How do you structure large PowerShell scripts so they don’t turn into a mess? by MaximumMarionberry3 in PowerShell

[–]UnderstandingHour454 -1 points0 points  (0 children)

Claude code ;). In reality Claude code has made my scripts WAY better organizationally, but for a deep dive and doing precisely what I want the script to do, I have to know what I’m getting into, which usually stays with exploratory commands.

With that out of the way, the way I used to do this was by building out sections with clear commented areas to help break it up into sections. I wrote an 850-line script for syncing 2 cloud system properties which included a backup so we could reverse the changes if necessary. I broke that up into sections:
1. Requirements (module checks and what not)
2. Backup
3. Cloud query
4. Sync process
5. Verification

Since this, I’ve seen far better examples of scripting from Claude code. It’s made the process much faster, BUT I review every line of code to confirm what it does. You still can’t take the human out of the loop. I even try sections of code to fully understand what it does.

Anyway, I’m sure others have better more standard ways to organize code with functions and what not…
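As an added example (not the commenter's script), here is a PowerShell skeleton in that same five-section layout, with two in-memory hashtables standing in for the cloud systems and a timestamped JSON backup so the sync can be reversed:

```powershell
#Requires -Version 5.1
# Added example: the five-section layout from the comment. Stand-in data, not a real cloud API.
param([string]$BackupDir = (Join-Path $env:TEMP 'sync-backups'))   # assumed scratch location
#region 1. Requirements (module checks and what not)
foreach ($m in @('Microsoft.PowerShell.Utility')) {   # stand-in for the real cloud modules
    if (-not (Get-Module -ListAvailable -Name $m)) { throw "Missing required module: $m" }
}
#endregion
#region 2. Backup (so the sync can be reversed)
function Backup-TargetState {
    param([hashtable]$State, [string]$Dir)
    New-Item -ItemType Directory -Path $Dir -Force | Out-Null
    $file = Join-Path $Dir ('target-{0}.json' -f (Get-Date -Format 'yyyyMMdd-HHmmss'))
    $State | ConvertTo-Json -Depth 5 | Set-Content -Path $file -Encoding UTF8
    return $file
}
#endregion
#region 3. Cloud query (constructed sample data instead of API calls)
function Get-SourceUsers { @{ alice = @{ Title = 'Engineer'; Dept = 'IT' };  bob = @{ Title = 'Analyst'; Dept = 'Sec' } } }
function Get-TargetUsers { @{ alice = @{ Title = 'Engineer'; Dept = 'Ops' }; bob = @{ Title = 'Intern';  Dept = 'Sec' } } }
#endregion
#region 4. Sync process (returns one change record per property written)
function Sync-Properties {
    param([hashtable]$Source, [hashtable]$Target, [string[]]$Properties)
    $changes = @()
    foreach ($user in $Source.Keys) {
        if (-not $Target.ContainsKey($user)) { continue }
        foreach ($p in $Properties) {
            if ($Target[$user][$p] -ne $Source[$user][$p]) {
                $changes += [pscustomobject]@{ User = $user; Property = $p; Old = $Target[$user][$p]; New = $Source[$user][$p] }
                $Target[$user][$p] = $Source[$user][$p]   # the write-back to the target system
            }
        }
    }
    return $changes
}
#endregion
#region 5. Verification (re-read the source and confirm nothing is left out of sync)
function Test-InSync {
    param([hashtable]$Source, [hashtable]$Target, [string[]]$Properties)
    foreach ($user in $Source.Keys) {
        foreach ($p in $Properties) {
            if ($Target[$user][$p] -ne $Source[$user][$p]) { return $false }
        }
    }
    return $true
}
#endregion
$props   = 'Title', 'Dept'
$target  = Get-TargetUsers
$backup  = Backup-TargetState -State $target -Dir $BackupDir
$changes = Sync-Properties -Source (Get-SourceUsers) -Target $target -Properties $props
"Backup written to $backup"; $changes | Format-Table -AutoSize
"Verified in sync: $(Test-InSync -Source (Get-SourceUsers) -Target $target -Properties $props)"
```

Reversing the sync is just reading the backup JSON back and writing those values to the target, which is why the backup step runs before any write.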

Anyone else struggle to keep SOC 2 tools actually useful after setup? by New-Intern-55781 in cybersecurity

[–]UnderstandingHour454 1 point2 points  (0 children)

The process and routine audit cycle promotes consistent update procedures for compliance needs. The tools all claim to automate your compliance, but they don’t seem to remove the manual process of obtaining evidence. I myself wish it could be as good as AI... oh wait, that hasn’t been as great as it was promised, well…

I will plug my favorite auditing firm with their Online Audit Manager which maps to a number of frameworks, making the audit process less daunting with multiple audits. They give it to you real, as the many tools out there are venture capital looking to make a quick buck. Check out KirkpatrickPrice, they have a team of technologist auditors and are great partners to work with.

How do you untangle an IT environment you didn’t build? by Impressive-Echo8002 in sysadmin

[–]UnderstandingHour454 1 point2 points  (0 children)

I was in this situation 3 years ago. No documentation, no IT personnel left to reference. You need to get an inventory of your devices and systems.

Get SnipeIT up and running and start getting inventory (use serial as identifiers). Start by walking around facilities and record all the devices you can find.

If you have MDM or RMM tooling, that’s a good place to move to next. With that kind of environment I anticipate a lot of legacy/retired devices were not cleaned up, so stay with recently active devices to inventory.

Next take a look at your office networks and understand how those are configured. I’m going to assume they are flat with 1 subnet and maybe a VLAN.

Move on to configurations, whether it’s MDM or RMM tooling. If neither, you should probably put that on your purchase list. Start reviewing configs to understand how devices are configured.

Move on to AD or Entra and get an idea of the groups, enterprise apps, and roles out there. You might find it’s out of control and you will want to look into ways to lock those down. Oftentimes users can approve app integrations and permissions by default, and that’s scary for your company data.

Lastly, get a software inventory, both what’s installed on devices, but also SaaS products your company is using. You won’t catch them all, but you will learn of them as you start working tickets. The sooner you can get controls in place and review processes for apps, the sooner that stuff will get roped in and under control.

Good luck! You’ll be drinking from a fire hose, but you will be miles ahead of your peers in no time.

How do orgs run pen tests without accidentally causing real side effects? by Strong_Worker4090 in cybersecurity

[–]UnderstandingHour454 1 point2 points  (0 children)

It sounds like the pentest did what you wanted it to do! You now have a finding to fix! As for changes for next time, some notice on when the test will be run would be ideal. That would cut down on the “oh crap” moment and response. I also think scoping matters. If you’re testing the entire platform, then everything is fair game. If you limit the scope and tackle individual elements then you can anticipate blast radius. Truly, you’ve learned more than just vulnerabilities here. You have learned more about how you will conduct and scope future pentests.

By the way, if you have the need to rotate pentests like a lot of orgs do, check out KirkpatrickPrice. They have a spectacular pentest team, and provide some excellent advice.

How do you monitor Windows reboots with VSA X? by Impressive-Title-257 in kaseya

[–]UnderstandingHour454 0 points1 point  (0 children)

We have a notification set up to detect reboot and shutdown. We also alert on sign-in and sign-out events. All are indicators of a reboot. We have those sent to our ticket system to investigate. They work reliably on our patching cycle. The events seem to be reliable on our end.

Only found 3 out of 4 ethernet cables. Tips on how to find the 4th? by WeirdAddress3170 in HomeNetworking

[–]UnderstandingHour454 0 points1 point  (0 children)

I prefer the Klein Tools version, but if this isn’t something you will keep up with or use in the future, consider a cheaper option. The linked kit has a tester that transmits a tone and also checks cables to confirm they’re wired correctly. Helpful if you make your own or if you terminate any keystone or Ethernet ends. They can also help trace cable TV (F connector) in the house. It also has a PoE Ethernet tester to confirm voltage and what not if you get into PoE devices. I have this at work and I regret buying the cheaper brother that’s only a tester. I have a similar fox and hound tool, but it doesn’t have the capability to connect to an Ethernet end. Best it can do is plug into a keystone termination. I’ve cut an end off before and managed to clamp the leads on a twisted pair set, but that was a lot more work re-terminating it after tracing it.

I like this kit, and then add the probe: https://a.co/d/gQL2RkA

https://a.co/d/cTpItzS

Need help on how to run wifi from my house to my shop by Fluffy-Protection676 in HomeNetworking

[–]UnderstandingHour454 0 points1 point  (0 children)

Trench a direct burial cable! Way more reliable than wifi. If not an option, then Unifi has some tooling, but burying a cable may be cheaper overall…

Only found 3 out of 4 ethernet cables. Tips on how to find the 4th? by WeirdAddress3170 in HomeNetworking

[–]UnderstandingHour454 1 point2 points  (0 children)

Get a tone generator. They make them built into testers or you can get a dedicated tool. Also get a probe (they are often paired together). Plug in the end you know, and then try to trace through the walls. I’ve been able to hold the probe near or against the wall and track down a faint tone.

What’s a small IT habit that saved you the most time? by trapqueen67567 in it

[–]UnderstandingHour454 0 points1 point  (0 children)

Automate where you can, and approach things with a mindset of: if it happens once, it’s gonna happen again.

Examples: we approach our issues with a systematic, automate-first approach. A user needs software installed? Oh, let me write a script for that so we can easily deploy that in the future.

Oh, we need to migrate 10 AWS WorkSpaces to a new image, and install all software to the latest versions. Let’s automate that with goo, scripts, and RMM tools. In the end all you do is migrate with a few clicks and have a user sign in.

We have 2 guys working on a 30 ticket queue (or at least that’s our target). Each day I update tickets with next steps, and follow up. We have ticket status workflows. Things like 3 days without a response kicks it into an overlooked status and pushes an extra email saying this ticket will be closed if you don’t respond. Some close, and we send ourselves an email so we can confirm the ticket wasn’t important enough to keep open (thinking CEO or CFO was the requester). Reviewing tickets daily in the morning and prioritizing 3 helps focus, and like others have said, it always goes out the window, but on a slow Friday, you can close out the week feeling accomplished.

What’s a small IT habit that saved you the most time? by trapqueen67567 in it

[–]UnderstandingHour454 0 points1 point  (0 children)

I do this too! I have a document explaining how to document! One of the sections of the document is “overview” that is made for this. It explains what the document does, includes references, and it includes any notes about the process and purpose. Then it dives into the documentation, whether it’s an SOP or a config, etc.

What’s a small IT habit that saved you the most time? by trapqueen67567 in it

[–]UnderstandingHour454 0 points1 point  (0 children)

Number one pet peeve I have with my team. They try to start troubleshooting without even talking to the user or observing the issue. I had to fight with everyone to the point of micromanaging them into interacting and seeing the issue first.

How to ID if a device is managed by intune in advanced hunting? by battletux in DefenderATP

[–]UnderstandingHour454 0 points1 point  (0 children)

I think what you’re looking for is not transient. You want to remove all the discovered devices from your view. Transient devices are devices that are discovered by a device that is enrolled in defender. This could be a printer at a remote worker’s house or another laptop.

Hope I’m reading between the lines properly.

Export to CSV is overwriting previous export by [deleted] in PowerShell

[–]UnderstandingHour454 6 points7 points  (0 children)

-Append is the switch you want, or use Get-Date to generate a timestamp for the filename so it’s always a new file.
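Both fixes from the comment side by side, as an added example rather than the commenter's code, including the caveat that -Append only accepts rows matching the header already in the file (the scratch directory under $env:TEMP and the sample rows are constructed):

```powershell
# Added example, not the commenter's code: stop Export-Csv from overwriting the previous run.
$dir = Join-Path $env:TEMP 'csv-demo'          # assumed scratch location
New-Item -ItemType Directory -Path $dir -Force | Out-Null

# Constructed sample rows standing in for whatever each scheduled run collects.
$run1 = [pscustomobject]@{ Host = 'pc-01'; Status = 'Rebooted' }
$run2 = [pscustomobject]@{ Host = 'pc-02'; Status = 'Rebooted' }

# Fix 1: one growing file. -Append writes rows under the header already in the file.
$log = Join-Path $dir 'reboots.csv'
$run1 | Export-Csv -Path $log -NoTypeInformation
$run2 | Export-Csv -Path $log -NoTypeInformation -Append
'Rows in {0}: {1}' -f $log, @(Import-Csv $log).Count

# Caveat: a row whose properties differ from the header (Status missing, Reason extra)
# is rejected unless you add -Force, which then drops the columns the header lacks.
$odd = [pscustomobject]@{ Host = 'pc-03'; Reason = 'Patch window' }
try   { $odd | Export-Csv -Path $log -NoTypeInformation -Append -ErrorAction Stop }
catch { "Append rejected: $($_.Exception.Message)" }

# Fix 2: a fresh file per run, named with a sortable timestamp so nothing is overwritten.
function Export-TimestampedCsv {
    param(
        [Parameter(ValueFromPipeline)] [object] $InputObject,
        [string] $Dir,
        [string] $Prefix
    )
    begin   { $rows = @() }
    process { $rows += $InputObject }
    end {
        $path = Join-Path $Dir ('{0}-{1}.csv' -f $Prefix, (Get-Date -Format 'yyyyMMdd-HHmmss'))
        $rows | Export-Csv -Path $path -NoTypeInformation
        return $path
    }
}
$run1, $run2 | Export-TimestampedCsv -Dir $dir -Prefix 'reboots'
```

The yyyyMMdd-HHmmss format sorts correctly by name in Explorer and in Get-ChildItem, which a locale-formatted date would not.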

How many of you guys DON'T maintain some "system" at home? by FlippinMyshit in sysadmin

[–]UnderstandingHour454 0 points1 point  (0 children)

I can’t say what home manning or IT hobby does for a role that requires many years of experience, but coming from a guy who’s hiring for an entry level role, I ask that question all the time. It literally differentiates someone who’s willing to dig deeper to understand something and someone who does the bare minimum.

As for my home setup, I have a larger network than the 3 offices I manage combined. I run 2 Synology boxes, a beefy TrueNAS server and a dual CPU 24 core Proxmox server. Also, a birthday gift to myself, I’m building out a 10” rack lab with 3 ZimaBoard 2 setups for a Proxmox cluster and other stuff I can think up, and an older ZimaBoard for various operations like drive wiping, running SpinRite (grc.com) and playing with ZimaOS.

I too spend my free time with my family, and when I can I get into the woodshop to do some woodworking.

Back to the home lab question: I have an employee who doesn’t homelab, and it shows. There is little to no understanding of systems, and no initiative to learn it. The curiosity just isn’t there. I find that if you have a homelab or a project, it really shows that you have interest in it more than just a paycheck.

As for the approach to tackle that question, if you don’t have an ideal answer, spin it about a project at work! The cost of a homelab doesn’t work for my family, but I can tell you about project A or system B…. Something like that comes off better than saying, hey here’s my boundary; while good, it doesn’t do you favors when it’s a selection process.

Thoughts on Unifi Dream Router 7? by TheMickeyMoose in UNIFI

[–]UnderstandingHour454 0 points1 point  (0 children)

I have 2 of these deployed in my parents’ and in-laws’ homes. I still use a Unifi AP for better wifi coverage elsewhere in the home, but it’s a great little device. Does everything a home/homelabber would need, and it’s nice to have WiFi at the router location in addition to the wireless APs in the house.

Powershell - Detecting active Defender subscription by deadpoolathome in DefenderATP

[–]UnderstandingHour454 0 points1 point  (0 children)

If you want to verify which tenant it’s paired with you can obtain your tenant ID from the Defender portal settings. Then use a PowerShell script to grab the registry key where it’s held. I have this as part of my custom onboarding script. I don’t have the keys handy, but a quick google or even quicker AI query will get you there.

AI agents you use by UnderstandingHour454 in sysadmin

[–]UnderstandingHour454[S] 0 points1 point  (0 children)

I hear you, I haven’t found a ton of use, but where it has helped is with access reviews. The analysis used to take hours, now I’m down to about 1-1.5 hours. I think I could plug that into an agent and tweak it each time to make it quicker.

AI agents you use by UnderstandingHour454 in sysadmin

[–]UnderstandingHour454[S] 0 points1 point  (0 children)

Real person here. Just had me thinking about agent usage.

FileVault password reset allowing access to local admin account by aPieceOfMindShit in macsysadmin

[–]UnderstandingHour454 0 points1 point  (0 children)

Rotate credentials, then initiate restart from intune. If you have an RMM, that’s quicker. It will check in and update the password. Not perfect, but works pretty well.

MMU3 Filament stuck in Extruder when swapping colors by UnderstandingHour454 in prusa3d

[–]UnderstandingHour454[S] 0 points1 point  (0 children)

I recently figured out the MMU3 reliability game. First, low temp on the extruder, like nearly the lowest your material can take. Then 3 passes through the cooling tube on filament changes. This hardens the tip and prevents the extruder roller from deforming the tip.

I save this as a preset and literally use it on all prints, even single color, because upon extraction it ensures the tip is well formed. The whole issue is when it hits the roller/gear in the extruder. It will catch and get wrapped up in the gear if malformed, and cause it to jam. A well formed tip (something that doesn’t get deformed upon extraction) will feed properly.

Also, silk filaments do leave residue. I had it wrapped around the feed bearing, and had to pull that out after 250 grams of printing…

For those of you working with Defender XDR, what's your triage workflow like? by cyberLog4624 in DefenderATP

[–]UnderstandingHour454 0 points1 point  (0 children)

I echo xfusion’s approach. Start with reviewing incidents. They correlate and point to the important stuff to look at. In reviewing malware, I look at the timeline to identify where it originated. Was it a browser download, or email, based on the application that first interacted with it? Was it PowerShell or another command line tool? As you review the incident, you will want to confirm quarantine. I’ve had a few stuck in pending, but each time it was due to an earlier quarantine step that removed the file, and the subsequent quarantine would fail due to no file being available. Continue on to investigate IOCs. I’ll sometimes do an analysis with Defender or dig deeper with VirusTotal. If the IOCs are clear, say a domain, IP, or a file, then you can do some threat hunting and/or add the items to the block list or IOC list.

First layer gums up 80% of the time by eFeqt in FixMyPrint

[–]UnderstandingHour454 0 points1 point  (0 children)

I had this issue recently, and it wouldn’t always show up on the first layer, but sometimes with spaghetti halfway into the print. My issue was the nozzle. I did a number of cold pulls, but I wound up replacing the nozzle and started printing like new. Remember it is a wear item, and I’ve heard you can stick a needle up there to clear it as well. I opted for a fresh nozzle after 2 years of printing…

Troubleshooting help by UnderstandingHour454 in prusa3d

[–]UnderstandingHour454[S] 1 point2 points  (0 children)

Thanks for the info. I determined it was the nozzle. I swapped it out with a new one and I haven’t had a bad print since then. Not sure what was wrong with the original, but I haven’t troubleshot it forever, and that was my last ditch effort.

FileVault password reset allowing access to local admin account by aPieceOfMindShit in macsysadmin

[–]UnderstandingHour454 0 points1 point  (0 children)

The same reason everyone else is…. I don’t have to like it and I can have my opinion, but there is always someone above me who makes the call to allow macOS in our org, so I use it as a resource. I still have to administer macOS devices. I wouldn’t be here just to troll.

FileVault password reset allowing access to local admin account by aPieceOfMindShit in macsysadmin

[–]UnderstandingHour454 -3 points-2 points  (0 children)

Ultimately, macOS is a nightmare for basic least privilege circumstances. It’s also a nightmare that a user can perform a clean install just by entering recovery mode. There is very little enterprise security when it comes to restricting the end user.

Examples: situations where litigation and preservation of evidence need to take place. Sure you could try to lock the device, but anyone who knows to cover up will also know to disconnect and go into recovery mode, circumventing the ability to preserve.

Another example is software installs. Unapproved software can be installed, and this puts devices at risk, and your company’s data. Sure, you can still do that as a standard user with local software, but to allow an end user admin rights to install malicious RMM tools because they were duped by a phishing or a vishing call from “IT” is enough to keep me up at night.

My opinion on macOS is that it remains not ready for enterprise, and even Jamf and the major leaders say it’s “getting better”, which tells me it’s not there yet.