Windows 10

How To Suppress “A website wants to open web content using this program on your computer”

As part of Windows 10 testing, I came across this prompt.

Internet Explorer Security
A website wants to open web content using this program on your computer
This program will open outside of Protected mode. Internet Explorer's 
Protected mode helps protect your computer. If you do not trust this 
website, do not open this program.
Name: XXX
Publisher XXX

Do not show me this warning for this program again

When you open a file in Internet Explorer 11 from a site that is in the Internet zone (that is, not in your intranet zone or trusted sites zone), you’ll be prompted with the above Internet Explorer Security prompt.

This doesn’t happen for IE11 on Windows 7.

Because there’s a tickbox that lets a user suppress the prompt in future for when that particular program is called, it may just get in the way for users the first time they see it and cause confusion. It’s on a per app basis – once you allow Microsoft Word, it’s allowed for all sites, but that won’t allow Microsoft Excel.

To stop this prompt for commonly used applications, you can use Group Policy to roll out registry settings that would be applied if the user had ticked the box already for that app.

The registry settings live in HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\ with a unique GUID for each application.

Here’s a screenshot showing settings for Microsoft Word:

Here’s the raw registry settings:

Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{342263D0-430D-4325-919B-666CE94C4334}]
"Policy"=dword:00000003
"AppPath"="C:\\Program Files (x86)\\Microsoft Office\\Office16"
"AppName"="WINWORD.EXE"

This can be saved into a .reg file, imported onto your PC, then using Group Policy’s Registry Import Wizard, imported into a Group Policy and deployed. Again, this will need to be done for each application you want to automatically allow.
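For checking the same setting on a pilot machine before it goes into Group Policy, here is an added PowerShell example (not from the original post) that lists the programs the current user has already exempted and writes an entry in the format shown above. The function names are hypothetical and the Excel path is an assumption.

```powershell
# Added example, not from the original post. Function names are hypothetical.
$Base = 'HKCU:\Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy'

function Get-IEElevationPolicy {
    # List every program the current user has exempted, so the set can be reviewed.
    if (-not (Test-Path -LiteralPath $Base)) { return }
    Get-ChildItem -LiteralPath $Base | ForEach-Object {
        $p = Get-ItemProperty -LiteralPath $_.PSPath
        [pscustomobject]@{
            Guid    = $_.PSChildName
            Policy  = $p.Policy
            AppName = $p.AppName
            AppPath = $p.AppPath
            # Flags stale entries that point at a binary which is no longer there.
            Exists  = [bool]($p.AppPath -and $p.AppName -and
                      (Test-Path -LiteralPath (Join-Path $p.AppPath $p.AppName) -PathType Leaf))
        }
    }
}

function Add-IEElevationPolicy {
    param(
        [Parameter(Mandatory)][string]$AppName,
        [Parameter(Mandatory)][string]$AppPath
    )
    # Only exempt a binary that is actually installed at the expected location.
    if (-not (Test-Path -LiteralPath (Join-Path $AppPath $AppName) -PathType Leaf)) {
        Write-Warning "$AppName not found in $AppPath; no entry written"
        return
    }
    # Reuse the existing entry for this program instead of adding a duplicate GUID.
    $hit = Get-IEElevationPolicy |
        Where-Object { $_.AppName -eq $AppName -and $_.AppPath -eq $AppPath } |
        Select-Object -First 1
    $guid = if ($hit) { $hit.Guid } else { [guid]::NewGuid().ToString('B').ToUpper() }
    $key  = Join-Path $Base $guid
    if (-not (Test-Path -LiteralPath $key)) { New-Item -Path $key -Force | Out-Null }
    # Same three values as the .reg file above.
    New-ItemProperty -LiteralPath $key -Name Policy  -Value 3        -PropertyType DWord  -Force | Out-Null
    New-ItemProperty -LiteralPath $key -Name AppPath -Value $AppPath -PropertyType String -Force | Out-Null
    New-ItemProperty -LiteralPath $key -Name AppName -Value $AppName -PropertyType String -Force | Out-Null
    $guid
}

# The Word entry from the post, plus Excel from the same folder (Excel path is an assumption).
$office = 'C:\Program Files (x86)\Microsoft Office\Office16'
'WINWORD.EXE', 'EXCEL.EXE' | ForEach-Object { Add-IEElevationPolicy -AppName $_ -AppPath $office }
Get-IEElevationPolicy | Format-Table -AutoSize
```

The `Exists` column is worth checking after Office upgrades, since an entry keeps exempting whatever binary later appears at that path and name.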

Chinese Characters in IE11, Edge and Windows 10

I recently worked on an issue where all Windows 10 users were seeing two strange display issues on certain websites via Internet Explorer 11 and Edge. There were two noticeable symptoms:

  • Chinese characters would show in particular locations on many websites. These were often buttons, but sometimes other symbols.
  • Buttons would be completely blank. The buttons themselves still worked, so you could use them if they still had a graphical representation, or if you knew where to click.

This was even presenting itself in Office 365 – I couldn’t see the Notifications, Settings or Help buttons, and they would instead show as blank boxes.

This was found while piloting Windows 10 from Windows 7. The visible options in Internet Explorer seemed identical, and other browsers weren’t affected – Chrome could display these sites perfectly fine.

I worked out what the problem and fix was (jump to the end if you want that now), but here’s the story on how we got to this broken state:

As part of prepping for Windows 10, I followed Microsoft’s Security Baseline documentation which contains a handy Excel spreadsheet, with recommendations on what Group Policy settings you should use for best security practices. I followed this (I’ve linked to a newer version) and made choices based on understanding each option, and what worked for us. There were very few settings I didn’t follow exactly.

One of these settings was ‘Untrusted Font Blocking’. The document recommended enabling this, to stop untrusted fonts being used as they’re a security risk – the loading of a font can allow elevated privileges, and has been used before. Made sense to me, so I enabled it.

This is what Group Policy says about Untrusted Font Blocking:

This security feature provides a global setting to prevent programs from loading untrusted fonts. Untrusted fonts are any font installed outside of the %windir%\Fonts directory. This feature can be configured to be in 3 modes: On, Off, and Audit. By default, it is Off and no fonts are blocked. If you aren’t quite ready to deploy this feature into your organization, you can run it in Audit mode to see if blocking untrusted fonts causes any usability or compatibility issues.

Eventually with a lot of testing and googling, I tried disabling this option – and it worked. Once you know the fix to a problem, it’s really easy to work backwards to find out more about it.

It turns out that, in simple terms, websites can supply their own fonts. It may be easier to present an arrow that comes from a font than to make a graphic of that arrow. Usually the site will load the font on the fly, but blocking that means the site falls back to a ‘best match’ font, which seems to be a font for Chinese characters, or a font that has a blank character for the matched result. Makes sense.

Microsoft changed their mind on this recommendation, only a month ago from time of writing. That recommendation change is worth reading, as it explained why they did it, and why they’re now changing their mind. The good news is that you’re not losing security by abandoning this setting, as the way fonts are parsed has changed from kernel to sandboxed user mode.

TL;DR version:

Turn off Untrusted Font Blocking through either of these methods:

Group Policy – Disable or change to Not Configured: Computer Configuration > Policies > Administrative Templates > System > Mitigation Options > Untrusted Font Blocking

Registry Setting – HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Kernel\ – QWORD MitigationOptions

  • To turn this feature on. Type 1000000000000.
  • To turn this feature off. Type 2000000000000.
  • To audit with this feature. Type 3000000000000.

Important: Your existing MitigationOptions values should be saved during your update. For example, if the current value is 1000, your updated value should be 1000000001000.
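The "save your existing value" step is easy to get wrong by hand, so here is an added PowerShell example (not from the original post) that changes only the font-blocking bits of MitigationOptions and keeps the rest. It assumes the values in the list are hexadecimal, as typed into regedit's QWORD editor; the function names are hypothetical.

```powershell
# Added example, not from the original post. Run elevated; function names are hypothetical.
$Key  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\Kernel'
$Name = 'MitigationOptions'

# Values from the list above, read as hexadecimal (assumption).
$FontMode = @{
    On    = [long]0x1000000000000
    Off   = [long]0x2000000000000
    Audit = [long]0x3000000000000
}
$FontMask = [long]0x3000000000000   # every bit the three modes can set

function Merge-FontBlockingMode {
    param([long]$Current, [ValidateSet('On', 'Off', 'Audit')][string]$Mode)
    # Clear only the font-blocking bits, keep everything else, then set the new mode.
    ($Current -band (-bnot $FontMask)) -bor $FontMode[$Mode]
}

function Set-FontBlockingMode {
    param([ValidateSet('On', 'Off', 'Audit')][string]$Mode = 'Off')
    $raw = (Get-ItemProperty -LiteralPath $Key -Name $Name -ErrorAction SilentlyContinue).$Name
    if ($raw -is [byte[]]) {
        # If something else has written the value as binary data, do not replace it with a QWORD.
        Write-Warning "$Name is binary data, not a QWORD; left unchanged"
        return
    }
    $current = if ($null -eq $raw) { [long]0 } else { [long]$raw }
    $new = Merge-FontBlockingMode -Current $current -Mode $Mode
    Set-ItemProperty -LiteralPath $Key -Name $Name -Value $new -Type QWord
    '{0}: 0x{1:X} -> 0x{2:X}' -f $Name, $current, $new
}

# The example from the note above: an existing value of 1000 with blocking turned on.
'0x{0:X}' -f (Merge-FontBlockingMode -Current 0x1000 -Mode On)

# Moving a machine from On to Off: adding the Off value on top of On would give the Audit value,
# so the old mode bits are cleared first.
'0x{0:X}' -f (Merge-FontBlockingMode -Current 0x1000000001000 -Mode Off)

Set-FontBlockingMode -Mode Off
```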

Deploying Printers In Windows 10

Printers are pretty easy to deploy via Group Policy. It’s easy to configure a Group Policy Preference to deploy a printer, but there’s a few gotchas that may prevent the printer from actually getting installed client side.

The first thing to check is Event Viewer > Applications. If Group Policy attempts to add a printer but fails, it should be logged as a warning and give an idea on what the problem is. If you’re stuck – enable Group Policy Preferences Logging and Tracing for Printers, and see if you get more data.

For Windows 10, depending on what patch level you’re at, what drivers the print server has, and whether those drivers are packaged or not, you’ll probably have to enable more policies to make printers deploy. If you don’t, you may see this error in Event Viewer: “Group Policy Object did not apply because it failed with error code ‘0x80070bcb The specified printer driver was not found on the system and needs to be downloaded.’ ”

There’s a lot of information out there on this topic – but generally, the main reason a printer won’t automatically install is because of UAC. If you try to manually install one of these printers, you’ll get the ‘Do you trust this printer’ warning, and even after continuing on that, the install may fail.

There’s two Group Policies to configure to get around this, which I found blogged at Systemcenterdudes so please read their post – but you need to enable these two policies:

Computer Configuration > Policies > Administrative Templates > Printers – Package Point and Print

Computer Configuration > Policies > Administrative Templates > Printers – Point and Print 

In both of the policy settings, you may need to specify your print servers. It wouldn’t work for me until I did – and it’s a better security approach to do this anyway.

Once that was done, printers were then able to be installed automatically via Group Policy. There’s some other ways I’ve read to change how the drivers work, push out registry fixes etc – but to me this seems the simplest and safest approach (assuming it works for you too!).

If you’ve had a different experience or the above doesn’t work, please share!

Hide Edge Button from IE11 Tab

A feature that’s popped up in IE11, is the little Edge icon next to the new tab icon. Not something I’d want in the enterprise space:

Thankfully, it’s easy to disable. There’s a Group Policy setting called “Hide the button (next to the New Tab button) that opens Microsoft Edge” which can be found in User Configuration\Administrative Templates\Windows Components\Internet Explorer\Internet Settings\Advanced Settings\Browsing\.

If you can’t see this policy, make sure you have the latest ADMX files from Microsoft – Windows 10 1703. If you haven’t had much to do with adding ADMX files to your environment before – they should be centralised, and Microsoft have a great guide you can follow.

Bonus tip – If you have internal sites that use a single word (e.g. intranet) you can enable the policy “Go to an intranet site for a one-word entry in the Address bar” which will check for an internal site starting with that name before using the word in your default search engine. This one’s actually an old policy that I hadn’t noticed before!

 

Windows Max Path Is Now A Lot Bigger

The legacy 8.3 filename restrictions that came from the old MS-DOS days are (for the most part) long gone, but one of the other lingering legacy limitations is the 260 character limit.

Microsoft have a great article about how all this works and the reasons why. With Windows 10 Anniversary Edition and Windows Server 2016, it’s possible to get around the 260 character limit with some caveats. The new limit is 32,767 characters!

When researching this, I found quite a few articles that said how to enable the setting but didn’t really go into it any deeper, and my testing found that it’s not as simple as described. Enabling “Long Paths” doesn’t magically remove the limit, it enables longer paths in certain situations.

Firstly – enabling the policy itself. There’s a mix of information out there, and I’ve found some catches.

One of the mentioned methods of turning the feature on is to use Group Policy at Computer Configuration > Administrative Templates > System > Filesystem > Enable NTFS long paths. This doesn’t exist on my fully updated Windows 10 Pro install:

[Screenshot: No ‘Enable NTFS long paths’ option?]

I also checked on Windows 10 Enterprise fully patched, and the option was also missing. I found this similar option though, one level down:

[Screenshot: ‘Enable win32 long paths’ option]

The name and description are very similar. I then found this technet thread which agreed that they are the same setting.

After applying the setting and rebooting, I tested via Command Prompt to see how far I’d get:

The filename or extension is too long

I wasn’t very successful. “12characters” contains… 12 characters, so 18 folders * 12 characters = 216. Then add the slashes and you’re around 233 characters. Not quite the 260 limit, but close. Why wasn’t it working?

A few reasons; the app itself needs to support the new API calls to go beyond 260 characters, and I dare say Command Prompt hasn’t been touched yet due to the potential of breaking things.

What about Windows Explorer? This is where things got a bit strange. I couldn’t create a folder in that same path for the same reason, so I created a share on the very bottom of the tree, went to the share name and started creating more folders. I then went back to the original path to see if I could navigate all the way to the bottom, and I could:

[Screenshot: Lots of subfolders!]

22 folders called ‘12 characters’ = 264 characters by itself, and I was then able to create a subfolder called “New Folder”. What’s strange about this is that Windows Explorer itself wouldn’t break the 260 character wall directly, but once it was passed, it was happy to read through and continue on further.

Back on the command prompt, it had let me navigate one folder further than before into the 19th, but wouldn’t delve any deeper:

[Screenshot: “The full path of 12characters is too long”]

What about PowerShell? That seemed to be very happy with the extra characters, so I made a complex script containing the lines “md 12characters” and “cd 12characters” many, many times. PowerShell happily went mad creating subfolder after subfolder, although the speed of subfolder creation went from ludicrous speed to very very slow as it ran.

Seeing what Windows Explorer would do, I was surprised that I’d hit a different limit:

[Screenshot: No more expand option]

The ability to drill down further had gone. I could see 29 folders in the tree, and the 30th on the right hand pane, but couldn’t actually get into it. I also couldn’t create folders or files at that level or several levels up:

[Screenshot: Too long.]

Back into PowerShell, I had to scroll to see beyond my current folder path!

[Screenshot: Lots of folders]

I was also able to create files at that level. From this, if you’re going to use long paths in Windows Server 2016 or Windows 10, use PowerShell to manage your files!

This to me seems a good reason for Microsoft to not make Long Paths on by default. It should only be used for special cases, and a lot of things may break or just not support it. For example, if you’re doing a file level backup, will your backup software both read and write beyond the 260 character limit?

The best use case I can think of currently is having a location you can extract out long paths (maybe that came from a Unix box?) so you can adjust back down to the 260 limit, or get out the files you need. Microsoft always has pressure to look after legacy, and I can see the 260 character limit being around for a very long time.

Intel NUC 6th Gen

Almost two years ago, I wrote about my Media Player Quest. The end result hardware wise was an Intel NUC, which has been dutifully serving me media content and left on 24/7 for over two years.

It’s time to upgrade that now, and check out Intel’s newer lineup of NUCs that have the 6th generation Intel CPU inside.

The unit I received was the NUC6I5SYK – there’s also the NUC6I3SYK which is identical apart from having an i3 CPU rather than the i5 I received (a big step up from the Celeron in my old unit!).

There’s a bunch of different NUCs both old and new, but in the latest batch there are 5 to choose from. The cheaper ‘Pentium’ powered NUC NUC5PGYH, the NUC6i3SYH and NUC6I5SYH which are i3 and i5 powered NUCs with 2.5″ drive support, and the two I mentioned above, which are identical but don’t have 2.5″ drive support. All other specs are the same.

At this point you may be wondering which is best or which one to choose. Luckily this is pretty clear cut – if you don’t need much grunt, go for the NUC5PGYH. This still takes a 2.5″ drive, so you may be able to find a cheap small SSD to use. Otherwise, i3 and i5 are both pretty good, you’ll only need an i5 if you want to use it like a proper PC and play games or edit photos and videos, or other CPU intensive tasks. Finally, the SSD – go 2.5″ if you already have one to save money, or don’t care about the extra height. The M.2 version is a lot sleeker, but there should only be a small difference in SSD performance, which you probably won’t notice based on the common use cases for a NUC. If you’re hiding it behind a monitor, it’ll be easier to fit the M.2 version next to a wall.

My unit isn’t as tall as the 2.5″ models, because it takes an M.2 SSD instead. They look similar to RAM, but have the slot on the short side, rather than on the long side (see below). Don’t get these confused with mSATA – M.2 is the next generation of those and they have different connections. There’s a lot more technical information about this; if you’re interested, check this guide out.

It’s worth pointing out that an Intel NUC isn’t a fully working PC out of the box. You’ll need to provide your own RAM and drive (HDD/SSD), but they are incredibly easy to install. 4 screws need unscrewing to take the bottom plate off:

and you’ll need to add two types of components:

1 & 2 are DDR4 SODIMM RAM sticks. 2 x 2GB in this one but they’ll take a maximum of 2 x 16GB = 32GB – more than enough! 3 is the M.2 SSD, mine of which (as you can see from the label) has a capacity of 120GB. I’m not storing too much locally – apart from Windows 10 and a few software installs, the media I’ll be playing is streamed either from the internet (care of services like Netflix) or via local network (care of Kodi).

Once those are added (and they’re incredibly easy to obtain from any PC parts supplier) the NUC is ready to go – at least, ready to have your OS of choice installed on it.

Port wise, the Intel NUC has more than enough for its small 115mm x 111mm x 32mm size.

Front: USB 3.0, USB 3.0 + charging, Audio In/Out 3.5mm jack, Power light, Infrared sensor

Right: Kensington lock, SDXC Card Slot

Back: Power, Air vents, HDMI, 1000mbit NIC, 2x USB 3.0, DisplayPort

Also on top is power and HDD/SSD light:

This new NUC is a lot shorter than my previous unit, so I thought I’d introduce them to each other before sending the old one away:

Once I had the new NUC up and running, I did notice a smoother experience. The old one wasn’t actually slow for general Windows 10 usage, but things felt snappier and more responsive with the much updated hardware.

Overall I can’t fault this unit. I loved the last one, and this just gives a refresh with newer hardware and more connection types. What isn’t there to like about this? VESA mounts are included too, which will turn a screen into an all in one PC with ease. Other Mini PCs exist, but Intel support their own hardware well and let you decide on your own RAM and storage requirements, rather than bundling the lot.

Intel know this makes a great Media Box and have created some Intel only apps, such as the “Intel® Remote Keyboard” which lets you use your phone as a keyboard and mouse, which I’ll cover separately soon.

Any questions about the NUCs? Comment below!

The Intel NUC covered in this post was provided by Intel Australia.