Printing
Older HP / Brother / Canon printer stops printing after Windows update
Your printer is older than the latest Windows version, and Microsoft tightened up how Windows talks to printers a few years back to stop hackers. We've got three options: a) use a universal driver from the printer maker, b) trick Windows into talking to it through a different protocol, or c) replace the printer with one that just works. The first one is free and usually works within 15 minutes.
What to do
Path A — Use vendor's latest universal driver (preferred):
- Download HP Universal Print Driver (UPD) PCL6 or PostScript from HP support site. Works for most HP devices 2005 onward.
- For Brother: download "Brother Universal Printer Driver" from brother.com support.
- For Canon: try Canon Generic Plus PCL6 / UFR II driver.
- Install the universal driver. Add the printer using the new driver: Settings → Bluetooth & devices → Printers & scanners → Add device → "The printer I want isn't listed" → Add a local printer or network printer with manual settings.
Path B — Force inbox / Microsoft IPP driver (when vendor has no Win 11 driver):
- Settings → Printers & scanners → Add device → "The printer I want isn't listed".
- Select "Add a printer using an IP address or hostname".
- Device type: "TCP/IP Device". Enter printer IP. Wait for detection.
- When prompted for driver: pick Microsoft IPP Class Driver or Generic / Text Only.
- Test print.
Path C — USB-only printer with no signed driver:
- Buy a small print server (TP-Link TL-WPS510U, StarTech NETPRINT2) or convert via a Raspberry Pi running CUPS.
- The print server speaks IPP / IPPS to Windows — bypasses the vendor driver dependency entirely.
- On the PC, add the printer as an IPP network printer using Microsoft IPP Class Driver.
Path D — Replace the printer (recommended for pre-2012 models being used in a business):
- Modern entry-level laser: Brother HL-L2460DW ($230). Modern entry-level inkjet: HP OfficeJet Pro 8135e ($230).
- Both support AirPrint, Mopria, IPP — no driver hell on any OS.
Confirm it's fixed
- Test print from Notepad succeeds.
- Test print from Word succeeds (richer format).
- Reboot the PC. Print again — confirms driver persists.
- Check Event Viewer → Microsoft → Windows → PrintService → Operational — no errors logged.
Still stuck? Multiple printers fail across the office after a Windows feature update; or the vendor has marked the model 'end of support'; or the customer is on Win Server with print sharing affected.
Printer not printing / job stuck in queue
Your printer and your computer aren't seeing eye to eye. Usually one stuck job blocks everything behind it, or Windows decided the printer is offline. We'll clear the queue, restart the print service, and make sure the printer is reachable. Should be one of the faster fixes.
What to do
If queue stuck:
- Stop Print Spooler service.
- Open
C:\Windows\System32\spool\PRINTERS\— delete all files inside. - Start Print Spooler.
- Re-send job.
If "Offline" persists:
- Power-cycle printer (off 30 sec, on, wait 2 min for boot).
- Verify network: ping printer IP. If fails, DHCP changed IP — reconfigure printer port to current IP, or use hostname.
If wrong / stale driver:
- Settings → Printers & scanners → printer → Remove device.
- Re-add: + Add device → wait for discovery → install.
- For corporate printers, use the print server queue (
\\printserver\printername) instead of direct IP.
If hardware error on display:
- Note exact error code from printer (e.g., HP "59.40", Brother "TS-02").
- Refer to printer's manual or vendor support.
- Often fixed by reseating toner cartridge or clearing paper path.
If garbage output:
- Wrong driver — uninstall, install printer's exact model driver from vendor site (not the generic).
Confirm it's fixed
- Test page prints cleanly (Settings → printer → Open queue → Printer → Properties → Print Test Page).
- Real document from Word prints to correct printer.
- Print queue empty after job completes.
- Printer status shows "Ready" or "Idle".
Still stuck? Print server side error, or driver requires admin install, or hardware error code on display
Printer prints garbled / unreadable / wrong characters
The printer is getting confused about what it should print. Almost always it's the driver — the translator between your computer and the printer is using the wrong dictionary. We'll swap to the right one and you'll get clean output. Should take a few minutes.
What to do
Wrong driver type:
- Identify printer model (label on physical printer).
- Visit vendor support site → download "PCL 6" driver if printer supports PCL, or "PostScript / PS" for PS printers (most modern enterprise printers prefer PCL 6 for Windows).
- Settings → Printers & scanners → remove existing printer.
- Install fresh driver from downloaded package (vendor's installer is best).
- Re-add printer.
Corrupt driver:
- Print Management (
printmanagement.msc) → All Drivers → right-click old driver → Remove driver package. - Reinstall fresh.
Stuck job poisoning queue:
- Stop spooler service.
- Delete files in
C:\Windows\System32\spool\PRINTERS\. - Start spooler.
- Re-add the print job from Word/Excel/etc.
Universal driver issue:
- For HP devices, "HP Universal Print Driver" can confuse some printers. Use the device-specific PCL 6 driver instead.
Application-side issue:
- Try Print to PDF first, then send PDF to printer. If PDF looks fine but printed garbage → driver. If PDF is also garbage → app problem.
Confirm it's fixed
- Test print from Notepad reads correctly.
- Word doc prints with proper layout, fonts, images.
- Color output (if applicable) matches screen.
- Multiple pages print without corruption.
- 5+ documents printed without recurrence.
Still stuck? Replacing driver doesn't resolve, or print server queue produces same output for all users
VPN & Remote Desktop
SASE, SSE, and ZTNA fundamentals and troubleshooting
SASE/SSE replaces the old 'connect to the VPN and you're inside the whole network' model. Instead, every time you open an app, the service checks who you are and whether your device is healthy, then connects you to only that app — nothing else. So if one app won't open while everything else works, it's usually a permission, device-health, or app-routing check, not a broken internet connection. We look at the access logs to see exactly which check said no, and fix that.
What to do
A. Agent won't connect:
- Restart agent; if still failing, re-enroll/re-authenticate the device.
- Verify outbound reachability to the vendor's PoP/cloud (corporate firewall/proxy may block required ports/FQDNs — allow them).
- Clear a captive-portal state on hotel/guest Wi-Fi (open a plain HTTP site to trigger the portal, authenticate, then reconnect).
B. "Can't reach internal app" (ZTNA triage):
- Confirm the app is published in the ZTNA policy and the user/group is entitled.
- Confirm the connector for that app's network segment is online (vendor console shows connector health).
- Resolve the app's hostname while connected — it should resolve to the ZTNA service, not a public/stale IP.
- Verify posture is passing; a posture failure silently removes entitlement to sensitive apps.
- Test from a second known-good user to isolate user-specific vs app-wide.
C. Access denied / posture/identity block:
- Read the policy decision in the vendor logs (which rule denied, on what attribute).
- Remediate the failing posture attribute (update OS, enable encryption, restart EDR, reissue cert) or correct group membership.
- Re-evaluate posture / re-sign-in and retest.
D. App breaks only with agent on (inspection):
- Identify if TLS decryption is applied; install/trust the SWG root CA on the device.
- Add cert-pinned or sensitive apps (banking, native clients) to a bypass/no-decrypt policy.
Confirm it's fixed
- Agent shows connected to a healthy PoP with the correct identity.
- The previously failing app loads and functions end-to-end while connected.
- Vendor policy logs show an allow decision for the user/app with posture pass.
- Internet egress and the private app both work without one breaking the other.
- A second user reproduces success, confirming the fix is policy/infra-level not local.
Still stuck? A ZTNA private-application connector or the SASE/SSE vendor cloud is down, or policy changes are required that exceed local administrative scope.
VPN won't connect / disconnects randomly
The VPN is the secure tunnel back to your company's network. If it can't connect, it's usually one of three things: your password got out of sync, your network is blocking it, or the security certificate needs refreshing. We'll try the simplest fixes first — different network, fresh sign-in, restart the client — and most of the time you're back on in five minutes.
What to do
Authentication issue:
- Sign in to https://office.com first to confirm password works for cloud.
- Approve any MFA prompt on phone.
- Update VPN client to latest version.
Network blocking:
- Switch to mobile hotspot to confirm.
- For public Wi-Fi, complete captive portal first, then try VPN.
- Disable IPv6 temporarily if VPN client doesn't handle dual-stack: Network adapter → Properties → uncheck IPv6.
Certificate issue:
- For corporate device cert: connect on corporate LAN once to refresh; or contact L2 to push new cert.
- For user cert: re-enroll via portal.
DNS resolution failure:
- Switch DNS to 1.1.1.1 / 8.8.8.8 → retry.
Split-tunnel routes wrong:
- After connect, run
route print(Windows) → corporate subnets should appear via VPN tunnel adapter. - If missing, reconnect; persistent fix from L2 (gateway config).
Reinstall:
- Settings → Apps → uninstall VPN client → reinstall current version from corporate portal or vendor.
Confirm it's fixed
- VPN client shows green / "Connected".
- Internal site (e.g., intranet.company.com) loads.
- File share / printer accessible.
- Speed acceptable (within 70% of base ISP, allowing for VPN overhead).
- Connection holds 30+ minutes idle.
Still stuck? Multiple users in same office / region cannot connect, or certificate revoked, or VPN gateway error reported by client
Teams & Zoom
Microsoft Teams won't load / stuck on splash screen
Teams gets confused if its memory of past sessions gets corrupted. We'll wipe that little stash, sign you in fresh, and it almost always opens straight up. If a bigger fix is needed we'll reinstall the app. Should be done in a few minutes.
What to do
Cache clear (most common fix):
- New Teams: close → File Explorer →
%localappdata%\Packages\MSTeams_8wekyb3d8bbwe\LocalCache→ delete contents → relaunch. - Classic Teams: close →
%appdata%\Microsoft\Teams\→ delete contents (or justCache,Code Cache,Local Storage,IndexedDB).
Credential clear:
- Control Panel → Credential Manager → Windows Credentials → remove
msteams_*andMicrosoftAccount:user=*(related entries) → relaunch Teams.
Reinstall:
- Settings → Apps → Installed apps → uninstall both "Microsoft Teams" and "Microsoft Teams (work or school)" if both present.
- Also remove
%localappdata%\Microsoft\Teams\folder. - Reinstall: New Teams via Microsoft Store, or via M365 admin pushed app, or https://teams.microsoft.com/downloads.
Antivirus check:
- Temporarily allow Teams in security software (whitelisting
Teams.exeand the Microsoft Store ms-teams package). - Re-enable AV after testing.
Confirm it's fixed
- Teams loads to chats list within 30 seconds.
- Presence shows correct status (green/Available).
- Test call works (Settings → Devices → Make a test call).
- Send test message in a chat and receive.
Still stuck? Reinstall fails, Teams admin center reports incident, or all users on tenant unable to load
Microsoft Teams: no audio in meetings (mic or speaker not working)
Teams is sending audio to the wrong place, or Windows hasn't given Teams permission to use your mic. We'll point Teams at your real headset, run a quick test call so you can hear yourself, and check Windows didn't block the microphone. Most calls fix in under five minutes. If your headset isn't even showing up, we'll look at drivers next.
What to do
If wrong device selected:
- In Teams Settings → Devices, pick the correct hardware. Teams will remember per device.
If permission denied:
- Settings → Privacy → Microphone → Enable for Teams. Restart Teams.
If exclusive access conflict:
- Right-click speaker icon (taskbar) → Sound settings → More sound settings → Recording tab → device → Properties → Advanced → uncheck "Allow apps to take exclusive control".
If Teams is misbehaving:
- Quit Teams completely (right-click tray icon → Quit, AND Task Manager kill
Teams.exeandms-teams.exe). - Clear Teams cache:
- Classic Teams:
%appdata%\Microsoft\Teams— close, delete contents, reopen. - New Teams:
%localappdata%\Packages\MSTeams_8wekyb3d8bbwe\LocalCache— close, delete contents, reopen. - Reopen Teams, sign back in.
If Bluetooth headset:
- Pair fresh: Settings → Bluetooth & devices → Remove device → re-pair.
- Many headsets require selecting "Hands-free profile" vs "Stereo" — Teams audio works on hands-free.
If Windows doesn't see device at all:
- Device Manager → Audio inputs and outputs → check for warnings.
- Update driver (right-click → Update driver).
- For Realtek issues, get latest from OEM support page (NOT third-party "driver booster").
Confirm it's fixed
- Teams test call records and plays back voice clearly.
- In a real meeting, two-way audio confirmed by other party.
- No echo or feedback.
- Audio holds for 30+ minutes without dropouts.
Still stuck? USB audio device not detected by Windows at all (driver/hardware), or all users on tenant report similar
Webcam / camera not working in Teams, Zoom, or other apps
Cameras get tripped up in three usual ways: a sliding cover, a permission switch, or another app that's already holding the camera. We'll check all three in under a minute. If the LED next to your camera lights up but you still see black, that's almost always an app permission. If the LED never comes on at all, it's the cover or a driver. Either way, this is a quick fix.
What to do
If OS Camera app works but Teams/Zoom doesn't:
- Sign out and back into the app.
- In Teams: Settings → Devices → Camera dropdown → pick the right device.
- In Zoom: Settings → Video → Camera dropdown.
If OS Camera app shows "We can't find your camera" (Windows):
- Device Manager → Cameras → right-click your device → Update driver → Search automatically.
- If still failing → right-click → Uninstall device → reboot. Windows will reinstall on boot.
If on macOS and the Camera privacy panel doesn't list the app:
- Quit the app completely (Cmd+Q).
- Re-open. macOS will prompt for camera permission on first use.
External webcam not detected at all:
- Try a different USB port (preferably directly on the laptop, not a hub).
- Test on another machine to rule out hardware failure.
Confirm it's fixed
- LED next to lens lights up when the app shows the preview.
- You can see yourself in the in-app preview.
- A test call shows your video to the other side.
- Camera does NOT stay locked when you close the app — opening another video app works immediately.
Still stuck? Camera not detected in Device Manager / System Information after driver reinstall, or hardware shutter physically broken
Email & Outlook
Deepfake Video / Executive Impersonation (BEC 2.0)
Attackers can now fake a video of your boss on a call, telling you to send money or hand over access — and it can look real. Because your eyes and ears can be fooled, the rule is the same as for any high-stakes request: stop, and verify through a separate, trusted channel before you act. Hang up or step away, look the person up yourself, call them on a number you already have, and use a code word. Real requests survive that check; fakes do not.
What to do
- Do not act on the video's instructions until identity is confirmed out-of-band.
- Look for detection cues: lip-sync drift, irregular blinking, facial-edge/lighting artifacts, unnatural head/body motion, audio-video desync, evasive responses to spontaneous questions.
- Attempt a live liveness check (see protocol below) — deepfakes often fail real-time, unscripted interaction.
- Check whether action already occurred; if so, pivot to incident response/fraud handling immediately.
Confirm it's fixed
- The request was confirmed (or refused) via an attacker-independent channel before any action.
- The callback-verification protocol and dual-control were applied to the high-risk request.
- Staff can recite the protocol steps and the code-word challenge from memory.
- If fraud occurred, bank recall and IR were engaged without delay and the event is documented.
Still stuck? A video call or recording of an executive directs an urgent payment, sensitive disclosure, or access change that cannot be verified out-of-band.
Email authentication: SPF, DKIM, and DMARC setup and troubleshooting
These three records prove your mail is really from you. SPF lists the servers allowed to send on your behalf, DKIM stamps each message with a tamper-proof signature, and DMARC tells the world what to do if a message fails those checks — and emails you reports of who's pretending to be you. Set them up correctly and your legitimate mail stops landing in spam while impostors get blocked.
What to do
SPF — build/repair the record:
- One TXT record only:
v=spf1 include:spf.protection.outlook.com include:_spf.google.com ip4:203.0.113.10 -all(use only the includes/IPs your senders actually need). ~all= SoftFail (mark suspicious);-all= HardFail (reject). Start with~allwhile validating, move to-allonce all senders are confirmed.- If over 10 lookups: remove unused includes, replace bulky includes with specific
ip4:/ip6:entries, or flatten/consolidate. Never publish twov=spf1records.
DKIM — enable signing:
- At the mail provider, enable DKIM for the domain; it generates one or more selectors.
- Publish the provider's CNAME records (e.g.
selector1._domainkey→ provider host) or the TXT public key. - Turn signing on only after the DNS records resolve. Rotate selectors per provider guidance; keep old selector live until rotation completes.
DMARC — deploy gradually:
- Start monitoring:
v=DMARC1; p=none; rua=mailto:dmarc@yourdomain; fo=1. - Read aggregate (
rua) reports for ~2–4 weeks; identify and authenticate every legitimate source via SPF/DKIM until they show aligned pass. - Tighten to
p=quarantine(optionally withpct=ramp), then top=rejectonce reports are clean. - Optionally add
ruf=for forensic/failure reports andaspf/adkimfor strict alignment if needed.
Diagnose specific complaints:
- *Mail to spam:* ensure SPF + DKIM both pass and align; missing DKIM is a common cause.
- *Being spoofed:* a
p=rejectDMARC (once legit mail is authenticated) is what stops spoofing. - *External mail rejected:* find which check failed in the bounce, authenticate that source, or correct alignment.
Confirm it's fixed
- Send a test to an external mailbox and inspect headers:
Authentication-Resultsshowsspf=pass,dkim=pass,dmarc=pass. - SPF lookup count is ≤ 10 with no PermError; exactly one
v=spf1record exists. - DKIM selector(s) resolve and the test message is signed with
d=aligned to the From domain. - DMARC aggregate reports over the following days show legitimate sources passing and unauthorized sources failing.
- Spoofing test (where authorized) is rejected/quarantined per the policy.
Still stuck? Legitimate business mail is being rejected/quarantined by a strict DMARC or third-party policy and the sending source cannot be authenticated without changes to a system outside IT's control.
Exchange Online: mail flow troubleshooting / NDR analysis
What to do
Message trace:
- Exchange Admin Center → Mail flow → Message trace.
- Recipient + date range → click traced message → see hop-by-hop.
- Status: Delivered, Filtered as spam, Failed, Pending, Expanded.
For inbound from external:
- Check anti-spam / anti-malware policies (Defender for O365).
- Check connectors (especially partner orgs with hybrid).
For outbound to external:
- DKIM signed: Defender → Policies → DKIM → enabled per domain.
- SPF record correct in DNS:
v=spf1 include:spf.protection.outlook.com -all. - DMARC published, enforcement level matches readiness.
Still stuck? Tenant-wide mail flow outage, or domain reputation block, or DMARC enforcement failure
New Outlook vs Classic Outlook in 2026 — which one to use and how to switch
Microsoft has two versions of Outlook right now — a "Classic" one that's been around for years, and a "New" one that's leaner and has more AI features. Most businesses are still on Classic because the New one is missing a few things. You can flip a switch in the corner to go either way. If you flipped to New by mistake and something broke, flip it back. If you want the new AI features and don't use older add-ins, the New one is great.
What to do
Path A — Stay on Classic Outlook for now (recommended for most business users mid-2026):
- In New Outlook, click the toggle in the top-right corner: "New Outlook" → switch OFF.
- Outlook closes. Classic Outlook (
OUTLOOK.EXE) opens next time you launch. - If toggle is missing: open Settings → General → Switch to classic Outlook.
- Group Policy or Intune can lock the experience: search "Default Outlook" policy.
Path B — Switch TO New Outlook (when Copilot and lightweight UX matter more than legacy features):
- In Classic Outlook, top right "Try the new Outlook" toggle ON.
- New Outlook downloads + opens. Sign in if prompted.
- Mail, calendar, contacts sync via M365 — no PST migration needed (server-side).
- Pre-migration checklist:
- Export any PST data you need locally to a server location (OneDrive or shared drive).
- List your COM add-ins (Classic → File → Options → Add-ins) — flag any that aren't yet web add-ins.
- Note your client-side rules — manually recreate any server-side rule isn't already covering.
Path C — Use both side-by-side (developer / power user pattern):
- Both Outlook clients can be installed concurrently on Windows 11.
- New Outlook from the Start menu, Classic from
OUTLOOK.EXE(Microsoft 365 Apps install). - Two profiles, two sets of running rules — be cautious about duplicate / overlapping rules.
Confirm it's fixed
- After switching to Classic: Outlook 2016-style ribbon visible, File → Account Settings shows your accounts, PST files accessible.
- After switching to New: top-right has user avatar + lightweight modern shell, settings is a gear icon, Copilot button visible in compose.
- Mail counts match across devices (sanity check sync).
Still stuck? Customer relies on a feature New Outlook doesn't support (PST import for offline work, third-party COM add-ins) and is forced to migrate — assess workflow rework before forcing.
Office 2010 / 2013 Outlook stopped sending or receiving mail in 2026
Your Outlook is from 2010 or 2013. Microsoft and email providers turned off the older way of signing in last year, and the old Outlook can't talk to the new system. The fix is to install a current version of Outlook — your emails, contacts, and calendar will all come with you. We can do it now and you'll be sending mail again within 20 minutes.
What to do
Path A — Replace Outlook 2010/2013 with a supported client (preferred and almost always required):
- Best: install Microsoft 365 Apps (subscription) or buy Office 2021 / 2024 perpetual license. New Outlook supports Modern Auth out of the box.
- Free fallbacks: Outlook on the Web (https://outlook.office.com), or eM Client free tier (supports OAuth to M365 / Gmail).
- Re-import old PST: in new Outlook, File → Open & Export → Import/Export → Import from another program → Outlook Data File (.pst) → point to old PST.
- Set up the account fresh using auto-discovery (just enter email + password, modern client handles OAuth redirect).
Path B — Use IMAP / SMTP via an app password (works only on Gmail-style providers, NOT M365):
- Sign in to the email provider's web UI.
- Enable 2FA on the account.
- Generate an "app password" (Google: Security → App passwords; Yahoo: Account Security → Generate app password).
- In Outlook 2010/2013: Account Settings → Change → use IMAP server settings with the app password.
- Note: Microsoft 365 / Exchange Online does NOT issue app passwords for Outlook 2010/2013 — Path A is required.
Path C — On-prem mail relay (for businesses that genuinely can't upgrade):
- Stand up a small SMTP relay (hMailServer, Postfix, or Exchange 2019 in mailbox-less hybrid mode) on a modern Windows Server.
- Configure the legacy Outlook to send through the relay over plain SMTP / no TLS or TLS 1.0.
- Relay authenticates to M365 with Modern Auth on the outbound leg.
- Inbound: configure transport rules to forward to a shared mailbox the legacy client reads via POP3 over the relay.
- This is non-trivial L2/L3 work — escalate.
Confirm it's fixed
- New Outlook receives mail within 60 seconds of webmail receiving it.
- Send a test email out, confirm it arrives at an external address (e.g., gmail).
- No more password prompts within first hour.
Still stuck? Customer is dependent on Office 2010/2013 with no upgrade budget AND needs to keep using Microsoft 365 / Exchange Online; engineering needs to design a relay or migration path.
Outlook can't send emails / messages stuck in Outbox
Your email isn't leaving your computer. It's usually one of three things: a too-big attachment, the message got stuck so nothing else can leave, or your password changed and Outlook hasn't caught up. We'll move the stuck one out of the way, retry with a smaller file via OneDrive if needed, and re-sign you in if that's the issue. Should be back to sending in a couple of minutes.
What to do
If a stuck message blocks Outbox:
- Outlook → Send/Receive → Work Offline (toggle ON to halt sending).
- Drag the stuck message from Outbox to Drafts.
- Toggle Work Offline OFF.
- Open the Drafts copy — re-attach files if needed — Send.
If attachment too large:
- For corporate users: upload to OneDrive → share link → paste link in email instead.
- M365 default 25 MB per send (some tenants 35 MB or 150 MB). External providers vary.
If NDR cites 5.7.x (security/policy):
- 5.7.1 → recipient or domain blocked your tenant. Contact recipient via phone.
- 5.7.135 → SPF/DKIM authentication block. Escalate to L2.
- 5.7.708 → access denied; user may be on M365 sender block list. Escalate.
If authentication issue (recent password change):
- File → Account Settings → Account Settings → highlight account → Change → re-enter password.
- If MFA recently enabled, complete the modern auth prompt.
- If repeated auth pop-ups: File → Account Settings → Account Settings → Email → Repair.
If quota:
- Cannot send while over quota. Archive or delete old items first (see l1-outlook-001 §5).
Confirm it's fixed
- Stuck message no longer in Outbox.
- Test message to self arrives within 60 seconds.
- External test (to personal email or coworker) arrives without NDR.
- Status bar shows "Connected to: Microsoft Exchange".
Still stuck? Multiple users on same tenant cannot send, or NDR shows 5.7.x policy violation, or DKIM/SPF/DMARC failure
Outlook is slow, freezes, or hangs on 'Processing' / 'Not Responding'
Outlook gets sluggish when it's trying to keep too much mail on your laptop, when an add-in is misbehaving, or when its local cache file gets corrupted. We'll start it in a clean mode to spot a bad add-in, trim how much mail it stores locally, and rebuild its cache from the server — none of your email is lost because the real copy lives in the cloud. It should feel snappy again after that.
What to do
Disable problem add-ins:
- File → Options → Add-ins → Manage: COM Add-ins → Go.
- Uncheck all non-essential add-ins → OK → restart Outlook. Re-enable one at a time to find the offender.
Right-size Cached Exchange Mode (big win on large mailboxes):
- File → Account Settings → Account Settings → double-click the Exchange account → set "Mail to keep offline" to 3 or 6 months instead of "All".
- Restart Outlook; it rebuilds a smaller OST. Confirm OST shrinks under
%LOCALAPPDATA%\Microsoft\Outlook.
Rebuild the OST (clears local corruption):
- Close Outlook. Rename the
.ost(e.g.,outlook.ost→outlook.ost.old) in%LOCALAPPDATA%\Microsoft\Outlook. - Reopen Outlook — it rebuilds the OST from Exchange Online (no data loss; the mailbox is the source of truth). Allow time to re-sync.
Rebuild the search index (if search is the slow part):
- File → Options → Search → Indexing Options → Advanced → Rebuild. Let it complete (can take an hour on large mailboxes).
Create a fresh Outlook profile (if still slow / profile corruption):
- Control Panel → Mail (Microsoft Outlook) → Show Profiles → Add a new profile → configure the account.
- Set Outlook to "Prompt for a profile" or set the new one as default → launch with the new profile.
Reduce/relocate PSTs:
- Move large archive
.pstfiles off network shares to local disk, or migrate them into Online Archive. PSTs on network shares are unsupported and slow.
Confirm it's fixed
- Outlook launches and reaches the inbox in a reasonable time (target < 15s on SSD).
- Folder switching and search return quickly with no "Not Responding".
- OST size is sane for the offline window chosen.
- A 10-minute working session shows no freezes; send/receive completes promptly.
Still stuck? Slowness affects many users on the same mailbox database or Exchange server, or mailbox/OST corruption persists after profile rebuild — that is an Exchange/server-side (L3) problem.
Outlook not receiving new emails
Outlook isn't pulling new mail from the server. Often it's stuck in Offline mode, or it's filtered something into Junk. We'll get it talking to the server again, peek in Junk, and double-check no rule is moving things. If we still can't see your latest emails, we'll log into the web version to confirm where they actually are, then fix the right piece.
What to do
If Outlook is offline:
- Send/Receive → uncheck Work Offline.
If specific senders only:
- Home → Junk → Junk E-mail Options → check Blocked Senders, Safe Senders, and Filters.
- Ask sender to resend; check delivery in Outlook Web first.
If OST file corrupted:
- Close Outlook completely (verify no
OUTLOOK.EXEin Task Manager). - File → Account Settings → Account Settings → Data Files tab.
- Note the OST file location.
- Open File Explorer to that folder, rename
*.ostto*.ost.old. - Reopen Outlook — it will rebuild the OST from server (15–60 min for typical mailbox).
If quota:
- Archive items: File → Cleanup Tools → Archive (or Online Archive if licensed).
- Empty Deleted Items.
- Empty Junk.
- For corporate: request quota increase from L2.
Confirm it's fixed
- Sender to user test: have someone send a test message; user receives within 60 seconds.
- Outlook status bar shows "Connected to: Microsoft Exchange".
- Send/Receive completes with no error in the progress dialog.
- Inbox count matches Outlook Web inbox count.
Still stuck? Send/Receive returns 0x8004... errors, or issue affects multiple users in same tenant
Set up work email on a personal or mobile phone
Adding work email to your phone is usually a two-minute job: install the Outlook app, type your email and password, then approve the security prompt on your phone. The reason we steer you to the Outlook app instead of your phone's built-in Mail is that it keeps work data in a protected space and follows our security rules. If your phone asks to 'register' during setup, that's normal and expected — it's just confirming the phone is allowed to receive company mail.
What to do
iPhone (iOS) — recommended (Outlook app):
- Install Microsoft Outlook from the App Store and open it.
- Tap Add Account, enter your full work email, tap Continue.
- Enter your password, then approve the MFA prompt in Authenticator or via text/call.
- If asked, allow notifications and complete any device registration step.
- Wait a minute for mail, calendar, and contacts to sync.
Android — recommended (Outlook app):
- Install Microsoft Outlook from Google Play and open it.
- Tap Add account, enter your work email, tap Continue.
- Enter your password and approve the MFA prompt.
- Complete any "register device" / Company Portal step if prompted.
- Wait for the inbox to populate.
If your company uses Exchange via the built-in Mail app instead:
- iOS: Settings → Mail → Accounts → Add Account → Microsoft Exchange → enter email → sign in → approve MFA.
- Android: Settings → Accounts → Add account → Exchange / Corporate (varies by phone) → enter email → sign in.
Confirm it's fixed
- New work email appears in the inbox and you can send a test message to yourself.
- Calendar shows your work meetings.
- A test email sent from a computer arrives on the phone within a minute or two.
- No repeated password prompts after setup.
Still stuck? Account adds but cannot connect after correct password + MFA, or enrollment/Conditional Access blocks the device from receiving mail.
Suspicious email / suspected phishing — what to do
That email looks like a scam. Don't click anything in it. The safest move is to report it using Outlook's Report button — that tells our security system to clean it from everyone's inbox. If you already clicked or typed your password, tell us right now: every minute matters when an attacker has your credentials. We'll change your password, kick them out of your account, and make sure nothing was stolen. There's no shame in clicking — phishers are good at this. Just tell us fast.
What to do
If you have NOT interacted with it:
- In Outlook → select message → Home tab → Report dropdown → "Report Phishing".
- Or: forward email as attachment to your IT phishing inbox (e.g.,
phishing@iisupp.net) — drag-drop into a new message to preserve headers. - After reporting, delete from Inbox AND Deleted Items.
- Block the sender if pattern continues (Junk → Block Sender).
If you HAVE clicked a link:
- Don't enter anything; close the tab/window.
- Run a full antivirus scan: Windows Security → Virus & threat protection → Scan options → Full scan.
- Report the email to IT — escalate.
If you HAVE entered credentials:
- Immediately change your password from a known-good device.
- Sign out of all sessions: https://mysignins.microsoft.com → Sign out everywhere.
- Notify IT immediately — escalate to L2/L3.
- Watch your inbox for unexpected sent items, mailbox rules, MFA-prompts.
If you HAVE replied with information (BEC):
- Do NOT engage further.
- Notify IT and finance leadership — wires can sometimes be reversed within 24h.
- File an IC3 report (US) or local equivalent if money was sent.
Confirm it's fixed
- Email reported and removed from inbox.
- If credential exposure, password change confirmed, sessions revoked.
- Antivirus scan clean.
- No unfamiliar Outlook rules under File → Manage Rules & Alerts.
- No unfamiliar device under https://mysignins.microsoft.com.
Still stuck? User clicked link or entered credentials, or executive impersonation, or active BEC suspected
Microsoft 365 & Office
Active Directory: account lockout / repeating lockouts after password change
Some device of yours is still trying to log in with your old password. We need to find which one — usually a phone, mapped drive, or saved Wi-Fi — and update it. Once we do, the lockouts stop.
What to do
Cached creds on phone (Outlook / ActiveSync):
- Have user remove + re-add the work profile / mail account on phone with new password.
- For Intune-enrolled phones, force update profile.
Mapped drive with saved cred:
- On caller machine:
cmdkey /delete:server.domain.local. - Reconnect drive with current creds (or via GPO).
Scheduled task with old password:
- Task Scheduler → identify tasks running as user → Actions → update creds.
Wi-Fi enterprise SSID:
- Forget + reconnect with current creds.
Service account:
- Find every place the password is used (DSC, SCCM, scripts, services).
- Change all in coordination, then reset AD password.
- Best practice: convert to Group Managed Service Account (gMSA) — auto-rotated.
Brute force:
- Check 4625 source IPs and counts. If external, escalate to L3/Security.
- Consider implementing Smart Lockout in Azure AD / Microsoft Defender for Identity.
Confirm it's fixed
- 24 hours with no Event 4740 for the user.
- LockoutStatus.exe shows account "Not Locked Out" across all DCs.
- User signs in normally everywhere.
Still stuck? Lockout source unidentifiable, or service account, or pattern across many accounts (possible attack)
Can't sign in to Microsoft 365 / repeated password prompts
Your computer has saved an old version of your password and is fighting with the new one. We'll clear the saved one, restart Office, and sign you in fresh. If your phone hasn't approved the security prompt yet, that'll be the next thing we check. Should take just a few minutes.
What to do
If password recently changed:
- Sign in fresh on each Office app; for Outlook, also: File → Account Settings → Email → Change → re-enter.
If MFA prompt is missed:
- Open Microsoft Authenticator app on phone — manually scroll for any pending request, approve.
- Or use https://aka.ms/mfasetup to verify methods are current.
If account locked (AADSTS50053):
- Wait 30 minutes for soft unlock OR request L2 to unlock via Azure AD admin.
If Conditional Access block (AADSTS53003):
- Compliant device required — verify Intune / Endpoint enrollment status.
- Or switch to a compliant network if location-based.
If clock skew:
- Reset time via Settings; also check BIOS clock if persistent (laptop battery often dead).
Confirm it's fixed
- Sign-in completes without prompts after 1 attempt.
- Office.com loads tenant home page within 5 seconds.
- Outlook status bar reads "Connected".
- Teams shows green presence.
- 24h with no recurring prompt.
Still stuck? AADSTS50053 (account locked), AADSTS50126, or pattern across multiple users on same tenant
Microsoft 365 / Google Workspace tenant-to-tenant migration
Moving your organization from one cloud tenant to another (for a merger, sale, or rebrand) is like relocating an entire office: people, email, files, shared sites, and chats all have to move without losing anything or breaking how you work. The tricky parts are identity (your email domain can only "live" in one place at a time, so the switch has to be timed precisely) and the sheer volume of data, which the platforms deliberately rate-limit. We reduce risk by inventorying everything, testing with a small pilot group, pre-copying data so the final switch is quick, and keeping the old tenant intact until we've confirmed the new one works. There's a short, planned window where email cuts over to the new home.
What to do
> Section 5 is for a senior engineer running the project. Irreversible steps (domain move, MX cutover) require sponsor sign-off; vendor engagement is noted.
- Prepare the target tenant: licensing, provisioned users/groups, SharePoint/Teams scaffolding, security/compliance settings, and verified routing domains.
- Pilot migration: migrate a representative pilot group end-to-end (mail, OneDrive, SharePoint, Teams), validate fidelity and permissions, and measure throughput vs throttling. Fix issues before scaling.
- Pre-stage bulk data: run incremental/pre-sync passes so the final delta at cutover is small (lowers downtime). Stagger batches within throttling limits.
- Stand up coexistence: enable cross-tenant mail routing and free/busy so users in both tenants interoperate during a staged move.
- Cutover (the irreversible part — sponsor sign-off): schedule the maintenance window; perform the final delta sync; move the custom domain (remove from source, verify in target) and cut MX/Autodiscover/SPF/DKIM/DMARC/CNAME DNS to the target. Sequence carefully — the domain can exist in only one tenant at this moment.
- Engage vendors for blockers: the migration-tool vendor for fidelity/permission/throttling issues; Microsoft/Google for tenant-side domain-move, throttling, or routing problems.
- Hold a rollback plan: keep the source tenant intact and data retained until validation passes; define per-batch rollback (re-point routing back, re-enable source) so a failed batch doesn't strand users. True cutover rollback is costly — minimize risk with pilot + pre-staging rather than relying on it.
Confirm it's fixed
- Mail flows correctly to/from the target tenant; no NDRs or mis-routing; SPF/DKIM/DMARC valid; Autodiscover resolves; no mail looping between tenants.
- Mailboxes, OneDrive, SharePoint, and Teams content migrated with correct permissions, versions, and structures (spot-check across user types).
- Distribution/M365 groups, shared/resource mailboxes, and guest access function as expected.
- Users sign in with the correct UPN/SMTP; the custom domain is verified only in the target and removed from source.
- Pilot/batch validation sign-offs recorded; no orphaned or duplicated objects.
- Integrated apps re-authorized and working; source tenant retained per rollback/retention plan until acceptance.
Still stuck? Engage the migration-tooling vendor and the platform vendor (Microsoft/Google) for unresolved throttling, identity/domain-move conflicts, or data-integrity issues; escalate to project sponsor before any irreversible cutover step.
Microsoft 365 license / activation issues — apps in reduced functionality
Your Office apps can't confirm your subscription right now. Most often it's signed in with a different account than the one with your license, or the license needs to be reassigned. We'll check who you're signed in as, sign you back in with the right account, and your full Office should come back. If we still see issues, we'll get a quick admin to verify your license is active.
What to do
If wrong account signed in:
- File → Account → Sign Out → confirm.
- Close all Office apps (verify in Task Manager).
- Reopen Word, sign in with correct work email.
- Activation completes silently if license is assigned.
If duplicate installs:
- Settings → Apps → Installed apps.
- Uninstall any non-current Office version.
- Repair the M365 install: right-click Microsoft 365 Apps → Modify → Quick Repair (then Online Repair if needed).
If proxy / network blocking activation:
- Confirm device can reach
https://officeclient.microsoft.com,https://login.microsoftonline.com,https://activation.sls.microsoft.com. - On corporate proxy, request whitelisting per Microsoft's published M365 endpoint list.
If license truly missing:
- Tenant admin (or L2): M365 admin center → Users → Active users → user → Licenses & apps → ensure correct SKU assigned.
- After assignment, allow up to 30 minutes for propagation; user signs out + back in.
Confirm it's fixed
- File → Account shows green check + "Microsoft 365 Apps for Enterprise" (or assigned SKU) + activation date.
- All Office features (Track Changes, advanced editing) available — no read-only banner.
- No "(Unlicensed Product)" in title bar.
- Outlook can send/receive normally.
Still stuck? License unassigned in admin center or tenant has no available licenses for required SKU
Office router is WPA2-PSK only — modern devices misbehave, Wi-Fi 6/7 clients drop
Your office Wi-Fi router is using a security standard from 2004. Most of your newer phones and laptops know it's old and complain about it, and your VPN apps may refuse to use it. We can swap in a modern mesh system with proper office, guest, and smart-device networks — phones stop warning, the Wi-Fi gets faster, and your team stops wrestling with the connection. The mid-range option lands around $1,000 for hardware plus an afternoon to set up.
What to do
Path A — Replace consumer router with prosumer Wi-Fi 6E / 7 mesh (most offices < 5,000 sq ft):
- Pick a mesh kit:
- TP-Link Deco BE85 (Wi-Fi 7, $999/3-pack) — best value for 4,000-6,000 sq ft.
- eero Pro 7 (Wi-Fi 7, $599-1,499) — easiest setup, Amazon ecosystem.
- Ubiquiti UniFi Express 7 Pro (Wi-Fi 7, $279 per AP + $199 dream router) — best for offices wanting VLANs and growth.
- Set 3 SSIDs minimum:
iisupp-corp— WPA3-SAE only, VLAN 10iisupp-iot— WPA2/WPA3 mixed (some smart devices still need WPA2), VLAN 20, isolatediisupp-guest— WPA3-SAE + captive portal, VLAN 30, internet-only
- Configure band steering: prefer 6 GHz for Wi-Fi 6E/7 clients, 5 GHz for older devices, 2.4 GHz only for IoT.
- Enable MLO (Multi-Link Operation) for Wi-Fi 7 clients — gives 30%+ latency improvement on video calls.
Path B — UniFi structured deployment (offices > 5,000 sq ft, multi-floor, or compliance):
- UniFi Dream Machine Pro Max + 3-6 U7 Pro APs ($1,400-3,000 hardware).
- Cat6A drops to each AP location, PoE+ injectors or PoE switch.
- Site-to-site VPN to remote workers, RADIUS for 802.1X enterprise auth on
iisupp-corpSSID. - ~2-day install for licensed cable + AP placement.
Path C — Cheapest stop-gap (until budget allows replacement):
- Buy a single ASUS RT-AX86U Pro ($230) — Wi-Fi 6, supports WPA3.
- Replace ISP-supplied router. Keep ISP modem in bridge mode.
- Configure: WPA3-SAE primary SSID + WPA2/WPA3 transitional for legacy IoT.
Confirm it's fixed
- iPhone shows no "Weak Security" warning on
iisupp-corp. - Speedtest on Wi-Fi 7 laptop: at least 70% of wired throughput within 30 ft of an AP.
- VPN clients (AnyConnect, GlobalProtect) connect without security warnings.
- Roaming test: walk across the office on a continuous Zoom call — no drop.
Still stuck? Office has 30+ devices, multi-floor coverage, or any compliance requirement (PCI-DSS 4.0 requires WPA3 by Mar 2025); design with structured cabling + APs not consumer router.
Password reset / forgotten password (self-service)
You can reset your own password without needing to call IT, as long as you've registered a phone or the Authenticator app. We'll go to the reset page, prove it's you with a code on your phone, and pick a new password. If your laptop still wants the old one after, we'll connect to the company network for a moment so it catches up.
What to do
Self-service reset (SSPR):
- From sign-in page, click "Can't access your account?" / "Forgot password?".
- Enter UPN (email) and the captcha.
- Pick a verification method (phone text, phone call, Authenticator code, or email).
- Receive code → enter.
- Set new password (must satisfy: min length 8, mix of upper/lower/number/symbol, not reused).
- Wait 30 seconds for sync.
- Sign in.
For a Windows-joined device, when a remote user resets cloud password but local cache is stale:
- Connect to corporate VPN, then lock + unlock with new password to refresh local cached credentials.
- Or: use "Reset password" link on Windows lock screen if SSPR-from-Windows is enabled.
For password expired:
- Sign-in normally prompts "Your password has expired" — change in-flow.
- If sign-in screen doesn't show option: log in via web (office.com), it'll prompt there.
Confirm it's fixed
- Sign-in succeeds with new password on web.
- Outlook, Teams, Office apps sign back in successfully.
- Lock + unlock Windows session works with new password.
- 24h with no further "wrong password" issues.
Still stuck? User cannot complete SSPR (no verification methods or expired), or admin reset required, or local-account-only PC with lost password
Set up and sign in with a passkey (passwordless / FIDO2 / Windows Hello)
A passkey replaces your password with something only you have — your phone, your laptop, or a little security key — unlocked by your face, fingerprint, or PIN. There's nothing to type and nothing for an attacker to phish, because the secret never leaves your device. You can store a passkey right on your computer (Windows Hello), on your phone (scan a QR code to use it on other computers), or on a USB security key. The golden rule: set up two of them, so losing one device never locks you out.
What to do
A. Enroll a passkey on Windows (Windows Hello as the passkey):
- Go to your account security/My Sign-Ins page (for M365: https://aka.ms/mysignins → Security info).
- Choose Add sign-in method → Passkey (or "Security key / Passkey").
- When prompted "Where do you want to save this passkey?", choose This device (Windows Hello).
- Approve with your fingerprint, face, or Hello PIN. The passkey is now stored in the PC's secure hardware (TPM).
B. Enroll a passkey on a phone (phone-as-passkey):
- On the account security page on your computer, choose Add passkey → iPhone, iPad, or Android device (or "Use a different device").
- A QR code appears on the computer screen.
- Scan the QR code with the phone's camera. The phone connects over Bluetooth (keep both devices close and Bluetooth on).
- Approve on the phone with Face ID / fingerprint / screen lock. The passkey is saved to the phone's keychain (iCloud Keychain on iPhone, Google Password Manager on Android).
C. Enroll a roaming passkey on a security key (USB/NFC FIDO2 key):
- Choose Add passkey → Security key.
- Insert the USB key (or tap an NFC key to the device).
- Create or enter the key's PIN, then touch the gold disc/sensor to confirm presence.
- The passkey now lives on the physical key and works on any device you plug it into.
D. Sign in with a passkey afterward:
- At the sign-in screen, enter the username (or it may be remembered), then choose Sign in with a passkey / other ways to sign in → Passkey.
- For a device passkey: approve with Hello/Touch ID/PIN.
- For a phone passkey on a different computer: choose "phone," scan the QR with the phone, approve on the phone.
- For a security key: insert/tap the key, enter its PIN, touch the sensor.
Confirm it's fixed
- The new passkey is listed under Security info / Sign-in options with the device name and the date added.
- Open a fresh private/incognito browser window and complete one full passkey sign-in successfully.
- Confirm the user has at least one backup sign-in method (a second passkey, the Authenticator app, or a phone number) — see l1-passkey-002.
- For phone-as-passkey, confirm it works against a different computer (the cross-device flow), not only the enrolling computer.
Still stuck? User cannot enroll a passkey because the tenant has not enabled the passkey/FIDO2 authentication method, or the device does not support a platform authenticator.
Wi-Fi 7 in the office — 320 MHz, MLO, and backward compatibility with Wi-Fi 6/6E/5 clients
Wi-Fi 7 is the new standard. It's roughly twice as fast as Wi-Fi 6 if your phone or laptop also supports Wi-Fi 7. Older devices keep working at their own speed — they're not slowed down. If you're getting a new router, get Wi-Fi 7. If you want your existing laptop to also be Wi-Fi 7, sometimes we can swap in a small card for around $30; phones and iPads can't be upgraded so they'll stay on whatever Wi-Fi they came with.
What to do
To deliver Wi-Fi 7 throughput to clients that support it:
- Use single SSID with band steering rather than separate 6 GHz SSID. Modern routers do this well (eero, Deco, UniFi U7 Pro).
- Enable 320 MHz channel width on 6 GHz radio (router admin → 6 GHz → channel width: 320 MHz auto). 320 MHz only available in 6 GHz.
- Enable MLO (Multi-Link Operation) — clients can use 2.4 / 5 / 6 GHz simultaneously, ~30% latency drop, much smoother for video calls. Requires Wi-Fi 7 on both ends.
- Enable 4K-QAM — higher modulation = more throughput on short range. Most Wi-Fi 7 routers ON by default.
- Use WPA3-SAE or WPA3 + WPA2 transitional. 6 GHz spec requires WPA3 — Wi-Fi 7 clients refuse WPA2-only on 6 GHz.
For older clients on the same network:
- Wi-Fi 6E client → 6 GHz, max ~1.6 Gbps real-world.
- Wi-Fi 6 client → 5 GHz, max ~800 Mbps real-world.
- Wi-Fi 5 client → 5 GHz, max ~400 Mbps real-world.
- Wi-Fi 4 / b/g/n client → 2.4 GHz, max ~50 Mbps real-world.
Common upgrades to unlock Wi-Fi 7 on existing fleet:
- Replace internal Wi-Fi card on desktop / older laptop: Intel BE200/202 (M.2 module, ~$30) → upgrades a Wi-Fi 6E laptop to Wi-Fi 7 if mainboard + driver support it. Check vendor / Linux kernel compat.
- USB Wi-Fi 7 adapter for desktops: not many shipping yet (early 2026), early ones from MediaTek, ASUS.
- For phones / iPads: no upgrade path — must buy newer hardware.
Confirm it's fixed
- Priority Wi-Fi 7 laptop: speedtest at 1.5+ Gbps within 15 feet of AP.
- MLO active: Win 11 Wi-Fi details shows "Wi-Fi 7" protocol AND multiple link addresses; macOS shows "Multi-Link".
- Latency on video call < 30ms RTT to home Wi-Fi → server (use
pingto a regional server). - All older devices continue working without manual intervention (proves band steering).
Still stuck? Deploying Wi-Fi 7 across 20+ APs, multi-floor, or regulated industry → L3 network design with proper spectrum management.
Accounts, Sign-in & MFA
Agent Identity Onboarding & Offboarding
Treat each AI agent like a staff member with their own badge. Give it its own login (not a person's), only the access it actually needs, and keys that get changed regularly and kept in a safe place. When the agent is no longer used, deactivate its badge and take back its keys — the same way you would offboard an employee who leaves. The biggest risk is a "ghost" agent whose login still works long after the agent is gone.
What to do
- Onboarding (issue): Every agent gets a dedicated, named non-human/service identity — never a person's login, never a broad shared account.
- Least privilege: Grant only the specific scopes/tools the agent needs for its job; deny by default and add narrowly.
- Secrets management: Store credentials in a secrets store (not in code/config/chat). Use short-lived, scoped tokens where possible.
- Rotation: Define and automate a rotation schedule for keys/secrets; rotate immediately on suspected compromise or after an incident (t4-aigov-002).
- Lifecycle binding: Tie the identity's existence to the agent's lifecycle in the register — created when the agent is approved, reviewed periodically.
- Offboarding (deprovision): When an agent is retired or re-scoped, disable its identity, revoke and delete its keys/tokens, and remove its access. Confirm no orphaned credentials remain.
- Attribution: Per-agent identities also enable cost attribution (t4-aigov-004) and clean audit trails (t4-aigov-003).
Confirm it's fixed
- Every agent uses a dedicated non-human identity, not a personal or broad shared account.
- Each identity's permissions match its job (spot-check confirms no excess scope).
- Secrets live in a secrets store and have a rotation schedule that has actually run.
- A test offboarding leaves no live keys/tokens for the retired agent (re-auth fails).
- No orphaned agent identities remain in the directory/key inventory.
Still stuck? A retired agent's credentials are still active, or an agent is running on a human's personal login or an over-privileged shared account.
Conditional Access blocking sign-in (AADSTS53003 / 53000)
A security rule blocked your sign-in because something didn't match what we require — usually it's that your device isn't checked in as managed, or you're in a place we don't expect you. We'll find which rule and fix it for you.
What to do
Device not compliant:
- Have user open Company Portal → Check status. Resolve any flagged item (encryption, updates).
- Or: temporarily exclude user from policy for break-fix; re-include after device fixed.
Policy misconfiguration (target/exclude wrong):
- Edit policy → Users → adjust group inclusion/exclusion.
- Bring up CA "What If" tool to verify before save.
Location-based block (legitimate user travel):
- Add the user's country to a Trusted Locations or excluded location for the policy.
Break-glass scenario:
- Use the documented break-glass account (always excluded from all CA policies) to make the change.
- After fix, audit-log the use.
Token theft suspicion:
- Revoke sessions:
Revoke-MgUserSignInSession -UserId <id>. - Reset password.
- Investigate sign-in logs for foreign IPs / devices.
Confirm it's fixed
- User signs in successfully and CA tab on the success record shows policies = Success.
- "What If" tool returns Allow for user/app/location combination.
- No new failures in 24h.
Still stuck? Policy change required affecting >10 users, or break-glass account also blocked, or signs of token replay attack
Multi-factor authentication (MFA): setup, lost device, and recovery
MFA is the extra check that protects your account from someone who guessed or stole your password. If your phone's gone or unhappy, we have a few ways to get you back in: try a backup method like text-to-phone, restore your authenticator from cloud backup, or have IT reset it after we confirm it's really you. Adding a second method now is the best favor you can do for future-you.
What to do
Setting up MFA for the first time:
- Visit https://aka.ms/mfasetup (or follow the prompt during sign-in).
- Click "Add sign-in method" → choose Microsoft Authenticator.
- Install Microsoft Authenticator on phone (iOS App Store / Google Play).
- In the app: Add account → Work or school account → Scan QR code shown on the website.
- Approve the test prompt.
- Add a backup method (phone number for text, in case device lost).
New phone (old phone still works):
- Install Authenticator on new phone.
- On old phone, in Authenticator: Settings → Backup → ensure cloud backup ON (with iCloud / Microsoft account).
- On new phone, in Authenticator: Begin recovery → sign in with same recovery account → entries restore.
- Re-verify each entry — Authenticator may require re-verification on new device.
New phone (old phone gone):
- Try sign-in with backup method (text/call to phone number on file).
- If backup works → https://aka.ms/mfasetup → remove old Authenticator entry → add new.
- If no backup methods work → Escalate (admin reset).
Lost phone, no backup methods:
- Submit identity verification request to IT (photo ID, manager confirmation per policy).
- Admin (L2) clears MFA registration via Entra portal.
- User signs in once with password only → re-enrolls fresh.
Confirm it's fixed
- Sign-in test from a different browser session succeeds with MFA.
- Authenticator shows current account with green "Active" status.
- Two registered methods minimum (one primary + one backup).
- "Sign-in activity" in My Sign-Ins shows recent successful MFA challenges.
Still stuck? User locked out with no recovery method, or admin reset required for MFA, or token replay/abuse suspected
Recover passkey access after a lost, replaced, or broken device
If the device that held your passkey is gone, don't panic — but don't keep tapping the missing passkey either. The fix is to sign in another way (a second passkey, the Authenticator app, or a text code), then add a fresh passkey on your new device and delete the old device from your account so nobody else can use it. If you've truly lost every way in, IT can reset things once we confirm it's really you. The lesson for next time: always keep two ways to sign in.
What to do
A. Sign in with a backup method (preferred — no admin needed):
- At sign-in, choose Other ways to sign in / I can't use my passkey.
- Pick a remaining method: a second passkey, the Microsoft Authenticator app, or a text/call to a registered phone number.
- Complete sign-in with that method.
B. Register a new passkey on the replacement device:
- Once signed in, go to Security info (work/school: https://aka.ms/mysignins → Security info; personal: account.microsoft.com → Security → Advanced security options).
- Choose Add sign-in method → Passkey and follow l1-passkey-001 to enroll on the new device or phone.
C. Remove the lost device's passkey from the account:
- In Security info / sign-in methods, find the entry for the old/lost device (named by device, with the date added).
- Select it and choose Delete / Remove. This revokes that passkey so a thief cannot use it.
- Repeat for any other stale entries.
D. All passkeys lost and NO backup method (admin reset):
- Contact IT to verify identity per policy (photo ID, manager confirmation).
- An admin (L2) resets the account's authentication methods in Entra.
- The user signs in with the temporary method provided, then immediately enrolls a fresh passkey and a second backup method.
Confirm it's fixed
- The user can complete a full sign-in on the new device with a newly enrolled passkey.
- The lost device's passkey no longer appears under sign-in methods.
- At least two working methods are now registered (e.g., new passkey + Authenticator or phone).
- Recent sign-in activity shows the successful recovery and no unexpected sign-ins from the lost device.
Still stuck? User has lost all passkeys and has no remaining backup sign-in method, requiring an admin to reset authentication methods after identity verification.
Set up a new work laptop — first boot and sign-in
A new work laptop sets itself up mostly on its own once you connect to Wi-Fi and sign in with your work email. After you sign in, it spends 10-30 minutes quietly applying our security settings and installing your apps — that 'getting ready' screen is normal, so just leave it plugged in. Your files aren't missing; they live in OneDrive and download once you sign in. Within about half an hour you'll have email, Teams, and your apps ready to go.
What to do
Windows (OOBE / Autopilot):
- Power on; choose region and keyboard.
- Connect to Wi-Fi or Ethernet.
- At the sign-in screen, enter your work email and password, then approve the MFA prompt.
- Let the device run "Setting up your device / account" (Autopilot Enrollment Status Page) — it applies security settings and installs core apps. Leave it plugged in and online.
- When you reach the desktop, open the Company Portal / Software Center (if present) to install any optional apps you need.
- Sign in to OneDrive so your files start syncing; sign in to Outlook and Teams.
macOS (company-enrolled):
- Power on; choose region, keyboard, and connect to a network.
- Sign in / complete Remote Management / enrollment when prompted (this registers the Mac with the company).
- Create your local account, then sign in to Microsoft 365 apps (Outlook, Teams) with your work account and approve MFA.
- Let managed apps install, then sign in to OneDrive to sync files.
Confirm it's fixed
- You reach the desktop and can open Outlook with email flowing.
- Teams signs in and shows green presence.
- OneDrive shows it is syncing / "Up to date."
- Core company apps are installed (or installing) without errors.
- The device shows as enrolled/compliant in IT's console (IT can confirm).
Still stuck? Setup stalls during enrollment/provisioning, the device won't join the company account, or required apps never install after sign-in.
SSO / SAML / OIDC: federation troubleshooting
What to do
- Capture SAML / OIDC trace: SAML-tracer Firefox / Chrome ext, or browser DevTools network.
- Decode SAML assertion: Base64 → XML; or jwt.io for OIDC tokens.
- Verify timestamps (not before / not on or after).
- Verify signatures with IdP cert.
- Verify Audience / Issuer / Subject.
Still stuck? Federation-wide outage, IdP cert compromise, SAML response replay attack
SSO onboarding: add a user to an app, or connect a new SaaS app to SSO
Single sign-on means you log in once with your work account and the app just lets you in — no separate password. To give you access we add you to the group that's allowed into that app; if the app also needs an account created on its side, our system provisions it automatically. For a brand-new app we set up a trust between our login system and the vendor once, then everyone gets in the same easy way. You'll find your apps at the My Apps portal.
What to do
A) Add an existing user to an already-integrated app (most common):
- Entra ID → Enterprise applications → select the app → Users and groups → Add user/group.
- Prefer adding the user to the security group that grants the app (group-based access) rather than a direct assignment — it scales and audits cleanly.
- Assign the correct role if the app exposes app roles.
- If the app uses SCIM provisioning, confirm the user appears in Provisioning → on-demand provision (provision them on demand to avoid waiting for the sync cycle).
- Confirm a license is assigned if the app requires one.
B) Onboard a brand-new SaaS app to SSO (SAML):
- Entra ID → Enterprise applications → New application → search the gallery; if present, add it (pre-built claims). If not, "Create your own application" → non-gallery.
- Single sign-on → SAML. Exchange metadata with the app owner:
- Give the app the IdP metadata / Login URL / Entity ID / signing certificate.
- Enter the app's Reply URL (ACS), Identifier (Entity ID), and Sign-on URL.
- Set Attributes & Claims to match what the app keys on (commonly NameID =
user.mailoruser.userprincipalname). - Download the federation metadata XML (or Base64 cert) and hand it to the app owner to finish their side.
- Assign the pilot user/group under Users and groups and test.
C) Turn on automatic provisioning (SCIM) so accounts auto-create:
- App → Provisioning → mode Automatic → enter the app's Tenant URL and Secret Token (from the SaaS admin).
- Test Connection, map attributes, set scope to "assigned users and groups", then turn provisioning On.
Confirm it's fixed
- The user sees the app tile at https://myapps.microsoft.com and can launch it.
- Sign-in completes end-to-end into the app (not just the IdP) without a redirect loop.
- For SCIM/JIT: the user's account now exists in the SaaS app with correct attributes/role.
- Entra ID → Sign-in logs shows a successful interactive sign-in to that app for the user.
- Removing a test user from the group revokes access (de-provision verified) before go-live.
Still stuck? Custom SAML claim mapping, federation/trust changes, or tenant-wide identity policy changes — design-level work for L3 identity engineering.
Security (phishing, malware, scams)
AI Voice Phishing (Vishing) & Deepfake Audio
Criminals can now copy someone's voice from a few seconds of audio and call you sounding exactly like your boss or a vendor, demanding an urgent payment or password. The voice is fake even though it sounds real. The defense is simple: never act on an urgent voice request without checking through a separate channel you trust — hang up and call the person back on their known number, or use a pre-agreed code word. Real, legitimate requests will survive a quick verification; scams fall apart under it.
What to do
- If nothing has happened yet: halt the request, verify out-of-band, and only proceed once identity is independently confirmed.
- Callback verification: hang up and call back on a number from your own directory/records, never a number the caller supplied.
- Use a verification challenge: a pre-agreed code word/passphrase or a question only the real person can answer (and that is not findable online).
- Enforce dual-control for money/credentials: any wire, banking-detail change, credential reset, or MFA bypass requires a second approver and out-of-band confirmation — no single-call authorization.
- If action already taken (fraud in progress):
- For wires: contact the bank immediately to recall/freeze; time is critical.
- For credentials/MFA: treat as account compromise — reset, revoke sessions/tokens, investigate access.
- Engage security IR and management.
- Report: preserve the voicemail/call details and report internally (and to relevant authorities/bank as appropriate).
Confirm it's fixed
- The request was independently confirmed via a known, attacker-independent channel before any action.
- Dual-control was applied to any financial/credential request.
- If fraud occurred, the bank/account-recovery and IR processes were engaged without delay.
- Staff can describe the callback protocol and the code-word challenge.
- The incident is documented and reported per policy.
Still stuck? A caller using a recognized voice requests an urgent wire transfer, credential reset, or MFA bypass that cannot be verified out-of-band.
DDoS attack response (volumetric / protocol / application-layer)
A DDoS attack floods your services with junk traffic from many sources to crowd out real users — like a mob jamming the doors of a shop. There are three flavors: brute-force "fill the pipe" floods, attacks that exhaust your equipment's capacity to track connections, and sneaky ones that send normal-looking requests to overwhelm the application. The most effective defense usually happens upstream, so we engage your internet provider and a DDoS-protection service to filter the bad traffic before it reaches you, while keeping real customers connected. In extreme cases we may temporarily sacrifice a single attacked address to protect everything else. We never negotiate with or pay attackers.
What to do
> Section 5 is for a senior network/security engineer, frequently in a bridge with the ISP and DDoS vendor. Upstream engagement is mandatory at scale.
- Engage the ISP and DDoS-protection/scrubbing vendor early to divert traffic through scrubbing (often via DNS redirection or BGP advertisement to the scrubbing center) and to apply upstream filtering. This is the primary lever for volumetric attacks.
- Volumetric: request upstream rate-limiting/filtering; as a blunt last resort, remote-triggered black-hole (RTBH) of the targeted IP at the ISP drops all traffic to it (it sacrifices that IP to save the rest of the network — a deliberate trade-off, decided with the ISP).
- Protocol/state-exhaustion: enable SYN cookies, tune connection/rate limits, drop malformed/fragmented traffic, and lean on stateful protections at the edge/scrubber.
- Application-layer (L7): front the service with a CDN/WAF; apply rate-limiting, challenge/CAPTCHA or JS challenges, bot management, and targeted rules for the abused endpoints. Hide/relocate the origin and restrict it to accept only CDN/WAF traffic.
- Tactical filters: apply geo/ACL/source filtering only when it reliably separates attack from legitimate traffic — the goal is keeping real users up, so avoid over-broad blocks that cause self-inflicted outage.
- If exploited as cover for intrusion, run incident response in parallel (l3-security-001). For ransom-DDoS, do not communicate with or pay attackers without leadership/legal direction.
Confirm it's fixed
- Legitimate traffic flows normally; service latency/availability back to baseline for priority services.
- Attack traffic is being absorbed/scrubbed upstream; edge devices (firewall/LB) back to healthy CPU/state-table levels.
- Origin no longer directly reachable by attack traffic (CDN/WAF-only ingress confirmed where applicable).
- Mitigations are documented and reversible; over-broad geo/ACL blocks reviewed to confirm they aren't dropping real users.
- Monitoring/logging intact; no evidence of a concurrent breach (or IR handling it).
- ISP/vendor case documented; post-incident review scheduled.
Still stuck? Engage the ISP and DDoS-protection/scrubbing vendor immediately when attack volume approaches link/edge capacity or an application-layer attack evades on-box mitigation; loop in security leadership for any extortion/ransom-DDoS note.
Digital forensic evidence preservation during a suspected breach
When we suspect a break-in, the natural reaction is to wipe the affected computer and move on — but that's like scrubbing a crime scene before investigators arrive. We need to find out how the attacker got in, what they touched, and whether they're still inside, and that evidence lives in the computer's memory and disk. So we keep affected systems powered but cut off from the network, make exact protected copies (with a tracked chain of custody, like an evidence bag), and preserve the logs before they age out. We also avoid obvious moves that would warn the attacker we've noticed. Specialists — an incident-response firm, your lawyers, and your cyber-insurer — guide this, and only then do we clean up and recover.
What to do
> Section 5 is for a senior responder, ideally the external IR firm. Acquisition must preserve integrity (write-blocking, hashing, custody). Mandatory human/vendor/legal engagement is called out.
- Engage the external IR firm, legal/privacy counsel, and cyber-insurance now. Insurance often dictates approved vendors and notification timing; legal involvement helps preserve privilege. This step gates the rest.
- Acquire volatile data first: capture a memory image from the live, isolated system using forensically sound tooling before any shutdown; record running processes/connections. Memory is lost the instant power is removed.
- Acquire disk images as forensic (bit-for-bit) copies using write-blocking; compute and record cryptographic hashes of each image to prove integrity. Work from copies — never investigate on the original.
- Establish chain of custody: label evidence, record every handler/transfer with timestamps, and store securely. Gaps in custody can render evidence unusable.
- Preserve cloud/SaaS and identity evidence (audit logs, sign-in logs, mailbox/audit exports, snapshots) per provider guidance before retention windows expire.
- Build the timeline from preserved sources to establish initial access, scope, and impact — this drives the eventual eradication/recovery in l3-security-001, which only proceeds once evidence is secured and IR approves.
- Coordinate law-enforcement notification where applicable through legal — do not contact attackers; preserve any extortion communications as evidence.
Confirm it's fixed
- Suspect systems isolated but intact (still powered where memory was needed); no remediation/reboot/re-image occurred prematurely.
- Memory and disk images acquired with recorded hashes that verify; originals untouched and secured.
- Chain-of-custody records complete and continuous for every evidence item.
- Volatile and short-retention logs (endpoint/network/cloud/identity) exported and preserved before rotation.
- IR firm, legal, and cyber-insurance engaged and steering; notification obligations being tracked by counsel.
- Investigation timeline underway; no actions taken that tipped off the attacker ahead of the containment plan.
Still stuck? Stop and engage the external IR firm, legal/privacy counsel, cyber-insurance, and (where applicable) law enforcement before remediating; do not power off, re-image, or alter suspect systems until evidence is preserved.
Enterprise Wearables
Enterprise wearables — like rugged smartwatches — give workers quick alerts, scanning, or safety check-ins without pulling out a phone. IT manages and secures them like other devices, makes sure they pair and stay connected, and plans charging for long shifts. Because wearables can sense things like location or movement, we only collect what's needed for the job and set clear privacy rules. Important: any health-related readings are not medical-grade and aren't used for medical decisions.
What to do
- Provision under management: enroll via the supported path; apply passcode/lock, encryption where available, app controls, and managed updates.
- Secure access + loss handling: scope corporate access to the minimum; ensure a remote lock/wipe or access-revoke path for lost/stolen units.
- Stabilize connectivity: fix pairing/coverage issues; plan failover where field reliability matters (t4-frontier-004) and cellular where needed (t4-frontier-003).
- Apply data minimization + privacy: collect only what the use case needs; define storage, retention, and access for sensor data; obtain consent where required; restrict location/health-adjacent data per policy.
- Plan battery/charging logistics for shifts; standardize a clean reset/handoff for shared units.
- Document setup, common fixes, and the privacy/data-handling posture.
Confirm it's fixed
- Wearables are enrolled/managed under policy with security settings and updates applied.
- Pairing/connectivity is stable across the work environment; battery meets shift needs.
- Data collection is minimized and documented; sensor/location/health-adjacent data is handled per privacy policy.
- A lost/stolen device can be locked/wiped or have access revoked.
- Shared-device reset/handoff works cleanly.
Still stuck? A wearable cannot be managed/secured under policy, or sensor/health data handling conflicts with privacy obligations.
Lost or stolen work laptop or phone — report and secure it now
The single most important thing is to tell us right away — even before you finish looking for it. The moment we know, we can lock the device, sign it out of everything, and erase the company data on it remotely. Your laptop and phone are also encrypted, which means that even if someone takes the drive out, they can't read your files. So a lost device is usually a lost piece of hardware, not a lost data event — as long as we hear about it quickly. After we secure your account, we'll get you back to work on another device.
What to do
What you should do:
- Report the loss to IT/security through the normal channel as your first action.
- From a trusted device, change your account password and sign out of all sessions where the option exists (for example, in your account security page).
- If the device had cellular service and is a phone, consider asking your carrier to suspend the SIM (IT can advise).
- If theft is involved, file a police report and keep the report number — IT and insurance may need it.
What IT does (so you know what to expect):
- Revoke active sessions and tokens so existing sign-ins on the device stop working.
- Remote lock or remote wipe the device through MDM (for example, Microsoft Intune) or Find My — this can lock the screen and erase company data remotely once the device is online.
- Reset or require re-registration of MFA if the device was an authenticator.
- Disable or reset the account temporarily if needed, then re-enable once you are secured.
- Confirm disk encryption (BitLocker on Windows, FileVault on macOS) so that even if the disk is removed, the data stays unreadable.
Confirm it's fixed
- IT confirms the device is reported and a lock/wipe command has been queued or completed.
- Your password is changed and old sessions are signed out.
- You can sign in normally on a replacement or trusted device with your new password and MFA.
- No unexpected MFA prompts continue to arrive.
- If wiped, the device shows as wiped/retired in the management console (IT confirms).
Still stuck? Any confirmed or suspected loss/theft of a work device is reported to IT/security immediately so sessions can be revoked and the device locked or wiped.
Older Mac stuck on macOS 10.13-10.15 — app compatibility and security
Your Mac is from before Apple started using their newer chips. Apple stopped giving it security updates a couple of years ago, and websites are starting to refuse to load. You've got three real choices: upgrade to a newer macOS if your Mac will take it (free, 30 minutes), replace the Mac with a current model (best for security, $600-1,300), or limp along by using different browsers for specific sites (risky for banking and work data).
What to do
Path A — Upgrade to the latest supported macOS for the hardware (preferred):
- System Settings → Software Update → install the offered upgrade.
- Back up first via Time Machine to an external drive.
- Verify essential apps still work post-upgrade before retiring the old install.
Path B — Replace the Mac (recommended for business-critical use):
- Mac mini M4 ($599) is the cheapest path to a current Mac that will get OS support through ~2032.
- MacBook Air M3 ($999-1,299) for portability.
- All current Macs are Apple Silicon — confirm any business app has an Apple Silicon native or Rosetta-compatible build before buying.
Path C — OpenCore Legacy Patcher (technician judgment, NOT for compliance / regulated use):
- Free open-source tool that patches macOS Ventura / Sonoma onto Macs Apple dropped (2009-2017 hardware).
- Risks: kernel patches may be unstable; Apple updates may break the patch; no Apple support; some peripherals (T2 chip Macs, certain Wi-Fi cards) lose features.
- Reasonable for personal / home use or single-purpose machines. Do NOT use for regulated data or production line.
Path D — Browser + app workarounds (until budget allows replacement):
- Switch to Firefox ESR for sites that reject Chrome 116.
- Use webmail / web-based versions of apps instead of native (Outlook web, Zoom web client, etc.).
- Move banking / sensitive sites to a phone or a modern computer.
- Never enter banking credentials on an unsupported OS — keyloggers / malware risk is real.
Confirm it's fixed
- After Path A upgrade: System Settings → Software Update shows "macOS [N] is up to date".
- Critical apps launch and function (test the top 3 the user named).
- Browser passes a TLS check at https://www.howsmyssl.com — should report TLS 1.3.
Still stuck? Mac is being used for sensitive business work AND cannot be upgraded; recommend hardware replacement or OpenCore Legacy Patcher per technician judgment.
Prompt Injection & RAG/Data Leakage
Prompt injection is when text that an AI reads — a web page, an email, a document — secretly tells it to do something it should not, like leaking data or taking an unwanted action. Because the AI can be tricked by what it reads, the fixes are: do not give a reading AI dangerous powers, keep a human in the loop for risky actions, check anything the AI outputs before using it, and make sure it can only see data the person asking is allowed to see. It is the AI equivalent of "do not blindly follow instructions a stranger slipped into your inbox.
What to do
Mitigations are defense-in-depth; no single control is sufficient.
- Contain first if active: treat as an incident — disable the agent and revoke tokens (t4-aigov-002).
- Input handling: separate and clearly delimit untrusted content from instructions; do not let retrieved/external text be treated as commands. Sanitize/strip active content where feasible.
- Least privilege & least agency: give the agent only the tools and data scopes it truly needs (t4-aigov-005). Remove powerful tools from agents that read untrusted content.
- Human-in-the-loop for high-impact tool actions (send, transfer, delete, deploy) so an injected instruction cannot act unattended.
- Output handling: validate, encode, and constrain model output before any downstream use; never execute or render it raw.
- Isolation/sandboxing: run tool execution in constrained environments with egress controls so exfiltration paths are limited.
- RAG hygiene: enforce per-user authorization on retrieval (the model must not surface data the user cannot access); keep secrets out of prompts/context; vet ingested documents.
- Monitoring: alert on anomalous tool calls, unexpected outbound data, and signs of instruction-override in inputs.
- Test continuously: red-team with injection payloads (reference OWASP LLM Top 10 and MITRE ATLAS techniques) before and after deploy.
Confirm it's fixed
- Injected instructions in retrieved/external content no longer change the agent's behavior in a test.
- The agent's tool/data scope is minimized; high-impact actions require human confirmation.
- Model output passing to a downstream system is validated/encoded (a test injection does not execute).
- RAG retrieval respects per-user permissions (a user cannot retrieve data they are not entitled to).
- Monitoring fires on a simulated exfil/injection attempt.
Still stuck? An LLM-connected agent with tool or data access shows signs of following injected instructions or exfiltrating data.
Robotics / Cobots / OT + Edge-Node Triage
Factory robots, collaborative robots ("cobots"), and the small computers ("edge nodes") that connect them to the network are increasingly part of IT's world — but they can move and could hurt someone. The golden rule is humans-first: IT never sends a command that could make a robot move, and never restarts a robot itself. IT sticks to the network and the edge computer, and anything touching the robot or its safety systems is done with the operational-technology engineers. We fix the computer and network side; safety experts handle the moving parts.
What to do
- Restore the edge node within IT's scope: fix power/boot/disk/network, restart the gateway/collector service, restore from a known-good image/config — never modify control or safety logic.
- Fix network/segmentation so authorized OT↔IT flows work while keeping OT segmented from general IT (Purdue-model layering as a reference design).
- Coordinate OT actions: any change to the robot/cobot/PLC or safety system is performed or approved by OT/controls engineering, with IT supporting the network/edge side.
- Validate before re-enabling motion: the device is only returned to operation by qualified OT staff after safety checks — IT does not "turn the robot back on."
- Security hardening (advisory): segment OT, restrict remote access, patch within OT change windows (with OT approval), and monitor — handle suspected incidents via t4-aigov-002.
- Document the fault, the IT-scope actions taken, and the OT-owned actions, in a shared record.
Confirm it's fixed
- The device was kept safe throughout; no IT action caused or risked motion/actuation.
- The edge node is healthy (boot/disk/service/uplink/time) and data flows resume.
- Required OT↔IT network flows work while OT remains properly segmented.
- Any robot/PLC/safety change was performed/approved by OT, and the device was returned to service only by qualified staff after safety checks.
- A joint record captures IT-scope vs. OT-scope actions.
Still stuck? Any IT action could affect a robot/cobot's motion, a safety system, or live OT control — stop and involve OT/safety engineering before proceeding.
Windows 7 still running in 2026 — security risk, isolation, and safe operation
This computer is running Windows 7. Microsoft stopped fixing security holes in it back in 2020, which means hackers can break into it more easily than newer computers. If it's the only machine running a specific program you need, we can either upgrade you to Windows 11 with the same program, or isolate this PC from the internet so it stays safe. We'll explain both options and the cost so you can decide.
What to do
Path A — Migrate off Windows 7 (preferred):
- Buy a Windows 11 license + capable hardware (TPM 2.0, Secure Boot, 8 GB RAM minimum, 256 GB SSD).
- Re-install / upgrade the LOB app if a newer version exists. Pay vendor for upgrade if needed.
- Test on the new machine for 5 business days before retiring the Win 7 box.
Path B — Isolate Windows 7 (when migration is genuinely blocked):
- Disconnect from the internet. Pull the Ethernet cable. Disable the Wi-Fi adapter in Device Manager.
- Move to an isolated VLAN. On the router/switch, assign this PC's MAC to a VLAN with no internet route and no access to other internal devices except the specific server/printer it needs.
- Disable unused services: RDP, SMB v1, remote registry, Windows Remote Management. Open
services.mscand set each to Disabled. - Local user only. Don't domain-join. Don't use the same password as any modern account.
- USB lockdown. Block USB mass storage in Group Policy (
gpedit.msc→ Computer Configuration → Administrative Templates → System → Removable Storage Access → Removable Disks: Deny all access). - Block outbound traffic. Windows Firewall → Outbound rules → Block all programs except the specific LOB app's required endpoints.
- Image the disk monthly so a hardware failure doesn't kill the LOB app for good. Use Macrium Reflect Free (still supports Win 7) or a simple
ddimage to an external drive.
Path C — Virtualize Windows 7 on a modern host:
- P2V (physical-to-virtual) using Disk2VHD (Microsoft Sysinternals) or VMware Converter.
- Move the VHDX/VMDK file to a Windows 11 host running Hyper-V or VMware Workstation Player.
- Boot the VM. Set its virtual network to "Internal only" (no external NAT).
- Connect the legacy peripheral via USB passthrough on the host.
Confirm it's fixed
- For Path A: LOB app runs correctly on Win 11 for 5 consecutive business days.
- For Path B: PC has no internet (
ping 8.8.8.8fails), no access to other internal subnets, and no external login attempts on local accounts. - For Path C: VM boots, app runs, snapshot saved, host machine has Windows 11 security baseline.
Still stuck? Network-connected Win 7 box handling regulated data (PII/PHI/PCI), or refusing to migrate, or showing signs of compromise.
Zero-day / actively-exploited vulnerability emergency fleet response
A "zero-day" is a security hole that attackers are using right now, sometimes before the vendor even has a fix. The danger isn't just having the affected software — it's whether attackers can reach it (like internet-facing systems). Our job is to find every place we run it, decide what's most at risk, and either patch immediately or put up a temporary barrier (block access or turn off the risky feature) until a patch exists. We also check whether anyone already broke in — because patching a system that's already compromised doesn't remove the intruder. Some steps mean brief downtime; leadership weighs that against the risk of waiting.
What to do
> Section 5 is senior-engineer execution under an approved emergency change. Decision authority and vendor engagement points are mandatory where noted.
- Apply interim mitigations immediately on exposed assets where no patch exists or patching will take time: restrict access (ACL/firewall/geo), disable the vulnerable feature, deploy WAF/IPS virtual-patch signatures, or isolate. Document each compensating control.
- Invoke the emergency change process (not the normal cycle) with security leadership/CISO approval. Capture risk acceptance, rollback plan, and comms.
- Deploy the patch in rings (ring-0 → broad): pilot on a small, representative ring to catch breakage, then accelerate to the full fleet. For critical internet-facing assets, prioritize speed over broad pilot soak — leadership owns that trade-off.
- Engage the vendor for guidance/fixed builds, especially appliances and anything where the mitigation or upgrade path is non-obvious; follow vendor severity-1 channels.
- If compromise is confirmed, stop treating this as patching and follow the incident-response runbook (l3-security-001) and forensic preservation (l3-forensics-001) — contain, preserve evidence, then eradicate and recover. Do not wipe assets you may need as evidence.
- Track unpatched/EOL stragglers with continued compensating controls and a remediation/replacement plan; nothing exposed should be left both unpatched and unmitigated.
Confirm it's fixed
- Every affected, in-scope asset is patched to the fixed version or covered by a documented compensating control — with no exposed gaps.
- Authenticated vulnerability scans / vendor checks confirm the fix on a representative sample (and re-scan after reboots).
- IOC hunt completed across the relevant estate with results recorded; no signs of active exploitation remain (or IR is running if there were).
- Mitigations that were temporary are removed only after the real patch is verified.
- Asset inventory reconciled so no affected instance was missed (including shadow/unmanaged assets).
- Emergency change documented with approvals, timeline, and lessons-learned captured.
Still stuck? Engage security leadership/CISO, the affected vendor, and (if exploitation is confirmed internally) the incident-response process the moment an actively-exploited zero-day is suspected to affect exposed assets.
Wi-Fi & Network
DNS: internal name resolution failing / split-brain issues
What to do
- On client:
ipconfig /all— confirm DNS servers point to internal DCs. nslookup <internal-host>— check authoritative response.nslookup _ldap._tcp.dc._msdcs.<domain>— should list DCs.- On DC:
dcdiag /test:dns /v— comprehensive DNS health. Get-DnsServer | fland check zones.repadmin /replsummary— replication health.
Still stuck? Replication failure, root hint corruption, or DNS poisoning suspected
Network troubleshooting: latency, packet loss, MTU, switching
What to do
ping -t <host>— quick loss/latency check.mtr -i 1 -c 100 <host>(or pathping/tracert) — per-hop loss.iperf3— throughput between two endpoints.Test-NetConnection -InformationLevel Detailed— RTT + port + diagnostic.- Packet capture: Wireshark, Microsoft Message Analyzer.
Still stuck? Pattern points to ISP, infrastructure replacement needed, or capacity exhausted
Private 5G / Private Cellular for Enterprise
Private 5G/cellular is like having your own private cell network for a site — useful for big warehouses, factories, or outdoor areas where Wi-Fi coverage or reliability isn't enough, especially with lots of moving devices. It needs permission to use radio spectrum, special SIM cards (or eSIMs) so devices can join, and good radio placement so there are no dead zones. We design the coverage, get the spectrum sorted, enroll the devices, and connect it securely to your existing network.
What to do
- Validate the use case vs. Wi-Fi: confirm private cellular is justified (coverage/mobility/determinism/density) rather than a Wi-Fi tuning problem.
- Confirm spectrum authorization for the region/site (e.g., CBRS-style shared access in the US — reference only; rules vary by country).
- Diagnose attach failures: check SIM/eSIM provisioning in the mobile core, the device's subscription profile, and that the radio is broadcasting the correct network identity.
- Assess coverage/capacity: RF survey for radio count/placement; account for obstructions and device density; verify core capacity.
- Check integration: routing, IP assignment, DNS, security/segmentation, and internet egress from the private network.
Confirm it's fixed
- Target devices attach reliably and maintain data sessions across the coverage area, including while mobile.
- Coverage and capacity meet the agreed targets under realistic device load (post-install survey confirms).
- Spectrum authorization is in place and the deployment operates within its rules.
- The private network is correctly integrated, segmented, and secured into the enterprise.
- Failover/resilience for internet egress is defined where required.
Still stuck? A private cellular deployment cannot achieve required coverage, capacity, or spectrum authorization within site constraints.
Satellite / LEO Connectivity Failover
Low-earth-orbit (LEO) satellite internet can keep a site online when the main connection fails, or serve remote places with no good wired option. It's much faster than old satellite but can wobble in latency, drop in heavy weather, or struggle if trees/buildings block the dish's view of the sky. We set it up so the network automatically switches to satellite when the main line dies, make sure the dish has a clear view, and confirm your important apps keep working on the backup.
What to do
- Fix line-of-sight: relocate/raise the antenna to clear obstructions; secure the mount against movement/wind.
- Engineer failover: configure SD-WAN or dual-WAN with reliable health checks so cutover is automatic and fast; prioritize critical traffic on the backup path's limited capacity.
- Handle CGNAT: where inbound/VPN is required, use an outbound-initiated/overlay approach (e.g., VPN that tolerates CGNAT) or a public-IP option from the provider if available.
- Protect real-time apps: apply QoS, accept that voice/video may degrade on the variable path, and set user expectations for failover periods.
- Mitigate weather fade: ensure adequate antenna siting; treat brief weather drops as expected and design apps to reconnect gracefully.
- Document the design including which traffic is protected, expected backup performance, and failback behavior.
Confirm it's fixed
- A simulated primary-WAN outage triggers automatic failover within the required time, and critical apps continue.
- The satellite link's latency/jitter/loss baseline is acceptable for the intended traffic.
- The antenna has a clear, stable sky view with no obstruction warnings.
- CGNAT-sensitive apps/VPNs work via the chosen approach on the satellite path.
- Failback to primary WAN works cleanly when it recovers.
Still stuck? Primary WAN fails and satellite failover does not carry critical traffic, or persistent obstruction/latency makes the link unusable.
Wi-Fi: can't connect / shows 'no internet, secured' / yellow triangle
Your Wi-Fi sees the network but the connection isn't fully working. Most often it's the router needing a restart, or your computer's network settings got tangled. We'll restart what needs restarting, refresh the connection, and confirm you can actually load websites. If your Wi-Fi card itself is acting up, we'll update its driver.
What to do
If APIPA (169.254.x.x):
- Router restart fixes ~70%. If persists, check router DHCP scope (admin) or pool exhaustion (more devices than scope).
If DNS-only failure (you can ping IPs but not load sites):
- Settings → Network → Wi-Fi → adapter properties → Edit DNS → Manual → IPv4:
1.1.1.1and8.8.8.8. ipconfig /flushdns.- Re-test web.
If wrong password saved:
- Forget + reconnect with correct password.
If captive portal (hotel/airport):
- Open browser → navigate to any HTTP site (try
neverssl.com) → portal page should auto-redirect → log in.
If driver:
- Device Manager → Network adapters → Wi-Fi adapter → right-click Update driver → Search automatically.
- For Intel/Realtek, get latest from OEM support page.
If adapter disabled:
- Device Manager → adapter → Enable.
- Or: Settings → Network → adapter properties → Enable.
- Hardware Wi-Fi switch / Fn-key combo: re-enable.
Confirm it's fixed
ipconfigshows valid IP (not 169.254.x.x), valid gateway.ping 1.1.1.1succeeds (network).ping google.comsucceeds (DNS).- Web pages load in browser.
- Speedtest.net within 70% of expected plan speed.
Still stuck? Issue affects multiple users on same SSID, or network adapter shows error code 10/12/43, or DHCP exhaustion suspected
Wi-Fi: connection keeps dropping or disconnecting intermittently
Your laptop is connecting fine but then briefly letting go of the Wi-Fi — usually because Windows is powering the wireless chip down to save battery, or because it's hopping between two signals and stumbling on the hand-off. We'll stop it from powering down, point it at the stronger signal, and freshen the driver. That fixes the great majority of these. If your phone drops on the same network too, then it's the router or office Wi-Fi and we'll get the network team on it.
What to do
Windows — stop the adapter from powering down (most common fix):
- Device Manager → Network adapters → right-click your Wi-Fi adapter → Properties → Power Management tab → uncheck "Allow the computer to turn off this device to save power" → OK.
- Settings → System → Power & battery → set Power mode to Balanced (not Best power efficiency) while troubleshooting.
Windows — lock to the stronger band / stop roaming churn:
- Device Manager → Wi-Fi adapter → Properties → Advanced tab.
- Set Roaming Aggressiveness / Roaming Sensitivity to Low / 1.
- If 2.4 GHz is congested and 5 GHz reaches the desk, set Preferred Band to 5 GHz (Prefer 5 GHz).
Windows — refresh the driver:
- Device Manager → Wi-Fi adapter → right-click → Update driver → Search automatically.
- If still flaky, download the latest driver from the laptop maker's support site (Dell/HP/Lenovo ship newer Wi-Fi firmware than Windows Update).
Windows — clear a bad network stack (if drops persist):
- Open Command Prompt / PowerShell as admin and run, in order:
netsh winsock resetnetsh int ip resetipconfig /flushdns
- Reboot.
macOS — rebuild Wi-Fi settings:
- System Settings → Wi-Fi → Details → Forget the network → re-join.
- If it keeps dropping: remove and re-add Wi-Fi in System Settings → Network, then reboot. (On older macOS, deleting the
SystemConfigurationnetwork preference files achieves the same — L2 task.)
Confirm it's fixed
- Stay connected for a continuous 15-minute period (e.g., a Teams call) with no drop.
ping -t 8.8.8.8(Windows) orping 8.8.8.8(macOS) for 5 minutes shows no sustained timeouts.- Signal stays steady when the laptop is at its normal desk location, on battery.
Still stuck? Many users on the same AP/SSID drop together, drops correlate with DHCP lease renewals, or RF survey shows AP overload — that is an L2 wireless/network problem, not a single endpoint.
Wireless site survey and Wi-Fi coverage/performance remediation
Wi-Fi problems usually aren't 'the internet is slow' — they're about radio coverage and crowding. We walk the space with survey tools to measure how strong and how clean the signal is in each area, find dead zones and channels that are stepping on each other, then adjust where the access points are, how loud they broadcast, and which channels they use. Sometimes the fix is tuning what's there; sometimes we genuinely need another access point in a weak spot.
What to do
- Band strategy: treat 2.4 GHz as coverage-only (use channels 1/6/11 at low density, often reduced power or disabled radios), put capacity on 5 GHz, and use 6 GHz (Wi-Fi 6E/7) for clean, high-capacity zones where clients support it.
- Channel width: prefer 20 or 40 MHz on 5 GHz in dense deployments — wider 80/160 MHz channels boost peak speed but cause overlap and co-channel contention. Reserve wide channels for low-density/6 GHz.
- AP placement & density: place APs for cell overlap (~15–20%) without excessive co-channel reuse; favor more APs at lower power over fewer at high power. Avoid mounting above hard ceilings/metal; keep away from large RF blockers.
- Tune power: lower 2.4 GHz and trim 5 GHz TX power so cells are appropriately sized and clients roam instead of sticking.
- Reduce interference: re-channelize to break co/adjacent-channel overlap; eliminate or relocate non-Wi-Fi sources; handle DFS flapping by selecting stable channels where radar is frequent.
- Fix roaming: ensure consistent SSID/security across APs, enable roaming-assist features (e.g. 802.11k/v/r where clients support them), and right-size cells so handoff happens.
- Fix backhaul: correct uplink speed/duplex, PoE budget, and switch errors before blaming RF.
- Validate with a fresh active survey along the same path.
Confirm it's fixed
- Post-change passive/active survey shows target RSSI/SNR met across the problem zones with no remaining dead spots.
- Channel utilization is within target during a busy period.
- Roaming test (walk the path on a call) shows clean handoffs without drops.
- Real throughput/latency measured on the active survey meets the use-case requirement.
- User confirms the issue is resolved during normal load.
Still stuck? Coverage/capacity gaps require additional access points, cabling, or AP hardware/firmware changes beyond on-site adjustment, or RF interference comes from an uncontrollable external source.
Display & Hardware
AR / Smart-Glasses for Field & Enterprise Work
Smart glasses let workers keep their hands free while seeing instructions or sharing their view with a remote expert. To use them safely at scale, IT enrolls them like any other managed device, loads the right app and sign-in, and makes sure the Wi-Fi or cellular is strong enough. Because the glasses have a camera and microphone, we set clear rules about what can be recorded and where, to protect people's privacy.
What to do
- Enroll under management: bring devices into MDM in an appropriate mode (often kiosk/single-app for field use); apply security baselines, app allow-lists, and managed updates.
- Provision apps + identity: deploy the AR/remote-assist app, configure SSO/identity, and lock down to intended use.
- Ensure connectivity: verify Wi-Fi/cellular coverage and quality where used; add failover where field reliability matters (t4-frontier-004).
- Optimize the environment: improve lighting/markers where tracking struggles; plan battery swaps/charging for long shifts.
- Govern privacy: define and enforce camera/mic policy — recording rules, consent, sensitive-area restrictions, and data handling/retention; disable capture where not permitted.
- Support workflow: document setup, common fixes, and a clean return-to-service/wipe process for shared devices.
Confirm it's fixed
- Devices are enrolled and managed under policy, with apps and updates applying correctly.
- The AR workflow performs acceptably in the real environment (tracking, latency, battery hold up).
- Connectivity (and failover, if required) meets the workflow's needs.
- Camera/mic use complies with the defined privacy policy; capture is restricted where required.
- Shared-device handoff/wipe works cleanly between users.
Still stuck? AR devices cannot be enrolled/managed under policy, or camera/recording use conflicts with privacy requirements.
Blue screen of death (BSOD) on Windows 10/11
That blue screen means Windows hit something it couldn't recover from and had to restart to keep your data safe. Most of the time it's a driver or a recent update — we'll roll back what changed first, run a couple of checks to make sure your memory and disk are healthy, and you'll be back in business. If it keeps happening, we'll bring in a technician to look closer at the hardware.
What to do
If a recent update is suspected:
- Settings → Windows Update → Update history → Uninstall updates → remove the most recent quality update.
- Reboot and use the PC normally for 30 min to confirm stability.
If a recent driver is suspected:
- Open Device Manager (
devmgmt.msc). - Locate the suspect device (yellow warning icon, or recently updated by date).
- Right-click → Properties → Driver tab → Roll Back Driver.
- Reboot.
If random / no clear cause:
- Run
sfc /scannowfrom elevated Command Prompt (System file checker). - Run
DISM /Online /Cleanup-Image /RestoreHealth. - Run Windows Memory Diagnostic (
mdsched.exe) — schedules a reboot test. - Run
chkdsk C: /f /r— schedules at next reboot. - Check Event Viewer → Windows Logs → System for "BugCheck" entries; record full stop code and parameters.
Confirm it's fixed
- 24 hours of normal use without recurrence.
- Event Viewer shows no new
BugCheckevents after the fix. - The originally reported workflow (e.g., launching the app that triggered it) completes successfully 3 consecutive times.
Still stuck? BSOD repeats more than 3 times in 24h, occurs during boot before login, or shows DISK or NTFS-related stop codes
Bluetooth: device won't pair, keeps disconnecting, or audio cuts out
Bluetooth is finicky — most issues come down to one of three things: low battery on the accessory, signal interference from other USB devices or Wi-Fi, or the accessory still being connected to your phone. We'll forget the device, re-pair fresh, and switch you to the right audio mode. Should take about three minutes. If pairing works but you can't be heard on calls, that's almost always the wrong audio profile and we'll fix that in two clicks.
What to do
If pairing keeps failing on Windows:
- Settings → Bluetooth & devices → Devices → click the device → Remove.
- Put the accessory in pairing mode (usually hold the action button for 5–7 seconds until the LED blinks fast).
- Add device → Bluetooth → wait for it to appear.
- If it still won't appear: Device Manager → Bluetooth → right-click your radio → Disable, wait 10s, Enable.
If headset connects but Teams/Zoom can't hear:
- Sound settings → Input → pick the Hands-Free profile of the headset (different from the Stereo / A2DP entry).
- In Teams: Settings → Devices → Speaker AND Microphone → set both to the Hands-Free entry.
- Audio quality drops to mono on calls — that's expected; Bluetooth can't run hi-fi music and a mic at the same time.
If audio cuts out periodically:
- Move USB 3 / USB-C dongles 2 feet away from the Bluetooth dongle (USB 3 emits 2.4 GHz noise).
- Switch your Wi-Fi to 5 GHz if you're on 2.4 GHz.
- Update the Bluetooth driver from the OEM site (not Windows Update — OEMs often ship newer firmware).
On macOS:
- Bluetooth menu → ⌥+click for advanced reset → Reset the Bluetooth module.
- If that fails: System Settings → Bluetooth → forget the device → re-pair.
Confirm it's fixed
- Pair holds for a 10-minute call without dropping.
- Music sounds clean (no robot artifacts).
- LED on accessory shows the steady "connected" state.
- Stays connected when you move 10 feet away with line of sight.
Still stuck? Bluetooth radio not detected in Device Manager / System Information at all, or hardware antenna damaged
USB device not recognized / unknown device / 'malfunctioned'
USB issues come down to four things — port, cable, power, or driver. We'll rule them out in order. Try a different port first, then a different cable. If both check out, we'll reset the driver in about ten seconds. If a powered USB device drops out under load, that's almost always a port that can't push enough power, and a $15 powered hub fixes it permanently.
What to do
If "USB device not recognized" toast keeps appearing:
- Device Manager → Universal Serial Bus controllers → look for entries with yellow ⚠.
- Right-click each → Uninstall device. Don't tick "delete driver software" — just uninstall.
- Action menu → Scan for hardware changes. Windows reinstalls them.
If the device shows as "Unknown device" with code 43:
- Device Manager → right-click the unknown device → Properties → Driver tab → Uninstall device.
- Unplug the device, wait 10s, replug.
- If still code 43 → device or cable is failing on the host side; try another machine to confirm.
If an external drive disappears under load:
- Powered USB hub fixes most underpowered-port issues. Cheap solution.
- Self-powered (wall-plug) external drives don't have this problem — switch if available.
Power-saving fix (Windows):
- Device Manager → Universal Serial Bus controllers → for each USB Root Hub: Properties → Power Management → uncheck "Allow the computer to turn off this device to save power".
- Reboot.
On macOS:
- System Information → USB → confirm the device shows up at all. If it doesn't, it's a hardware/cable issue.
- Reset NVRAM (Intel Macs): shutdown → power on while holding ⌥+⌘+P+R until you hear the second startup chime.
- Try a different USB-C-to-USB adapter — Apple's official ones are most reliable.
Confirm it's fixed
- Device appears in Device Manager / System Information without warnings.
- File Explorer / Finder shows the drive letter / mount point.
- Read/write a small test file successfully.
- Device stays connected through 10 minutes of normal use.
Still stuck? Same device + same port fails after fresh OS install, or all USB ports fail simultaneously, or BIOS doesn't see USB devices at boot
Windows won't boot — stuck on spinning dots or black screen
Your computer is having trouble starting up. Often it's a small file Windows uses to know where to load itself from — we can usually rebuild that in a few minutes. If your work device is encrypted, we may need a recovery key from your IT records to unlock it. We'll get you running and figure out what triggered it so it doesn't happen again.
What to do
If above completes successfully:
- Exit and reboot. Most boot-config issues resolve here.
If BitLocker prompt appears:
- Retrieve the recovery key from one of:
- User's Microsoft account → https://account.microsoft.com/devices/recoverykey
- Azure AD / Entra ID portal (admin) → Devices → Device → BitLocker keys
- Active Directory (admin) → Computer object → BitLocker tab
- Enter the 48-digit key.
- Once booted, run
manage-bde -protectors -get C:to confirm protector state, and re-enable TPM protector if needed.
If still stuck:
- Boot from a Windows 10/11 USB installer.
- Choose "Repair your computer" → Troubleshoot → System Restore. Pick a restore point from before the failure.
- Or: Reset this PC → Keep my files (last resort before reimaging).
Confirm it's fixed
- Windows boots to the lock screen and accepts credentials.
- Event Viewer (after login) shows no
bugcheckordiskerrors in the last hour. - All apps the user relies on launch successfully.
- BitLocker reports "Protection On" via
manage-bde -status.
Still stuck? BitLocker recovery key prompt appears, or boot fails after 2 startup-repair cycles, or storage SMART warnings present
Windows: no sound at all from the computer
Windows is sending sound somewhere it shouldn't, or the audio bit is asleep. We'll point sound at the right speaker, restart the audio piece, and re-detect your headphones if you're using them. Most no-sound issues fix in two minutes.
What to do
Wrong default:
- Settings → Sound → Output → set correct device.
Service not running:
- Win+R →
services.msc. - Find "Windows Audio" and "Windows Audio Endpoint Builder" → both should be Running, Automatic.
- Right-click → Restart.
Driver glitch:
- Device Manager → Sound, video and game controllers.
- Right-click your audio device → Uninstall device → check "Delete the driver software" → OK.
- Reboot. Windows reinstalls automatically.
- If issue persists, install OEM driver from manufacturer's support page.
Headphone jack stuck "plugged in":
- Sometimes after physical unplug, OS still believes headphones are present. Plug + unplug 2–3 times, or restart.
Bluetooth audio:
- Settings → Bluetooth & devices → device → make sure "Connected voice/audio" is on.
- Re-pair if needed.
After Windows Update broke audio:
- Settings → Windows Update → Update history → uninstall most recent update.
- Or roll back driver: Device Manager → device → Properties → Driver → Roll Back Driver.
Confirm it's fixed
- "Test" button plays the chime.
- Music in browser plays clearly.
- Headphone test (plug + unplug) routes correctly.
- 30 minutes of mixed use without dropout.
Still stuck? Audio device not detected after driver reinstall, or hardware failure suspected
Windows (update, boot, performance)
AI Model Drift & On-Device-AI Auto-Update Breakage
AI features get updated automatically, and sometimes an update makes the AI behave differently than before — even worse for a specific task you rely on. Separately, AI can slowly "drift" as the kinds of documents or requests it sees change over time. The fix is to identify what changed, hold the AI at a version that worked while we test the new one, and adjust the steps around it if needed. It's like a software update that changed a button you depended on — we either revert it or teach the workflow the new way.
What to do
- Pin or defer the update where the platform supports it: hold the AI feature/model at the last known-good version while you validate the new one (use managed-update controls; do not disable security updates to do this).
- Roll back to the prior model/app version if a supported rollback path exists and the regression is business-critical.
- Adapt the workflow when rollback isn't possible: update prompts/templates and any downstream parser to the new output contract.
- Re-anchor expectations for data/concept drift: refresh examples, adjust the prompt, or request a re-tuned/updated model from the vendor.
- Stage and validate future AI updates in a test ring before broad rollout (treat AI updates like any other change).
- Document the known-good versions (app + model + runtime) so the configuration is reproducible.
Confirm it's fixed
- The golden test set produces acceptable output again (rollback/pin) or the workflow + parser handle the new output (adapt).
- The pinned/known-good versions are recorded and enforced via your update-management tooling.
- Downstream integrations parse current AI output without error.
- A staging ring is in place so the next AI update is validated before production.
Still stuck? A model/AI feature update degrades a business-critical workflow and no supported pin or rollback restores it.
Browser issues: pages won't load, certificate errors, or constant crashes
Your browser is having trouble — usually it's a stash of old data tripping it up, or an extension misbehaving. We'll try Incognito first to confirm, clear out the cache if that fixes it, and turn off extensions one at a time. For certificate errors, we make sure your clock is right and check whether it's a real warning we should trust.
What to do
Cache / cookies:
- Ctrl+Shift+Delete → choose "All time" → check Cached images, Cookies, Site data → Clear.
- Restart browser.
Extension conflict:
- Disable all → restart browser → re-enable one at a time.
- Identify culprit; remove or update it.
Reset browser settings:
- Chrome: Settings → Reset settings → Restore settings to original defaults.
- Edge: Settings → Reset settings → Restore.
- Firefox: about:support → Refresh Firefox.
Cert error specifically:
- Verify clock first.
- If error says "issuer unknown" and it's an internal corporate site, the corp root CA may not be on this device — escalate to L2 to deploy.
- Don't override cert warnings unless explicitly directed by IT for known internal site.
Browser crashes on launch:
- Disable hardware acceleration:
- Chrome: chrome://settings/system → Use hardware acceleration → off.
- Edge: similar.
- Reinstall: Settings → Apps → uninstall → reinstall fresh from official site.
For Windows: reset HOSTS file if a single site fails:
- Open Notepad as admin → File → Open →
C:\Windows\System32\drivers\etc\hosts. - Look for entries with the failing site domain → comment with
#or remove. - Save → flush DNS:
ipconfig /flushdns.
Confirm it's fixed
- Site loads in regular browser window without errors.
- Cert padlock present, no warnings.
- Refresh works.
- Same in 2 other sites you use daily.
- 24h of normal use without recurrence.
Still stuck? Same site fails for many users, or genuine cert issue on internal service, or DNS poisoning suspected
Computer running slow / performance lag
Your PC is doing too many things at once, or it's running low on space. We'll clean up the apps that start automatically, free up some disk room, and check that nothing unwanted is using your CPU. After a quick restart you should feel a real difference. If it stays slow, that's a sign of something deeper and we'll get a tech to look.
What to do
If startup is the issue:
- Disable: OneDrive (if not work-required at startup), Spotify, Teams (if not corporate-required), any chat clients, Adobe updaters.
- Keep: Antivirus, security agents, OEM device manager, Microsoft 365 apps.
If disk space is the issue:
- Storage Sense → On.
- Empty Recycle Bin and Downloads folder.
- Move large files (Videos, ISOs) to OneDrive / external.
- Run Disk Cleanup as administrator → "Clean up system files" → Windows Update Cleanup, Previous Windows installations, Delivery Optimization Files.
If a process is pegging CPU/disk:
- In Task Manager, right-click the process → Properties → check Publisher.
- If unknown publisher and high resource use → suspect malware. Run Windows Defender full scan (Virus & threat protection → Scan options → Full scan).
- If "Antimalware Service Executable" /
MsMpEng.exe— wait, it's an active scan; will subside. - If "System" or
Ntoskrnl.exeis high — likely driver issue, escalate.
Confirm it's fixed
- After full restart, idle CPU <10%, idle memory <60% used.
- Boot to login screen <60 seconds.
- Office apps launch in <10 seconds.
- File Explorer opens folders instantly.
- 24 hours of use without slowdown report.
Still stuck? Performance issue persists after L1 cleanup, or task manager shows 100% disk usage with no identifiable process
Disk full / out of space on C: drive
Your hard drive is full and Windows needs a bit of room to operate. We'll free up the easy stuff first — old Windows installer files, browser cache, downloads you don't need. If your OneDrive is taking up your whole drive, we'll switch on Files On-Demand so files only download when you actually open them. You'll have plenty of room in a few minutes.
What to do
Standard cleanup:
- Storage → Cleanup recommendations → run all suggested.
- Disk Cleanup utility (
cleanmgr.exe) → C: → click "Clean up system files":
- Windows Update Cleanup
- Previous Windows installations (Windows.old) — frees 10–30 GB
- Delivery Optimization Files
- Recycle Bin
- Temporary files
OneDrive bloat:
- Right-click OneDrive cloud icon → Settings → Sync and backup → Free up space (Files On-Demand).
- Files become cloud-only icons; opens download on click.
Outlook OST too large:
- File → Account Settings → Account Settings → Data Files tab → see OST size.
- Reduce: File → Account Settings → Account Settings → Email → Change → Mail to keep offline → reduce slider (e.g., to 6 months).
Browser caches:
- Clear Chrome/Edge/Firefox cache (Ctrl+Shift+Del).
Disable hibernate (saves up to 16 GB on big-RAM laptops):
- Run as admin:
powercfg -h off. Note: disables Fast Startup; usually fine on SSDs.
Move large folders:
- Documents/Pictures/Videos: right-click → Properties → Location → move to D: or external.
- For OneDrive users, store in OneDrive instead.
Confirm it's fixed
- C: free space ≥ 20% of total.
- Settings → Storage shows green/no warning.
- Office apps open and save without complaint.
- Windows Update completes.
Still stuck? Cleanup recovers <5% on a 256 GB+ drive, or hidden files / WinSxS bloat needs admin tools
Patch management program design and update troubleshooting
Patching keeps software protected against newly discovered security holes — but pushing every update to everyone at once is risky, because a bad patch can break things. So we update in waves: a small test group first, then wider groups once it's proven safe, all on a predictable schedule with set reboot times. Urgent security fixes get a fast lane. We also patch the everyday apps, not just the operating system, and we track which machines are up to date so nothing falls behind.
What to do
A. Build the cadence (program):
- Rings: Pilot/Test → Early adopters → Broad → (Critical/sensitive last). Each ring validates before the next.
- Cadence: ship monthly quality updates on a fixed schedule after a short soak in the pilot ring; schedule feature updates less often with broader validation.
- Maintenance windows: define per device class (workstations vs servers) with reboot windows; use deadlines + grace periods to force compliance while respecting user disruption.
- Emergency / out-of-band: define an expedited path for actively exploited criticals — shorten/skip soak, push to all rings within the SLA, with a documented approver.
B. Tooling (use what's in place, generically):
- WSUS for on-prem approval/distribution; Intune / Windows Update for Business for cloud ring policies and deadlines; Windows Autopatch for managed ring orchestration; third-party patching tools for browsers, runtimes, and apps the OS updater ignores. Pick one authority per scope to avoid conflicting policies.
C. Compliance & measurement:
- Track % of devices at the latest approved patch level by ring, age of oldest missing critical, and failure counts. Surface non-compliant and unreachable devices for remediation.
D. Failed updates:
- Remediate per Troubleshooting (cache reset, servicing repair, reachability). For widespread failures, suspect a bad approval/policy or a source outage and pause the rollout.
E. Third-party app patching:
- Enroll the common high-risk apps (browsers, Java/.NET runtimes, PDF/Office add-ins, conferencing) into the patcher with their own cadence; these are frequent exploit targets.
F. Server cadence:
- Patch servers in a separate, more conservative ring with explicit change windows, HA/failover order, pre-patch snapshots/backups, and a tested rollback.
G. Exceptions & risk acceptance:
- When a patch can't be applied (app incompatibility, legacy system), document the exception: asset, missing patch, business reason, compensating controls, owner, and a review/expiry date. Track it; don't let it become permanent silently.
Confirm it's fixed
- The previously failing device installs the update and reports compliant after reboot.
- Compliance dashboard shows the ring reaching target % within the expected window.
- A rolled-back patch is confirmed removed and the app/driver is functional; a re-test plan exists before re-deploying.
- Third-party apps report current versions in the patch tool.
- Documented exceptions have an owner and a review date.
Still stuck? A patch causes production-impacting breakage requiring rollback/vendor engagement, or a critical vulnerability cannot be patched within SLA and needs a documented risk-acceptance decision.
More common fixes
AI / Agent Spend Guardrails
AI agents cost money every time they "think" or call a paid service. Without limits, a small bug can make an agent spend in a loop and run up a surprising bill. Spend guardrails are like giving each agent a prepaid card with a daily and monthly limit, a speed limit on how fast it can spend, and a text alert if it starts spending too quickly — plus an automatic stop when it hits its cap. You get the benefits of agents without bill shock.
What to do
- Give each agent its own key/identity so cost is attributable (ties to t4-aigov-005).
- Set per-agent budgets and quotas: a daily and monthly cap per agent, sized to its job. Tier 3 agents get tighter scrutiny.
- Enforce rate caps: maximum calls per minute/hour to blunt runaway loops.
- Add hard kill behavior: when an agent hits its budget cap, it pauses/disables rather than continuing — a spend kill switch (coordinate with t4-aigov-002).
- Instrument cost in the audit trail: record tokens/cost per action (t4-aigov-003) so spend is queryable per agent.
- Alert on velocity, not just totals: notify when spend rate or call rate is anomalous, well before the budget is exhausted.
- Apply FinOps practice for AI: regular cost reviews, right-size models (smaller/cheaper where adequate), cache where safe, and trim oversized context to cut tokens.
Confirm it's fixed
- Each agent's spend is attributable to its own key/identity.
- Per-agent daily and monthly caps and rate caps are configured and tested (a test agent hitting its cap pauses).
- Spend/token cost appears per action in the audit trail.
- A velocity alert fires in a test before the budget is exhausted.
- A cost report can break spend down by agent/team.
Still stuck? Agent/API spend is climbing with no cap or kill switch, or a single agent has already exceeded its budget by a large multiple.
AI Agent Audit Trail & Observability
An audit trail is the agent's "flight recorder." For every action it takes, you want a record of what it was asked, what it decided, what tools it used, and what happened — stored somewhere it cannot quietly erase. When something goes wrong, this record lets you see exactly what occurred and how far it spread. A dashboard then turns those records into a live view so you can watch your agents the way you watch any other critical system.
What to do
- Define what to capture per agent action (minimum set):
- Timestamp, agent ID/version, and triggering identity/event.
- Input/context the agent received (sanitized of secrets/PII where required).
- The decision/plan and, where feasible, the reasoning or chosen path.
- Each tool/API call: name, parameters (redacted as needed), and result.
- Final action taken and its outcome (success/failure).
- Cost/tokens consumed (ties to t4-aigov-004).
- Centralize logs into an append-only store the agent cannot retroactively edit.
- Make it tamper-evident: use write-once/append-only storage or hash-chaining/signing so any alteration is detectable. Separate the log-writer identity from the agent's action identity.
- Set retention per a written policy aligned to business/compliance needs (e.g., a defined number of months/years); document the basis.
- Build observability: a dashboard (the Aperture concept fits here) showing live agent activity, per-agent action timelines, error/anomaly indicators, and spend.
- Wire to IR: ensure the audit trail is the first source consulted during incident response (t4-aigov-002) for blast-radius assessment.
Confirm it's fixed
- For a sample action, you can retrieve the full chain: trigger → input → decision → tool calls → outcome.
- Attempting to alter a past log entry is detectable (hash/signature/append-only confirms tamper evidence).
- The agent's own identity cannot silently delete or rewrite its logs.
- Retention matches the documented policy.
- The dashboard shows current agent activity and supports drilling into a single action.
Still stuck? A Tier 2/3 agent is taking actions with no retrievable, tamper-evident record of what it did or why.
AI Agent Governance Framework for the Enterprise
Think of AI agents like new employees who can act on the company's behalf. You would not let a new hire send payments or email customers on day one without knowing who they are, what they are allowed to do, and who supervises them. AI agent governance is simply giving every agent a job description, a manager, a permission level, and — for the risky ones — a "check with a human first" rule. It is not about slowing things down; it is about knowing what your agents can do before something goes wrong.
What to do
- Publish an AI Agent Register (the inventory) as the single source of truth; require new agents to be registered before production use.
- Adopt a tiered control matrix:
- Tier 1: registration, basic logging, owner named.
- Tier 2: above + scoped service identity, audit trail (see t4-aigov-003), rollback plan.
- Tier 3: above + mandatory human-in-the-loop approval, spend guardrails (see t4-aigov-004), incident runbook (see t4-aigov-002), and sign-off by the business owner before launch.
- Implement an approval gate: a lightweight intake/review where a new or changed Tier 2/3 agent is assessed against the matrix before it can act.
- Require human-in-the-loop for irreversible or high-impact actions — the agent proposes, a human confirms.
- Document the policy (1–3 pages): scope, definitions, tiers, required controls per tier, owner responsibilities, and the review cadence (e.g., quarterly).
- Schedule a recurring review of the register and tiers; retire or re-scope agents that no longer have a clear owner or purpose.
Confirm it's fixed
- Every known agent appears in the register with owner, purpose, tier, and identity.
- Each Tier 3 agent has a documented human-in-the-loop gate that you can demonstrate.
- A spot check of one agent confirms its real permissions match its registered scope (no over-provisioning).
- The policy document exists, is approved, and names a review cadence.
- A new test agent cannot reach production without passing the approval gate.
Still stuck? An autonomous agent is operating in production with write/financial/customer-facing scope and no documented owner, risk tier, or approval gate.
AI Agent Incident Response Runbook
If an AI agent starts doing the wrong thing, treat it like a tool that has gone haywire: first pull the plug, then take away its keys so it cannot restart and do more. After it is safely stopped, you figure out everything it touched, undo what you can, warn anyone affected by what you can't undo, and find out *why* it went wrong so it does not happen again. The order matters — stop first, investigate second.
What to do
Follow the IR phases in order. Speed of containment beats perfect diagnosis.
- Contain (immediately):
- Disable the agent (stop the process / flip its kill switch / disable the schedule).
- Revoke its credentials and tokens so it cannot act even if it restarts.
- Cut tool/API access (disable the service account, rotate the key).
- Assess blast radius:
- Enumerate every action taken in the incident window using the audit trail.
- List affected systems, records, customers, and any money moved.
- Flag irreversible actions for manual remediation/notification.
- Roll back / remediate:
- Restore changed/deleted data from history or backup.
- Recall or correct erroneous communications where possible; notify affected parties for what cannot be recalled.
- Reverse or dispute financial actions through the appropriate channel.
- Root cause:
- Determine *why* the agent acted wrongly (instruction flaw, injection, permission gap, missing human gate, dependency change).
- Capture a timeline and the triggering input.
- Recover safely:
- Fix the root cause, tighten permissions, add/restore guardrails, and add a human-in-the-loop gate if the action was irreversible.
- Re-enable the agent only after the owner signs off.
- Document & learn:
- Write the incident up; feed lessons back into the governance framework (t4-aigov-001) and update the runbook.
Confirm it's fixed
- The agent is provably stopped and its credentials/tokens are revoked (test that it cannot act).
- The full list of actions in the incident window is reconstructed and accounted for.
- Reversible actions are rolled back; irreversible ones have owners and remediation/notification plans.
- A documented root cause exists with a corrective action.
- The agent only resumes after fix + owner sign-off; new guardrails are confirmed active.
Still stuck? An agent has taken or is taking irreversible, financial, or customer-impacting actions, or its containment is uncertain.
An app won't open / closes immediately / shows error on launch
The app's having trouble starting. Often it's a missing piece it needs (a runtime), or its install got corrupted, or something is blocking it. We'll repair it first, then check Event Viewer for clues, and reinstall fresh if needed. Most apps come back with a 5-minute fix.
What to do
Repair the app:
- Settings → Apps → Installed apps → app → ⋮ → Modify / Repair (where supported, e.g., M365, most enterprise apps).
Reinstall:
- Uninstall via Settings → Apps → Installed apps.
- Restart.
- Reinstall from official source.
Missing runtime:
- For "0xc000007b" or "MSVCP*.dll missing" → install latest Visual C++ Redistributables (x86 + x64) from Microsoft.
- For ".NET Framework x.x is required" → install via Settings → Optional features.
Compatibility:
- Right-click .exe → Properties → Compatibility tab → Run this program in compatibility mode for Windows 7/8 → try.
Antivirus:
- Check Windows Security → Virus & threat protection → Protection history. If app blocked, restore + add exclusion (only if from known-good vendor).
User profile corrupt:
- Test with a different user account. If app launches for them and not for current user → profile rebuild required (escalate to L2).
Confirm it's fixed
- App launches and reaches its main window in <30 sec.
- App's primary function works (open file / save / log in).
- 3 consecutive launches succeed without issue.
Still stuck? Multiple apps fail to launch (system-wide), or specific app crashes after reinstall
Certificate Authority / critical certificate expiry
Digital certificates are like ID cards that let your systems trust each other and encrypt traffic. Each has an expiry date, and they're arranged in a chain — if the "master" card (the Certificate Authority) or the public "revocation list" expires, every ID card under it stops being trusted all at once, which is why so many things broke together. The fix is to renew the right card in the chain and make sure every device gets the updated trust information. For the top-level master certificate, we plan carefully and often run old and new in parallel so nothing drops while we transition, and for purchased certificates we go through the vendor.
What to do
> Section 5 is for a senior engineer / PKI lead. Public-trust and HSM-backed CA operations require vendor/CA engagement — called out inline.
- Expired/expiring leaf certificate: Renew or re-key it through the existing CA (internal AD CS per l3-certificates-001, or the public CA), deploy to all dependents, and restart/reload the consuming services.
- Expired CRL (fastest, highest-impact fix): Re-publish a fresh CRL from the issuing CA to all CDP locations and confirm clients pick it up. This often restores mass functionality immediately without touching any leaf cert.
- Issuing (subordinate) CA expiry: Renew the subordinate CA certificate from the root (renew with existing or new key per policy), publish the new CA cert into trust stores, then renew/re-issue leaf certs as needed. PKI lead drives this; engage vendor if HSM-backed.
- Root CA expiry (highest blast radius): This is a planned, human-led operation — generate/renew the root, distribute the new root to all trust stores (GPO/MDM/manual), and cross-sign old↔new where possible so existing chains keep validating during transition. Mandatory: PKI lead + management approval; vendor engagement for public roots and HSM.
- Public/third-party certificate or CA: Perform emergency reissue through the public CA/vendor account; you cannot self-sign these. Engage the vendor's emergency/expedited process.
- Restore the renewal automation (ACME/autoenroll) so this does not recur, and document the new expiry dates.
Confirm it's fixed
- Failing endpoints now present a complete, valid, in-date chain (leaf → issuing CA → root all trusted and unexpired).
- CRL shows a fresh nextUpdate and is reachable at every CDP; OCSP responder healthy; revocation checks pass.
- Affected services (TLS, VPN, 802.1x/RADIUS, code-signing, SAML/federation) all reconnect and operate.
- New root/issuing CA cert present in all required trust stores across the fleet (spot-check multiple OS/device types).
- No clients still pinned to or caching the old expired artifact; clocks/NTP in sync.
- Renewal automation re-enabled and a monitoring alert exists for upcoming expiries.
Still stuck? Engage PKI lead, the certificate vendor/public CA, and management when a root or issuing CA is expiring/expired, a CRL has lapsed causing mass failures, or a re-key/cross-sign is required across the fleet.
Disaster Recovery & Business Continuity program (planning + invocation)
Business continuity is your plan for keeping the business running when something major breaks — a fire, a flood, a cyberattack, a cloud outage. We start by figuring out which activities matter most and how long they can pause and how much recent data you can afford to lose. From there we decide how each system should be protected and recovered, write clear step-by-step recovery guides, and — crucially — actually test that backups restore and that we can switch to a backup site and back again. We also agree in advance who has the authority to "declare a disaster" and how we'll communicate. A plan that's never tested tends to fail when you need it, so practice is the whole point.
What to do
> Section 5 covers building the program and the invocation sequence for a senior engineer / DR owner. Declaring a disaster and any failover/failback are management-authorized; vendor engagement is noted.
- Author tiered DR runbooks with explicit recovery order (dependencies first), step-by-step actions, owners, and verification points (align technical runbooks with l3-disaster-recovery-001).
- Validate backups and prove restores: schedule regular restore tests to verified-clean, immutable/offline copies (l3-backup-dr-002). An untested backup is not a recovery capability.
- Document and rehearse failover AND failback: failback is frequently neglected and is where unrehearsed plans fail — plan the return to primary, not just the jump to DR.
- Define the disaster-declaration process: criteria, the authorized decision-maker(s), invocation trigger, and the communications plan. Declaration and invocation are leadership decisions, not technician calls.
- Run tabletop exercises (and, where feasible, live failover tests) at least periodically; capture findings and remediate the plan.
- Invocation (during a real event): confirm the declaration from the authorized decision-maker → activate the comms plan and roles → execute runbooks in recovery order → engage vendors (cloud, storage, hypervisor) where required → meet RTO/RPO and validate before returning to service → plan failback once primary is healthy.
- Maintain the program: review after every change/incident and on a fixed cadence; keep contacts, dependencies, and objectives current.
Confirm it's fixed
- A current BIA exists with agreed RTO/RPO per critical system, signed off by business owners.
- Tiered runbooks exist with recovery order, owners, and verification steps; stored accessibly (and out-of-band).
- Backups validated by recent successful restore tests to clean/immutable copies; results recorded.
- Failover and failback procedures documented and exercised; last tabletop/live-test date current.
- Disaster-declaration authority, roles, and communications matrix defined and known to participants.
- During invocation: declared by the authorized party, runbooks executed in order, RTO/RPO met and verified, and a failback plan in place.
Still stuck? Declaring a disaster and invoking failover is a management decision; engage executive leadership, the BC/DR owner, and affected vendors before invoking, and whenever recovery objectives (RTO/RPO) are at risk of being missed.
Hypervisor cluster down (vSphere / Hyper-V failover cluster)
Your servers run as virtual machines on a cluster of physical hosts that share common storage and are designed to cover for each other if one fails. Right now something broke the cluster's foundation — usually the shared storage or the network the hosts use to coordinate — so the safety automation either couldn't act or couldn't act safely. We recover deliberately and in order: fix the storage, then the host coordination, then the management tools, and only then start the virtual machines — each on exactly one host. Rushing risks "split-brain," where two hosts fight over the same data and corrupt it. If the foundation can't be trusted, we fail over to the disaster-recovery copy instead.
What to do
> Staged recovery order: storage → network/quorum → cluster/management → VMs. Section 5 is for a senior engineer; vendor engagement points are mandatory where noted.
- Restore shared storage first. Resolve the SAN/iSCSI/NFS/vSAN outage (see l3-storage-001). For PDL, follow the vendor's device-removal/re-add procedure. Do not bring VMs up until storage is confirmed stable — restarting on flaky storage causes corruption.
- Restore cluster network and quorum. Heal the management-network partition; bring the witness back. Recompute quorum only after connectivity is genuinely restored. Force quorum only as a last resort and ideally with vendor guidance, having first confirmed no other partition is also alive (split-brain prevention).
- Recover the management plane. Bring vCenter (and its DB/PSC) or the cluster service back; validate it sees true, consistent state before issuing power operations.
- Bring hosts back into the cluster cleanly (exit maintenance/isolation), confirming each sees storage and the network correctly and is firmware/patch-compatible.
- Power on VMs in priority order, on one owner each. Let HA/the cluster place them, or place manually — but ensure each VM starts on exactly one host. Verify guest health before moving to the next tier.
- If storage data integrity is in doubt or recovery is unsafe, this becomes a DR decision: fail over to the DR site or restore from backup (see l3-disaster-recovery-001 / l3-backup-dr-002) — a management call weighing RTO/RPO.
Confirm it's fixed
- All hosts/nodes Connected/Up, out of isolation/maintenance, and quorum healthy with the witness online.
- Datastores/CSVs online and read/write from all expected hosts; multipath fully restored.
- vCenter / Failover Cluster Manager healthy and showing consistent state; no orphaned or duplicated VM registrations.
- HA / admission control re-enabled and reporting sufficient failover capacity.
- All priority VMs running on a single owner each, guests healthy, applications validated; no split-brain artifacts.
- Backups/replication resumed and a fresh backup succeeds post-recovery.
Still stuck? Engage the hypervisor and storage vendors (severity-1) if shared storage is in APD/PDL, cluster quorum/witness is lost, the management plane is down, or there is any risk of split-brain — do not force VMs online on multiple hosts.
Intune device compliance: device shows non-compliant or fails to enroll
What to do
Compliance reason: BitLocker:
- Verify on device:
manage-bde -status C:shows "Protection On". - If missing, push BitLocker policy via Intune; ensure TPM present (
tpm.msc).
Compliance reason: AV signatures:
- Update Defender: Win+R →
cmd→"C:\Program Files\Windows Defender\MpCmdRun.exe" -SignatureUpdate.
Autopilot device not registered:
- Run on the device (admin PowerShell):
Install-Script Get-WindowsAutopilotInfo -Force; Get-WindowsAutopilotInfo.ps1 -Online. - Provide creds with Intune permission. This uploads hardware hash to Autopilot service.
- Wait 5–10 min, then run user OOBE.
Autopilot profile assignment:
- Endpoint Manager → Devices → Enroll → Deployment Profiles → assigned to group containing this device.
- Confirm group includes by device ID, not just user.
Hybrid AAD join (more complex):
- Confirm on-prem AD Connect SCP set:
Get-ADObject -Identity "CN=62a0ff2e-97b9-4513-bf6b-4a0aabe4ba9c,CN=Device Registration Configuration,CN=Services,CN=Configuration,$(Get-ADRootDSE).configurationNamingContext)" -Properties keywords. - Confirm device successfully creates
dsregcmd /statusshows AzureAdJoined: YES, DomainJoined: YES.
Wipe and reset:
- Endpoint Manager → device → Wipe (Autopilot reset) — re-runs OOBE clean.
Confirm it's fixed
- Device shows "Compliant" in Intune.
dsregcmd /statusshows AzureAdJoined: YES, EnterpriseJoined / DomainJoined: YES (if hybrid).- Conditional Access sign-in shows "Compliant: Yes".
- User can access targeted resources.
Still stuck? Mass enrollment failure, or compliance regression after policy change, or Autopilot ESP timeout
IT asset lifecycle: procurement, deployment, refresh, retirement
Asset management is just keeping the list of company devices honest. We tag everything when it arrives, update the list when it gets used or returned, and confirm it's wiped before it's stored or thrown out. That keeps audits clean, keeps purchasing on schedule, and stops a stolen laptop from becoming a data breach.
What to do
- Reconcile — pull a CSV from Intune (or your MDM), pull purchase orders for the period, compare. Anything in MDM not in PO = grey-market or BYOD. Anything in PO not in MDM = unenrolled.
- Tag every active device with both a physical sticker AND a digital tag stored in MDM custom attribute.
- Define states: Procured · In stock · Deployed · Returned · In repair · Retired · Lost.
- Set a refresh cadence — typical: laptops 3 yrs (knowledge workers) / 4 yrs (light users) / 5 yrs (servers); phones 2 yrs.
- Wipe on return — auto-trigger MDM wipe on offboarding. Don't shelve a device until wipe-success is logged.
Still stuck? Lost/stolen device, missing serial in audit, or device returned with sensitive data not wiped
Local-LLM / On-Prem GPU Build-Out
Running an AI model on your own hardware keeps your data in-house instead of sending it to a cloud service. To do it well, the GPU needs enough memory to hold the model plus room for the conversation, the drivers and serving software must match, and we sometimes "compress" (quantize) the model to fit — while checking it still answers well. We size the machine to how many people will use it and how fast it must respond, and we make sure none of the data leaves the building.
What to do
- Establish the privacy/residency requirement first — it's usually the reason for on-prem and dictates that nothing egresses.
- Estimate VRAM need: model parameter count × bytes-per-parameter (precision) + KV-cache for the context length × concurrency, plus headroom. Bigger context and more concurrent users cost VRAM fast.
- Pick precision/quantization to fit VRAM while preserving acceptable quality — validate quality, don't assume.
- Match the stack: GPU + driver + compute toolkit (CUDA-or-equivalent) + inference server must be a supported, version-aligned set.
- Diagnose OOM/slowness: check VRAM headroom, batch/concurrency settings, context length, and whether the model fell back to CPU.
Confirm it's fixed
- The chosen model loads within VRAM with headroom (no OOM) at the target context length and concurrency.
- Latency and throughput meet the agreed target under a realistic concurrent load test.
- Quantized output quality passes the golden test set.
- Driver + toolkit + server versions are aligned, pinned, and documented.
- Data-flow verification confirms no egress; access to the inference endpoint is controlled.
Still stuck? A planned local-LLM deployment cannot meet performance, VRAM, or data-residency requirements within the available hardware budget.
macOS 16 Apple Intelligence — features, privacy, and Private Cloud Compute
Your Mac has Apple's own AI built in. Most of it runs right on your Mac without sending anything to Apple. For more complex requests, Apple uses servers that are designed so even Apple can't see your data — they call it Private Cloud Compute. You'll find Writing Tools by right-clicking any text, Genmoji in the emoji menu, and the new Siri responds smarter than before. None of it requires signing up for anything extra.
What to do
Writing Tools (rewrite, proofread, summarize, change tone):
- Select any text in any app.
- Right-click → Writing Tools (or Edit menu → Writing Tools).
- Choose: Proofread, Rewrite, Friendly, Professional, Concise, Summary, Key Points, Table, List.
- Works on-device for shorter passages; longer / complex requests go through Private Cloud Compute (PCC) — Apple's encrypted server enclave.
Genmoji (custom emoji from a description):
- In Messages, Mail, Notes, or any text field that supports emoji.
- Click emoji picker → Genmoji tab → describe what you want: "a cat wearing a tiny hat at a cafe."
- Generates 3-4 variations. Tap to insert; pinned to recent emoji thereafter.
- Genmoji are images, not Unicode — recipients on older OS see a fallback sticker.
Image Playground:
- Launch via Spotlight or Image Playground app.
- Pick a person from Photos, or text prompt, or both.
- Choose style: Animation, Illustration, Sketch.
- Generates images on-device. Hard refusal on photorealistic / political / sensitive prompts — Apple bans by design.
Notification Summaries:
- System Settings → Notifications → Summarize Notifications → ON.
- Pick apps to summarize (Mail, Messages, news apps).
- Group of notifications gets a 1-line AI summary at the top.
Siri (new ChatGPT integration + product knowledge):
- Trigger Siri (hotword "Hey Siri" or pinned icon).
- Ask product-specific questions: "How do I change my login items?"
- Complex / open-ended questions: Siri can hand off to ChatGPT (free GPT tier or your paid ChatGPT account if signed in via System Settings → Apple Intelligence & Siri → ChatGPT).
- Always asks permission before sharing content with ChatGPT.
Confirm it's fixed
- Writing Tools menu appears on text selection.
- Genmoji tab exists in emoji picker.
- Image Playground app launches.
- Siri shows the new larger UI (glowing border around screen edges).
- System Settings → Apple Intelligence & Siri shows "Apple Intelligence is on."
Still stuck? Enterprise customer needs to disable Apple Intelligence org-wide for data sovereignty / compliance → MDM configuration profile required, escalate to L2.
macOS: kernel panic, spinning beach ball, or unexpected restart
Macs are usually stable, so when one panics or freezes, it's pointing at a specific cause. We'll force-quit anything stuck, restart cleanly, and read the message macOS leaves behind — that message names the file responsible 90% of the time. From there it's usually one of three things: an old app driver, a finicky USB-C dock, or a drive that's almost full. Each one has a quick fix.
What to do
If panic log mentions a third-party kext (e.g., com.vendor.driver.something):
- Identify the vendor from the kext name.
- Update or uninstall that vendor's app.
- macOS Big Sur+ uses System Extensions — System Settings → General → Login Items & Extensions → review.
If a specific app freezes (beach ball):
- Activity Monitor → CPU tab → sort by CPU. Force-quit the top offender.
- If the same app always freezes: reinstall it via the Mac App Store or vendor's site.
If random panics with no obvious cause:
- Apple Diagnostics — shutdown, hold D while powering on. Apple Silicon: hold the power button until startup options, then ⌘+D. Run the test; note any error codes.
- Safe Mode — Apple Silicon: hold power until startup options, hold Shift, click Continue in Safe Mode. Intel: hold Shift while powering on. Use the Mac for an hour. If it's stable in Safe Mode, the issue is a login item or kext.
If macOS update is half-installed:
- App Store → Updates → re-run the macOS update.
- If it fails: Apple menu → System Settings → General → Software Update → Reinstall.
For storage cleanup:
- Apple menu → About This Mac → Storage → Manage.
- Empty the Trash. Move large files to iCloud or external storage.
Confirm it's fixed
- 24 hours of normal use without a panic, freeze, or unexpected restart.
- Activity Monitor shows idle CPU <15% and memory pressure in the green.
- All accessories work without triggering a freeze.
- No new panic logs in System Report → Software → Logs.
Still stuck? Kernel panic recurs >2x in 24h, panic log identifies a kext (3rd-party kernel extension) or hardware fault, or RAM/SSD diagnostics fail
MDM enrollment: enroll a Windows / iOS / Android device into Intune (and fix failed enrollment)
Enrolling your device means it gets registered with the company so it can safely receive email, apps, and security settings — and so we can wipe just the work data if it's ever lost. On a phone you'll install the Company Portal app and follow a couple of prompts; on a new laptop it often happens automatically the first time you sign in. Once it's enrolled and shows as 'compliant,' your work apps will open without being blocked.
What to do
Windows — standard user enrollment (Entra join):
- Settings → Accounts → Access work or school → Connect → Join this device to Azure AD (full join = MDM enroll), sign in with the work account, complete MFA.
- *Or* if already Entra-joined: Settings → Access work or school → click the account → Info → confirm MDM is connected; if not, "Connect" enrolls into MDM.
- Force a policy sync: Settings → Access work or school → Info → Sync, or
dsregcmd /statusto confirmAzureAdJoined: YESand MDM URLs present.
Windows — Autopilot (new corporate device):
- Ensure the hardware hash is uploaded and an Autopilot deployment profile is assigned to the device group.
- OOBE → connect network → sign in with work account → Autopilot applies the profile and enrolls automatically.
- If it falls back to a normal OOBE, the profile wasn't assigned in time (→ check group membership / escalate).
iOS/iPadOS (BYOD or corporate):
- Install Intune Company Portal from the App Store.
- Open it → sign in → Begin → install the management profile (Settings prompts to allow) → trust it.
- Confirm the device appears in Intune and the management profile is installed under Settings → General → VPN & Device Management.
Android (work profile / fully managed):
- Install Intune Company Portal from Google Play → sign in → follow the work profile setup.
- Approve the managed Google Play account; corporate apps land in the work-profile section.
Fix common failures:
- 0x80180014 / "blocked": almost always an enrollment restriction or MDM scope excluding the user, or a missing license — fix in §4 then retry.
- "Already enrolled" / orphaned record: delete the stale device object in Intune, then on the device run
dsregcmd /leave(Windows) or remove the management profile (mobile), reboot, re-enroll. - Device cap reached: raise the per-user device limit in enrollment restrictions or remove old devices.
Confirm it's fixed
- Device appears in Intune → Devices with the correct user and Managed by: Intune (MDM).
dsregcmd /status(Windows) showsAzureAdJoined: YESand an MDM enrollment URL.- Compliance state flips to Compliant after first policy evaluation.
- A Conditional-Access-gated app (e.g., Outlook) opens, proving the managed/compliant state is honored.
- Company Portal lists the device as managed; assigned apps begin installing.
Still stuck? Enrollment restrictions, Autopilot profile assignment, or APNs/managed-Google-Play tenant config — tenant-level MDM platform work for L3.
NTFS / file share permissions: access denied, broken inheritance, audit
What to do
Effective Access:
- File Properties → Security → Advanced → Effective Access tab → pick user/group → View effective access.
ACL inspection:
icacls "C:\Path\To\Folder"— current ACEs.icacls "C:\Path\To\Folder" /verify— list inconsistencies.
Share permissions:
- Most restrictive of share + NTFS applies.
Get-SmbShareAccess -Name <share>shows share ACL.
Token bloat:
- User in 50+ groups can hit Kerberos token size cap; symptoms: random access denied, sign-in delays.
Still stuck? Cross-forest, broken ACL on critical share, or active investigation/audit
On-Device NPU (Copilot+/AI PC) Issues
Newer "AI PCs" have a special chip called an NPU that runs AI features quickly and efficiently. If its driver is missing or outdated, or the app isn't told to use it, the work falls back to the regular processor — making things slow, hot, and battery-hungry. We update the NPU's driver and the AI runtime, point the app at the NPU, and make sure the device isn't overheating or in a power-saving mode that holds it back.
What to do
- Update the NPU driver from the OEM/silicon vendor channel (not just generic GPU drivers); on Windows pull via the managed update channel, on macOS via OS update.
- Install/repair the AI runtime and its NPU execution provider; re-register if the app reports it missing.
- Point the app at the NPU in its settings if it defaulted to CPU/GPU; ensure the model is in an NPU-supported format/precision.
- Address thermal/power: set the device to a balanced/performance power mode for sustained AI work, ensure ventilation, and update firmware/BIOS if a thermal fix is published.
- Roll back a bad driver/runtime if the fault began right after an update, then pin to the known-good version.
- Reboot after driver/runtime changes so the accelerator re-initializes.
Confirm it's fixed
- The NPU shows healthy in Device Manager / system report with a current driver.
- The target AI feature runs and the app reports it is using the NPU/accelerator (not CPU fallback).
- CPU usage and fan noise drop during the AI task vs. the failing state.
- Performance holds on battery and AC (no thermal cliff), or the throttling cause is documented.
Still stuck? An NPU fault persists after driver/runtime reinstall and the device cannot run required on-device AI features.
RAID array / SAN disk failure and rebuild
Your storage system spreads data across several disks with built-in redundancy, so it can survive a disk failing. Right now a disk has failed (or is at risk), and the system is running without its safety margin. Replacing a disk and letting it rebuild is usually routine — but on large disks the rebuild is a stressful read of everything left, and a second problem during that window is the dangerous part. To protect your data, we are being deliberate: we will not "reset" or recreate the storage, because that can erase everything. If recovery looks risky, we bring in the storage vendor and may restore from backup instead. The priority is your data, not speed.
What to do
> Sections 5 steps are for a senior engineer, typically in a live session with the vendor. Mandatory human/vendor engagement is called out inline.
- Single failed disk, array still degraded-but-redundant (the safe path):
- Confirm the replacement disk meets vendor spec (size/type/firmware). Identify the correct physical slot using the management tool's locate/blink function — never by guessing.
- Replace the failed disk; allow the controller to rebuild onto the new disk (or onto the hot-spare, then copyback). Monitor rebuild progress and watch for additional errors.
- Keep the array on backup power and avoid heavy I/O during rebuild to reduce the chance of a URE-triggered second failure.
- Second failure or URE during rebuild, or array reported FAILED/OFFLINE: STOP. Engage the storage/array vendor's severity-1 support immediately. Do not attempt to force-online, re-initialize, or recreate the array — these typically destroy any chance of vendor-led recovery and the data.
- Suspected controller / backplane / cabling fault: Replace the suspect component under vendor guidance. After a controller swap, import the existing/foreign configuration only as directed by the vendor — never clear it blindly.
- Cache/BBU fault: Replace the battery/flash-backup module per vendor procedure; the vendor confirms whether any cached writes were lost and whether a filesystem/database consistency check is required.
- SAN path/LUN issue: Correct zoning/masking/multipath; bring paths back; have the vendor confirm SP/controller health before returning the LUN to production.
- If recovery is not safe or not possible — restore from backup: This is a management decision (data loss/RPO vs downtime). Restore to healthy hardware/array from the most recent verified backup, then validate integrity before returning to production.
Confirm it's fixed
- Array/disk group reports Optimal/Healthy; all member disks Online; no hot-spare consumed without copyback completing.
- Rebuild/copyback completed at 100% with no media/URE errors logged.
- Controller cache/BBU healthy and write-back re-enabled (if appropriate).
- SAN: all expected multipaths present and active/optimal from every host; LUN(s) online and read/write.
- Host/filesystem/database consistency check clean (chkdsk/fsck, DB DBCC/integrity check) where a bad shutdown or cache loss occurred.
- Applications, VMs, and file shares back online; latency/throughput normal; recent backup succeeds post-recovery.
Still stuck? Engage the storage/array vendor immediately if a second disk fails during rebuild, the array is reported failed/offline, the controller or cache is suspect, or any procedure would re-initialize, recreate, or reformat the array.
Self-Healing Endpoint → Human Escalation
Some endpoint problems are fixed automatically by an AI agent. When the agent isn't sure, hits a safety rule, or can't fix something, it stops and hands the job to a human — on purpose. The technician gets the full story of what the agent tried and how to undo it, makes sure the computer is in a safe state, finishes the fix, and writes down everything so there's one clean record. The handoff is a safety feature, not a failure.
What to do
- Stabilize first: if the device is in an unsafe/half-remediated state, restore to the captured known-good point before continuing.
- Take a clean handoff: the human assumes the action with the agent's full context (what was tried, why it stopped, the restore path).
- Complete or reverse the remediation manually, recording each step back into the same audit trail so the record stays continuous.
- Resolve the root cause the agent couldn't reach (out-of-scope dependency, ambiguous fault) using standard L3 procedures.
- Close the loop with the agent: mark the incident resolved, and if the case is now a known pattern, feed it back so the playbook can safely handle it next time (governance review, not silent auto-expansion of scope).
- Re-enable autonomy only after confirming the device is healthy and the guardrail logic behaved correctly.
Confirm it's fixed
- The device is in a known-good, stable state (verified independently, not just per the agent).
- Every human action is recorded in the continuous audit trail alongside the agent's actions.
- Any partial/erroneous change is confirmed kept-or-reversed deliberately.
- The handoff context (what/why/restore path) was complete enough to act on — gaps noted for improvement.
- Autonomy is safely re-enabled or deliberately left paused with a reason.
Still stuck? An autonomous remediation agent exhausts its safe actions or hits a guardrail and a human must take over with full context.
Shadow-AI Discovery
Shadow AI" is any AI tool your team uses that IT did not approve — a chatbot, a writing helper, a browser add-on. The danger is that company or customer information can quietly end up on an outside service. Discovery is simply finding out what is actually in use, deciding which tools are safe to keep, blocking the risky ones, and giving people an approved option so they do not feel they have to go around IT. The goal is enabling AI safely, not banning it.
What to do
- Triage each discovered tool: sanction, restrict, or block, based on risk and data handling.
- Run the sanctioning workflow for tools worth keeping:
- Assess vendor data handling/retention and where data goes.
- Define allowed use and what data may/may not be entered.
- Bring it under governance: owner, register entry (t4-aigov-001), and identity/permissions if it acts (t4-aigov-005).
- Approve and add to the published approved-AI list.
- Block or restrict high-risk or non-compliant tools (extension allow/deny lists, egress controls, DLP rules on sensitive data).
- Provide a sanctioned alternative so the underlying need is met — shadow AI thrives where official tools are missing.
- Publish the approved-AI list and a simple request path so future adoption flows through IT instead of around it.
- For confirmed data exposure, treat it as a data incident (notify, assess scope; coordinate with t4-aithreat-001 if injection/exfil is involved).
Confirm it's fixed
- A consolidated inventory of discovered AI tools exists with users, purpose, and data flows.
- Each tool has a disposition: sanctioned / restricted / blocked.
- Sanctioned tools appear on a published approved-AI list and in the governance register.
- High-risk tools are demonstrably blocked or restricted (test the control).
- A working request-and-approve path for new AI tools is documented and communicated.
Still stuck? An unsanctioned AI tool is found to have received sensitive, regulated, or customer data.
VIP / executive / white-glove support workflow
We treat VIP support like an emergency room — known patient, known stakes, no waiting. We pick up the phone, we drive the fix, and we make sure there's a backup path so the meeting still happens. After it's fixed, we write up what went wrong and add it to a profile so the next time it never gets that close.
What to do
- The technical problem is usually L1, but the time pressure is L3.
- VIP is using a non-standard device or app for the first time.
- Stakes (earnings call, customer demo, regulator) raise the cost of any miss.
- VIPs rarely run troubleshooting steps themselves — they expect the tech to drive.
- Outage may be on the network/SaaS side, not their device.
Still stuck? VIP issue impacting board meeting, earnings call, customer demo, or live event in next 4 hours
Windows 11 25H1 Copilot+ PC features — Recall, Click to Do, Cocreator, Live Captions
Your new PC has a special AI chip that lets it do things older computers can't. Recall remembers what you've been doing so you can find it again by describing it. Click to Do lets you right-click on anything on screen and have AI explain or rewrite it. Cocreator makes art from a sentence. Live Captions transcribes any audio in real time and even translates. All of it works without sending anything to the cloud — it stays on your PC.
What to do
Recall (timeline of snapshots):
- Settings → Privacy & security → Recall & snapshots.
- Toggle "Save snapshots" ON.
- Configure: storage limit (25 GB default), excluded apps (browsers in private tabs auto-excluded), filter sensitive content (passwords, ID numbers auto-redacted by AI).
- Open Recall: Win+J or pinned Taskbar icon. Search natural language: "the spreadsheet I had open yesterday morning."
- Privacy guidance for business users: Recall data is encrypted with BitLocker + VBS Enclaves. Snapshots never leave the device. But: anyone with the device's Windows Hello can access. Treat as you would a screen recording.
Click to Do (right-click intelligence on anything on screen):
- Win+Click on any image, text, or area of the screen.
- Options appear: summarize text, rewrite, copy text from image, blur background, erase object, search the web for similar image.
- Works without internet for text + image features (NPU local). Web-search options call the network.
Paint Cocreator (text-to-image inside Paint):
- Open Paint → click Cocreator button (top right).
- Type a prompt like "watercolor painting of a coffee shop at sunrise."
- Use credits (50 free per Microsoft account, then $0.10 each via Microsoft Designer credits).
- Pick a style: pencil sketch, ink sketch, watercolor, oil painting, digital art, photographic.
Live Captions (with translation):
- Win+Ctrl+L to toggle.
- First use prompts to download the on-device speech model (~1.5 GB).
- Settings (gear icon in caption bar) → Caption language: select from 44 languages. Pick "Translate to" for live translation.
- Works on any audio — meetings, YouTube, in-person via mic input.
Studio Effects (camera & mic AI):
- Settings → Bluetooth & devices → Cameras → Default camera → Studio effects.
- Toggle: Automatic framing, Background blur (standard / portrait), Eye contact (standard / teleprompter), Creative filters.
- Mic Studio Effects: Voice focus, Background noise suppression — same Settings page under Sound.
- Applies system-wide (Zoom, Teams, Discord all benefit).
Confirm it's fixed
- Task Manager shows NPU activity > 0% when Recall/Click to Do runs.
- Live Captions display within 1-2 seconds of speech.
- Recall search returns relevant snapshot in under 3 seconds.
- Studio Effects visible in camera preview without app-specific setting.
Still stuck? Customer is enrolling 10+ Copilot+ PCs at once — design rollout (Recall policies, data governance, group policy) before mass deployment.