Cyber Essential Group Policy Blocking

Introduction

Due to the Cyber Essential certification, a group policy has been created in order to prevent file types from running from certain locations. This can cause existing installed Programs or new installations to be blocked.

Link: – http://www.lboro.ac.uk/it/staff/specialist/security/cyber/

The group policy is now only linked to Staff

Name: – IT-EUC-Win-Nessus-Staff

If software is already installed or new software is required to install, the following messages may pop-up for the end user….

When the blocked message is displayed, it will write a ‘Warning SoftwareRestrictionPolicies’ to the Event Viewer
e.g.
Access to C:\Users\username\AppData\Local\Temp\7zSD349.tmp\setup-stub.exe has been restricted by your Administrator by location with policy rule {5b564272-ae6a-4dc5-8066-cd68438edece} placed on path C:\Users\ccgjh\AppData\Local\Temp\7z*\*.exe.

You can use this message to identify what file is being blocked and by what rule

File: – C:\Users\username\AppData\Local\Temp\7zSD349.tmp\setup-stub.exe
Restriction: – C:\Users\ccgjh\AppData\Local\Temp\7z*\*.exe

Logging a case

If you experience this issue, identify from the message or event viewer which file is being blocked and add to a case and pass to EUC

Files blocked in the downloads folder

When software is downloaded in to the downloads folder, they are blocked from running. This is to ensure the end-user is confident that they have selected to install software they have downloaded from a 3rd party source.

Moving the file from the downloads folder to the desktop or OneDrive will stop that particular restriction. Please not however that if the installation files require to be run from an additional blocked location such as %localAppData% then the file will still be blocked and a case for EUC will have to be raised.

Synaptic drivers on some Windows 7 Laptops

An performance issue has been found in the version of the Synaptics Touchpad driver recently deployed to HP EliteBook 820/840/850 laptops on the Windows 7 Staff Service.

Therefore it is necessary to downgrade the Synaptics Touchpad driver to an earlier version. (This version does not contain the debugging code which prompted the original upgrade.)

Unfortunately, this update requires two reboots: one after the removal of the old drivers and again after the new driver is installed. While this may be annoying to users, it is an unfortunate result of the way Synaptics have written their installer and uninstaller.

This downgrade will occur on Monday 19th February 2018.

For the record, these are our current recommended versions for laptops found at Loughborough University.

Windows 7 Windows 10
HP EliteBook 2170p 17.0.18.25 19.0.19.65
HP EliteBook 2560p 17.0.18.25 19.0.19.65
HP EliteBook 820 G1 17.0.18.25 19.0.19.65
HP EliteBook 820 G2 17.0.18.25 19.0.19.65
HP EliteBook 840 G1 17.0.18.25 19.0.19.65
HP EliteBook 840 G2 17.0.18.25 19.0.19.65
HP EliteBook 8470p 17.0.18.25 19.0.19.65
HP EliteBook 8470w 17.0.18.25 19.0.19.65
HP EliteBook 850 G1 17.0.18.25 19.0.19.65
HP EliteBook 850 G2 17.0.18.25 19.0.19.65
HP EliteBook 8560p 17.0.18.25 19.0.19.63
HP EliteBook 8570p 17.0.18.25 19.0.19.63
HP EliteBook 8570w 17.0.18.25 19.0.19.63
HP EliteBook 8760w 17.0.18.25 19.0.19.63
HP EliteBook Folio 9470m 17.0.18.25 19.0.19.65
HP Folio 13 17.0.18.25 17.0.18.25
HP ProBook 430 G2 19.0.19.65 19.0.19.65
HP ProBook 6460b 17.0.18.25 19.0.19.65
HP ProBook 6470b 17.0.18.25 19.0.19.65
HP SpectreXT Pro 19.3.31.31 19.3.31.31
HP ZBook 15 19.0.19.65 19.0.19.65
HP ZBook 15 G2 19.0.19.65 19.0.19.65
HP ZBook 15 G3 19.0.19.65 19.0.19.65
HP ZBook 17 19.0.19.65 19.0.19.65
HP ZBook 17 G4 19.3.8.22 19.3.8.22
Toshiba Satellite Pro A50-C 19.0.24.9 19.4.3.38
Toshiba Satellite Pro C850 15.3.38.2 15.3.38.2
Toshiba Tecra A50-C 19.0.24.9 19.4.3.38

 

CAN I GET MORE INFORMATION AND HELP?

Please contact our Service Desk at it.services@lboro.ac.uk for more information.

Changes to Windows 10 Task Sequences Friday 16th February

Windows 10 In-Place Upgrades and Re-imaging Task Sequences will be updated during the Task Sequence at risk period. It is therefore recommended that you do not image or in-place upgrade any machines at this time.

We will inform you when the work has been completed.

The changes are as follows:-

  • Include support for Toshiba Portege X20W-D
  • Adding HP Hotkey Support for HP Laptops where it is supported on Windows 10
  • Update Synaptics TouchPad Driver Versions
  • Update Sassafras Client

Timescale:

16/02/18 – 08:00am-09:30am

Removal of default browser and application enforcement on Windows 10 Service

Default Application Changes will no longer Rest

As the majority of PCs on the Windows 10 Service are now running version 1703, we are in a position to remove the Group Policy setting that resets user’s default web browser and other common applications back to the University specified settings on their next login.

This change will allow users to alter the default application for any file type without it being automatically reset. This includes setting the default web browser. This change will not change any of these defaults; if a user wishes to change a default application they will need to do this themselves.

Windows 10 1703 has provided an alternative method of setting application defaults which allows users to make and retain their own preferences.

Please remember that Internet Explorer remains the primary supported browser for Windows services, with Google Chrome provided for websites that do not support or function correctly in IE. Other browsers are installed and used at the user’s own risk.

PCs which are currently running Windows 10 1607 will be upgraded to Windows 10 1703 in the near future.

Timescale: Wednesday 7th February 17:00

CAN I GET MORE INFORMATION AND HELP?

Please contact our Service Desk at it.services@lboro.ac.uk for more information.

Changes to Windows 10 Imaging Task Sequence Friday – 2nd February – Complete

Hi Everyone

This work is now complete. The Window 10 Imaging Task Sequence is now available again. The new Task Sequence is version 1.6.

Regards

Mike

 ——————————————————————————————————————

The Windows 10 Task Sequence will be updated on Friday 2rd February during the Task Sequence at risk period. It is therefore recommended that you do not attempt to carry out any Windows 10 installations or upgrades at this time. (It is likely that SCCM will be unavailable or at risk at this time owing to the upgrade to version 1710)

We will inform you when the work has been completed.

The changes add additional computer models to the task sequence:

  • Intel NUC NUC7i5BNK
  • HP EliteOne 800 G1 All-in-One desktop

Timescale:

02/02/19 – 08:00am-09:30am

CAN I GET MORE INFORMATION AND HELP?

Please contact our Service Desk at mailto:it.services@lboro.ac.uk for more information.