
CIAOPS Podcast – Adam Fowler

I’ve been a bit quiet here this month. One of the reasons was having a Microsoft Premier Field Engineer (PFE) onsite for a week for an Azure Fast Track. It’s a program provided by Microsoft to give you someone that can help you start onboarding to the product of choice. I’ve done a few Fast Tracks now and they’ve always been valuable – having a great tech sent onsite and pretty much doing whatever you want to focus on around the topic.

By sheer luck, that Microsoft PFE was Marc Kean, co-host of the Need To Know Podcast. That meant I had the opportunity to go on the podcast, which went live this week. It was great having Marc over, and we also caught up with Brett Moffett who co-runs the Adelaide Microsoft IT Pro Community with me.

I’d mentioned the podcast and CIAOPS only at the start of the month here, and this was before I knew I’d be spending a week with Marc, and even be on it. Funny how these things happen sometimes. I also said I’d have these links on my site by the time the podcast went live, but I missed that by a few days :)

Hopefully I’ll have some more techy posts up soon, there’s a lot of different things I’ve got happening so I’m sure it won’t be far off.

Also, if you’re ever visiting Adelaide and either want to attend or even present at our user group, please join the Meetup group and come along!


How To Suppress “A website wants to open web content using this program on your computer”

As part of Windows 10 testing, I came across this prompt.

Internet Explorer Security
A website wants to open web content using this program on your computer
This program will open outside of Protected mode. Internet Explorer's 
Protected mode helps protect your computer. If you do not trust this 
website, do not open this program.
Name: XXX
Publisher XXX

Do not show me this warning for this program again

When you open a file from a site in the Internet zone (that is, not in your intranet zone or trusted sites zone) in Internet Explorer 11 on Windows 10, you’ll be prompted with the above Internet Explorer Security dialog.

This doesn’t happen for IE11 on Windows 7.

There’s a tickbox that lets a user suppress the prompt in future for that particular program, but it can still get in the way and confuse users the first time they see it. It’s on a per-app basis: once you allow Microsoft Word, it’s allowed for all sites, but that won’t allow Microsoft Excel.

To stop this prompt for commonly used applications, you can use Group Policy to roll out registry settings that would be applied if the user had ticked the box already for that app.

The registry settings live in HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\ with a unique GUID for each application.

Here’s a screenshot showing settings for Microsoft Word:

Here are the raw registry settings:

Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{342263D0-430D-4325-919B-666CE94C4334}]
"Policy"=dword:00000003
"AppPath"="C:\\Program Files (x86)\\Microsoft Office\\Office16"
"AppName"="WINWORD.EXE"

This can be saved into a .reg file, imported onto your PC, then using Group Policy’s Registry Import Wizard, imported into a Group Policy and deployed. Again, this will need to be done for each application you want to automatically allow.
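As an added example (not from the original post), this PowerShell writes the same ElevationPolicy entry the .reg file above creates, with a freshly generated GUID, and lists the entries already present so stale or unexpected whitelist entries can be reviewed. It assumes the Office16 path shown above; change the path and executable name for other applications.

```powershell
# Added example, not from the original post: writes the same ElevationPolicy
# entry that ticking "Do not show me this warning" (or the .reg file above)
# creates, and lists what is already whitelisted. Each entry lets that program
# be launched from IE outside Protected Mode, so review the list periodically.

$policyRoot = 'HKCU:\Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy'

function Add-IEElevationPolicy {
    param(
        [Parameter(Mandatory)][string]$AppPath,    # folder holding the executable
        [Parameter(Mandatory)][string]$AppName,    # executable name, e.g. WINWORD.EXE
        [ValidateSet(0, 1, 2, 3)][int]$Policy = 3  # 3 = launch silently, as the tickbox sets
    )
    # Only whitelist a program that is really installed at the stated path; a
    # stale path usually means the rule was written for a different Office version.
    $exe = Join-Path $AppPath $AppName
    if (-not (Test-Path -LiteralPath $exe)) { throw "Executable not found: $exe" }

    # The GUID is just a unique key name; any new GUID will do.
    $key = Join-Path $policyRoot ('{' + [guid]::NewGuid().ToString().ToUpper() + '}')
    New-Item -Path $key -Force | Out-Null
    New-ItemProperty -Path $key -Name 'Policy'  -PropertyType DWord  -Value $Policy  -Force | Out-Null
    New-ItemProperty -Path $key -Name 'AppPath' -PropertyType String -Value $AppPath -Force | Out-Null
    New-ItemProperty -Path $key -Name 'AppName' -PropertyType String -Value $AppName -Force | Out-Null
    return $key
}

function Get-IEElevationPolicy {
    # One row per GUID subkey; Installed = $false flags entries worth removing.
    Get-ChildItem -Path $policyRoot -ErrorAction SilentlyContinue | ForEach-Object {
        $p = Get-ItemProperty -Path $_.PSPath
        $exe = if ($p.AppPath -and $p.AppName) { Join-Path $p.AppPath $p.AppName }
        [pscustomobject]@{
            Guid      = $_.PSChildName
            Policy    = $p.Policy
            AppPath   = $p.AppPath
            AppName   = $p.AppName
            Installed = [bool]($exe -and (Test-Path -LiteralPath $exe))
        }
    }
}

# Whitelist Word exactly as the .reg file in the post does, then review everything.
Add-IEElevationPolicy -AppPath 'C:\Program Files (x86)\Microsoft Office\Office16' -AppName 'WINWORD.EXE'
Get-IEElevationPolicy | Format-Table -AutoSize
```

To deploy through the Group Policy Registry Import Wizard as the post describes, run this once on a reference PC and export the resulting key with reg.exe export.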

Chinese Characters in IE11, Edge and Windows 10

I recently worked on an issue where all Windows 10 users were seeing strange display problems on certain websites in Internet Explorer 11 and Edge. There were two noticeable symptoms:

  • Chinese characters would show in particular locations on many websites. These were often buttons, but sometimes other symbols.
  • Buttons would be completely blank. The buttons themselves still worked, so you could use them if they still had a graphical representation, or if you knew where to click.

This was even presenting itself in Office 365 – I couldn’t see the Notifications, Settings or Help buttons, and they would instead show as blank boxes.

This was found while piloting Windows 10 from Windows 7. The visible options in Internet Explorer seemed identical, and other browsers weren’t affected; Chrome could display these sites perfectly fine.

I worked out what the problem and fix was (jump to the end if you want that now), but here’s the story on how we got to this broken state:

As part of prepping for Windows 10, I followed Microsoft’s Security Baseline documentation, which contains a handy Excel spreadsheet with recommendations on what Group Policy settings you should use for security best practice. I followed this (I’ve linked to a newer version) and made choices based on understanding each option and what worked for us. There were very few settings I didn’t follow exactly.

One of these settings was ‘Untrusted Font Blocking’. The document recommended enabling this to stop untrusted fonts being used, as they’re a security risk: a malicious font can be used to gain elevated privileges, and this has been exploited before. Made sense to me, so I enabled it.

This is what Group Policy says about Untrusted Font Blocking:

This security feature provides a global setting to prevent programs from loading untrusted fonts. Untrusted fonts are any font installed outside of the %windir%\Fonts directory. This feature can be configured to be in 3 modes: On, Off, and Audit. By default, it is Off and no fonts are blocked. If you aren’t quite ready to deploy this feature into your organization, you can run it in Audit mode to see if blocking untrusted fonts causes any usability or compatibility issues.

Eventually with a lot of testing and googling, I tried disabling this option – and it worked. Once you know the fix to a problem, it’s really easy to work backwards to find out more about it.

It turns out that, in simple terms, websites can supply their own fonts. It may be easier to show an arrow taken from a font than to make a graphic of it. Usually the site loads the font on the fly, but blocking that means the site falls back to a ‘best match’ font, which seems to be a font for Chinese characters, or a font that has a blank glyph for the matched character. Makes sense.

Microsoft changed their mind on this recommendation only a month ago at time of writing. That recommendation change is worth reading, as it explains why they made it in the first place, and why they’re now changing their mind. The good news is that you’re not losing security by abandoning this setting, as font parsing has moved from the kernel into sandboxed user mode.

TL;DR version:

Turn off Untrusted Font Blocking through either of these methods:

Group Policy – Disable or change to Not Configured: Computer Configuration > Policies > Administrative Templates > System > Mitigation Options > Untrusted Font Blocking

Registry Setting – HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Kernel\ – QWORD MitigationOptions

  • To turn this feature on, type 1000000000000.
  • To turn this feature off, type 2000000000000.
  • To audit with this feature, type 3000000000000.

Important: your existing MitigationOptions values should be preserved during your update. For example, if the current value is 1000, your updated value should be 1000000001000.
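As an added example (not from the original post), this PowerShell handles the ‘Important’ note above by rewriting only the font-blocking digit of MitigationOptions and leaving every other bit untouched. It assumes the values quoted above are hexadecimal, as the registry editor shows QWORD values, so 1000000000000 is bit 48 and the font-blocking mode occupies bits 48 to 51.

```powershell
# Added example, not from the original post: update only the Untrusted Font
# Blocking digit (bits 48-51) of the MitigationOptions QWORD so that any other
# mitigation bits already present on the machine survive, which is what the
# "Important" note in the post asks for. Values are hexadecimal.

$kernelKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\Kernel'
$fontMask  = [int64]0xF000000000000     # the nibble that holds the font-blocking mode

function Get-UpdatedMitigationOptions {
    # Pure calculation, separated so it can be checked before anything is written.
    param(
        [int64]$Current,
        [ValidateSet('On', 'Off', 'Audit')][string]$Mode
    )
    $nibble = switch ($Mode) {
        'On'    { [int64]0x1000000000000 }
        'Off'   { [int64]0x2000000000000 }
        'Audit' { [int64]0x3000000000000 }
    }
    # Clear the font-blocking nibble, keep everything else, then OR in the new mode.
    return ($Current -band (-bnot $fontMask)) -bor $nibble
}

function Set-UntrustedFontBlocking {
    param([ValidateSet('On', 'Off', 'Audit')][string]$Mode)
    $item = Get-ItemProperty -Path $kernelKey -Name 'MitigationOptions' -ErrorAction SilentlyContinue
    $current = if ($null -eq $item) { [int64]0 } else { [int64]$item.MitigationOptions }
    $new = Get-UpdatedMitigationOptions -Current $current -Mode $Mode
    Write-Host ('MitigationOptions: 0x{0:X} -> 0x{1:X}' -f $current, $new)
    Set-ItemProperty -Path $kernelKey -Name 'MitigationOptions' -Type QWord -Value $new
    Write-Host 'Change takes effect after a restart.'
}

# The post's own worked case: existing value 1000, turning the feature on must
# give 1000000001000 rather than overwriting the existing 1000.
'{0:X}' -f (Get-UpdatedMitigationOptions -Current 0x1000 -Mode 'On')    # 1000000001000

# What the post recommends: turn the feature off (or set the GPO to Not Configured).
Set-UntrustedFontBlocking -Mode 'Off'
```

Run it elevated; if the setting is also managed by Group Policy, the GPO will rewrite the value at the next refresh, so change the policy rather than fighting it with the registry.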

Deploying Printers In Windows 10

Printers are pretty easy to deploy via Group Policy. It’s easy to configure a Group Policy Preference to deploy a printer, but there are a few gotchas that may prevent the printer from actually getting installed client side.

The first thing to check is Event Viewer > Application. If Group Policy attempts to add a printer but fails, it should be logged as a warning and give an idea of what the problem is. If you’re stuck, enable Group Policy Preferences logging and tracing for printers, and see if you get more data.

For Windows 10, depending on what patch level you’re at, what drivers the print server has, and whether those drivers are packaged or not, you’ll probably have to enable more policies to make printers deploy. If you don’t, you may see this error in Event Viewer: “Group Policy Object did not apply because it failed with error code ‘0x80070bcb The specified printer driver was not found on the system and needs to be downloaded.’ ”

There’s a lot of information out there on this topic, but generally the main reason a printer won’t automatically install is UAC. If you try to manually install one of these printers, you’ll get the ‘Do you trust this printer’ warning, and even after continuing past that, the install may fail.

There are two Group Policy settings to configure to get around this, which I found blogged at Systemcenterdudes (please read their post), but in short you need to enable these two policies:

Computer Configuration > Policies > Administrative Templates > Printers – Package Point and Print

Computer Configuration > Policies > Administrative Templates > Printers – Point and Print

In both of the policy settings, you may need to specify your print servers. It wouldn’t work for me until I did, and it’s a better security approach to do this anyway.

Once that was done, printers were able to be installed automatically via Group Policy. There are some other ways I’ve read to change how the drivers work, push out registry fixes etc., but to me this seems the simplest and safest approach (assuming it works for you too!).
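As an added example (not from the original post or the Systemcenterdudes one), this PowerShell check shows how the two Point and Print policies landed in the client registry and pulls recent Group Policy printer warnings from the Application log, including the 0x80070bcb error quoted above. It assumes the standard policy locations under HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Printers and should be run in an elevated session on a client that has refreshed Group Policy.

```powershell
# Added example, not from the original post: report how the Point and Print
# and Package Point and Print policies are applied on this client, and list
# recent Group Policy printer failures from the Application log.

$pp  = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Printers\PointAndPrint'
$ppp = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Printers\PackagePointAndPrint'

function Get-PointAndPrintState {
    $p  = Get-ItemProperty -Path $pp  -ErrorAction SilentlyContinue
    $pk = Get-ItemProperty -Path $ppp -ErrorAction SilentlyContinue
    # Package Point and Print keeps its approved servers as value names under ListofServers.
    $pkgServers = @()
    $list = Get-Item -Path (Join-Path $ppp 'ListofServers') -ErrorAction SilentlyContinue
    if ($list) { $pkgServers = $list.GetValueNames() }

    [pscustomobject]@{
        PointAndPrintRestricted  = [bool]$p.Restricted
        TrustedServersOnly       = [bool]$p.TrustedServers
        TrustedServerList        = $p.ServerList                 # semicolon-separated
        NoElevationOnInstall     = [bool]$p.NoWarningNoElevationOnInstall
        PackageServersRestricted = [bool]$pk.PackagePointAndPrintServerList
        PackageServerList        = ($pkgServers -join ';')
    }
}

function Get-GPPrinterFailures {
    param([int]$Days = 7)
    # Level 3 = Warning; the GPP printer extension logs under "Group Policy Printers".
    Get-WinEvent -FilterHashtable @{ LogName = 'Application'; Level = 3; StartTime = (Get-Date).AddDays(-$Days) } -ErrorAction SilentlyContinue |
        Where-Object { $_.ProviderName -like 'Group Policy Printers*' -or $_.Message -match '0x80070bcb' } |
        Select-Object TimeCreated, Id, ProviderName, @{ n = 'Message'; e = { $_.Message -replace '\s+', ' ' } }
}

$state = Get-PointAndPrintState
$state | Format-List
# The post's advice: name your print servers rather than allowing any server.
if (-not ($state.TrustedServersOnly -and $state.TrustedServerList)) {
    Write-Warning 'Point and Print is not restricted to named print servers; installs may prompt or fail.'
}
Get-GPPrinterFailures | Format-Table -Wrap
```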

If you’ve had a different experience or the above doesn’t work, please share!

Stellar Exchange Toolkit Review

Stellar Data Recovery reached out to me to see if I was interested in reviewing their product. I only accept these when I can see a personal interest in what the product does. The 5 key things this product does are:

1. Repair corrupt EDB files
2. Mailbox Extractor for Exchange Server
3. OST – PST conversion
4. Mailbox Extractor for Exchange Backup
5. Password Recovery for MS Exchange

Primarily I was interested in OST to PST conversion, as I’ve tried to do this before and had no luck with free solutions, and wanted to try a paid product that could solve the problem. (It’s also worth noting this isn’t cheap software. Also if you only want a more basic OST to PST converter, they sell that by itself for a lot less.)

I tested the Exchange Toolkit on a 2GB Outlook 2016 OST file I’d copied off another computer. It takes a little while to process, but displays the results in a nice Outlook-esque GUI:

There’s also a search function, which is handy if you’re just after a particular email from the OST.

If you need to export the results, there’s a bunch of useful options:

I was impressed with the options to export directly to Exchange Server and Office 365! But for me, I was happy with a PST. The resulting PST file was readable via Outlook 2016, so the product does exactly what it says on the virtual box.

Another part of the toolkit I looked at was the Mailbox Extractor. Again, there are several options, but I tried connecting to a live Exchange 2010 server to extract emails:

After connecting, I was again presented with an Outlook-style view of emails. I then realised there are a few use cases for this tool that are handy to me personally: if I need to go into a mailbox to get something out, this is much easier than adding a second mailbox or profile. It also lets me take those emails out in a variety of ways; for example, I can select a folder and then export all contents of that folder into several formats, such as PST, MSG, PDF, HTML and RTF. For HTML and PDF, it will create a file per email with the same subject name.

I can see the other functions of this product being useful for someone who’s often dealing with other companies’ data, old data that needs to be restored, or extracting out a mailbox from an online Exchange server. It’s an interesting array of tools, and I’ll try to report back on whether this tool does the job well or not.

Worth checking out these tools if you run into a scenario where you need them – sometimes there’s a freeware or open source solution, but often they don’t work, are old, unreliable or limited in functionality. Stellar Exchange Toolkit seems to do what it claims well, and I look forward to trying more features in the future.

Microsoft Forms Preview

Microsoft Forms has been around for a while. A year ago, it was released only to Office 365 Education customers as a nice, simple way to make surveys and quizzes. There’s a bunch of content out there about it already, for those who want to learn more.

More recently, it’s been released to the wider population with a bunch of improvements, albeit still in ‘Preview’. As I can now access it from one of my Office 365 tenants, I thought it was worth having a play with.

Forms is a lightweight, easy way of creating questionnaires and gathering the responses. Having no experience with it previously, I made up this survey within a minute (half the time was picking a theme!).

Have a look and feel free to enter data, and try to break it:

Test Quiz

Right now, there are two options on the main Forms page: create a form, or create a quiz. Creating a quiz looks pretty blank from the beginning, with a title and the option to add a question. It’s worth mentioning that I couldn’t tell what the difference between the form and quiz options was!

Using the ‘Add question’ button gives you the options on what sort of question it is; Choice, Text, Rating or Date. From that, you’ll see a very easy to configure form, where you can configure the question to your liking. Points are possible if it’s checking someone’s knowledge and you want an end score. You can choose if a question is mandatory with the ‘Required’ toggle, or if multiple answers are allowed.

The ellipsis hides a few more options depending on the question type: maths, if you need to use an equation (you can see the education influence here), but also a subtitle for your question, or shuffling the answers to reduce bias (there’s that type of person that always picks ‘C’ when they don’t know).

There’s also a ‘Branching’ option which lets you configure what path the quiz will take, depending on which answer is given. How long until someone creates a ‘Choose your own adventure’ with this :) ?

I posted this on Twitter not too long ago, and at the time of writing there were 26 responses. I haven’t done anything beyond clicking the ‘Responses’ tab to see this data:

To me, this looks incredibly useful. So little effort required to start getting feedback, and the data displayed easily. There’s also the option to open the data in Excel, which shows the raw data and lets you manipulate the views.

The survey by default requires access in your organisation to respond. With that, you can choose if names are recorded, and if only one response is allowed per person.

It’s possible and easy to change this restriction to ‘Anyone with the link can respond’, but it does mean all entries will be marked as ‘anonymous’ and you’ll have no guaranteed tracking of who entered the data.

Another note is that forms is fully supported on mobile browsers. A few people tried this quiz and reported a great experience.

As pointed out on Practical 365, Microsoft Forms is turning up switched on by default in Office 365 tenants; if you don’t want this on, please read that post.

This is a free component of Office 365, and worth investigating even in its preview state for internal surveys. Maybe it will replace Survey Monkey (which I’m a fan of)?

PowerPoint 2010 and 2016 Startup Templates

With PowerPoint 2010, there was the ability to autoload templates with the .PPAM extension by deploying the template to %ProgramFiles%\Office14\ADDINS\, and it would load when PowerPoint launched.

When migrating to PowerPoint 2016 however, this doesn’t work. Of course you’ll need to change the folder from Office14 to Office16, but it will still ignore the .PPAM template file.

The fix, which I eventually found after trying several things, was to just rename the file from .PPAM to .POTM. There’s no need to open and resave the file, just rename the file itself.

I can’t find anything specific about this online, but it works.

Side note: Excel and Word 2016 templates work the same way as 2010, with the XLSTART and STARTUP folders respectively for XLAM and DOTM templates.

(Updated to .POTM rather than .POTX for the file extension, as .POTM is macro enabled while .POTX is a template without macros – thanks Rhys!)