Stop Mouse and Keyboard Theft with a Cable Lock and Washer

I recently had to deal with the disappearance of several keyboards and mice from computers that are set up in a semi-public hotelling area.  I received a support request from someone that noticed that some of the computers were missing either a keyboard, a mouse, or both.  We had no reason to believe they were stolen and were most likely taken by a well-meaning employee assisting a co-worker or fixing their own issue.  We keep a stockpile of extra keyboards and mice; so, replacing the missing keyboards and mice was trivial.  However, we still have to account for the inventory and really need people to contact us when their equipment breaks.

The solution?  A cable lock and a washer that cost less than $0.25.

inexpensive washer

The cable for the mouse or keyboard is looped through the washer.

mouse cord looped through the washer

If you find a washer with a large enough hole, you can loop both the keyboard and mouse through.  If the hole isn’t large enough, you may need to increase your budget by ~$0.25 for each PC.  🙂

keyboard and mouse cord looped through the washer

As you can see in this up close shot, the end of the USB cables can’t be pulled through the washer.

keyboard and mouse cord looped through washer up close

Many of our computers are already attached to desks as a theft deterrent using a cable lock. All we had to do was disconnect the lock from the back of the computer and pull it through the loop created on the cables.

security lock pulled through cable loop in keyboard and mouse

Obviously this isn’t completely foolproof, but should be enough of a deterrent to keep the casual keyboard/mouse thief from walking away with your equipment.

Prevent the “Your browser has been upgraded” tab in Internet Explorer

Microsoft’s June Cumulative Security Update for Internet Explorer (MS14-035 / KB2957689) had a change that caught many IT departments off guard. If you’re in an environment running Windows 7 with either Internet Explorer 9 or Internet Explorer 10 your users may have received an additional tab that opened after the reboot from their monthly updates applying:

Your browser has been upgraded… sort of… with a monthly security patch…

Initially, users were redirected to http://windows.microsoft.com/en-us/internet-explorer/products/ie-9/windows-internet-explorer-9-privacy-statement, a rather lengthy privacy statement for Internet Explorer 9. After customer complaints and user feedback, Microsoft altered the redirect to send users to http://windows.microsoft.com/en-us/internet-explorer/ie-9-welcome-upgrade3.

Unfortunately, this still isn’t expected behavior in a corporate environment. End users tend to either ignore something like this completely or open a help desk ticket costing the IT organization money in the form of the help desk request. The problem is compounded by: (#1) Microsoft not warning corporate IT departments this change was coming, (#2) Microsoft not giving corporate IT departments a way to suppress the extra tab with the warning, and (#3) some users receiving the additional tab every time they open an IE window instead of seeing it just once.

The good news is that this extra tab can be suppressed with a Registry entry. The easiest way to do this in a managed environment is with Group Policy.  In a Group Policy Object (GPO) that applies to user accounts, go to User Configuration > Preferences > Windows Settings > Registry.  Right-click on Registry and choose New > Registry Item.

In the Properties for the new Registry item, set the following:

Action:  Update
Hive:  HKEY_CURRENT_USER
Key Path: Software\Microsoft\Internet Explorer\Main
Value Name: PrivacyPolicyShown
Value Type: REG_DWORD
Value Data: 00000001

Obviously this won’t help you for the hordes of end users that have already received the extra tab, but it should prevent anyone logging into a system for the first time from seeing it down the road.

Encourage Users to Submit a Ticket Instead of Emailing You Directly With a MailTip

How many times has this happened to you? You go on vacation, to a conference, you’re inundated with email, or for any of a hundred other reasons you don’t see a support request from an end user come in. Fast forward a few days or weeks and the end user is concerned that their issue hasn’t been resolved. [And we all know that “concerned” could be anything from genuine concern for your well being (“You always respond so quickly!”) to concern that your job performance should be discussed at the highest levels of your organization for not responding to them within 5 minutes.] So what’s the problem? The end user emailed you directly instead of submitting a support request through a ticketing system… a ticketing system that, most times, alerts a team of people about the problem so that their issue can be handled when you’re out of pocket.

We all know what happens… end users find a favorite “computer guy” or you’re a one man shop; but, support requests start coming directly to you that should go through the ticket system. Short of outright refusing direct support requests, it can be difficult to get some people to submit tickets.

Use an Exchange MailTip!

One creative way I’ve seen companies handle this is by setting an Exchange MailTip for certain IT Pros.  Here’s how to do it in Office 365:

Go to the Exchange Admin Center at https://outlook.office365.com/ecp and click on Mailboxes.

Highlight your account (or any other IT Pro) and click the Edit button.

Click on MailTips and enter the message you want to be displayed.  When you’re done, click the “save” button.

There’s a slight lag from when you set a MailTip and when it shows up for end users. When the MailTip starts showing up, end users should get your warning that they should submit a ticket instead of contacting someone directly.

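The same MailTip can be pushed to a whole support team from PowerShell instead of editing each mailbox in the Exchange Admin Center. This is an added example, not part of the original post; the distribution group name, the message text, and the use of the ExchangeOnlineManagement module’s Connect-ExchangeOnline are assumptions.

```powershell
# Added example (not from the original post): apply a "submit a ticket" MailTip to
# every mailbox in an IT support distribution group, then verify it was stored.
# Assumptions: ExchangeOnlineManagement module installed, group name, message text.

$supportGroup = 'IT Support Staff'   # assumed distribution group name
$mailTip = 'Please submit a ticket to the help desk instead of emailing IT staff directly. ' +
           'Direct emails may not be seen for days if the person is out of the office.'

# Interactive sign-in to Exchange Online (assumes the ExchangeOnlineManagement module).
Connect-ExchangeOnline

# Only user mailboxes get a MailTip; skip contacts or nested groups in the membership.
$members = Get-DistributionGroupMember -Identity $supportGroup -ResultSize Unlimited |
    Where-Object { $_.RecipientType -eq 'UserMailbox' }

foreach ($m in $members) {
    Set-Mailbox -Identity $m.PrimarySmtpAddress -MailTip $mailTip
}

# Verify. Exchange stores the tip wrapped in HTML (<html><body>...</body></html>),
# so match on the text rather than comparing for exact equality.
$notSet = foreach ($m in $members) {
    $mbx = Get-Mailbox -Identity $m.PrimarySmtpAddress
    if ($mbx.MailTip -notlike "*$mailTip*") { $mbx.PrimarySmtpAddress }
}

if ($notSet) {
    Write-Warning "MailTip not applied for: $($notSet -join ', ')"
} else {
    Write-Host "MailTip applied to $(@($members).Count) mailbox(es)."
}

Disconnect-ExchangeOnline -Confirm:$false
```

The verification only confirms what is stored in the directory; as the post notes, there is still a lag before Outlook clients start displaying the tip.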

Windows 8.1 Reference Image Planning Checklist

We recently started evaluating Windows 8.1 at work and, quite frankly, I forgot how much effort went into creating a fully customized reference image.  I did the work several years ago when we migrated to Windows 7 and I can build out that infrastructure in my sleep.  But, it seems that there are even more settings that we’ll need to tweak in Windows 8.1 so that our customers don’t revolt when we start rolling it out.

Don’t get me wrong, I’m not a Windows 8.1 hater.  But, we try to strike a balance between what our end users are used to using in their current environment and the new features they’ll be getting when they move to the new OS.  A little up front planning can go a long way toward ensuring a smooth roll-out!

The List

Be warned, this is a work in progress.  I’m not making any claims that it is complete… yet.  I’ll be coming back as I progress through the process and adding links and tutorials for how we did things. 

  • Make sure you’re building from the latest ISO
  • Do you need to support both x86 and x64?
  • Pull inventory of machine models so you can start the process of pulling updated drivers.
  • Does the WSUS (or SCCM) server need to be updated to include Windows 8.1 updates?
  • Update Office 2013 files to latest ISO
  • Update .msp for Office 2013 deployment since we’re updating the install source.
    I had to find out the hard way that the .msp file that is generated by the setup.exe for Office 2013 doesn’t seem to work quite right with the setup.exe for Office 2013 SP1.  I ended up completely regenerating our .msp file just to be on the safe side.
  • Do you need/want to customize the Start Screen?
    • If yes, does it need to be in the Reference Image, OS deployment, or forced with Group Policy?
    • Plan out what will be on the customized Start Screen
  • Customize logon screen wallpaper
  • Customize default user wallpaper
    • Do you want the Start Screen wallpaper to be the same as the Desktop?
  • Add additional custom wallpapers for user to select
  • Change default color scheme to match organization logo colors.
  • Remove inbox Metro/Modern apps that we don’t want users to have
    Ben Hunter has a great script on The Deployment Guys blog that you can use to remove inbox apps.
  • Plan for end-user use of OneDrive and whether it needs to be blocked.
  • Update file extensions to open specified file types in desktop apps instead of Metro apps.
  • Plan for BitLocker if some or all systems are going to be encrypted.
  • Review/Test Group Policy to determine need for updates to support Windows 8.1.

See something missing?  Let me know in the comments!

IE 11 Enterprise Mode Not Working?

A few weeks back, I wrote about the Group Policy changes in the Windows 8.1 Update.  One of the big changes in the Update was the addition of Enterprise Mode for Internet Explorer 11.  Enterprise Mode allows web sites (either specified by the end user or via Group Policy) to be processed in such a way that they appear to the site to be Internet Explorer 8.  There are also some additional ActiveX security tweaks that happen in Enterprise Mode so that [hopefully] organizations can get away from being tied to older versions of IE.

In my testing of IE 11, I came across an application that many of my customers use on a daily basis that had some compatibility issues.  Specifically, a JavaScript pop-up that was supposed to appear when clicking on certain links wouldn’t show up.  All I was getting was a spinning “Please Wait” icon.

I had that “Aha!” moment and put the site into Enterprise Mode and…. buzzer.  Nope, same problem.  What gives?  This was supposed to fix this problem, right?

The Fix!

After banging my head against the desk a few times, it occurred to me that this particular web application has about 10 different URLs behind it.  You go to the published URL for the application that looks something like http://application.trekker.net, get kicked to https://app.auth.trekker.net, then get kicked to a central login service page (Shibboleth, ADFS, etc.).  After logging in, you’re kicked to https://prod.app.authd.trekker.net:1234.  [URLs have been sanitized and replaced with trekker.net to protect the innocent!]

After looking at the source of the page (right click > View source), there were another two (!) URLs in the page I’d never seen before:  https://files.app.trekker.net and https://scripts.app.trekker.net.  Another “Aha!” moment!

I added both of these sites to my XML file (here are instructions on how to set that up) and, voila!  The app works!  It appears that Enterprise Mode was taking my list literally and wasn’t including either of these URLs since they were different than the main web application.  Lesson learned: if using Enterprise Mode, make sure any other URLs that are being called by the app get added to the Enterprise Mode IE website list to ensure that everything is running in Enterprise Mode.
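Keeping the site list in step with every host an app calls is easier to script than to hand-edit. The following is an added PowerShell example, not part of the original post or Microsoft’s tooling: it loads an Enterprise Mode site list (schema v1, the `<rules><emie>` format), adds any of the app’s hosts that are missing, and bumps the version number so IE picks up the change. The file path is an assumption, the host names are the sanitized ones from the post, and the port on the prod host is dropped on the assumption that matching is by host name.

```powershell
# Added example (not from the original post): audit and extend an Enterprise Mode
# site list so every host the application uses is covered.
# Assumptions: file path; host names as sanitized in the post; port suffix not needed.

$siteListPath = 'C:\EnterpriseMode\sites.xml'   # assumed path

# Every host observed for the app, including the two only visible in View Source.
$appHosts = @(
    'application.trekker.net',
    'app.auth.trekker.net',
    'prod.app.authd.trekker.net',   # post shows this on port 1234; port dropped (assumption)
    'files.app.trekker.net',
    'scripts.app.trekker.net'
)

function Get-EmieDomains {
    param([xml]$SiteList)
    # Domain names currently listed under <emie>. FirstChild is the text node,
    # so nested <path> elements (if any) are not mixed into the name.
    @($SiteList.SelectNodes('/rules/emie/domain') |
        ForEach-Object { $_.FirstChild.Value.Trim() })
}

function Add-MissingEmieDomains {
    param([xml]$SiteList, [string[]]$Hosts)
    $existing = Get-EmieDomains -SiteList $SiteList
    $emie = $SiteList.SelectSingleNode('/rules/emie')
    $added = @()
    foreach ($h in $Hosts) {
        if ($existing -contains $h) { continue }
        $node = $SiteList.CreateElement('domain')
        $node.SetAttribute('exclude', 'false')   # exclude="false" = run in Enterprise Mode
        $node.InnerText = $h
        [void]$emie.AppendChild($node)
        $added += $h
    }
    if ($added.Count -gt 0) {
        # IE only downloads a new list when the version attribute increases.
        $next = ([int]$SiteList.rules.version + 1).ToString()
        $SiteList.rules.SetAttribute('version', $next)
    }
    return $added
}

if (Test-Path $siteListPath) {
    [xml]$siteList = Get-Content -Path $siteListPath -Raw
} else {
    # No list yet: start a minimal v1 document.
    [xml]$siteList = '<rules version="1"><emie></emie></rules>'
}

$added = Add-MissingEmieDomains -SiteList $siteList -Hosts $appHosts
if ($added) {
    New-Item -ItemType Directory -Force -Path (Split-Path $siteListPath) | Out-Null
    $siteList.Save($siteListPath)
    Write-Host "Added to Enterprise Mode list: $($added -join ', ')"
} else {
    Write-Host 'All hosts already present; no change written.'
}
```

Run it against the list you publish via the Group Policy setting from the earlier post; a non-empty "Added" line is exactly the situation described above, where a host called by the app was never in the list.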

Customize Disk Partitions in MDT

For most systems, I typically recommend using the primary disk’s full capacity as one partition, C:\, instead of creating multiple partitions/drive letters for end users. As an IT Pro, it makes it easier for me to find someone’s “stuff” if they store their data in a standard location like their default profile location, C:\Users\%username%\.  If all of your documents, pictures, shortcuts, Favorites, settings, etc. all live in the same place, I don’t have to go hunting for files when it’s time to migrate someone to a new machine.  (Or, better yet, I can automate it!)  For the end user, it’s just easier:  Most people are used to just saving files to the default locations on their home computers.  Any time you can keep the corporate computing experience similar to what people experience at home, it saves you time and money.

However, there are some times when it can be advantageous to create more than one partition when deploying an operating system (OS) to a computer.  I know quite a few people who actually prefer that their end users store their data on D:\ so that it can be fully separated from OS and applications on C:\.  In the event of an OS crash or malware infection that isn’t recoverable, C:\ can be wiped out and all of the user’s data on D:\ is still there.  Personally, I’m not a huge fan of that because it tends to miss application settings, the Registry hive, and other important things a user may miss later.  But, to each his own I guess.

I am, however, a fan of separating data from OS and software on servers.  I’m also a fan of keeping my virtual machines totally separate from C:\ also. (Those things have this bad habit of filling up disks, don’t they!?!)

How MDT Partitions Disks

The disk partitioning process is a task that is part of each OS deployment Task Sequence.  By default, MDT creates a C:\ partition using the full first disk and names it OSDisk.  If this default doesn’t work for your environment, it is pretty easy to change.

Change the Default Partition

In the MDT Deployment Workbench, go to Deployment Shares > $YourDeploymentShare > Task Sequences.  Find the Task Sequence you want to edit and right-click on it.  Click on Properties.


In the Task Sequence Properties, go to Preinstall > New Computer only > Format and Partition Disk.

In the Volume section, you should see “OSDisk (Primary).”  Click on OSDisk (Primary) and then click the Edit button.  (The Edit button is the middle button that looks like a hand pointed at a document with a bulleted list.)

In the Partition Properties, you can change the Partition name, the size, file system, etc.

For our example, we’ll change the partition size to “Use specific size” and set it to 80 GB.  Once we’re done, click OK.

I don’t want to waste the remaining disk space; so, we’ll add a second partition that uses the remaining space.  Back in the “Format and Partition Disk” task, click on the New button.  (The New button is the left-most button that looks like a yellow star.)

In the Partition Properties, fill in the Partition name with “Data Disk,” and select “Use a percentage of remaining free space.”  Set the Size (%) to 100.  Ensure the File system is set to NTFS and click OK.

When you’re done, you should have something that looks like this:

If we perform a test deployment, you should get an 80 GB drive and a second with the remaining space.


Asking for Help as an IT Pro… The Right Way

I have a bit of a pet peeve: IT Pros asking for help… the wrong way. Don’t get me wrong…  I love sharing my knowledge. I love writing articles, responding to comments on those articles, responding to forum posts, and just general interaction with other enthusiastic IT Pros! But, I need you to help me, help you.  My hope in writing this is to give guidance to any IT Pros out there that are looking to have a question answered.  Just a little extra up front work by you can help out other IT Pros that want to help you solve your problem.

Here are a few of the common wrong ways to ask questions as an IT Pro and how to avoid them:

The “Do It for Me” Question

To protect the guilty, here’s a [pretty heavily] modified example I got via email:

I received a list of a few thousand accounts that need to be disabled in Active Directory. For the accounts with short usernames, the Active Directory Users and Computers search comes back with more than one account. It is very time consuming to go through all these accounts one by one to find the right account.

Is there a way that PowerShell can read a text list of the accounts and then move them to an OU named “Disabled” so that I can manually skim through them before I run the script to disable them? I’m not good at PowerShell. Could you give me the commands or a PowerShell script to do this?

If you send me a question like this, I’m probably going to ask you what you’ve already done to solve the problem. I totally get that you may not know PowerShell, may have been handed AD support even though that isn’t your normal area, or that you’re just busy at work.  But, you need to do some additional leg work or ask your question differently:

  • Perhaps a better question would have been: “Do you know of any good resources for managing user accounts in Active Directory with PowerShell?” or “Do you know some good resources for learning PowerShell?”
  • I hate to use the, “have you tried Google,” response, but have you? A quick search found me numerous scripts that do exactly what the IT Pro wants here.
  • Give me something to start with. Don’t ask me to tell you how to fix the problem if you’re not going to do some upfront work first.

Honestly, I don’t think this person did anything to answer the question on her own. Always try to do some upfront leg work to solve the problem yourself. If you’re wanting someone to just do the work for you, you’re really looking for a consultant.

The “No Background Information” Question

Here’s another example:

I’ve got some VMs that are not restarting correctly in Hyper-V. Any ideas why they aren’t restarting like they’re supposed to be?

Yep… that was the question. It’s a bit… light… on details. I don’t need your organization’s full infrastructure history, but you’ve got to include pertinent information. In this case, the IT Pro should have included which OS the VM is running, what version of Hyper-V they’re running, storage back-end, etc. Most of us aren’t mind readers, so I usually need some background information:

  • Include pertinent information about the environment.
  • Definitely include anything that may be unusual or out of the ordinary about your environment.
  • Make sure to include things you’ve already tried to resolve the problem.
  • Has something changed in the environment recently?
  • Has the system been working for a long time and now isn’t? Or, is this a new deployment of some kind and it has never worked correctly?

The “I Have a Question” Question

This example came in on the contact form on my blog:

I’m having some problems with some servers and you wrote some posts that are similar to the problems I’m having. Do you have some time to talk on the phone about it to help me out?

I’m not really a consultant… I’m a blogger. I have a day job outside of writing and, honestly, don’t always have time during normal business hours to talk because I’m working. I don’t always have time to talk outside of business hours because I have a home life too. For me, communicating via email or forums (for questions) is usually the best way to go.

  • Just ask your question… Who knows? Maybe it’s a simple answer.
  • Don’t reference something I’ve written without including a link to it. I’ve written a lot of articles and I may not remember the specific one you’re referencing.
  • Quite a few of us that blog and are active online on places like Twitter and forums have day jobs and may not be able to consult due to work or time constraints.
  • If you’re looking for a consultant, just ask! You may be surprised how many of us can refer you to someone who can come take a look at your problems.

The “Help Me Fix My Unsupported Production Configuration” Question

I don’t have a specific example I’m sharing on this one, but if you’re having a problem in your production environment and you’re not in a supported configuration, getting to a supported configuration is probably your answer.

  • I’m all about experimenting and trying out new things, but not in a production environment.  If this is a lab or test environment, tell me and I’m probably going to be more likely to help you. Just don’t tell me it isn’t production if it really is.
  • Read the vendor documentation! Most vendors are very good about spelling out what is supported and what isn’t. Most vendors are either going to require you to change your configuration to something they support or, if you’re lucky, give you minimal support to get you back up… so you can fix your configuration.
  • Don’t get mad at me if I point out that you’re doing something that isn’t supported. I’m just the messenger.

The “What in the World Are You Talking About” Question

Final example:

I’m trying to use screen sharing from my Windows 8 laptop to my Windows 7 desktop and it isn’t working right. I’ve tried it with tunneling on and off and that isn’t working either way. Do you think this is a problem with ports, IPS or what?

Huh? I honestly had no idea what this person was talking about initially, based on his first email. I can make some guesses; but, because he didn’t use any standard terminology, it slowed the process down while we ironed out what he was trying to do.

  • Use standard industry terms and correct product names.
  • Use current industry terminology. Things change… so does the terminology over time.
  • If you don’t know the correct term, just tell me so I’m not left scratching my head.
  • If you’re a newbie, just say so! I love helping out newbies! There’s nothing wrong with not knowing all the jargon if you’re still learning!

TL;DR

  • Do some leg work up front. Don’t expect someone that is helping you for free to do all the work for you.
  • Let me know what you’ve already tried and some basic background information on the problem you’re having.
  • Ask your question, not something like, “Hey! Can you help me?” Just ask already! 🙂
  • Respect the time of the person you’re asking for help.
  • If you’ve been told something isn’t supported in your production environment, getting to a supported environment is either the fix or a prerequisite for the fix.
  • Use proper product names and terminology. If you don’t know them, let me know before you try to describe what you’re doing so I can try to figure it out.

Thanks! You can ask your question now!!! 🙂

~~Kyle