CIAOPS Academy

Today I’m sharing Robert Crane’s CIAOPS Academy service. He’s an Australian-based Microsoft Office Servers and Services MVP, and seems to be rather busy with all his different projects, including the CIAOPS Need To Know podcast.

That podcast I highly recommend as an easy way to keep up on the latest Office 365 and Azure news. Even though I try to keep on top of it myself, they often raise other new features or changes that I hadn’t come across yet.

Beyond that though, the CIAOPS Academy is a service I personally pay for that Robert provides. I am on the lowest tier, but the private Facebook group that Robert runs is an invaluable source of fellow professionals who ask and help all things in the Microsoft tech space.

It’s different to other communities with its paywall, as everyone is invested and cares about the topics raised.

There’s also a referral program for signups – sure you can use my affiliate link to CIAOPS Academy or use one that doesn’t help me pay for my own access here. I’m not one to suggest services or products I don’t believe in myself, but I’ve had several questions raised already which has more than paid for the service in my mind.

The bronze level (which is what I use) is enough for me right now, but higher levels give you access to videos and other training materials.

The bonus news I can share here is that there is now a 7 day trial available, which is mentioned at the bottom of the patron page above. If you want to see what it’s about and check it’s worthwhile, you can now do it for free!

In summary, if you’re someone who is either new to, or currently managing Office 365 and Azure, this is a great group of people to be a part of. I’m not the only other Microsoft MVP there, which I think shows the value of this service.

Toreba Crane Game Prizes

I’d stopped playing Toreba Crane Game for a while, but had recently gotten back into it again. It’s a rather expensive thing to do, unless you’re very selective and careful about what you play and when. If you’re not sure what Toreba Crane Game is, go back and read my post ‘I won a Japanese Toy?’

Anyway, I’ve now stopped playing again after winning a bunch of stuff and requesting shipping. These boxes then turned up a few weeks later:

Within them were many treasures. Here’s each win and the resulting prize:

 

  • Shaun The Sheep
  • Ice Shaver
  • Hot Wheels Monster Trucks
  • Solar Powered Fan Hat
  • Racing Track Game
  • Luigi Hat
  • Dog Tooth Game
  • Fish Sausage
  • Capybara Slippers

Some of these items are pretty wacky. I couldn’t go past the Capybara slippers, which my wife is now wearing. The Fish Sausage was ‘not food’ according to the description, but it was an easy win and I was curious. After some research, I found out that fish sausages are a common snack in Japan. However, this is a fake, stretchy rubber one that was packaged up like a real one. I have no idea what use I have for this.

The dog tooth game was something I actually wanted to get my son, but the toy broke before I got to use it properly. The Luigi hat is pretty self explanatory, except the game to win that one was to drop a ping pong ball into the white circle. That one’s a bit random and more luck based.

The racing track game I haven’t opened, that’s gone into the cupboard as a Christmas present for my son. The solar powered fan hat looks incredibly tacky, and I haven’t taken it outside to test it, due to fear of the fashion police arresting me, sending me to fashion jail and throwing away the key. The Hot Wheels were opened and actually pretty good quality wise (I can’t tell if they’re knockoffs or not) so that was an actual decent prize.

The ice shaver hasn’t been opened yet either – it’s to make shaved ice but I have no idea why/how/what or if I’ll lose a finger trying it. We’ll see. Finally up the top was a small Shaun the Sheep toy. That one I got first shot, but I still may have been able to get it cheaper from a $2 shop :)

I wouldn’t suggest you play this due to the expense, but if you want to watch or play you can do it from a PC browser as well as on Android.

How To Suppress “A website wants to open web content using this program on your computer”

As part of Windows 10 testing, I came across this prompt.

Internet Explorer Security
A website wants to open web content using this program on your computer
This program will open outside of Protected mode. Internet Explorer's 
Protected mode helps protect your computer. If you do not trust this 
website, do not open this program.
Name: XXX
Publisher XXX

Do not show me this warning for this program again

When you open a file in Internet Explorer 11 from a site that is in the Internet zone (that is, not in your intranet zone or trusted sites zone), you’ll be prompted with the above Internet Explorer Security prompt.

This doesn’t happen for IE11 on Windows 7.

Because there’s a tickbox that lets a user suppress the prompt in future for when that particular program is called, it may just get in the way for users the first time they see it and cause confusion. It’s on a per app basis – once you allow Microsoft Word, it’s allowed for all sites, but that won’t allow Microsoft Excel.

To stop this prompt for commonly used applications, you can use Group Policy to roll out registry settings that would be applied if the user had ticked the box already for that app.

The registry settings live in HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\ with a unique GUID for each application.

Here’s a screenshot showing settings for Microsoft Word:

Here’s the raw registry settings:

Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{342263D0-430D-4325-919B-666CE94C4334}]
"Policy"=dword:00000003
"AppPath"="C:\\Program Files (x86)\\Microsoft Office\\Office16"
"AppName"="WINWORD.EXE"

This can be saved into a .reg file, imported onto your PC, then using Group Policy’s Registry Import Wizard, imported into a Group Policy and deployed. Again, this will need to be done for each application you want to automatically allow.
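An added example, not part of the original post: a PowerShell audit of the ElevationPolicy entries described above, useful after the registry settings have been deployed. It decodes Policy (0 blocked, 1 silent at low integrity, 2 prompt, 3 silent at medium integrity) and flags silent medium-integrity entries whose program sits outside Program Files or the Windows folder; the HKLM location and the `Review` column are additions of this example.

```powershell
# Added example: list IE Protected Mode ElevationPolicy entries and flag ones to review.
# Policy: 0 = launch blocked, 1 = silent at low integrity,
#         2 = prompt then medium integrity, 3 = silent at medium integrity.
$meaning = @{ 0 = 'Blocked'; 1 = 'Silent, low'; 2 = 'Prompt, medium'; 3 = 'Silent, medium' }
$roots = @(
    'HKCU:\Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy'   # path from the post
    'HKLM:\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy'   # machine-wide entries
)
# Folders a standard user cannot normally write to.
$protected = @($env:ProgramFiles, ${env:ProgramFiles(x86)}, $env:windir) | Where-Object { $_ }

$report = foreach ($root in $roots) {
    if (-not (Test-Path -LiteralPath $root)) { continue }
    foreach ($key in Get-ChildItem -LiteralPath $root) {
        $p = Get-ItemProperty -LiteralPath $key.PSPath
        # Entries without AppName/AppPath (for example COM brokers) are skipped here.
        if ($null -eq $p.Policy -or -not $p.AppName -or -not $p.AppPath) { continue }
        $dir  = [Environment]::ExpandEnvironmentVariables([string]$p.AppPath)
        $full = Join-Path -Path $dir -ChildPath $p.AppName
        $inProtected = [bool]($protected | Where-Object {
            $full.StartsWith($_ + '\', [StringComparison]::OrdinalIgnoreCase) })
        [pscustomobject]@{
            Hive    = $root.Substring(0, 4)
            Guid    = $key.PSChildName
            Program = $full
            Policy  = $meaning[[int]$p.Policy]
            Exists  = Test-Path -LiteralPath $full
            # Silent medium-integrity launch of a binary in a user-writable location.
            Review  = ([int]$p.Policy -eq 3) -and -not $inProtected
        }
    }
}
$report | Sort-Object Review -Descending | Format-Table -AutoSize
```

With the Word entry from the post deployed, the output should show one HKCU row for WINWORD.EXE with `Silent, medium`, `Exists` true on machines where Office is installed at that path, and `Review` false.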

Half-Pink, Half Blue

A light-hearted post today!

“Half-pink, half blue” was the answer I saw to an IT question from an end user, and for some reason it amused me. I decided to ask on Twitter what people thought the question could be that led to this response:


Jess has a reasonable guess:


Shane however may need to reconsider what interactions he has with users:


John may have been having a bad day:


Daniel however, came up with a pretty good guess. Wrong, but still good:


Tim decided to use a word that made me google it, and even then I’m not sure what’s going on, but I’m sure Tim does:


Daniel came back with another good guess, I’m sure I’ve seen a CRT similar to this:


David however, decided he’d rather a visit to the HR department:


Jim expected the worst from a user, and assumed self injury through poor choices. Maybe he’s been here before:


However, nobody actually guessed the correct answer.

Tough to guess since the colour’s actually red, not pink, but I still liked the answer.

Interview Tips for an I.T. Job (Gooroo.io)

I had written this article on Gooroo.io a little while ago and thought it was worth resharing. Here’s an extract of the beginning:

Applying for an I.T. role is often a nerve wracking experience. Here’s some tips that I’ve learnt from being on both ends of the hiring process – both going for roles, as well as interviewing and working with Human Resources on what makes a good candidate.

Some of these might sound like common sense, but getting one wrong can mean the difference between being the first pick and the second, especially frustrating when there’s no prize for second place.

You’ve gotten as far as getting an interview, so here’s some fundamental pointers to keep your foot in the door:

1. Research The Company

I.T. people will often apply for a role based on the requirements of the role itself, and not really care what the company does. It’s a fair view to have when searching for roles, but you need to know the basics about the company when talking to them face to face. Check their website, see what they do. Check the news, were they mentioned in anything recently?

It’s important to have this information ready to use, but not to show it off. Forcing your newly acquired knowledge into conversation won’t work well – but many interviewers will ask what you know about the company, and having a response that’s a short and sweet overview will go towards making good impressions….

To read the rest, please click here

Chinese Characters in IE11, Edge and Windows 10

I recently worked on an issue where all Windows 10 users were seeing two strange display issues on certain websites via Internet Explorer 11 and Edge. There were two noticeable symptoms:

  • Chinese characters would show in particular locations on many websites. These were often buttons, but sometimes other symbols.
  • Buttons would be completely blank. The buttons themselves still worked, so you could use them if a graphical representation of the button was still visible, or if you knew where to click.

This was even presenting itself in Office 365 – I couldn’t see the Notifications, Settings or Help buttons, and they would instead show as blank boxes.

This was found while piloting Windows 10 from Windows 7. The visible options in Internet Explorer seemed identical, and other browsers weren’t affected – Chrome could display these sites perfectly fine.

I worked out what the problem and fix were (jump to the end if you want that now), but here’s the story on how we got to this broken state:

As part of prepping for Windows 10, I followed Microsoft’s Security Baseline documentation which contains a handy Excel spreadsheet, with recommendations on what Group Policy settings you should use for best security practices. I followed this (I’ve linked to a newer version) and made choices based on understanding each option, and what worked for us. There were very few settings I didn’t follow exactly.

One of these settings was ‘Untrusted Font Blocking’. The document recommended enabling this, to stop untrusted fonts being used as they’re a security risk: loading a font can allow elevation of privilege, and this has been used before. Made sense to me, so I enabled it.

This is what Group Policy says about Untrusted Font Blocking:

This security feature provides a global setting to prevent programs from loading untrusted fonts. Untrusted fonts are any font installed outside of the %windir%\Fonts directory. This feature can be configured to be in 3 modes: On, Off, and Audit. By default, it is Off and no fonts are blocked. If you aren’t quite ready to deploy this feature into your organization, you can run it in Audit mode to see if blocking untrusted fonts causes any usability or compatibility issues.

Eventually with a lot of testing and googling, I tried disabling this option – and it worked. Once you know the fix to a problem, it’s really easy to work backwards to find out more about it.

It turns out that, in simple terms, websites can supply their own fonts to use. It may be easier to present an arrow that’s from a font, rather than making a graphic. Usually the site will load the font on the fly, but blocking that means the site falls back to a ‘best match’ font, which seems to be either a font for Chinese characters, or a font that has a blank character for the matched result. Makes sense.

Microsoft changed their mind on this recommendation, only a month ago from time of writing. That recommendation change is worth reading, as it explained why they did it, and why they’re now changing their mind. The good news is that you’re not losing security by abandoning this setting, as the way fonts are parsed has changed from kernel to sandboxed user mode.

TL;DR version:

Turn off Untrusted Font Blocking through either of these methods:

Group Policy – Disable or change to Not Configured: Computer Configuration > Policies > Administrative Templates > System > Mitigation Options > Untrusted Font Blocking

Registry Setting – HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Kernel\ – QWORD MitigationOptions

  • To turn this feature on. Type 1000000000000.
  • To turn this feature off. Type 2000000000000.
  • To audit with this feature. Type 3000000000000.

Important: Your existing MitigationOptions values should be saved during your update. For example, if the current value is 1000, your updated value should be 1000000001000.
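An added example, not part of the original post: PowerShell that changes only the font-blocking bits of MitigationOptions and keeps every other bit, which is what the note about saving existing values asks for. The values on the page are hexadecimal as typed into regedit; the function names are this example's own, and it assumes the value is a QWORD as the page describes.

```powershell
# Added example: update only the Untrusted Font Blocking bits of MitigationOptions.
# The page's values are hex: On = 0x1000000000000, Off = 0x2..., Audit = 0x3...
$FontModes = @{ On = 0x1000000000000; Off = 0x2000000000000; Audit = 0x3000000000000 }
$FontMask  = 0x3000000000000    # the two bits the font-blocking setting occupies

function Get-FontBlockingMode([Int64]$Value) {
    $bits = $Value -band $FontMask
    $name = $FontModes.Keys | Where-Object { $FontModes[$_] -eq $bits }
    if ($name) { $name } else { 'NotSet' }
}

function Merge-FontBlockingMode {
    param([Int64]$Current, [ValidateSet('On', 'Off', 'Audit')][string]$Mode)
    # Clear the two font bits, keep everything else, then set the requested mode.
    ($Current -band (-bnot $FontMask)) -bor $FontModes[$Mode]
}

# The page's own case: existing value 1000 (hex) with "On" gives 1000000001000.
'{0:X}' -f (Merge-FontBlockingMode -Current 0x1000 -Mode On)

$key = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\Kernel'
$raw = (Get-ItemProperty -LiteralPath $key -Name MitigationOptions `
        -ErrorAction SilentlyContinue).MitigationOptions

if ($null -ne $raw -and $raw -isnot [ValueType]) {
    # Assumption of this example: the value is a QWORD. Anything else is left alone.
    Write-Warning "MitigationOptions is $($raw.GetType().Name), not a QWORD; not changing it."
}
else {
    $current = [Int64]$raw          # a missing value counts as 0
    $new     = Merge-FontBlockingMode -Current $current -Mode Off
    'Current: 0x{0:X} ({1})   New: 0x{2:X} ({3})' -f `
        $current, (Get-FontBlockingMode $current), $new, (Get-FontBlockingMode $new)
    # -WhatIf reports the write without making it; remove it to apply (needs elevation).
    Set-ItemProperty -LiteralPath $key -Name MitigationOptions -Type QWord -Value $new -WhatIf
}
```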

Deploying Printers In Windows 10

Printers are pretty easy to deploy via Group Policy. It’s easy to configure a Group Policy Preference to deploy a printer, but there’s a few gotchas that may prevent the printer from actually getting installed client side.

The first thing to check is Event Viewer > Applications. If Group Policy attempts to add a printer but fails, it should be logged as a warning and give an idea on what the problem is. If you’re stuck – enable Group Policy Preferences Logging and Tracing for Printers, and see if you get more data.

For Windows 10, depending on what patch level you’re at, what drivers the print server has, and whether those drivers are packaged or not, you’ll probably have to enable more policies to make printers deploy. If you don’t, you may see this error in Event Viewer: “Group Policy Object did not apply because it failed with error code ‘0x80070bcb The specified printer driver was not found on the system and needs to be downloaded.’ ”

There’s a lot of information out there on this topic – but generally, the main reason a printer won’t automatically install is because of UAC. If you try to manually install one of these printers, you’ll get the ‘Do you trust this printer’ warning, and even after continuing on that, the install may fail.

There’s two Group Policies to configure to get around this, which I found blogged at Systemcenterdudes so please read their post – but you need to enable these two policies:

Computer Configuration > Policies > Administrative Templates > Printers – Package Point and Print

Computer Configuration > Policies > Administrative Templates > Printers – Point and Print 

In both of the policy settings, you may need to specify your print servers. It wouldn’t work for me until I did – and it’s a better security approach to do this anyway.

Once that was done, printers were then able to be installed automatically via Group Policy. There’s some other ways I’ve read to change how the drivers work, push out registry fixes etc – but to me this seems the simplest and safest approach (assuming it works for you too!).
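An added example, not part of the original post: a PowerShell check to run on a client after Group Policy applies, confirming that both policies landed and that they name specific print servers rather than trusting any server. The registry key and value names below are assumptions about what the Printers administrative template writes; confirm them against `gpresult /h` output before relying on the result.

```powershell
# Added example: verify the Point and Print policies on a client.
# Key and value names are assumptions of this example (see lead-in).
$base = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Printers'
$pnp  = "$base\PointAndPrint"           # "Point and Print Restrictions" policy
$pkg  = "$base\PackagePointAndPrint"    # "Package Point and Print" policy

function Get-PolicyValue([string]$Path, [string]$Name) {
    # Returns $null when the key or the value does not exist.
    (Get-ItemProperty -LiteralPath $Path -Name $Name -ErrorAction SilentlyContinue).$Name
}

# Point and Print: semicolon-separated server list.
$pnpServers = @((Get-PolicyValue $pnp 'ServerList') -split ';' | Where-Object { $_ })

# Package Point and Print: one registry value per approved server.
$pkgServers = @()
if (Test-Path -LiteralPath "$pkg\ListofServers") {
    $k = Get-Item -LiteralPath "$pkg\ListofServers"
    $pkgServers = @($k.GetValueNames() | ForEach-Object { $k.GetValue($_) })
}

$result = [pscustomobject]@{
    PnpLimitedToServers     = (Get-PolicyValue $pnp 'TrustedServers') -eq 1
    PnpServers              = $pnpServers -join ', '
    PkgLimitedToServers     = (Get-PolicyValue $pkg 'PackagePointAndPrintServerList') -eq 1
    PkgServers              = $pkgServers -join ', '
    InstallPromptSuppressed = (Get-PolicyValue $pnp 'NoWarningNoElevationOnInstall') -eq 1
    UpdatePromptSetting     = Get-PolicyValue $pnp 'UpdatePromptSettings'
}
$result | Format-List

# The combination to avoid: prompts suppressed while no server list restricts the source.
if ($result.InstallPromptSuppressed -and
    -not ($result.PnpLimitedToServers -and $pnpServers.Count -gt 0)) {
    Write-Warning 'Driver install prompts are suppressed but no print server list is enforced.'
}
```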

If you’ve had a different experience or the above doesn’t work, please share!