Configuration Manager Unavailable – 19/12/2018 AM

The RAID Controller battery in sccm-lu1-store has failed and needs replacing. This server contains all the source files for software, images, software updates etc. At present this is causing slower write speeds from the software source location to the Distribution Points.
We advise not imaging or downloading applications from the Software Centre during this time.

If the time scales change or we encounter any problems after testing then a further correspondence will be sent out.

Timescale: – 19/12/2018 11:00am 13:00pm approx.

CAN I GET MORE INFORMATION AND HELP?

Please contact our Service Desk at it.services@lboro.ac.uk for more information.

Nessus Scan Security Changes

A security scan was run against the W10 staff service and some vulnerabilities were dentified.

Timescale:

The changes are being applied via Group Policy in the following order…

1. 03/12/18 – IT-Depstaff
2. 05/12/18 – FM-Deptstaff
3. 10/12/18 – ProServ Staff
4. 12/12/18 – WS-SchoolStaff
5. Live to Windows 10 Service

Changes

The Nessus scan has identified several registry entries that need to be created or changed on the Staff Service.

1. Need to Disable Week Cyphers – https://littlehyenas.wordpress.com/2014/04/12/disable-rc4-cipher-suites-on-remote-desktop/
HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 3.0\Client – Enable 0
HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 3.0\Server – Enable 0
HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC4 128/128 – Enable 0

2. Fix CVE-2017-8529 – An information disclosure vulnerability exists when affected Microsoft scripting engines do not properly handle objects in memory. The vulnerability could allow an attacker to detect specific files on the user’s computer. In a web-based attack scenario, an attacker could host a website that is used to attempt to exploit the vulnerability.
HKLM\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_ENABLE_PRINT_INFO_DISCLOSURE_FIX\iexplorer – 1
HKLM\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_ENABLE_PRINT_INFO_DISCLOSURE_FIX\iexplorer – 1

3. MS KB2960358: Update for Disabling RC4 in .NET TLS
HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\SchUseStrongCrypto – 1
HKLM\SOFTWARE\WOW6432Node\Microsoft\.NETFramework\v2.0.50727 – 1

4. MSIs can not run from the Downloads folder and need moving to another location to install if trusted.

November 2018 Task Sequence Media

The new November 2018 Task Sequence media has been created and can be found in the following location: –
\\ws2.lboro.ac.uk\DesktopResource\Windows\TaskSequenceMedia\ TS_Media_Nov18.zip

Documentation – “\\ws2.lboro.ac.uk\DesktopResource\Windows\TaskSequenceMedia\Create an SCCM WinPE disk or USB Flash Drive.docx”

Existing USB media will have to be updated. PXE imaging will work as normal.

CAN I GET MORE INFORMATION AND HELP?

Please contact our Service Desk at it.services@lboro.ac.uk for more information.

The Configuration Manager HP Server Firmware needs to be security patched

The Configuration Manager HP Server Firmware needs to be security patched in order to resolve a Critical vulnerability.

The Configuration Manager service will be unavailable during this time whilst the servers are updated. During this time you will be unable to reimage, carry out an in-place upgrade or provision. Software updates will not be deployed and you will not be able to install any software from the Software Centre.

You will be notified when service is resumed.

Time: – 20/07/2018

Updating Windows 10 Images

Windows 10 In-Place Upgrades and Re-imaging Task Sequences will be updated during the Task Sequence at risk period. It is therefore recommended that you do not image or in-place upgrade any machines at this time.

The Microsoft May 2018 Operating Software Updates will be added to the W10 images. This is to ensure that images are secure at the time of installing Windows 10 either via the IPU or reimaging process.

We will inform you when the work has been completed.

TIMESCALE – 17/05/18 – 08:00am-12:30pm

Configuration Manager Software Centre Fix

An error was identified when opening up the Configuration Manager Software Centre…

‘Software Centre can not be loaded. There is a problem loading the required components for Software Centre’

This error resulted in the user being unable to install any software or run the Windows 10 In-Place upgrade Task Sequence. The original workaround was to add the PC to a Legacy software centre collection.

We have now identified what the issue is and the fix is deployed via a group policy so there is no user impact.

The Advanced Configuration Manager Software Centre will then become available, once the fix is applied.

Timescale:

19/03/18. – The GPO containing the fix will be deployed to the Desktops and Laptops that have already exhibited the issue.

22/03/18 – The GPO will be applied to the Staff Windows 7 and Win Service in order to prevent further issues.

Cyber Essential Group Policy Blocking

Introduction

Due to the Cyber Essential certification, a group policy has been created in order to prevent file types from running from certain locations. This can cause existing installed Programs or new installations to be blocked.

Link: – http://www.lboro.ac.uk/it/staff/specialist/security/cyber/

The group policy is now only linked to Staff

Name: – IT-EUC-Win-Nessus-Staff

If software is already installed or new software is required to install, the following messages may pop-up for the end user….

When the blocked message is displayed, it will write a ‘Warning SoftwareRestrictionPolicies’ to the Event Viewer
e.g.
Access to C:\Users\username\AppData\Local\Temp\7zSD349.tmp\setup-stub.exe has been restricted by your Administrator by location with policy rule {5b564272-ae6a-4dc5-8066-cd68438edece} placed on path C:\Users\ccgjh\AppData\Local\Temp\7z*\*.exe.

You can use this message to identify what file is being blocked and by what rule

File: – C:\Users\username\AppData\Local\Temp\7zSD349.tmp\setup-stub.exe
Restriction: – C:\Users\ccgjh\AppData\Local\Temp\7z*\*.exe

Logging a case

If you experience this issue, identify from the message or event viewer which file is being blocked and add to a case and pass to EUC

Files blocked in the downloads folder

When software is downloaded in to the downloads folder, they are blocked from running. This is to ensure the end-user is confident that they have selected to install software they have downloaded from a 3rd party source.

Moving the file from the downloads folder to the desktop or OneDrive will stop that particular restriction. Please not however that if the installation files require to be run from an additional blocked location such as %localAppData% then the file will still be blocked and a case for EUC will have to be raised.

Upgrade Configuration Manager Current Branch to 1710

Reminder of Configuration Manager Upgrade to 1710 on 01/2 Februray 2018 inclusive.

Configuration Manager will be unavailable due to an upgrade to version 1710. This upgrade is to resolve current issues and add additional functionality.

During this time, you will not be able to provision, reimage or upgrade PCs. You may not be able to install software from the Software Centre or receive new software or patches.

After the upgrade the service will need to be tested and then you will have to re-create any Task Sequence media. I will send out a further correspondence once the upgrade has been successful.

Configuration Manager at risk due to new power switchover panel in Holywell Park

The Holywell Pod will be powered down to install a new power switchover panel.
Configuration Manager has built in resilience in Haslegrave so the service will be available as normal but consider the service at risk during this time.
Further correspondence will be sent out as required.
Timescale:

Time – 14/12/17 – 08:00am-16:00pm