Wednesday, March 15, 2017

Connecting Mac computers to Symantec EndPoint Management

Our department was working with some Mac computers and a program called Lansweeper, which allows us to inventory each computer's software and hardware. We discovered that the Symantec client on the Mac was blocking the scan. It thought it was a port scan. Before doing the following steps, we needed to adjust the Intrusion Prevention settings on the SEP Management Console.

Open up SEP Management Console

To create an exception for IPS signatures
  1. If you go to Policies and then click on "Intrusion Prevention", you'll see the current default policy.
  2. Double-click that name.
  3. On the left, under "Overview", you'll see an Intrusion Prevention text; click that.
  4. Click on Excluded Hosts
  5. Add the Host Name or IP of the Lansweeper Server and click ok and then ok a second time.
Export the package zip file(app)
  1. In the console, on the Home page, in the Common Tasks menu, click Install protection client to computers.
  2. In the Client Deployment Wizard, click New Package Deployment to configure a new installation package, and then click Next.
  3. Click the Install Packages menu and select the Mac package from the available options. Click on Browse and pick your mac group if you have one. Then click Next.
  4. Click Save Package for the installation method, and then click Next.
  5. Click Browse… to specify the folder where you want to save the package, and then click Next.
  6. On the final summary page, click Next to create the package.
Using the App to create a Package File
  1. After the package creation completes, browse to the location you previously specified, and then copy the .zip file to the Mac on which your Apple Remote Desktop is installed. By default, the file name is Symantec Endpoint
  2. Right-click on the .zip file and click Open With > Archive Utility to decompress the .zip file.
  3. Double-Click Symantec Endpoint Protection Installer to launch the application.
  4. Click Continue in the warning message to acknowledge that a system restart is required after install.
  5. In the menu, click Tools > Create remote deployment package. Accept the default package, and then click save.
  6. When the package creation completes successfully, click OK. The file name is SEPRemote.pkg.
Deploying the Package File
  1. Open Apple Remote Desktop
  2. Select the target Macs from the list of all available computers, and then click Install to add the package. 
  3. Click the plus (+) to locate and add SEPRemote.pkg, click Attempt restart, allow users to save documents and then click Install to begin deployment.

Friday, March 10, 2017

KB3163912 breaks Point and Print Restrictions

Users started to see prompts to set up their printers and users in our computer lab were unable to see the printers when they logged in. This started to occur shortly after the July 2016 Microsoft patch day.

KB3163912 breaks Point and Print Restrictions GPO settings

In July 2016, Microsoft released a patch that fixed a long standing issue.
  • The server operator sets up Point and Print policies such that users can install their printers (with no restrictions on where people can obtain drivers).
  • Unsuspecting User is given a printer link on the internet.
  • This link has "drivers" for the printer which contain malware/hacks/etc.
  • Malware is installed.
Patch Notes:

Solution: Since we were using group policy preferences to map user printer queues, I looked into fixing that. We needed to figure out what exactly was happening when the printers were getting mapped. The easiest way to troubleshoot group policy preferences is to enable debug log tracing.
  • Open up your Group Policy Management console.
  • Edit the policy that manages your printers (or anything else).
  • Drill down to Computer Configuration\Policies\Administrative Templates\System\Group Policy. In the list you'll see "Configure Printer Preference logging and tracking".
    You can specifically track printer preferences. The default location for this text log file is C:\ProgramData\GroupPolicy\Preference\Trace

To actually fix the Microsoft issue, I used these steps.

1. When I used the trace utility, it was telling me that permission was being denied to map the printers, so I set permissions on the printer: EVERYONE or AUTHENTICATED USER must have at least read (print) permission. This wasn't the default on Windows Server 2008 R2.

2. The printers that I have are configured to map based on usernames in Group Policy Preferences, so I modified that gpo to contain the following settings.
  1. In Computer Configuration->Administrative Templates->System->Driver Installation, edit "Allow Users to install device drivers for these device setup classes". This requires you to put in {0ecef634-6ef0-472a-8085-5ad023ecbccd} to allow printer drivers to be installed.
  2. In User Configuration->Administrative Templates->Control panel->Printers, edit "Package Point and print-approved servers". Enable this setting, click on the "Show" box, and type in your server names.
  3. In User Configuration->Administrative Templates->Control panel->Printers, edit "Point and Print Restrictions"; it should end up looking like this.
  4. Turn off the tracing once you confirm your printers are working.
In the process of setting this up, I discovered that some printers were not being mapped automatically.

I was getting a warning in the application log on the User Desktop.
"The user ‘Printer1’ preference item in the ‘Printers {GUID}’ Group Policy object did not apply because it failed with error code ‘0x80070005 Access is denied.’ This error was suppressed."

So I had to go and edit my printer Group Policy Preferences (User Configuration->Preferences->Printers). Pick the printer, go over to the Common tab and click "Run in logged-on user's security context (user policy option)".

Tuesday, February 14, 2017

Mac Desktop Sync to Box or Dropbox

This is a solution for enterprises that have Mac laptops and college faculty who refuse to back up their data, even though you have a file and print server available.

Some rooms don't have great wireless connections or they go to large national conferences where wireless is slow/non-existent. I don't want them to use USB sticks because then the data ends up lost or stolen.

The University of Buffalo has a contract with Box Software for legal reasons, but this same process will work with Dropbox.

Open up Terminal (search for it) and run the following commands:
  mv Desktop Desktop.bak
  ln -s /Users/username/Box\ Sync/ ./Desktop
  • Change username to your Mac login username
  • Change Box\ Sync (note the space) to Dropbox if you use Dropbox.
There are other folders to sync; in your Mac Home Directory, you can decide what's best for your environment.
  1. Documents
  2. Downloads (this probably isn't something that needs to be backed up, as it's generally going to be files that you can get again)
  3. Movies
  4. Music
  5. Pictures
Reboot the computer. The icons won't appear next to the names, but it will sync.

If the person is experiencing issues at home with speed when opening documents, they will have to temporarily turn off syncing (and then turn it back on when they are back at the office).
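
The two Terminal commands above, wrapped with the checks that keep a failed run from leaving a user without a Desktop. This is an added example, not part of the original post; the function name link_to_sync and its return codes are made up for illustration.

```shell
#!/bin/sh
# link_to_sync SRC TARGET
#   SRC     folder to replace, e.g. /Users/username/Desktop
#   TARGET  sync folder,       e.g. "/Users/username/Box Sync"
# Moves SRC to SRC.bak and symlinks SRC to TARGET, as in the steps above.
# Existing files stay in SRC.bak; copy them into the sync folder
# afterwards if they should sync.
link_to_sync() {
    src=$1
    target=$2
    backup="$src.bak"

    # The sync client must already have created its folder.
    if [ ! -d "$target" ]; then
        echo "sync folder missing: $target" >&2
        return 2
    fi
    # Safe to re-run: an existing link to the same target is success.
    if [ -L "$src" ]; then
        [ "$(readlink "$src")" = "$target" ] && return 0
        echo "$src already links somewhere else" >&2
        return 3
    fi
    # Never overwrite a backup left by an earlier run.
    if [ -e "$backup" ] || [ -L "$backup" ]; then
        echo "backup already exists: $backup" >&2
        return 4
    fi
    if [ -d "$src" ]; then
        mv "$src" "$backup" || return 5
    fi
    if ! ln -s "$target" "$src"; then
        # Put the original folder back if the link could not be made.
        [ -d "$backup" ] && mv "$backup" "$src"
        return 6
    fi
    return 0
}
```

Call it once per folder, for example link_to_sync "$HOME/Desktop" "$HOME/Box Sync", and check the return code before rebooting.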

A Great way to install Autocad for Education

I like to use this great tool PDQ Deploy at my job at the University of Buffalo. They have a free version which makes pushing deployments to computer labs really easy. In addition, it tracks the installation success and failures, unlike Microsoft's group policy software deployment.

1. Download Autocad and run setup.exe

2. Once setup.exe begins, you can create an admin installation; do this. We'll use c:\admin for this.

3. Pick the Autocad features you want, it will create an install with everything pre-configured.

4. Create a simple batch file to install AutoCAD (we'll use this in PDQ Deploy) and save it as install.bat.
(In the pro version of PDQ Deploy you can type this directly into the console, without the comment lines.) DO NOT USE /qn; it fails for some reason. /q or /qb both work.
:: This batch file will run on the remote computer. Replace server with your server name and
:: sharedfolder with your shared folder.
\\server\sharedfolder\admin\img\Setup.exe /W /q /I \\server\sharedfolder\admin\img\autocad2017.ini /language en-us

5. In PDQ Deploy you should create a new package and duplicate the settings in this screenshot. I just named it AutoCAD. Close and Save this.

6. Right-Click on the package and select deploy once.
7. Choose the computers you want the files moved to, press the Deploy Now button. I had a list of computers already setup. The installs will take about 25 minutes.

Friday, January 27, 2017

Best Way for an Enterprise to Get Dell Drivers

I've been using a PowerShell program from Keith's Consulting Blog, which downloads drivers for a variety of Dell models. It includes the Windows PE and the Windows drivers for use with an MDT deployment server. This script was easy to use but had a pretty basic interface.

When I was reading some Twitter messages from Johan Arwidmark (@jarwidmark), I saw that he had retweeted this new tool by Maurice Daly (@modaly_it) that does similar things.

The main difference between these two utilities is that Maurice's is more flexible, as it can handle SCCM and/or MDT, and that it organizes the folders by machine and then Dell version for the device. In addition, it will create driver packages for SCCM so that things are very organized.

Interestingly, both scripts are based on the same original PowerShell script, but Maurice didn't know about Keith's script.

Wednesday, January 18, 2017

Best Way to Trace Group Policy Preferences

If you are having issues with your Group Policy Preferences on Windows, you can do the following to assist in your troubleshooting.

1. To enable tracing of Group Policy Preferences, open and edit a Group Policy object. For example, if you are mapping drives with a policy named "Department Mapped Drives", turn on the debug log tracing in this policy.
  • The settings are located under the Computer Configuration\Policies\Administrative Templates\System\Group Policy node 

2. You'll see that Tracing is "off" by default; you'll need to switch that to "on". I also like to switch "event logging" to the "Informational, Warnings and Errors" level, as it gives the maximum information for you to work with.

3. The default location for log files for all current Windows OSes is C:\ProgramData\GroupPolicy\Preference\Trace. It's not in the Microsoft folder that also has the same directory structure.

4. From my experience, you can do a text search for whatever text is in the preference setting. For example, if a printer name is \\server\printerqueuename, search for "printerqueuename" to find approximately where the useful information is (generally some error message that you can Google to get some answers on).

5. Once you are done troubleshooting, don't forget to turn off the logging for Group Policy Preferences.

Friday, January 06, 2017

Symantec 12 Virus Definitions not updating

Problem: Symantec Antivirus on one of the servers I run was not updating its antivirus definitions.

I would be able to install Symantec and then it would be updating antivirus definitions for 2 weeks and it would continue to update the Network Threat Protection definitions past those 2 weeks.

I thought something could have been corrupted or some miscommunication was occurring between the antivirus and the Symantec Endpoint Protection server, so I did a clean wipe (removing all Symantec files). I then reinstalled, thinking my issues were gone.

After about 2 weeks, it started not having the antivirus updates again, so I was then looking around to see if some certificate was messed up. I would try to run the live update but it said it was downloading but then it did not install the Latest Definition.

Solution: I ended up making a support call to Symantec and a friendly support tech helped me; it was solved in about 3 minutes. He went into the C:\ProgramData\Symantec\Symantec Endpoint Protection\CurrentVersion\Data\Definitions\VirusDefs folder and confirmed that the definitions were there. Then we started Task Manager, went to Details and ended the ccsvchst.exe task being run by SYSTEM. We then closed this and went back into Symantec, and it was updated.

Reason: Apparently, the issue was that some update was waiting for a reboot but since this was a server and it was a non-security patch it could wait, I didn't reboot. I'm not sure why the Symantec program didn't say "cannot update due to pending reboot".