Microsoft

Default Printer At First Logon via Group Policy

Deploying a network printer via Group Policy is pretty easy. In Group Policy Management Editor, you go to User Configuration > Preferences > Control Panel Settings > Printers and right click to create a new Shared Printer. Configure the options which are pretty straight forward.

Something doesn’t go right though, if you use the option ‘set this printer as the default printer’. The printer won’t actually be set as default for the first login. As it’s set to Update though, this will get fixed next time Group Policy runs.

However, if you have the Action set to ‘Create’, it only gets one chance to set the default printer – at the time of creation. That fails, and it doesn’t get a chance to set the default printer again.

Why does it fail to set the default printer at first logon? You’ll see an event viewer application error like this:

The user ‘HP Printer’ preference item in the ‘Define Printers {XXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX}’ Group Policy object did not apply because it failed with error code ‘0x80070709 The printer name is invalid.’ This error was suppressed.

There’s a clear Microsoft Support Article that explains why – in summary, Windows isn’t ready yet to change something on the printer between the time it creates the printer, and then tries to make it default as they’re two separate actions.

However, we can work around this by deploying a registry entry that sets the default printer. This 11 year old article is still correct in that it shows the registry value to change:

HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows

REG_SZ - Device
Value - \\adamfowlerit\printer,winspool,Ne04:e

Setting this via registry as an ‘Apply once and do not reapply’ with any other logic matching your printer deployment policy, should end up with the printer as a default on first logon.

This is a problem that’s been around for many years, but the first time I’ve hit it!

Removing Unwanted SMTP Records From Exchange Hybrid

I’m still new to Exchange Online and Office 365 mailbox management, but got stuck on this scenario for a bit.

After testing an E-mail Address Policy, I wanted to remove what the policy had done. I’d already discovered that taking an address off a policy itself doesn’t remove it from the accounts, and run this simple script to remove the unwanted SMTP record off each account. However, accounts that had been migrated to Office 365 didn’t change and still had the unwanted SMTP record.

I checked on Exchange Online itself, and the address I’d added hadn’t flowed through. I believe this was because it was using a domain that Office 365 didn’t know about – but that also meant that I had no records to change at that end. I could however go into the mailbox itself via the Exchange console and remove the unwanted record.

It turns out, that I had to use the ‘Get-RemoteMailbox’ and ‘Set-RemoteMailbox’ command in place of the ‘Get-Mailbox’ command. Although I was working with Exchange PowerShell on-premises, the mailbox type is “RemoteUserMailbox’. ‘Get-Mailbox’ against any migrated item will not find those objects that live in the cloud.

 

If you want to see which Exchange objects have a particular SMTP record in Exchange 2010, regardless of what mailbox type they are or where it lives, there’s an easy way.

Make sure the ‘Recipient Configuration’ tree option in the Exchange Console is selected, and filter with E-Mail Addresses > Contains > your unwanted SMTP record:

This will make sure all object types (including groups, contacts etc) don’t have the unwanted SMTP record.

Office 365 Extra Features Overview

In September 2017, I presented at the user group I co-own with Brett Moffett on the topic of Office 365 Extra Feature Overview. I wanted to show some of the key parts of Office 365 beyond Exchange, SharePoint and Skype for Business. Here’s a recording of that presentation:

 

Forms is still my favorite ‘quick win’ feature, which I previously covered along with a sample form and results.

If you’re ever in Adelaide and want to come along to our monthly catchups, here’s our Meetup page: https://www.meetup.com/preview/Adelaide-Microsoft-ITPro-Community

 

 

CIAOPS Podcast – Adam Fowler

I’ve been a bit quiet here this month. One of the reasons was having a Microsoft Premier Field Engineer (PFE) onsite for a week for an Azure Fast Track. It’s a program provided by Microsoft to give you someone that can help you start onboarding to the product of choice. I’ve done a few Fast Tracks now and they’ve always been valuable – having a great tech sent onsite and pretty much doing whatever you want to focus on around the topic.

By sheer luck, that Microsoft PFE was Marc Kean, co-host of the Need To Know Podcast. That meant I had the opportunity to go on the podcast, which went live this week. It was great having Marc over, and we also caught up with Brett Moffett who co-runs the Adelaide Microsoft IT Pro Community with me.

I’d mentioned the podcast and CIAOPS only at the start of the month here, and this was before I knew I’d be spending a week with Marc, and even be on it. Funny how these things happen sometimes. I also said I’d have these links on my site by the time the podcast went live, but I missed that by a few days :)

Hopefully I’ll have some more techy posts up soon, there’s a lot of different things I’ve got happening so I’m sure it won’t be far off.

Also, if you’re ever visiting Adelaide and either want to attend or even present at our user group, please join the Meetup group and come along!

 

How To Suppress “A website wants to open web content using this program on your computer”

As part of Windows 10 testing, I came across this prompt.

Internet Explorer Security
A website wants to open web content using this program on your computer
This program will open outside of Protected mode. Internet Explorer's 
Protected mode helps protect your computer. If you do not trust this 
website, do not open this program.
Name: XXX
Publisher XXX

Do not show me this warning for this program again

When you open a file from a site that is an internet site zone (that is, not in your intranet zone or trusted sites zone) for Internet Explorer 11, you’ll be prompted with the above Internet Explorer Security prompt.

This doesn’t happen for IE11 on Windows 7.

Because there’s a tickbox that lets a user suppress the prompt in future for when that particular program is called, it may just get in the way for users the first time they see it and cause confusion. It’s on a per app basis – once you allow Microsoft Word, it’s allowed for all sites, but that won’t allow Microsoft Excel.

To stop this prompt for commonly used applications, you can use Group Policy to roll out registry settings that would be applied if the user had ticked the box already for that app.

The registry settings live in HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\ with a unique GUID for each application.

Here’s a screenshot showing settings for Microsoft Word:

Here’s the raw registry settings:

Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{342263D0-430D-4325-919B-666CE94C4334}]
"Policy"=dword:00000003
"AppPath"="C:\\Program Files (x86)\\Microsoft Office\\Office16"
"AppName"="WINWORD.EXE"

This can be saved into a .reg file, imported onto your PC, then using Group Policy’s Registry Import Wizard, imported into a Group Policy and deployed. Again, this will need to be done for each application you want to automatically allow.

Chinese Characters in IE11, Edge and Windows 10

I recently worked on an issue where all Windows 10 users were seeing two strange display issues on certain websites via Internet Explorer 11 and Edge. There were two noticeable symptoms:

  • Chinese characters would show in particular locations on many websites. These were often buttons, but sometimes other symbols.
  • Buttons would be completely blank. The buttons themselves worked, which you could either use if they had a graphical representation of the button still, or you knew where to click.

This was even presenting itself in Office 365 – I couldn’t see the Notifications, Settings or Help buttons, and they would instead show as blank boxes.

This was found while piloting Windows 10 from Windows 7. The visible options in Internet Explorer seemed identical. and other browsers weren’t affected – Chrome could display these sites perfectly fine.

I worked out what the problem and fix was (jump to the end if you want that now), but here’s the story on how we got to this broken state:

As part of prepping for Windows 10, I followed Microsoft’s Security Baseline documentation which contains a handy Excel spreadsheet, with recommendations on what Group Policy settings you should use for best security practises. I followed this (I’ve linked to a newer version) and made choices based on understanding each option, and what worked for us. There were very few settings I didn’t follow exactly.

One of these settings was ‘Untrusted Font Blocking‘. The document recommended enabling this, to stop untrusted fonts being used as they’re a security risk – the loading of a font can allow elevated privileges, and has been used before. Made sense to me, so I enabled it.

This is what Group Policy says about Untrusted Font Blocking:

This security feature provides a global setting to prevent programs from loading untrusted fonts. Untrusted fonts are any font installed outside of the %windir%\Fonts directory. This feature can be configured to be in 3 modes: On, Off, and Audit. By default, it is Off and no fonts are blocked. If you aren’t quite ready to deploy this feature into your organization, you can run it in Audit mode to see if blocking untrusted fonts causes any usability or compatibility issues.

Eventually with a lot of testing and googling, I tried disabling this option – and it worked. Once you know the fix to a problem, it’s really easy to work backwards to find out more about it.

It turns out that in simple terms, websites can present their own fonts to use. It may be easier to present an arrow that’s from a font, rather than making a graphic of a font. Usually the site will load the font on the fly, but blocking that means the site fails back to a ‘best match’ on the font, which seems to be a font for Chinese characters, or a font that has a blank character for the matched result. Makes sense.

Microsoft changed their mind on this recommendation, only a month ago from time of writing. That recommendation change is worth reading, as it explained why they did it, and why they’re now changing their mind. The good news is that you’re not losing security by abandoning this setting, as the way fonts are parsed has changed from kernel to sandboxed user mode.

TL;DR version:

Turn off Untrusted Font Blocking through either of these methods:

Group Policy – Disable or change to Not Configured: Computer Configuration > Policies > Administrative Templates > System > Mitigation Options > Untrusted Font Blocking

Registry Setting – HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Kernel\ – QWORD MitigationOptions

  • To turn this feature on. Type 1000000000000.
  • To turn this feature off. Type 2000000000000.
  • To audit with this feature. Type 3000000000000.Important
    Your existing MitigationOptions values should be saved during your update. For example, if the current value is 1000, your updated value should be 1000000001000

Deploying Printers In Windows 10

Printers are pretty easy to deploy via Group Policy. It’s easy to configure a Group Policy Preference to deploy a printer, but there’s a few gotchas that may prevent the printer from actually getting installed client side.

The first thing to check is Event Viewer > Applications. If Group Policy attempts to add a printer but fails, it should be logged as a warning and give an idea on what the problem is. If you’re stuck – enable Group Policy Preferences Logging and Tracing for Printers, and see if you get more data.

For Windows 10, depending at what patch level you’re at, and what drivers the print server has, and if those drivers are packaged or not you’ll probably have to enable more policies to make printers deploy. If you don’t, you may see this error in Event Viewer: “Group Policy Object did not apply because it failed with error code ‘0x80070bcb The specified printer driver was not found on the system and needs to be downloaded.’ ”

There’s a lot of information out there on this topic – but generally, the main reason a printer won’t automatically install is because of UAC. If you try to manually install one of these printers, you’ll get the ‘Do you trust this printer’ warning, and even after continuing on that, the install may fail.

There’s two Group Policies to configure to get around this, which I found blogged at Systemcenterdudes so please read their post – but you need to enable these two policies:

Computer Configuration > Policies > Administrative Templates > Printers – Package Point and Print

Computer Configuration > Policies > Administrative Templates > Printers – Point and Print 

In both of the policy settings, you may need to specifiy your print servers. It wouldn’t work for me until I did – and it’s a better security approach to do this anyway.

Once that was done, printers were then able to be installed automatically via Group Policy. There’s some other ways I’ve read to change how the drivers work, push out registry fixes etc – but to me this seems the simplest and safest approach (assuming it works for you too!).

If you’ve had a different experience or the above doesn’t work, please share!