VM-Setup: post-install Linux tooling that actually sticks around
A look at Narehood/VM-Setup, the menu-driven Bash utility for XCP-ng guests and generic Linux hosts, plus the newer update, pin-sync, and installer-hardening work.
Author
Founder, Qutzl LLCB.S. Information Sciences and Technology, Penn State
Michael is a hands-on technology operator with more than a decade in the field — the kind of person who would rather fix the root cause than dress up a workaround. He founded Qutzl to help small and medium businesses with remote support, hosting, and practical consulting, and he writes Qutzl Insights the same way he works: clear steps, honest tradeoffs, and advice you can use on a Tuesday afternoon.
Michael earned a Bachelor of Science in Information Sciences and Technology from The Pennsylvania State University. As a freshman work-study help desk technician, he spent 20–40 hours a week supporting Penn State systems — account resets, deployments, and the unglamorous tickets that teach you how people actually use technology.
From sophomore through senior year he interned with the lead technology instructor at Penn State DuBois. That role opened the door to real lab and production tooling: project work, help desk support for students and staff, classroom and lab maintenance, and deep exposure to Linux, macOS, Windows, VMware, Citrix, SANs, networking, and backup platforms. The hours stacked up quickly — thousands before graduation — and the habit of learning by building never really stopped.
Today that mix shows up in client work and in these articles: running and tuning XCP-ng environments, using agentic coding tools to move faster without cutting corners, staying current on security practices, and keeping up with what actually matters in the latest tech — then documenting the parts that usually get left out of vendor blogs.
A partial list of platforms Michael works with regularly — useful context for readers, not a resume dump.
A look at Narehood/VM-Setup, the menu-driven Bash utility for XCP-ng guests and generic Linux hosts, plus the newer update, pin-sync, and installer-hardening work.
What’s in Narehood/dotfiles (bash/zsh, tmux, vim, screen) and the newer prompt.conf settings for emoji, colors, layouts, and safer install/uninstall.
How to give visitors internet access without putting file shares, cameras, and printers on the same network as your coffee-shop guests.
How to run a safe Arch system update with pacman -Syu: read the news, update cleanly, handle pacnew files, and reboot when the kernel changes.
Keep RHEL (and close cousins like AlmaLinux or Rocky) patched with dnf: check subscription/repos, update safely, reboot for new kernels, and verify services.
A straightforward checklist for keeping Ubuntu Server or Desktop patched: apt update, upgrade, reboots, and what to verify before you walk away.
Early iOS 27 developer and public betas are unusually polished, often snappier and steadier than iOS 26, but a beta is still a beta for work phones.
By Michael NarehoodMicrosoft 365
A practical path to require multifactor authentication in Microsoft 365 for a small business, without locking everyone out on Friday afternoon.
Hugging Face disclosed an AI-driven intrusion through its dataset pipeline. Lessons on hosted model guardrails, local forensics, and treating data processing as attack surface.
A realistic endpoint baseline for small businesses: patching, MFA, EDR, backups, and least privilege, without pretending you need a Fortune 500 stack.
Critical unauthenticated RCE (wp2shell) hits WordPress 7.0.0–7.0.1 and 6.9.0–6.9.4. What the CVEs mean, which versions are fixed, and what SMBs should do today.
OpenAI's internal GPT-Red red-teaming model shows how automated prompt injection testing scales. Practical steps for businesses deploying Copilot, agents, and AI connectors.
A straight take on leaving on-prem or cPanel mail for Microsoft 365 / Google Workspace, and the few cases where self-hosting still makes sense.
Microsoft's record July 2026 release reflects AI-assisted vulnerability discovery. What MSPs and SMBs should change in triage without freezing from volume anxiety.
Hybrid schedules mean more unknown devices on site. Design for that.
Diving from “never patch” to “patch everything Friday” creates avoidable outages.
Fewer models mean faster imaging, patching, and spare strategy.
Why phishing-resistant MFA belongs on privileged accounts first, and how to start small.
You cannot patch what you forgot existed. A quick method to find shadow WordPress and forgotten subdomains.
A look at Qutzl’s patch priority process when a core product vulnerability hits the news.
Out-of-office season is when delayed patching and standing admin rights get expensive. A pre-travel checklist.
Bot leads waste sales time and can hide phishing callbacks.
BYOD mail and Teams are convenient. Containerization and remote wipe need to be real.
Any-any rules and forgotten NAT entries accumulate. Schedule the cleanup.
Separate admin identities and turn off unused seats before attackers find them.
What to do in the first sixty minutes of a suspected breach.
By Michael NarehoodMicrosoft 365
Citizen automation is great until a forgotten flow holds privileged consent.
By Michael NarehoodBackups & Continuity
A one-hour script to practice ransomware or BEC response without breaking production.
Auto-renew usually works until it does not. A lightweight checklist so HTTPS does not expire on a holiday.
By Michael NarehoodMicrosoft 365
Impossible travel, new countries, and legacy protocol spikes: signals worth a human look.
By Michael NarehoodBackups & Continuity
What “immutable” means, why ransomware crews target backups, and how SMBs get close without enterprise budgets.
By Michael NarehoodMicrosoft 365
Toll fraud and voicemail hacks still happen. A short hardening list for modern phone systems.
How small business sites get owned, and a maintenance rhythm that prevents most of it.
Temporary staff need tools on day one, not permanent Global Admin on day ninety.
Powering off is not decommissioning. Data remnants and DNS ghosts linger.
By Michael NarehoodMicrosoft 365
Broken inheritance solves one share and creates ten mysteries.
By Michael NarehoodMicrosoft 365
Federation and guest access are powerful, and easy to leave too open.
Block-all vs allow-with-logging: picking a control that matches your risk.
Registrar default DNS is fine until you need fast changes, DNSSEC, or failover. What to evaluate.
By Michael NarehoodMicrosoft 365
Secure Score is a guide, not a grade. Which recommendations move risk for small tenants.
How to schedule Windows updates so reboots happen when people are gone and still finish.
By Michael NarehoodMicrosoft 365
Open calendars leak meetings, clients, and travel plans. Tighten defaults without killing scheduling.
Cable + LTE/5G failover patterns that keep payments and cloud apps online when the primary circuit dies.
Default passwords, ancient firmware, and flat VLANs turn MFPs into quiet pivot points.
How remote assistance should work when you care about consent, audit trails, and least privilege.
Signature AV alone is not enough. How EDR changes outcomes without requiring a SOC theater budget.
By Michael NarehoodBackups & Continuity
Retention myths, Recycle Bin limits, and the vendor questions that separate marketing from recoverability.
Captive portals are not only marketing: they set expectations and basic accountability.
Service accounts with never-expiring passwords become permanent backdoors.
Helpful toolbars are supply-chain risk. How to set a sane policy.
Anthropic's April 2026 Project Glasswing put Claude Mythos Preview to work finding critical flaws with major vendors. What that means for downstream patching at ordinary SMBs.
Rotating the PSK every week is not a strategy. Segmentation and enterprise auth are.
Default passwords and UPnP still ship with many “security” cameras. Segment them before they segment you.
Payment devices and office laptops should not share a flat network. A practical segmentation sketch.
By Michael NarehoodBackups & Continuity
A short tutorial for confirming that business backups actually restore, not just that a green checkmark appeared overnight.
By Michael NarehoodBackups & Continuity
MFA, EDR, and backup proof: what underwriters ask and how to answer without scrambling.
Contractors and MSPs change. Make sure their VPN, admin, and SaaS access changes with them.
By Michael NarehoodBackups & Continuity
OneDrive and Google Drive mirror mistakes as efficiently as they mirror files. What real backup adds.
Separate guests from production without making the lobby password a company secret.
By Michael NarehoodBackups & Continuity
A focused working session to improve your odds before an incident, not a multi-month maturity model.
By Michael NarehoodMicrosoft 365
Disable stale accounts, reclaim licenses, and shrink attack surface before summer projects start.
Full tunnel vs split tunnel is a security and performance comparison. Make it on purpose.
NAS firmware holes are quiet until ransomware finds the share.
Block macros from the internet. Your 2014 workflow may need a redesign.
Why delayed disablement is a predictable incident.
By Michael NarehoodMicrosoft 365
Litigation holds, archives, and “we keep mail forever”: clarify before you need eDiscovery.
By Michael NarehoodBackups & Continuity
Three copies, two media, one offsite, updated for cloud and ransomware realities.
A two-hour quarterly ritual that catches privilege creep before an audit or an attacker does.
Move past email attachments for sensitive files without making clients jump through hoops.
End-of-support appliances quietly become unpatchable internet doors. How to plan a refresh without drama.
A plain-language tour of the three records that decide whether your mail looks legitimate.
By Michael NarehoodMicrosoft 365
SharePoint and OneDrive sharing settings that balance client collaboration with least privilege.
The phrases and patterns that should trigger a pause before anyone moves money.
CPAs and bookkeepers become high-value targets each spring. Harden the paths to returns and source docs.
Old TLS versions linger in niche payment and LOB software. Plan the break.
Disk full and certificate expiry beat vanity dashboards.
Day-one access without day-one admin rights.
A one-page network truth file beats a heroic tribal-knowledge culture.
Credit-card SaaS purchases create data and identity debt. How to see it without becoming the department of no.
When one ancient app pins you to an old OS, and exit ramps that are less painful than denial.
SIM swaps and SS7 abuse make text-message codes weaker than app-based or FIDO MFA.
BitLocker and FileVault basics so a stolen laptop is an inconvenience, not a breach notification.
When a classic VPN is enough, when it becomes a liability, and what “zero trust” means without the buzzwords.
How to run awareness tests that improve reporting rates instead of breeding resentment.
A lightweight cadence so Windows and Microsoft 365 updates do not become quarterly fire drills.
Ransomware and commodity malware love over-privileged users. How to shrink admin without breaking work.
By Michael NarehoodMicrosoft 365
A practical way to kill shared spreadsheets without enterprise IAM theater.
Cold-weather power events take down offices that thought “the cloud” made on-site power irrelevant.
By Michael NarehoodMicrosoft 365
Why “just use the info@ mailbox” creates audit and access problems, and cleaner patterns that scale.
Attackers spam approve prompts until someone taps Yes. How number matching and better MFA choices help.
Skip the resolutions theater. Five security habits SMBs can keep through February and beyond.
By Michael NarehoodAnnouncements
What this publication is for, how we write, and what small-business IT topics you can expect next.
iOS 26 arrived on September 15, 2025 with Liquid Glass design, Phone and Messages upgrades, Apple Intelligence improvements, and a new Games app.
Emergency browser updates do not wait for Patch Tuesday. How SMBs should force Chrome updates, control extensions, and close the relaunch gap before attackers do.
Cursor and similar tools can speed up PowerShell and bash work for MSPs, but only if you review output, protect secrets, and treat suggestions as starting points.
Ubuntu 25.04 shipped in April 2025 with GNOME 48, Linux 6.14, and refreshed toolchains. Here's when it fits your lab versus staying on 24.04 LTS.
By Michael NarehoodMicrosoft 365
What Copilot actually costs, how it uses your tenant data, and when it helps small teams versus generating expensive drafts nobody trusts.
By Michael NarehoodCloud & DevOps
Workers can replace a surprising amount of API and edge logic, but it is not a default for every app. A practical guide to when serverless at the edge beats traditional hosting.
DeepSeek's R1 models got ops and dev teams paying attention. Here is why, plus sober notes on local vs API use and why client data does not belong in random endpoints.
Nintendo's January 2025 first look at Switch 2: release timing, backward compatibility, and what the reveal video actually showed.
After a year with Valve's OLED revision: battery life, the screen, Dock and Desktop Mode for light work, and whether it earns a spot in a family PC lineup.
Sony's PS5 Pro arrived in November 2024 with a faster GPU and AI upscaling. A plain-language guide for households deciding between Pro, Slim, and keeping what they have.
Microsoft’s Windows Server 2025 LTSC release brings hotpatching, stronger Active Directory and SMB security, hybrid cloud options, and a 180-day evaluation download.
Apple Intelligence landed in late 2024 with on-device models and Private Cloud Compute. What MDM admins should decide before enabling it on managed devices.
Highlights from Ubuntu 24.10 (Oracular Oriole), including Linux 6.11, GNOME 47, Wayland by default, and security improvements.
An overview of XCP-ng 8.3: updated Xen and kernel stack, security and performance improvements, LTS direction, install/upgrade notes, and what to check before you move.
Microsoft's 2024 feature update is not a click-and-forget release. Pilot rings, app friction, and how to avoid surprise broad enablement on busy fleets.
iOS 18.0.1 fixes iPhone 16 touchscreen and camera issues, Messages crashes, performance problems, and important security bugs in Messages and Passwords.
What Xen Orchestra is, why Xen Tools matter, the VM sizing to use, and a straightforward path to install XO for managing your XCP-ng hosts.
macOS 15 is GA with iPhone Mirroring, a Passwords app, and continuity changes IT should pilot before a broad upgrade.
OpenAI's o1 preview changed how some tasks get done. Here is what is different from ChatGPT, where the cost makes sense, and where it is overkill for everyday MSP work.
A practical shortlist of WordPress plugins for security, Google insights, SEO, legal pages, and caching: what each one does and when Premium is worth it.
Steam's biggest launch of 2024 hammered gaming PCs. Here is what to expect on performance, drivers, and the breakroom machine your staff keeps rebooting.
A bad Falcon content update crashed millions of Windows systems. Here is what small IT teams should change without turning it into blame theater.
By Michael NarehoodSoftware & Releases
Mozilla's new ESR base landed in July 2024. Here is the cadence, extension policy work, and when ESR still beats rapid release for line-of-business apps.
By Michael NarehoodConsumer Tech
Microsoft delayed Recall for Copilot+ PCs after privacy pushback. Here is what the feature does, why it spooked security folks, and how to evaluate new hardware.
By Michael NarehoodSoftware & Releases
Google finished the MV3 transition. Here is what broke, what still works, and a practical checklist for extension policy at work.
By Michael NarehoodCloud & DevOps
After Redis Inc. changed licensing, the Linux Foundation fork Valkey offers a BSD path forward. Here is when new builds should pick Valkey and when staying on Redis still makes sense.
CVE-2024-3094 hit rolling Linux distros hard. Here is what happened, who was exposed, and the checks SMB teams should run.
By Michael NarehoodSoftware & Releases
Redis moved new releases to RSALv2 and SSPLv1 in March 2024. Valkey forked the BSD line. Here is how to pick a path without panic.