Disabling Google Chrome QUIC protocol with GPO

Google Chrome has this neat protocol called QUIC (Quick UDP Internet Connections, which is another perfect acronym, right up there with MAD – Mutually Assured Destruction). The downside is that it can be very traffic intensive, especially on a busy network. This leaves you with essentially two options: disable the protocol in Chrome or block the application at your firewall. The second option is simple enough, but it can have some unintended consequences, the first being that Google’s websites support QUIC. So if you try to go to google.com, you’ll probably have a bad time. The first option, disabling it, can be a bit tricky, as you’d probably have to manually update each computer to not use it. In a large network this isn’t possible, so we have the next best thing: Group Policy Objects.

QUIC is helping to drain network bandwidth – except it was pulling over 5 Mbps before I captured a screenshot!

Google Chrome GPOs

If you’re not using Chrome’s GPOs, you’re missing out on a lot. If you don’t have them, you can get the templates from here. Once you get the template imported, create a new GPO. You’ll want to go to User Configuration > Policies > Administrative Templates > Classic Administrative Templates > Google > Google Chrome. From here, find the setting “Allows QUIC protocol” and set it to Disabled.

After all or the majority of the computers receive the GPO update, you should begin to see QUIC traffic drop and speeds improve.

Windows 10 – There are currently no power options available

If you’ve run across an issue with some of your Windows 10 PCs (possibly after downloading the Creator’s Update) telling users that there are currently no power options available, you might have been pulling your hair out trying different solutions. You’ve probably come across many threads telling you that there’s either a registry option or you need to modify some user rights in a GPO.

Some users may see “There are currently no power options available” and others may not.

As with all technical fixes, your mileage may vary. The cause for us was actually an easy one. For some reason the Default Domain Controllers Policy gets applied to some of these workstations. The fix is simply disabling the link on the entire domain and leaving the link in place on the OU that holds your domain controller.

Java (and 3rd party software) through WSUS for free

THIS ARTICLE IS OUT OF DATE! THERE IS AN UPDATED VERSION: WSUS PACKAGE PUBLISHER. COMMENTS ARE CLOSED.


Updated: March 28, 2014

Note: This article is over a year old and may not contain relevant information. I do my best to keep things updated, especially because this is a popular post. I am working on a rewrite as I find an alternative to LUP as I am not sure how that software functions in a modern enterprise. In the meantime, please feel free to comment anything that may possibly be out of date and I’ll fix it up as I can! Thank you!

As a network administrator, I hate Java with a burning passion. First, Oracle is slow as frozen molasses to tell Java clients to update, secondly it requires administrator credentials to install, and third it tries to install crapware on our corporate computers (and in some cases, succeeds). If you’re a home user, this blog post won’t be of any use to you as it is aimed towards the corporate environment. If you are a home user, I would suggest disabling Java. Chances are, you don’t need it. In the alternate universe of corporations, we still need it so as much as I would like to not have to use it, it’s not an option.

Managing Java in the Corporate World

This post is going to be very technical. We’re going to be utilizing PKI (Public Key Infrastructure) and WSUS. If you don’t know what these two items are, forward this post onto the person in your company who does.

Things we need: (all links open in new windows/tabs)

  • Java offline installer (32-bit version; the 64-bit version isn’t needed unless your users are using an x64 browser… chances are, they’re not)
  • WSUS 3.0 SP2 (minimum)
  • .NET 4.0
  • Local Update Publisher (LUP) (it’s free and open source). Don’t use LUP! Use WPP instead!
  • Orca (to modify the MSI – Note: Orca is provided as part of the Windows Installer as MS doesn’t provide it separately) OR InstaEd It (I use Orca, so your mileage with InstaEd It may vary)

I’m not going to cover installing WSUS or .NET Framework. If you need help with WSUS, here is a guide. I’ll be covering WSUS at another time.

Install & Configure LUP

In order to publish Java updates, we need software that will actually let us do so. You can install LUP on your technician workstation if you have the WSUS console installed or, as I would recommend, install it on your WSUS server.

The most common issue with LUP is the certificates! If you have a PKI in place, have your PKI administrator issue you a WSUS Code Signing certificate. Otherwise, you can generate a certificate from LUP. I’m going to assume you generate a self-signed certificate from LUP. Export the Certificate to the server desktop (or another folder where you store certificates).

On the WSUS server, go to Start > and in the search box type in mmc and press enter. Go to File > Add/remove snap-in > Select “Certificates” and press OK. Select the computer account. Go to Trusted Root Certification Authorities > Certificates > Right click > All Tasks > Import. Navigate to your cert on your desktop and import it. Go to Trusted Publishers > Certificates > Right Click > All Tasks > Import. Navigate to your desktop and import the same certificate. The certificate must be imported to both locations!

Now, open up your group policy management console. Edit your existing WSUS GPO (this way, all your WSUS settings are together).

Computer Configuration > Policies > Windows Settings > Public Key Policies/Trusted Root Certification Authorities > Import the certificate.

Computer Configuration > Policies > Windows Settings > Public Key Policies/Trusted Publishers > Import the certificate.

Alright, now all of our clients will get the certificates needed. You’ll know if any clients don’t have the certificates installed because any custom updates you push out will fail. All that is needed is to manually import the certificates or just do a gpupdate /force (which is recommended).

Creating our Java Update Package

Now we’re going to create the Java update package to push out to our clients. This part is a little tricky.

WARNING: You do not want multiple versions approved for install on multiple machines at the same time! Always supersede updates!

Modifying the MSI

We need to get the MSI file from the offline installer. Follow these steps to get the files:

  • Download and launch the Windows Offline Installation executable (.exe) file.
  • Navigate to the LocalAppData folder (the user’s Application Data folder). The location of the LocalAppData folder differs for each Windows platform.
      • Windows Vista and Windows 7
        C:\Users\<user>\AppData\LocalLow\Sun\Java\jre1.6.0_05\jre1.6.0_05.msi
      • Windows XP
        C:\Documents and Settings\<user>\Local Settings\Application Data\Sun\Java\jre1.6.0_05\jre1.6.0_05.msi
      • Windows 2000
        C:\Documents and Settings\<user>\Application Data\Sun\Java\jre1.6.0_05\jre1.6.0_05.msi

I like to copy the entire directory to my desktop and modify the MSI there (so you should install Orca on your tech workstation). Right click the MSI and choose “Edit with Orca”

In the “Tables” column in Orca, select “Property” and edit the following values:

Table | Property | Original Value | Proposed Value | Description
Property | JAVAUPDATE | 1 | 0 | All three need to be changed to completely disable Java automatic updates
Property | AUTOUPDATECHECK | 1 | 0 |
Property | JU | 1 | 0 |
Property | IEXPLORER | 0 | 1 | Activates Internet Explorer plugin
Property | MOZILLA | 0 | 1 | Activates Mozilla plugin
Property | SYSTRAY | 1 | 0 | Disables system tray icon when Java applets are active… This is optional.
Property | RebootYesNo | Yes | No | Suppresses the need to reboot
Property | EULA | 0 | 1 | I would set this to 1 otherwise your users might get a prompt to accept the EULA

Do File > Save, and then exit Orca. Copy the folder to your WSUS server (or wherever you have LUP installed).
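Before publishing, the edited MSI can be read back and compared with the table above. This is an added example, not part of the original post: it opens the package read-only through the Windows Installer COM API, and the default path is a hypothetical desktop copy.

```powershell
# Added example: read-only audit of the edited MSI's Property table.
# $MsiPath is a hypothetical location; the expected values come from the table above.
param([string]$MsiPath = "$env:USERPROFILE\Desktop\jre1.6.0_05\jre1.6.0_05.msi")

$expected = [ordered]@{
    JAVAUPDATE  = '0'; AUTOUPDATECHECK = '0'; JU = '0'
    IEXPLORER   = '1'; MOZILLA = '1'; SYSTRAY = '0'
    RebootYesNo = 'No'; EULA = '1'
}

# Objects returned by the Windows Installer COM API carry no type information,
# so their members are called through reflection.
function Invoke-ComMember {
    param($Object, [string]$Name, [System.Reflection.BindingFlags]$Kind, $Arguments)
    $Object.GetType().InvokeMember($Name, $Kind, $null, $Object, $Arguments)
}

function Get-MsiPropertyTable {
    param([Parameter(Mandatory)][string]$Path)
    $installer = New-Object -ComObject WindowsInstaller.Installer
    $db   = Invoke-ComMember $installer 'OpenDatabase' InvokeMethod @($Path, 0)  # 0 = read-only
    $view = Invoke-ComMember $db 'OpenView' InvokeMethod @('SELECT `Property`, `Value` FROM `Property`')
    Invoke-ComMember $view 'Execute' InvokeMethod $null | Out-Null
    $table = @{}
    while ($record = Invoke-ComMember $view 'Fetch' InvokeMethod $null) {
        $name = Invoke-ComMember $record 'StringData' GetProperty @(1)
        $table[$name] = Invoke-ComMember $record 'StringData' GetProperty @(2)
    }
    Invoke-ComMember $view 'Close' InvokeMethod $null | Out-Null
    return $table
}

$actual = Get-MsiPropertyTable -Path (Resolve-Path -LiteralPath $MsiPath).Path
$report = foreach ($name in $expected.Keys) {
    # A property that is absent from this JRE build is reported, not treated as a match.
    $value = if ($actual.ContainsKey($name)) { $actual[$name] } else { '<missing>' }
    [pscustomobject]@{
        Property = $name
        Expected = $expected[$name]
        Actual   = $value
        Ok       = ($value -ceq $expected[$name])
    }
}
$report | Format-Table -AutoSize
if ($report.Ok -contains $false) {
    Write-Warning 'MSI does not match the intended property values; re-check it in Orca before publishing.'
}
```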

Creating the Update Package

Alright, now head into LUP. Connect to your server and go to Tools > Create Update. In the Update File field, browse to where your modified MSI is located. Click on “Add Files” and add the Data1.cab file. Click Next.

Package Type: Application

Package Title: Java 7 Update 13 (Rename this to whatever version of Java you’re pushing out)

Package Description (same thing as the title. You can provide additional info if you’d like)

Vendor: Sun Microsystems, Inc.

Product: Java

And click next (if you’ve already approved a Java update and this one supersedes it, be sure to select the previous update by clicking on “Supersedes”). The package will now be created.

Now approve the update for installation.

Enjoy being able to push 3rd party software through Windows Update!

Errors

If you get this:

Invalid Operation Exception: The package could not be published.
Verification of file signature failed for file:
\\SERVER\UpdateServicesPackages\[PackageID]\[InstallableItem ID].cab

That means there’s an issue with your certificates. TRIPLE CHECK that your certificates are in the correct place!
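The certificate check from the "Install & Configure LUP" steps and from this error can be scripted. This is an added example, not part of the original post or of LUP: it assumes the self-signed case described above, and the .cer path is a hypothetical location for the certificate exported from LUP.

```powershell
# Added example: check that the WSUS signing certificate is in both machine stores.
# $CerPath is a hypothetical path to the certificate exported from LUP.
param([string]$CerPath = "$env:USERPROFILE\Desktop\wsus-signing.cer")

function Test-WsusSigningCertificate {
    param([Parameter(Mandatory)][string]$Path)

    $file = (Resolve-Path -LiteralPath $Path).Path
    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $file
    $now  = Get-Date

    # The article imports the same certificate into both of these LocalMachine
    # stores (by hand on the WSUS server, through the GPO on clients).
    $stores = foreach ($store in 'Root', 'TrustedPublisher') {
        $found = Get-ChildItem -Path "Cert:\LocalMachine\$store" |
                 Where-Object { $_.Thumbprint -eq $cert.Thumbprint }
        [pscustomobject]@{ Store = $store; Present = [bool]$found }
    }

    [pscustomobject]@{
        Subject      = $cert.Subject
        Thumbprint   = $cert.Thumbprint
        # If this is False the certificate came from a PKI, and the Root store
        # holds the issuing CA's root instead of this certificate.
        SelfSigned   = ($cert.Subject -eq $cert.Issuer)
        NotAfter     = $cert.NotAfter
        InDate       = ($now -ge $cert.NotBefore -and $now -le $cert.NotAfter)
        InRoot       = ($stores | Where-Object Store -eq 'Root').Present
        InPublishers = ($stores | Where-Object Store -eq 'TrustedPublisher').Present
    }
}

$result = Test-WsusSigningCertificate -Path $CerPath
$result | Format-List
if (-not ($result.InRoot -and $result.InPublishers -and $result.InDate)) {
    Write-Warning "Signing certificate is missing from a store or out of date on $env:COMPUTERNAME."
}
```

Run it on the WSUS server first, then on a client that fails to install a published update.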

Local Update Publisher Stuff

You can deploy more than just Java through LUP. See the documentation to get started.

Windows: Allow non-admin users to install printers & printer drivers

This is a post that I originally posted on my personal blog. It has some great value so I figured I’d move it over to the cave.

This is a very handy GPO that you can implement on your network to allow non-admin users to manage printers. This is great, especially if your users move around a bit or, like in my company, users have laptops that they take home and can work from home. My users need to be able to install printers and manage them without administrator access. Here’s what you do.

Create a new GPO and call it whatever you’d like. Remember: it’s bad practice to use the “Default Domain Policy”. Apply the following settings:

 

Computer Configuration (Enabled) > Policies > Windows Settings > Security Settings > Local Policies/Security Options > Devices

Policy | Setting
Devices: Prevent users from installing printer drivers | Disabled

Printers

Policy | Setting | Comment
Point and Print Restrictions | Enabled |
    Users can only point and print to these servers: Disabled
    Enter fully qualified server names separated by semicolons
    Users can only point and print to machines in their forest: Disabled
    Security Prompts:
        When installing drivers for a new connection: Do not show warning or elevation prompt
        When updating drivers for an existing connection: Do not show warning or elevation prompt
    This setting only applies to: Windows Vista and later

System/Driver Installation

Policy | Setting | Comment
Allow non-administrators to install drivers for these device setup classes | Enabled |
    Allow users to install device drivers for these classes:
        {4d36e979-e325-11ce-bfc1-08002be10318}
        {4658ee7e-f050-11d1-b6bd-00c04fa372a7}
    To create a list of device classes, click Show. In the Show Contents dialog box, in the Value column, type a GUID that represents a device setup class (for example, {25DBCE51-6C8F-4A72-8A6D-B54C2B4FC835}).

 

This will allow non-admin users to install and manage printers on computers without admin access. Pay close attention to “Allow users to install device drivers for these classes:” as you will need to add these two GUIDs to the GPO. If you have any questions, let me know and I’ll try to assist you the best I can.
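To confirm the GPO has applied, and to inventory which machines have the Point and Print prompts suppressed, the resulting registry values can be read back on a client. This is an added example, not part of the original post. The registry locations are assumptions based on where these policies are commonly documented to write, with Point and Print Restrictions assumed to be set under Computer Configuration.

```powershell
# Added example: read back what the printer GPO above wrote on this computer.
# The registry paths and value names below are assumptions; confirm them
# against the ADMX templates in use before relying on the result.
function Get-RegValue {
    param([string]$Key, [string]$Name)
    (Get-ItemProperty -Path $Key -Name $Name -ErrorAction SilentlyContinue).$Name
}

function Get-PrinterPolicyState {
    $lanman  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Print\Providers\LanMan Print Services\Servers'
    $pnp     = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Printers\PointAndPrint'
    $classes = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\DriverInstall\Restrictions\AllowUserDeviceClasses'
    # The two device setup class GUIDs listed in the GPO above.
    $wanted  = '{4d36e979-e325-11ce-bfc1-08002be10318}', '{4658ee7e-f050-11d1-b6bd-00c04fa372a7}'

    # AllowUserDeviceClasses holds numbered values, one GUID per value.
    $allowed = @()
    if (Test-Path $classes) {
        $key = Get-Item -Path $classes
        $allowed = @($key.GetValueNames() | ForEach-Object { $key.GetValue($_) })
    }

    [pscustomobject]@{
        Computer                 = $env:COMPUTERNAME
        PreventUserDriverInstall = Get-RegValue $lanman 'AddPrinterDrivers'          # 0 = Disabled
        PointAndPrintRestricted  = Get-RegValue $pnp 'Restricted'                    # 1 = policy Enabled
        TrustedServersOnly       = Get-RegValue $pnp 'TrustedServers'                # 0 = any server
        InForestOnly             = Get-RegValue $pnp 'InForest'                      # 0 = any forest
        NoPromptOnInstall        = Get-RegValue $pnp 'NoWarningNoElevationOnInstall' # 1 = no prompt
        UpdatePromptSettings     = Get-RegValue $pnp 'UpdatePromptSettings'          # 2 = no prompt
        PrinterClassesAllowed    = -not ($wanted | Where-Object { $allowed -notcontains $_ })
    }
}

$state = Get-PrinterPolicyState
$state | Format-List

# The GPO as described in the article corresponds to these values.
$applied = $state.PreventUserDriverInstall -eq 0 -and
           $state.NoPromptOnInstall -eq 1 -and
           $state.UpdatePromptSettings -eq 2 -and
           $state.PrinterClassesAllowed
if (-not $applied) {
    Write-Warning "Printer GPO settings are not fully applied on $env:COMPUTERNAME; run gpupdate /force and check GPO scope."
}
```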

Partial credit to Chad_Anderson over on the TechNet forums. [ SOURCE ]