escape them with a backslash \.

Common Special Characters That Need Escaping

  • . (dot) → Matches any character, so use \. to match a literal dot.
  • * (asterisk) → Use \* to match an actual asterisk.
  • ? (question mark) → Use \? to match a literal question mark.

Example in PowerShell:

"This is version 1.0.1" -match "1\.0\.1"  # Matches "1.0.1"

How to Use Regex in PowerShell

PowerShell provides multiple ways to work with regex:

  1. -match Operator – Checks if a string matches a pattern.
  2. -replace Operator – Replaces matched patterns in a string.
  3. [regex]::matches() – Extracts all matches from a string.

Example of Finding All Matches in a String:

$text = "Emails: test@example.com, admin@company.net"
$pattern = "[\w\.-]+@[\w\.-]+\.\w+"
$matches = [regex]::Matches($text, $pattern)

$matches.Value  # Outputs: test@example.com, admin@company.net

Extracting and Validating Email Addresses with PowerShell

When working with PowerShell scripts, validating user input is crucial—especially when dealing with email addresses. You don’t want users submitting "notanemail@oops" or "hello@.com" and breaking your workflow. Thankfully, regex makes it easy to verify if an email address is properly formatted and even extract all emails from a document.

Before we get into validating and extracting emails, let’s break down the regex pattern that makes it all work.

Breaking Down the Email Regex

Email validation might seem simple at first—just look for an “@” symbol, right? But things get complicated fast. A valid email address follows these rules:

  1. A username section, which can include letters, numbers, dots, dashes, and underscores.
  2. An “@” symbol separating the username from the domain.
  3. A domain name that includes letters and numbers.
  4. A top-level domain (TLD) like .com, .net, .org, etc.

A regex pattern that matches most valid email addresses looks like this:

[\w\.-]+@[\w\.-]+\.\w+

Let’s break it down piece by piece:

Username Section: [\w\.-]+

  • \w → Matches letters, numbers, and underscores (a-z, A-Z, 0-9, _).
  • . and - → Allows dots and dashes in the username.
  • + → Ensures one or more of these characters exist.

“@” Symbol: @

  • The @ is a literal character—every valid email must have it.

Domain Name: [\w\.-]+

  • Just like the username, the domain allows letters, numbers, dots, and dashes.

Top-Level Domain (TLD): \.\w+

  • \. → Matches a literal dot before the TLD.
  • \w+ → Ensures at least one letter (like .com or .net).

Example Matches:

  • user@example.com
  • john.doe123@company.co.uk
  • admin-test@my-site.net

Invalid Matches:

  • @example.com (No username)
  • user@.com (Invalid domain name)
  • user@domain (No TLD)

This regex is great for general email validation, but in PowerShell, we need to apply it properly. Next, we’ll use this pattern in a ValidateSet to enforce correct email input in scripts.

Using Regex for PowerShell ValidateSet

PowerShell has built-in ways to enforce valid input in scripts, and one way to do this is by using regex inside a function. The function below checks if an email matches our regex pattern. If it’s valid, it returns $true; if not, it gives a reason why.

PowerShell Email Validation Function

function Test-EmailAddress {
    param (
        [string]$Email
    )

    $pattern = "^[\w\.-]+@[\w\.-]+\.\w+$"

    if (-not $Email) {
        return "False - No email provided."
    }

    if ($Email -match $pattern) {
        return "True"
    }
    
    # Now let's figure out why it failed  
    if ($Email -notmatch "@") {
        return "False - Missing '@' symbol."
    }
    
    if ($Email -match "@\." -or $Email -match "@$") {
        return "False - Invalid placement of '@' or '.'"
    }

    if ($Email -notmatch "\.\w+$") {
        return "False - Missing top-level domain (e.g., .com, .net)."
    }

    return "False - Invalid email format."
}

How It Works

  1. Checks if an email is provided – If the input is empty, it immediately returns a failure message.
  2. Validates using regex – If the input matches the regex pattern, it returns True.
  3. Identifies why the email is invalid – It checks for common issues like missing @, misplaced dots, or a missing TLD.

This function is useful for scripts that require valid emails before proceeding. Next, we’ll explore how to extract all emails from a document using regex!

Finding All Email Addresses in a Document

If you’re working with logs, reports, or any large text files, regex is your best friend for extracting structured data like email addresses. Instead of manually scanning through lines of text, PowerShell can do the heavy lifting in seconds.

Here’s a script that:

  1. Reads a file line by line.
  2. Uses regex to find all email addresses.
  3. Outputs the results to the console (or optionally saves them to another file).

PowerShell Script to Extract Emails from a File

function Get-EmailAddressesFromFile {
    param (
        [string]$FilePath
    )

    if (-not (Test-Path $FilePath)) {
        Write-Host "Error: File not found at path: $FilePath"
        return
    }

    $pattern = "[\w\.-]+@[\w\.-]+\.\w+"
    $emails = @()

    Get-Content $FilePath | ForEach-Object {
        $matches = [regex]::Matches($_, $pattern)
        if ($matches.Count -gt 0) {
            $emails += $matches.Value
        }
    }

    if ($emails.Count -eq 0) {
        Write-Host "No email addresses found in the file."
    } else {
        Write-Host "Found $($emails.Count) email addresses:"
        $emails | Sort-Object -Unique
    }
}

# **Example Usage**
Get-EmailAddressesFromFile -FilePath "C:\path\to\your\file.txt"

How It Works

  1. Checks if the file exists – Avoids errors if the file path is incorrect.
  2. Reads the file line by line – Prevents loading large files into memory at once.
  3. Uses regex to find emails – Looks for matches in each line.
  4. Stores and displays unique results – Avoids duplicates and outputs all found emails.

Example File (C:\path\to\your\file.txt)

Hello John, please contact us at support@example.com.
You can also reach admin@company.net for further assistance.
But we dont want to see a snail@the white house. 
However, we might @ your friend .com
How about a cheesecake@cheesecakefactory.com?

Script Output

Found 3 email addresses:
admin@company.net
cheesecake@cheesecakefactory.com
support@example.com

This script is super useful for extracting emails from logs, reports, or even messy text files. Next up, we’ll apply these same techniques to MAC addresses!

Extracting and Validating MAC Addresses with PowerShell

MAC addresses (Media Access Control addresses) are unique hardware identifiers assigned to network interfaces. If you’re dealing with network logs, device configurations, or security audits, you may need to validate or extract MAC addresses.

A valid MAC address follows one of these formats:

  • Colon-separated: 00:1A:2B:3C:4D:5E
  • Hyphen-separated: 00-1A-2B-3C-4D-5E
  • No separator: 001A2B3C4D5E

But Cisco devices often use a dot-separated format:

  • Cisco-style: 001A.2B3C.4D5E

Now, let’s break down the regex pattern that will help us match MAC addresses.

Breaking Down the MAC Address Regex

MAC addresses consist of six groups of two hexadecimal digits (0-9 and A-F), separated by colons, hyphens, or nothing at all. Here’s a regex pattern that matches all common formats:

([A-Fa-f0-9]{2}[:-]?){5}[A-Fa-f0-9]{2}|([A-Fa-f0-9]{4}\.){2}[A-Fa-f0-9]{4}

Breaking It Down

  1. First Half: Standard MAC Formats
    • ([A-Fa-f0-9]{2}[:-]?){5}[A-Fa-f0-9]{2} → Matches colon, hyphen, or no separator formats.
  2. Second Half: Cisco’s Dot-Format
    • ([A-Fa-f0-9]{4}\.){2}[A-Fa-f0-9]{4} → Matches two groups of four hex digits separated by dots.

Example Matches:

  • 00:1A:2B:3C:4D:5E
  • 00-1A-2B-3C-4D-5E
  • 001A2B3C4D5E
  • 001A.2B3C.4D5E (Cisco format!)

Invalid Matches:

  • 00:1A:2B:3C:4D (Only five pairs)
  • 00:1G:2B:3C:4D:5E (Invalid hex digit G)
  • 00::1A:2B:3C:4D:5E (Double colon is not valid)

Using Regex for PowerShell ValidateSet (Including Cisco Format)

We’ll now create a PowerShell function that checks if a given MAC address is valid. If it’s valid, it returns True; if not, it returns False with a reason why.

Updated PowerShell MAC Address Validation Function

function Test-MacAddress {
    param (
        [string]$MacAddress
    )

    $pattern = "^([A-Fa-f0-9]{2}[:-]?){5}[A-Fa-f0-9]{2}$|^([A-Fa-f0-9]{4}\.){2}[A-Fa-f0-9]{4}$"

    if (-not $MacAddress) {
        return "False - No MAC address provided."
    }

    if ($MacAddress -match $pattern) {
        return "True"
    }

    # Identify why it failed
    if ($MacAddress -notmatch "^[A-Fa-f0-9]+$" -and $MacAddress -notmatch "[:-\.]") {
        return "False - Contains invalid characters."
    }

    if ($MacAddress -notmatch "([A-Fa-f0-9]{2}[:-]?){5}[A-Fa-f0-9]{2}" -and $MacAddress -notmatch "([A-Fa-f0-9]{4}\.){2}[A-Fa-f0-9]{4}") {
        return "False - Incorrect format. Should be XX:XX:XX:XX:XX:XX, XX-XX-XX-XX-XX-XX, XXXXXXXX, or XXXX.XXXX.XXXX (Cisco)."
    }

    return "False - Invalid MAC address format."
}

How It Works

  1. Checks if a MAC address is provided – Ensures input isn’t empty.
  2. Uses regex for validation – If the input matches the pattern, it’s valid.
  3. Identifies specific errors – Helps users understand why an input is invalid.

Now that we can validate a single MAC address, let’s move on to extracting all MAC addresses from a file!

Finding All MAC Addresses in a Document

This next script scans a file and extracts all MAC addresses using regex. It works just like our email extraction script, but with a MAC address pattern.

PowerShell Script to Extract MAC Addresses from a File

function Get-MacAddressesFromFile {
    param (
        [string]$FilePath
    )

    if (-not (Test-Path $FilePath)) {
        Write-Host "Error: File not found at path: $FilePath"
        return
    }

    $pattern = "([A-Fa-f0-9]{2}[:-]?){5}[A-Fa-f0-9]{2}|([A-Fa-f0-9]{4}\.){2}[A-Fa-f0-9]{4}"
    $macAddresses = @()

    Get-Content $FilePath | ForEach-Object {
        $matches = [regex]::Matches($_, $pattern)
        if ($matches.Count -gt 0) {
            $macAddresses += $matches.Value
        }
    }

    if ($macAddresses.Count -eq 0) {
        Write-Host "No MAC addresses found in the file."
    } else {
        Write-Host "Found $($macAddresses.Count) MAC addresses:"
        $macAddresses | Sort-Object -Unique
    }
}

# **Example Usage**
Get-MacAddressesFromFile -FilePath "C:\path\to\your\file.txt"

How It Works

  1. Checks if the file exists – Prevents errors if the file path is wrong.
  2. Reads the file line by line – Efficient for large files.
  3. Uses regex to extract MAC addresses – Searches each line for matches.
  4. Stores and displays unique results – Removes duplicate addresses for cleaner output.

Example File (C:\path\to\your\file.txt)

Device 1: 00:1A:2B:3C:4D:5E  
Device 2: 00-1A-2B-3C-4D-5E  
Cisco Router: 001A.2B3C.4D5E  
Error Log: Invalid MAC -> 00:1A:2B:3G:4D:5E  

Script Output

Found 3 MAC addresses:
00:1A:2B:3C:4D:5E
00-1A-2B-3C-4D-5E
001A.2B3C.4D5E

This script is super useful for network admins who need to extract MAC addresses from logs or reports. Next up, we’ll do the same for IP addresses!

Extracting and Validating IP Addresses with PowerShell

IP addresses are everywhere—logs, configs, audit reports—you name it. If you’re working with networking or security, you’ll often need to validate or extract IPs from text files.

We’re going to cover IPv4 and IPv6, because while IPv4 is still dominant, IPv6 is becoming more common.

What Makes an IP Address Valid?

IPv4 Format

  • Consists of four octets (groups of numbers) separated by dots: 192.168.1.1
  • Each octet must be between 0 and 255

IPv6 Format

  • Consists of eight groups of hexadecimal numbers (0-9, A-F), separated by colons: 2001:0db8:85a3:0000:0000:8a2e:0370:7334
  • Can contain compressed notation (e.g., :: represents consecutive zero blocks)

Breaking Down the IP Address Regex

To match both IPv4 and IPv6, we’ll use two separate regex patterns.

IPv4 Regex Pattern

\b((25[0-5]|2[0-4][0-9]|1[0-9]{2}|[1-9]?[0-9])\.){3}(25[0-5]|2[0-4][0-9]|1[0-9]{2}|[1-9]?[0-9])\b

Breaking It Down

  • 25[0-5] → Matches 250-255
  • 2[0-4][0-9] → Matches 200-249
  • 1[0-9]{2} → Matches 100-199
  • [1-9]?[0-9] → Matches 0-99
  • \. → Ensures each octet is separated by a dot
  • {3} → Ensures exactly three dots appear

IPv6 Regex Pattern

\b([A-Fa-f0-9]{1,4}:){7}[A-Fa-f0-9]{1,4}\b

Breaking It Down

  • [A-Fa-f0-9]{1,4} → Matches hexadecimal numbers (1-4 digits)
  • : → Ensures each section is separated by a colon
  • {7} → Ensures exactly seven colons appear

⚠️ This regex does not handle compressed IPv6 addresses (::), but we’ll take care of that in PowerShell logic!

Using Regex for PowerShell ValidateSet

Now, let’s create a PowerShell function to validate both IPv4 and IPv6 addresses.

PowerShell IP Address Validation Function

function Test-IPAddress {
    param (
        [string]$IPAddress
    )

    $ipv4Pattern = "^(25[0-5]|2[0-4][0-9]|1[0-9]{2}|[1-9]?[0-9])(\.(25[0-5]|2[0-4][0-9]|1[0-9]{2}|[1-9]?[0-9])){3}$"
    $ipv6Pattern = "^([A-Fa-f0-9]{1,4}:){7}[A-Fa-f0-9]{1,4}$"

    if (-not $IPAddress) {
        return "False - No IP address provided."
    }

    if ($IPAddress -match $ipv4Pattern) {
        return "True (IPv4)"
    }

    if ($IPAddress -match $ipv6Pattern -or $IPAddress -match "^(::|([A-Fa-f0-9]{1,4}:){1,6}:?([A-Fa-f0-9]{1,4})?)$") {
        return "True (IPv6)"
    }

    return "False - Invalid IP address format."
}

How It Works

  1. Checks for input – Ensures an IP address was provided.
  2. Matches against IPv4 regex – If valid, returns True (IPv4).
  3. Matches against IPv6 regex – If valid, returns True (IPv6).
  4. Handles compressed IPv6 (::) – Using additional PowerShell logic.
  5. Returns an error if invalid – Helps troubleshoot incorrect formats.

Now, let’s move on to extracting all IPs from a document!

Finding All IP Addresses in a Document

This script scans a file and extracts all IPv4 and IPv6 addresses.

PowerShell Script to Extract IP Addresses from a File

function Get-IPAddressesFromFile {
    param (
        [string]$FilePath
    )

    if (-not (Test-Path $FilePath)) {
        Write-Host "Error: File not found at path: $FilePath"
        return
    }

    $ipv4Pattern = "\b((25[0-5]|2[0-4][0-9]|1[0-9]{2}|[1-9]?[0-9])\.){3}(25[0-5]|2[0-4][0-9]|1[0-9]{2}|[1-9]?[0-9])\b"
    $ipv6Pattern = "\b([A-Fa-f0-9]{1,4}:){1,7}[A-Fa-f0-9]{1,4}\b"
    $ipAddresses = @()

    Get-Content $FilePath | ForEach-Object {
        $matchesIPv4 = [regex]::Matches($_, $ipv4Pattern)
        $matchesIPv6 = [regex]::Matches($_, $ipv6Pattern)

        if ($matchesIPv4.Count -gt 0) {
            $ipAddresses += $matchesIPv4.Value
        }
        if ($matchesIPv6.Count -gt 0) {
            $ipAddresses += $matchesIPv6.Value
        }
    }

    if ($ipAddresses.Count -eq 0) {
        Write-Host "No IP addresses found in the file."
    } else {
        Write-Host "Found $($ipAddresses.Count) IP addresses:"
        $ipAddresses | Sort-Object -Unique
    }
}

Example File (C:\path\to\your\file.txt)

Server 1: 192.168.1.1  
Server 2: 255.255.255.255  
Router: 2001:db8:85a3::8a2e:370:7334  
Log Entry: Invalid IP -> 999.999.999.999  

Script Output

Found 3 IP addresses:
192.168.1.1
255.255.255.255
2001:db8:85a3::8a2e:370:7334

Regex Exploration in PowerShell

At this point, you’ve seen how regex can validate, extract, and manipulate data in PowerShell. Whether it’s emails, MAC addresses (including Cisco formats), or IPs (both IPv4 and IPv6), you now have practical tools to handle real-world scenarios.

Why Keep Learning Regex?

Regex is one of those skills that pays off the more you use it. The same way a system admin gets better at troubleshooting networks over time, you’ll get faster at spotting patterns and writing efficient expressions.

Here are some great ways to keep sharpening your regex skills:

  • Practice on Real Logs – Take a firewall log, an Apache log, or an email report and extract useful data.
  • Use Online Regex Tools – Websites like regex101.com let you test regex patterns with real-time explanations.
  • Experiment with PowerShell – Try using -match, -replace, and [regex]::Matches() in your daily scripts.
  • Challenge Yourself – Create a script that finds phone numbers, dates, or even URLs in a document.
  • Accept Growth – A few years ago, I wrote SHD – Set Mac Structure – The Random Admin, and I am glad to say I have grown a lot since then. It feels good.

Final Thought

Regex is a skill, not magic. It may look complex at first, but like learning any new language, it becomes second nature with practice. The best way to improve? Find a problem and solve it with regex.

So, what’s your next PowerShell regex use case going to be?

What can we learn as a person today?

When a script fails, we don’t just throw our hands up and quit—we debug it. We check the logs, isolate the issue, and find a fix. But when our own minds start feeling overwhelmed, anxious, or burned out, we often just push through, hoping the problem resolves itself. What if we approached our mental health like we approach troubleshooting code? Debugging isn’t just for PowerShell scripts—it can work for stress, too.

Find the errors

The first step in debugging stress is identifying the error messages. In IT, a recurring issue in the logs might mean something deeper is wrong, and the same goes for mental health. Are you feeling exhausted every morning? Snapping at coworkers over small things? Losing focus even on tasks you usually enjoy? These could be your mind’s version of Event ID 1000: Application Crash. Instead of ignoring the warning signs, acknowledge them—just like you would in a system check.

Analyze the variables

Next, we analyze the variables. Just like a misconfigured setting can break a script, small changes in your routine can make or break your mental well-being. Are you sleeping enough? Eating well? Taking breaks? IT professionals are notorious for skipping meals, working through exhaustion, and staying up late chasing down problems. But just like an unstable system needs a reboot, your brain needs rest. Run a self-check—what’s missing from your routine that could improve stability?

Implement something

Finally, implement a fix and test the results. Maybe you start with a simple -replace—swapping out caffeine overload for proper hydration or scheduling actual breaks instead of “just five more minutes.” Maybe you automate self-care reminders, like setting a PowerShell script to remind you every hour to step away from the screen. And if the issue persists? Just like with a stubborn bug, escalate it—talk to a friend, mentor, or even a therapist. There’s no shame in calling in extra support when needed.

In IT, we don’t assume things will “just work”—we test, refine, and optimize. Treat your mental health the same way. Debug your stress, adjust your variables, and don’t be afraid to run an upgrade on your self-care routine. The best systems run smoothly when properly maintained—and that includes you.

CG-NATed Home lab

CG-NATed Home lab

Recently I switched ISP providers. The one I was using started the price increase game. We picked up the ISP while it was $70 per month for 1 GB. They are the only physical line provider in my town. The town has a law that “beautifies” the power lines. This means only one ISP with cables is allowed to use them. They also have a digging bill. It was designed by a corrupt city council to keep this one ISP as the primary provider. Well, this ISP has started their price walking. They start off with $10 fines here and there. Finally, it reaches $200 after a year for 1 GB. For years, the only other option has been HughesNet. Thankfully, T-Mobile has stepped in. However, they are CG-Nated and a home lab is hard to work with.

CG-NAT

Most people don’t know what CG-NAT is and how ugly it can get. Carrier-grade NAT is where the carrier places you inside a natted bubble. This saves IP addresses. You are essentially part of a nested network. It’s all nated inside each other. It tends to be standard to have your own network, then the carriers, then the public. So while you can reach therandomadmin.com with a public IP address, you can’t reach my home network with one. CGNs do not allow for port forwarding. These networks are ideal for simple plug-and-play networks. However, they are sad for us IT home lab people.

There is a ray of hope with these types of networks. VPN over SSL. This can be done via WireGuard and other VPN software. The thing to remember is you need an external, public-facing device. That’s where Oracle comes into play. Remember in my blog about free WordPress, we built an Oracle Cloud server. We are going to use this beast to get around our CG-NAT issue and open some of our services to the world. This makes a CG-NATed home lab really hard to work with, but we have magic on our side.

The Magical Connections

Ok, so we are going to use our Oracle Cloud server and combine it with our Tailscale network. Our Oracle Cloud server already has an Apache server on it. All we have to do is enable the reverse proxy settings on it.

sudo a2enmod proxy
sudo a2enmod proxy_http
sudo a2enmod headers
sudo systemctl reload apache2

Now we need to take our Tailscale network and make some reverse proxies. We are going to be doing the Docker world this time around. You can read about setting up your Docker in WordPress here. Once you have your Docker setup on your home lab server, take note of the IP address and the port number of that Docker. Please ensure you can access it locally before proceeding with any other tasks. With this first step, our CG-NATed home lab is going public.

DNS

The next part is important. I use Namecheap DNS. What you need to do is set the DNS to the Oracle host. For my example, I am pointing to therandomadmin.com host IP address for it.dpb.one. DNS can take some time to populate as well. A good rule of thumb I follow is, if you can’t ping it and get the IP address you want, wait.

Reverse Proxy

Now we will make our reverse proxy on the Apache side. First you will need to make the conf file inside your site’s available location.

sudo nano /etc/apache2/sites-available/it.dpb.one.conf

The above command will create the file and drop you into the nano prompt. This is a configuration file for one of my home lab devices. I want you to read over this file.

<VirtualHost *:80>
    ServerName it.dpb.one

    ProxyPreserveHost On

    # Point directly to lab app's port (9000 in this example)
    ProxyPass / http://100.104.5.106:9000/
    ProxyPassReverse / http://100.104.5.106:9000/

    RequestHeader set X-Forwarded-Proto "http"
    RequestHeader set X-Forwarded-For "%{REMOTE_ADDR}s"

    ErrorLog ${APACHE_LOG_DIR}/it.dpb.one-error.log
    CustomLog ${APACHE_LOG_DIR}/it.dpb.one-access.log combined
</VirtualHost>

breaking it down

Just like any other virtual host, we are starting off with our tags. Then we have the name of the server. So, when DNS points the it.dpb.one to the IP address. Apache will be like, I know this. It knows it’s a reverse proxy because it sees that Proxy Preserve Host on. Then it grabs the proxypass and the proxy return pass. This is where we want to put the IP addresses.

    ProxyPass / http://100.104.5.106:9000/
    ProxyPassReverse / http://100.104.5.106:9000/

Notice this line: ProxyPass / This / is important. If you want to make a subdirectory, this is where you would place it. So, let’s say I wanted it.dpb.one/nextcloud to point to another server that hosts my Nextcloud; that is where I would place it. The next part will be the inside of your network. Notice the IP address is the Tailscale IP address.

    RequestHeader set X-Forwarded-Proto "http"
    RequestHeader set X-Forwarded-For "%{REMOTE_ADDR}s"

The next two lines are for custom items. The first tells us we are using HTTP. So the requests internally are HTTP. You can set this to HTTPS if you like. However, you will get cert errors. The second line is to pass the remote user’s IP address and not the host’s to the machine in question. If you don’t want the user’s IP address to hit your machine, then leave this line out. While the final two lines are for logging.

Now run the next two commands; the first is to enable the conf file, and the final is to load it into the Apache system.

sudo a2ensite it.dpb.one.conf
sudo systemctl reload apache2

Certbot

Finally, we like having SSL on things. I feel like if you are not using an SSL on a site, something is wrong with you. SSLs are free thanks to Certbot and the Electronic Frontier Foundation. Please donate to these people as they are doing great work. So on the Oracle Cloud server, you can run the certbot command for the domain. If you don’t have Certbot installed, here are some nice instructions.

sudo certbot --apache -d it.dpb.one

Once you have the cert setup, you will notice another file is created inside your sites-available location. Everything else is done for you at this point. Now you can access the website from the remote world. You can’t, however, access SSH remotely. This is a good protection. But, but, Random, I want to access my home lab via SSH.

Setting up SSH Jump Box

So, you want to be able to type ssh and your site’s name and go straight to your home lab. Here is what I have to say: don’t. Years of experience tell me this is a bad idea.

However, what you can do is SSH into the Oracle Cloud, then SSH into the Tailscale box. Your Oracle Cloud is your jump box now. It’s best to keep it that way for security. What’s amazing about Tailscale is if you have it on your PC, you can access your machines via the Tailscale IP address with SSH. If you don’t, just use the Oracle Cloud’s SSH.

Warnings

A CG-NATed home lab is much slower than a regular home lab. The reason why is you are going in and out of that Tailscale network over and over again. It slows things down. It gets much slower when you add the SSL. The first time you connect to it, it takes a good 10 seconds to load because it’s grabbing all of that information. So don’t use it for the following:

  • Gaming
  • Plex/Jellyfin
  • audiobooks

All of those take up large amounts of data. It’s not worth the effort. Your Plex will work locally inside your home network. You may need a DHCP box of some sort; other than that, you are good to go.

What can we learn as a person

While cutting my grass, I noticed that the grass was growing through the asphalt. A little dandelion. I like these flowers, as they make great tea. It was growing through that hard rock. While the others were growing in the grass. This little weed grew and became a beautiful yellow flower. In the plant world, if it didn’t make it through the rock, it would have died. Often times we see these “weeds” growing through these rocks, like concrete. I love seeing a dandelion growing through a concrete slab. It takes advantage of the cracks in the stone and shines.

Often times people face hardships and stop growing. These people don’t make it a habit to find a way around those hardships. Those systems that are in place to keep us locked down. For years women in the science community have been like this. They are beautiful dandelions who have brought so much to this world, but because of their physical gender, many of their discoveries were taken credit for by men. However, when you see one who gets the credit, they shine. The asphalt is the systems we are born into. The hardships we have to face. No one sees those hardships unless they look for them. It’s not part of human nature yet to look for them.

So, if you ever see someone and think, They should be farther along than they are, what hardships did they face, and how much of a dandelion are they? The same is true for those who are shining. There is a story behind everyone, and to explore that story is to find connection and community. With community we can find real joy. We are social creatures, and we all have our own unique stories. Maybe it’s time for us to share more of it with each other.

Additional Resources

Automate Windows 11 Upgrade

Automate Windows 11 Upgrade

Upgrading Windows 11 across multiple machines is one of those tasks that sounds simple—until you realize you need to manually download the ISO, mount it, and run the upgrade for every single computer. If you’re managing a fleet of devices, that’s a lot of clicking and waiting. Thankfully, PowerShell can help automate this process, saving IT admins from hours of repetitive work. So today, we will Automate Windows 11 Upgrade with PowerShell.

But before we jump in, there’s one crucial step: Microsoft requires you to manually generate the download link for the Windows 11 ISO. That’s right—no direct API calls or magic URLs here. You’ll need to visit the Microsoft website and grab the link yourself. Don’t worry, we’ll walk you through that part.

And hey, if you’re wondering why Microsoft makes you do this manually… well, let’s just say it’s like trying to convince a cat to use the expensive bed you bought instead of the random cardboard box it found in the corner. Some things just don’t make sense, but we roll with it anyway.

Alright, let’s dive in! First up: generating that all-important download link.

The Script

Write-Host "Go to: https://www.microsoft.com/en-us/software-download/windows11"
Write-Host "Select Windows 11 (multi-edition ISO for x64 devices)"
Write-Host "Click Download"
Write-Host "Select English (United States)"
Write-Host "Click Confirm"
Write-Host "Right Click '64-bit Download' and click 'Copy link'"

$DownloadURL = Read-Host "Enter the Windows 11 ISO download link (in quotes)"
$ComputerName = Read-Host "Enter the target Computer Name"

# Check if the computer is online
if ($null -ne (Test-Connection -ComputerName $ComputerName -Count 1 -Quiet)) {  
    
    # Start a remote PowerShell session
    Enter-PSSession -ComputerName $ComputerName  
    
    # Ensure C:\temp exists
    if (!(Test-Path C:\temp)) {New-Item -Path C:\ -Name temp -ItemType Directory -Force}  

    # Set download path
    $DownloadPath = "C:\temp\win11.iso"

    # Download Windows 11 ISO
    Invoke-WebRequest -Uri $DownloadURL -OutFile $DownloadPath  

    # Mount the ISO
    $DiskImage = Mount-DiskImage -ImagePath $DownloadPath -StorageType ISO -NoDriveLetter -PassThru  
    $ISOPath = (Get-Volume -DiskImage $DiskImage).UniqueId

    # Create a PSDrive for the mounted ISO
    New-PSDrive -Name ISOFile -PSProvider FileSystem -Root $ISOPath  
    Push-Location ISOFile:

    # Find and run Setup.exe with upgrade parameters
    $SetupExe = (Get-ChildItem | Where-Object {$_.Name -like "*Setup.exe*"}).FullName  
    $Arguments = "/auto upgrade /DynamicUpdate Disable /quiet /eula accept /noreboot"  
    Start-Process -Wait -FilePath $SetupExe -ArgumentList "$Arguments" -PassThru  

    # Clean up: Unmount ISO and remove PSDrive  
    Pop-Location  
    Remove-PSDrive ISOFile  
    Dismount-DiskImage -DevicePath $DiskImage.DevicePath  

    # Ask for a restart decision  
    $YN = Read-Host "Do you want to restart? (Y/N)"  
    if ($YN -like "*Y*") {Restart-Computer -Force}  
    elseif ($YN -like "*N*") {Write-Host "Ask the user to restart."}  
    else {Write-Host "Ok, whatever, ask the user to restart."}  

} else {  
    Write-Host "The target computer is not reachable. Check the network or hostname and try again."  
}

Step 1: Generate the Windows 11 ISO Download Link

Before we can automate the upgrade, we need the direct download link for the Windows 11 ISO. Microsoft doesn’t make this easy—there’s no simple API to fetch it. Instead, you have to manually grab the link from their website.

This step is non-negotiable because Microsoft generates a unique download link each time, which expires after 24 hours. So if you’re thinking, “Can’t I just reuse an old link?”—nope, Microsoft shut that door. But don’t worry, it’s a quick process:

How to Get the Windows 11 Download Link

  1. Go to the official Microsoft download page:
  2. Scroll down to ‘Download Windows 11 Disk Image (ISO)’
    • Select Windows 11 (multi-edition ISO for x64 devices) from the dropdown.
  3. Click ‘Download’ and select English (United States) as the language.
  4. Click ‘Confirm’—Microsoft will generate a download button.
  5. Right-click ‘64-bit Download’ and select ‘Copy link’ (This is the direct ISO link).

You’ll need this URL when running the PowerShell script, so paste it somewhere handy.

Now that we have the link, let’s move on to running the script!

Step 2: Running the PowerShell Script

Alright, you’ve got your Windows 11 ISO download link. Now it’s time to run the PowerShell script and start the upgrade. But before we do that, let’s talk about remote execution. This is part of the process to Automate Windows 11 Upgrade with PowerShell.

PowerShell remoting (aka WinRM) needs to be enabled on the target machine. If you’ve never set it up before, it’s kind of like getting a cat to sit still for a vet visit—it might resist at first, but once it’s done, life is easier.

Prerequisites for Running the Script

Make sure the following are true before running the script:

  • Your user account has admin privileges on both the local and remote machine.
  • WinRM (Windows Remote Management) is enabled on the target machine. Run this command on the remote PC to check:
winrm quickconfig

If WinRM isn’t enabled, you’ll need to set it up first.

  • PowerShell Execution Policy allows scripts to run. If needed, you can temporarily bypass restrictions with:
Set-ExecutionPolicy Bypass -Scope Process -Force

Running the Script

Once the prerequisites are in place, open PowerShell as Administrator on your local machine and run the script. When prompted:

  1. Paste the Windows 11 ISO download link (from Step 1).
  2. Enter the target computer’s name (the one you want to upgrade).

If all goes well, PowerShell will initiate a remote session, create a C:\temp folder, and start downloading the ISO to the remote machine.

Just like how a cat will eventually use the new bed if you keep putting treats in it, the script will do its job—as long as everything is set up correctly.

Next up: Downloading and Mounting the ISO!

Step 3: Downloading and Mounting the ISO

At this point, the PowerShell script is running, and the target computer is ready. Now comes the fun part—actually downloading and mounting the Windows 11 ISO.

If you’ve ever tried downloading a large file over a shaky network, you know it can be as frustrating as a cat deciding to sprint across the house at 3 AM for no reason. But don’t worry, the script handles it all automatically.

How the Script Handles the Download

Once you enter the download link and the computer name, the script:

  1. Creates a C:\temp folder (if it doesn’t already exist).
  2. Uses Invoke-WebRequest to download the ISO to C:\temp\win11.iso.

Here’s the key part of the script doing the work:

if (!(Test-Path C:\temp)) {New-Item -Path c:\ -Name temp -ItemType Directory -Force}  
$DownloadPath = "C:\temp\win11.iso"  
Invoke-WebRequest -Uri $DownloadURL -OutFile $DownloadPath

Mounting the ISO

Once the ISO is downloaded, PowerShell mounts it like a virtual disk, allowing access to the installation files.

$DiskImage = Mount-DiskImage -ImagePath $DownloadPath -StorageType ISO -NoDriveLetter -PassThru  
New-PSDrive -Name ISOFile -PSProvider FileSystem -Root (Get-Volume -DiskImage $DiskImage).UniqueId  
Push-Location ISOFile:

At this point, the Windows 11 setup files are accessible.

If you check File Explorer on the target computer, you should see a new virtual drive containing the ISO contents—like when a cat suddenly appears on your keyboard, except this time, it’s actually doing something useful.

Now that we have the ISO mounted, it’s time for the real action: starting the upgrade!

Step 4: Starting the Upgrade Process

Alright, the ISO is mounted, and we’re at the final stretch—actually running the Windows 11 upgrade. If everything has gone smoothly so far, congratulations! You’re officially ahead of the game.

Now, instead of manually clicking through the Windows setup (which is about as exciting as watching a cat stare at a wall for hours), PowerShell will automate the upgrade process using Setup.exe and a few command-line arguments.

Finding and Running Setup.exe

Since we mounted the ISO in the previous step, we now need to:

  1. Find Setup.exe inside the mounted ISO
  2. Run it with automation flags to start the upgrade silently

The script takes care of that with:

$FileList = Get-ChildItem  
$SetupExe = ($FileList | Where-Object {$_.name -like "*Setup.exe*"}).FullName  
$Arguments = "/auto upgrade /DynamicUpdate Disable /quiet /eula accept /noreboot"  
Start-Process -Wait -FilePath $SetupExe -ArgumentList "$Arguments" -PassThru 

Breaking Down the Command-Line Arguments

Here’s what each flag does when running Setup.exe:

  • /auto upgrade → Tells Windows to start an upgrade instead of a fresh install.
  • /DynamicUpdate Disable → Skips downloading the latest updates during the install (useful for speeding things up).
  • /quiet → Runs the installer in the background, so no annoying pop-ups.
  • /eula accept → Automatically accepts Microsoft’s End User License Agreement (because let’s be real, no one reads it).
  • /noreboot → Prevents an automatic restart so we can control when it happens.

What Happens Next?

Once this runs, the Windows 11 upgrade process kicks off in the background. There won’t be any flashy UI—just PowerShell doing its thing. You can check progress by looking at Task Manager on the target machine.

At this point, it’s like when a cat finally decides to nap on that expensive bed instead of the cardboard box—you’ve done all the hard work, and now it just has to finish on its own.

But there’s one last decision to make: When do we restart?

How are we feeling about Automate Windows 11 Upgrade with PowerShell so far?

Step 5: Restarting the Machine

At this point, the Windows 11 upgrade is in motion, but the installation won’t complete until the target machine restarts. Now, we could just force a reboot, but let’s be real—no one likes unexpected restarts (especially end users in the middle of something important).

So, instead of pulling the plug immediately, the script politely asks whether to restart now or later. Here’s how that works:

$YN = Read-Host "Do you want to restart"  

if ($YN -like "*Y*") {  
    Restart-Computer -Force  
} elseif ($YN -like "*N*") {  
    Write-Host "Ask the user to restart"  
} else {  
    Write-Host "Ok, whatever, ask the user to restart."  
}  

Breaking It Down

  • If the admin enters Y → The system restarts immediately.
  • If the admin enters N → A message reminds them to tell the user to restart manually.
  • If they enter anything else → The script shrugs and tells them to figure it out.

This gives IT teams a bit of flexibility, which is crucial in environments where timing matters—like avoiding a forced reboot during an important meeting (unless it’s for that one guy who never restarts his PC… then maybe it’s justified).

What Happens After Restart?

Once the machine reboots, Windows 11 will finish the upgrade process. The whole thing usually takes 30-90 minutes depending on the hardware. During this time, users will see the “Working on updates” screen—so if they call asking why their PC is taking forever, just tell them “It’s optimizing performance” (it sounds fancier than “it’s just installing”).

Final Thoughts

And that’s it! With this script, you can automate Windows 11 upgrades remotely with minimal effort. No more manual downloads, no more sitting through setup screens—just a smooth, scripted process. To Automate Windows 11 Upgrade with PowerShell makes life much easier.

Recap of the key steps:

  • Generate the ISO link manually from Microsoft’s website (because they make us).
  • Run the PowerShell script and provide the ISO link + target computer name.
  • Download and mount the ISO automatically.
  • Start the Windows 11 upgrade silently using Setup.exe.
  • Decide when to restart—now or later.

Now, go forth and upgrade with confidence! And if anything goes wrong, well… let’s just say this script is less stubborn than a cat, so it’s probably not the script’s fault.

What can we learn as a person?

Upgrading an operating system is a big change, but it’s the small steps that make it happen. You don’t just magically jump to Windows 11—first, you grab the ISO, then you run the script, then you mount the image, and finally, the upgrade takes place. One step at a time.

Turns out, our mental health works the same way.

A lot of us get caught up in the idea that improving our mood or reducing stress requires some huge effort—taking a long vacation, completely overhauling our routines, or mastering meditation overnight. But that’s just not how it works. Big upgrades don’t happen all at once.

Instead, try small upgrades for yourself, just like how we upgrade Windows in steps:

  • Clear out junk files → Declutter one small space
    • Just like a clean drive helps performance, tidying up one small area can help clear your mind.
  • Run a quick system check → Check in with yourself
    • Pause for a moment and ask: How am I feeling today? Just acknowledging your emotions can help.
  • Disable unnecessary background processes → Say “no” to one unnecessary thing
    • Reduce mental load by cutting out one thing that’s draining you—whether it’s skipping an unimportant meeting or ignoring a toxic group chat.
  • Reboot when needed → Take a short break
    • A quick restart helps a computer, and sometimes, five minutes away from your screen can work wonders for you too.

No Need for a Full Reinstall

You don’t need a full personality reboot or a total life upgrade to feel better. Small tweaks, small wins—they add up.

So while you’re waiting for that Windows 11 install to finish, maybe take just one small action for yourself. It doesn’t have to be big. Just enough to upgrade your mood one step at a time.

Zebra Kiosk Mode

Zebra Kiosk Mode

Last time we talked about how to get our Zebra scanners into Intune. Today we are going to talk about how to set this unit as a kiosk scanner with a web link and a store app. This setup will be in such a way that we control the wireless networks and access to the device all from one configuration policy. The configuration policy is where we will be making our Zebra Kiosk Mode.

Creating a web app

A web app is super easy to build out. Remember, the scanner should be able to access said app.

  1. Navigate to intune.microsoft.com
  2. On the left-hand side, click Apps
  3. Click Android
  4. Click the Add button.
  5. Under Select app type, we will click Web link, which is under Other.
  6. Then Click Select
  7. This is where you can edit properties.
    • Name: The web link name
    • Description: I like to put the address of the web link here and what it’s for. Some people don’t. It’s up to you.
    • Publisher: I put my company’s name, unless I know for sure who it is.
    • App URL: This is where you will put your link. For example. https://therandomadmin.com
    • Require a managed browser to open this link:
      • This is special as it will require you to have edge or another managed browser like zebra’s managed browser. In our case, this isn’t a needed feature and can cause more issues down the road.
      • Doing a managed browser would force the user into a single tab. This is great for some apps, but others not so much. So, if you want a lockdown on the tabs, this is the way to go, and you will have to make sure you set the system defaults to that browser instead of Chrome.
    • Category: That’s for you to choose
    • Show this as a featured app in the company portal: Once again, not really needed since these will be kiosk machines.
    • Information URL: If the site has an information URL, this is where it would go.
    • Privacy URL: Most websites have a privacy link; this is where you would put that.
    • Developer: Who built it? Maybe a link if you feel like it.
    • Owner: Who is the owner, once again, Maybe a link?
    • Notes: I don’t use this personally, but I have seen where people will put who all should have it.
    • Logo: A good logo for the site; now I have seen a 512×512 PNG file work best for this.
  8. Click Next
  9. Assign your groups
  10. Review and create.

That’s all it takes to make a web link. It’s nothing special.

Other Apps

Create Device Restriction Configuration

This is where we will be doing our Zebra Kiosk Mode. Based on our Microsoft Managed Home Screen, we will create a device restriction, and this app will give us unique controls over the device.

  1. Navigate to Intune.microsoft.com
  2. Navigate to Devices > Android > Configuration
  3. Create a new policy
    • Platform: Android Enterprise
    • Profile Type: Device Restrictions
    • Click Next
  4. Name the policy and give it a good description. Then hit next
  5. These are the settings I am using:
    • General
      • Default Permissions Policy (Work Profile Level) Auto Grant
      • System Update: Automatic
      • Skip first Use Hint: Enabled
      • Locate Device: Allow
      • System Error Warning: Allow
      • Enabled System Navigation Features: Home and overview buttons
      • System Notifications and Information: Show system notifications and information in device status bar

Device Experience

  1. Device Experience Type: Kiosk Mode
  2. Kiosk Mode: Multi App
  3. Custom app layout: Enabled
    • This is where we will place items on the screen. I like having the main web link and the intune app. It looks real nice with a 3×4
  4. Grid Size: 3 Columns x 4 rows
  5. Home Screen.
    • Here you can click each plus button and add the app you want, and it will show up on the machine.
  6. Lock Home Screen: Enabled
  7. App Notification Badges: Enabled
    • I enable these because it lets the end user know what’s happening with the device itself. This is important for updates and the like.
  8. Leave Kiosk Mode: Enabled
  9. Leave Kiosk Mode Code: Make a 4-6 digit pin.
  10. Set a custom URL background:
    • This background for the MC9300 is 480×800.
    • The image must be accessible from the network on its own. If it is not, then we will have issues.
  11. Shortcut to settings menu: Disabled
  12. Quick access to the debug menu: Enable
  13. Wi-fi Allow List
    • This is where you can put the SSID of the networks you want the scanner to connect to. If it’s not in this list, they will not be able to connect to it while in kiosk mode.
  14. Media Volume Controls: Enabled
    • I do this to allow them to control how loud the beeps are. Note that your DataWedge profile needs to be set to media to make this happen.
  15. Quick Access to device information: enabled
    • This bad boy has saved me so many times. It has the device’s serial number. The MC9300 serial numbers are printed on the back, but old eyes just can’t read it. So, having this information at the user’s fingertips really adds to troubleshooting.
  16. Everything else in device restrictions is default.

Users and Accounts

This area is set to block. What that does is it forces the users to only be the kiosk user.

  • Add users: Block
  • User can configure credentials: block
  • User removal: block
  • personal google account: block
  • Account changes: block.

We don’t want you to edit anything with this profile. Hand slap, please.

Customer Support Information

This is where you would place all the customer support information. Like your helpdesk number or emails. I like to have the contact for your IT admins at XYZ. The lock screen message is important because even though we didn’t set it here, if you tell the system to lock via Intune, this message will appear.

Groups and why it’s important

The next area is the groups. So, this is very important. You cannot have two device restriction policies that do kiosk items applied to the same machine! This is very important and can look very weird. So I’m going to give you a simple scenario for you to fully understand.

  • There are three policies.
    • Zebra_Default
      • Assigned Group: Zebra-MC9300-Default
        • Dynamic assignment of android zebra mc9300
    • Zebra_Redzone
      • Assigned Group: Zebra-RedZone
        • Static Assignment
    • Zebra_Bluezone
      • Assigned Group: Zebra-BlueZone
        • Static Assignment

If I have a scanner, and I assign it to group zebra-RedZone. It will get the red zone and the default. The default links the bluezone if it’s assigned to a policy. Thus, now it gets two policies and starts conflicts. So what you have to do for each policy is place all other groups, excluding your default group into the exclude assignment. So, if you want the redzone, place the zebra-redzone inside the zebra_redzone policy assignment and place zebra-bluezone in zebras_redzone exclusion assignment. The Zebra_default will need to have the two zone groups added to it’s exclusion list as well. This makes everyone happy.

Once you have everything assigned, click create. Add the scanner to your group that you want, and it will be applied. We have a few departments like this; by doing it this way, I can give out a passcode to an end user for troubleshooting and not effect any other departments. Plus, I can push out a password change for the kiosk without effecting other departments. I personally set each background to that department name. So they know when scanners float between departments. This has stopped so many fights.

What can we learn as a person?

There is a flow to things in this life. Whether it makes sense or not is a different story. The first time I set up these profiles, I was confused about why I kept getting just one icon. Instead of the four I selected. Then it locked down to the point where it was super Zebra Kiosk Mode and not a usable version. After tracking where things went, I finally figured it out. It was like watching a flow. Sometimes we have that in our lives. Things come up, and they leave you left in the what-happened mode.

I’ll give a great example from my life: car keys. I come home late the night before and place my keys in front of my bed instead of on my nightstand. The next morning, I wake up late, and I’m rushing around. I pull everything out of the nightstand, but the keys are missing. This makes me freak out. Rather than searching frantically, I’ve learned to focus on the events of the previous day. What did I do when I got home? I follow each step until I find where I put my keys. Most of the time, the cat knocked it off. He likes my chest in front of the bed. It’s always a good thing to stop and look at the flow. What’s happening, and where did things go wrong? I hope you go with your flow. You deserve it.

Additional Resources:

Enrolling Zebra Scanners into Intune

Enrolling Zebra Scanners into Intune

For the past few months, I have been working with zebra scanners. MC9300 and MC9400 to be more excat. These scanners are unique in the fact that they do not have any cameras. These scanners are Android OS devices. That means they can go into intune without to many issues. Normally, you scan a QR code with your camera and then it takes you to Google Play. However, there is no camera and no app store on these scanners by default. The idea with these units is you use a program called stagenow and have stagenow enroll them into Intune. So, how do you do that? The Zebra documentation is nice, but it has some issues. Enrolling Zebra Scanners into Intune is not for the faint of heart.

So, why? Why not use other MDMs. Good question. I like punishment, maybe? In this case, this is the option management wanted. Thus, I followed orders and made it happen. There are some things you will need before we get started.

  1. Admin access to your Intune with the proper licensing. If you have E5 licenses and a P2 plan, you should be golden.
  2. A computer with stage now.
  3. A wireless network that has access to the stage now computer and to the interent. At this stagenow computer will be running an FTP service.

Creating the Enrollment

Before we start our first steps, we want to create a Kisok scanner device. This will have one or two apps on it. Thats’ important to think about. We can create a large number of deployment types, and not all of them fit with our goals. These devices will be used to scan boxes and nothing else. So we will be using corporate-owned dedicated devices. The first step is to create the enrollment in Intune.

  1. We navigate to your intune instance.
  2. Devices > Android > Enrollment > Corporate-owned Dedicated devices
  3. Click Create Policy
    • Name: Zebra Enrollment
    • Description: This policy is to enroll zebra devices into corporate-owned dedicated devices
    • Token Type: Corporate-Owned Dedicated devices
    • Token expiration data: Input a reasonable date
  4. Click Next
  5. Click Create

We will be taken to the policy screen. From here, we need to go into our new policy. Here we will see all the information you just put in. Now we need to get that token.

  1. Click on the policy
  2. Manage > Token > Show Token
  3. Using your cell phone and a QR app, scan the QR to gather its information.
    • I have a Samsung phone. I just use the scan QR code feature. Then select the show text.
  4. Send this text to yourself. I used teams.
  5. Below is what the code will look like.
{"android.app.extra.PROVISIONING_DEVICE_ADMIN_COMPONENT_NAME":"com.google.android.apps.work.clouddpc/.receivers.CloudDeviceAdminReceiver","android.app.extra.PROVISIONING_DEVICE_ADMIN_SIGNATURE_CHECKSUM":"&lt;Hash Number>","android.app.extra.PROVISIONING_DEVICE_ADMIN_PACKAGE_DOWNLOAD_LOCATION":"https://play.google.com/managed/downloadManagingApp?identifier=setup
","android.app.extra.PROVISIONING_ADMIN_EXTRAS_BUNDLE":{"com.google.android.apps.work.clouddpc.EXTRA_ENROLLMENT_TOKEN":"&lt;Your Token>"}}

Inside this text, you will see a variety of links and something called “Extra_Enrollment_Token” You will need the string of numbers that follows this. You will also see a CHECKSUM, you will need this hash. Finally, you will see something called Provisioning_Device_Admin_Package_Download_Location followed by a link. Click this link. It will download an APK. This APK is very import and cannot be renamed. You will want to transfer this app to your stage now machine.

Stage Now Setup

Now that we have created the enrollment, downloaded our app and gotten our token, it’s time to make the stage now profile. The stage now profile is going to consist of the following configurations.

  • Stager now Network
  • Wifi
  • FileMgr
  • AppMgr
  • Intent

Start your stage now application and log into the admin portal. You will need the average MX version of your zebra scanners. On average, I have seen a range from 8.4 all the way to 13.1 in my environment. Thus, we must select our lowest version. In my case, it will be 8.4. I will post a blog post in the future on how to standardize our MX versions with Intune.

  1. Click Create New Profile
  2. Click Xpert Mode
  3. Name the policy. I like to have the mx version in the name and what it’s doing. So for our example, I used “Enroll_Intune_8.4” Notice, no spaces.
  4. Now we are sent to the add/edit window. Click Wizard.
  5. Scroll down until you see the “StageNow Network” and click the plus sign. You will notice that it is added to the right-hand menu.
  6. Click the settings tab
  7. Add Wifi, Filemgr, AppMgr and Intent
  8. Click ok

Now we will start creating the profile itself. We are thrilled with the first item in our list, “stageNow Network.”. Here we will have drop-downs and other options. So follow along.

Connect a network

  1. Drop Down: The devices I wish to provision are currently not connected to a network. I will define a network with this profile that can be used for staging.
  2. Click Continue
  3. Network Type > Drop Down: WiFi
  4. Certificate Management: No
    • Please note that if your network uses a cert, you will need to set it up here.
  5. Disconnect Networks: No
    • We select No because the next section disconnects the networks for us.
  6. Disalbe Network: Yes
    • This will disconnect from all of the other networks
  7. Click Continue
  8. Add Network: Yes
  9. SSID: Your SSID
  10. Security Mode: Personal
    • In this example, we are going to use a basic wifi setup with a password.
  11. WPA Mode: WPA/WPA2
  12. Encryption Type: Do not change
    • We don’t change because by default it is aes-ccmp/tkip
  13. Key Type: Passphrase
  14. Protected Key: Checked
  15. Passphrase: <Enter your passphrase>
  16. Use DHCP: Check
  17. Keep everything else as default.
  18. Click continue.
  19. Connect Network: Confirm everything here and click continue

Wifi

After you click the continue button, you are brought to review. Let’s click the StageNow Config button at the top. To get back into the configuration window. This is the network we will use for Enrolling Zebra Scanners into Intune. We are doing this here to change some basic settings. Like, is the wifi enabled? Is there a sleep policy? Stuff like that. We want to make sure we can get as much possible out of the way now before we deal with it later.

  1. Target OS: Android
  2. Wi-Fi Enable: Enabled
  3. Sleep Policy: Never Sleep
  4. Network Notification: Use Network Notifications
  5. Enable Wi-Fi Verbose Logging: Do not change
    • If you want this feature, you can set it; however, it eats resources on the scanner.
  6. Configure Country: Check
    • Country: USA
    • Notes: By leaving it unchecked, it will perform an auto setup. This can be a problem if you have scanners around the world.
  7. RF Band: Unchanged
    • This is something you will need to communicate with your network team. Some places use 2.4, some use 5. You can tell it which channels to work with as well. This is a very advanced system for the most part.
  8. Leave all the other settings the way they are.
    • The network action is do nothing because you are already connected to your staging network from the previous set.

FileMGR

The file manager area is import for us our Enrolling Zebra Scanners into Intune as it allows us to get the intune onto the device itself. After we click continue on the wifi, we will come into the new settings.

  1. File Actions: Transfer/Copy File
  2. Target Access Method: File in the device file system
  3. Target Path and File Name: /sdcard/AndroidDevicePolicy.apk
  4. Source Access Method: File on a remote server
  5. Source File URL:
    • Click the three dots
    • Search for the file and add it.
  6. Continue

AppMGR

Now the app is on the scanner from the stage now profile, it’s time to install the app. We are going to select upgrade as upgrade is install and upgrade at the same time.

  1. Action: Upgrade
  2. APK Path and Name: /sdcard/AndroidDSevicePolicy.apk
  3. Protected list action: Do nothing
    • Here you can add this app to the protected list, thus making it unchangeable. This could cause Intune to fail. You can also remove it from said list.
  4. Access to app information action: Do nothing
  5. Click Continue

Intent

This final stage joins it to intune. We will be creating a json file before we continue. Remember that code we got from the qr code. This is where we are going to be using it. This json is our butter for Enrolling Zebra Scanners into Intune. Here is the json.

{
"android.app.extra.PROVISIONING_DEVICE_ADMIN_COMPONENT_NAME":"com.google.android.apps.work.clouddpc/.receivers.CloudDeviceAdminReceiver",
"android.app.extra.PROVISIONING_DEVICE_ADMIN_SIGNATURE_CHECKSUM": "<Oh a has code from ealier.> ",
"android.app.extra.PROVISIONING_DEVICE_ADMIN_PACKAGE_DOWNLOAD_LOCATION":"https://play.google.com/managed/downloadManagingApp?identifier=setup",
"android.app.extra.PROVISIONING_LEAVE_ALL_SYSTEM_APPS_ENABLED": true,
"android.app.extra.PROVISIONING_ADMIN_EXTRAS_BUNDLE":{"com.google.android.apps.work.clouddpc.EXTRA_ENROLLMENT_TOKEN":"<YourTokenYall>"}
}

Remember we grabbed the check sum and the token from before? Well, this is where we are going to use it. Replace where I have the <> and you should be good to go with the file. Make sure to save this in the same folder on the stagenow computer as the app from before and save the file as a.json file.

Now back to stage now.

  1. Action: Enroll a Device Owner
  2. Package name: com.google.android.apps.work.clouddpc
  3. Class Name: com.google.android.apps.work.clouddpc.receivers.CloudDeviceAdminReceiver
  4. Json Value: Json File
  5. Json File:
    • Click the three dots and navigate to your newly created json file.
  6. Click continue

Final steps of stage now

Once you click the stage now button, you will be set to the review screen. Here you can make sure all of your settings are correct by clicking the expand button. By default, the bar codes are encrypted. If you don’t want that, this is where you can change it. I always suggest encryption. Once you have everything the way you want, all you have to do is click complete profile.

Now here is the next important aspect of the whole setup. Creating the barcodes to scan. After you click the Complete Profile, you will be taken to the bar code window. There will be options for linear and PDF417 barcodes. The linear is going to give you a lot of bar codes. So pick the PDF417.

CATCH! Android 11 and down use PDF417, for Android 13 and above, use JS PDF417.

So we want to click the StageNow client check for what we want to use. Then I like to test. You can click the test to generate the barcodes. Finally, you can click publish to publish the profile.

Using the barcodes

Once you have the bar codes, Enrolling Zebra Scanners into Intune is so much easier. From a recently wiped scanner, open stage now and scan the bar codes. The scanner will connect to your wifi of choice. Then, if the stage is now up and running, it will download the file. Then it will install the app. Finally, if the network is running correctly, it will join intune. From there, intune takes over and stage now is no longer needed.

Import gotchas at this stage is stagenow has to be active with this setup. The reason is because each time the application is active, it spins up an FTP. The FTP username and password are embedded into the QR code from where you encrypted it. So, if your network can’t reach this server, this means it will not work as well. So make sure the network team is good to go.

What can we learn as a person?

Things don’t always go as planned, no matter how much we prepare. I spent six months perfecting an MDM transition while managing my regular duties. My Intune setup was nearly flawless: scanners were configured in under 30 minutes, upgraded to the optimal OS for our company (not Android 13), and everything seemed ready. I created detailed instructions and videos for end users, tested the process with multiple people, and received praise for how well it worked.

The rollout began smoothly at our northern office, where everything connected as expected. Then things unraveled. At other locations, wireless networks failed due to improperly configured DHCP, incomplete AP broadcasting, poisoned ARP tables on switches, and more. It felt like every fix led to another failure. Users blamed me since I handled the transition, but the root issue was network-related—something I had no access to or control over.

Despite my setup being perfect, it failed because of factors outside my control. And that’s okay. Failure doesn’t define us, even when others assign blame. IT is a team effort, and sometimes you must navigate challenges with colleagues who may not be as invested or responsive.

In this case, waiting for the network admin to confirm readiness and documenting everything (CYA!) saved me. It’s a reminder that our worth isn’t tied to mistakes—ours or others’. Sometimes, patience and accountability are the real wins.

Additional Reading

Force Intune apps to redeploy

Force Intune apps to redeploy

Last month, I had an app that had some issues for a single end user. I wasn’t sure why it was causing issues, but one of the troubleshooting steps we needed to do was uninstall it and have Intune reinstall it. We uninstalled the application. However, Intune, being Intune, sat there. We forced a sync, and nothing. I wish there was a redeploy option in the Intune interface, but there isn’t. So what can you do? Well, there is a small secret. Intune has registry keys that keep track of the deployments on the machine itself. These linger even after uninstalling the app. So, removing them is the gravey. So today we are going to force Intune apps to redeploy.

Intune Registry Keys / App ID Number

Intune’s registry keys are located in the Local Machine > Software > Microsoft > IntuneManagementExtension > Win32App. Let me tell you what now. My southern is going to come out some yall. This is where we can see the users. The system has it’s own user, which is the all zeros, but each other user has it’s own code.

When you open this folder, you will be taken to a beautiful list of what? Yeah, it’s a mess. You need to know some things about this list in order to force intune apps to redeploy. You will need to have the app’s ID number. To get this number, you will need to navigate to your Intune. We will be heading to the app you want to uninstall. I’m doing my 7zip today as an example. At the end of the url, you will see the appID. That’s what you will need.

Once you have that code, you will be ready. What you will need to do now is delete the folder with that code. Then navigate to the GRS folder. It will have a bunch of hashes. No, not the drug, but math code. Wait, is hash still what people call it now days? I feel old. Anyway, you have two options here. One, you can go to the logs and search the logs for the hash. This can take a while, and shockingly, it is not reliable as logs get deleted. The other way is to go through this registry folder, folder by folder, until you find the key, as seen below. I prefer PowerShell. Once you delete the required registry keys, all you have to do is restart the Microsoft Intune Management Extension service.

Powershell To the Rescue

If you have read this blog long enough, you know PowerShell is coming somehow. Today’s script will save you a crap ton of time. Let’s dive right in.

$Path = "HKLM:\SOFTWARE\Microsoft\IntuneManagementExtension\Win32Apps"
$AppID = "Your-App-Code-Goes-Here"

$Users = (Get-ChildItem -Path "$Path").name | Where-Object {($_ -like "*-*-*-*-*") -and ($_ -notlike "*00000000-0000-0000-0000-*")}

foreach ($user in $Users) {
    $Name = $User -replace "HKEY_LOCAL_MACHINE","HKLM:"
    $UserID = $user.split("\")[-1]
    $Applications = Get-ChildItem -Path $Name | Where-Object {$_.name -like "*$($AppID)*"}
    foreach ($App in $Applications) {
        $AppName = $App -replace "HKEY_LOCAL_MACHINE","HKLM:"
        Write-Host "App Name: $AppName"
        remove-item -Path $AppName -Recurse -Verbose -force
    }
    $GRSPath = "HKLM:\SOFTWARE\Microsoft\IntuneManagementExtension\Win32Apps\$UserID\GRS"
    $GRSes = Get-childitem -path $GRSPath
    foreach ($GRS in $GRSes) {
        $GRSProps = $GRS | Get-ItemProperty
        $Count = $GRSProps.psobject.Properties.count 
        if ($Count.count -gt 5) {
            $TotalKey = $GRSProps.psobject.Properties.name | where-object {$_ -like "*-*-*-*-*"}
            if ($TotalKey -like "*$($AppID)*") {
                $PathToRemove = $GRS.name -replace "HKEY_LOCAL_MACHINE","HKLM:"
                Remove-Item -Path $PathToRemove -Recurse -Force -Verbose
            }
        }
    }
}
Get-Service -DisplayName "Microsoft Intune Management Extension" | Restart-Service -Verbose

There are many versions online for this script. Most use the logs, and that’s cool. This script doesn’t use the logs, and for a good cause. In my case, the logs were deleted. Why were they deleted, you shall ask? Humans, that’s always going to be my answer until it’s AI.

The break down

Let’s break this bad boy down, shall we? The first part of the script is the path we are going to be playing with, followed by the code of the app. You will have to grab this from your intune.

$Path = "HKLM:\SOFTWARE\Microsoft\IntuneManagementExtension\Win32Apps"
$AppID = "Your-App-Code-Goes-Here"

Next, we want to grab all the users. So, remember I said the system uses all zeros. Well, we want to exclude those. However, users use the hypens. It’s the Fantastic 4, hypens, not the Marvel characters. Using a basic where object, we sort through all of the ones that have our hypens and are not the system and drop their ID numbers into the users variable.

$Users = (Get-ChildItem -Path "$Path").name | Where-Object {($_ -like "*-*-*-*") -and ($_ -notlike "*00000000-0000-0000-0000-*")}

Handling the App Side

Now we start our loop. Everyone should like a good loop. Each user will have it’s own path. The first thing we run into is that the above command gave us HKEY_Local_Machine instead of a searchable HKLM. So we change them using the replace. Then we grab the userID for later. Finally, we grab all the applications. Notice the name is the new name we made. It’s important to have the HKLM: because without it, you will get an error with get-childitem.
No candy was stolen from any children while writing this blog post.

    $Name = $User -replace "HKEY_LOCAL_MACHINE","HKLM:"
    $UserID = $user.split("\")[-1]
    $Applications = Get-ChildItem -Path $Name | Where-Object {$_.name -like "*$($AppID)*"}

Notice we are looking for the appid at the end. Sometimes, there will be more than one entry like this. To force Intune apps to redeploy, we must remove all of them. I liken them to bed bugs. Burn them all. With that said, we start our loop. For each App inside the applications. We will get the app name and then remove it. Once again, we used get-childitem. Goodness, I need to stop still items from kids. So we need to convert the name like we did before changing the HKEY_Local_machine to HKLM: with a nice replace. Once we have it, we delete the path and everything inside by force.

foreach ($App in $Applications) {
        $AppName = $App -replace "HKEY_LOCAL_MACHINE","HKLM:"
        Write-Host "App Name: $AppName"
        remove-item -Path $AppName -Recurse -Verbose
 }

Handling GRS Side

Now we need to handle the GRS side. The GRS keeps the datetime stamps. Like I said before, most people use the logs. Today we will navigate through the registry. The first thing we are going to do is set the path and get the kids on that path. This is where the UserID we made at the start of this big loop comes into play.

$GRSPath = "HKLM:\SOFTWARE\Microsoft\IntuneManagementExtension\Win32Apps\$UserID\GRS"
$GRSes = Get-childitem -path $GRSPath

Now we have the children’s items. We start our looping. The first thing we get is our GRS properties with the get-itemproperty commands. Now here is the magic. A standard check has only 1 or maybe 2 items inside the folder. While more advanced items will have more than that. So, if we convert the properties into a Powershell object, we can count them.

$GRSProps = $GRS | Get-ItemProperty
$Count = $GRSProps.psobject.Properties.count 

Yes, the second line works. You can pretty much convert anything into a PowerShell object. All we have to do now is count how many counts per object are there. When we convert the item property into a powershell object, we gain a few extra items. So, anything past 5 in this case will be our special stuff. So, if it is past 5, we get to work.

We first look at the keys, looking for our fantastic 4. We will do this by calling the psobject.properties.name because it will be the name of the property. Then we will compare it to the appid. If they are the same, we correct the hkey_local_machine and drop our nuke, remove-item. Nested ifs are fun, but can get complex quick if you don’t watch out.

if ($Count.count -gt 5) {
        $TotalKey = $GRSProps.psobject.Properties.name | where-object {$_ -like "*-*-*-*-*"}
        if ($TotalKey -like "*$($AppID)*") {
            $PathToRemove = $GRS.name -replace "HKEY_LOCAL_MACHINE","HKLM:"
            Remove-Item -Path $PathToRemove -Recurse -Force -Verbose
        }
}

The GRS has been removed after this.

Restarting the service

After the large loop of Fantastic Four, we have to restart the intune extension. So, using get service, we pipe it into restart service. Then we are done! Right? Well, kind of.

Get-Service -DisplayName "Microsoft Intune Management Extension" | Restart-Service -Verbose

Final Step

After the script has done it’s thing and stolen candy for kids and nuked stuff, you will need to resync the computer. You can do this via the Accounts setting, or you can do this via Intune. In my case, the application we were redeploying was our remote application. So, I had to do it via Intune.

Navigate to the device under Windows > Device Name and hit the sync button. Now you are done. Force Intune apps to redeploy, check.

What can we learn as a person?

Restarting is sometimes the only option. Taking a step back, clearing things away, and starting new is good, whether you’re troubleshooting an Intune app deployment or dealing with a hard time in life.

When an app in Intune stops working, we don’t just sit around and hope it gets fixed (at least for a while). After we empty the registry and do some troubleshooting, we gently push it to redeploy. Life is no different. When things don’t work out the way you expected, that’s okay; setbacks are inevitable. Starting over equalizes the situation; it’s not a sign of surrender.

Restarts, in reality, are chances for growth. By doing so, they demonstrate our flexibility, competence, determination and insight to put things right. Our fantasic four. When something feels stuck, whether it’s an app or your thinking, don’t be scared to reset. Do not be afraid, especially with our thinking. That’s where real change happens.