It's once again PCI time here at my workplace. While implementing the whitelisting strategy for Windows Apps I described in a previous post, we discovered that while a default state of "Disallowed" blocks things like Notepad from running when you click them in the Start menu, you can still open them either from the Run dialog, or by double-clicking the .exe directly. This is obviously not acceptable from a PCI/whitelisting standpoint, so we had to find some combination of the new Software Restriction Policy (SRP) method and the old User Configuration GPO method to block everything not on the whitelist.
So, we started with our old GPO-based whitelist, and applied the SRP settings on top. To our surprise, when we logged out and back in, we found that while the SRP was blocking apps correctly, it was behaving as if the User GPO was not there at all! Why would this be, when both are turned on at the same time? Does the Computer-level GPO override the User-level GPO?
On a hunch, I tried it the other way around: I started with the SRP settings, then added the User-level GPO on top. This time, it worked! Apps are blocked by the SRP, and .exes are blocked by the User-level GPO.
Why does this happen? These are local GPOs, so the normal Local-Site-Domain-OU precedence rules do not apply as such in this situation. I have not found any documentation describing the order of evaluation/precedence for local GPOs, but it looks like local GPOs are evaluated in the order you create them.
At least in this case. I can't speak for all combinations of GPOs, but if one order doesn't work for you, it may be worth it to try it another way around to see if that makes the precedences line up to do what you want.
Thursday, November 7, 2019
Friday, November 1, 2019
Don't forget the simple stuff: HP multi-function printer automatic document feeder malfunction
This morning, a user reported that their HP LaserJet Pro MFP M277fdn would not scan from the automatic document feeder (ADF) on the top of the scanner. This is the tray that you load paper into for sequential copying or scanning. They reported that when they inserted a piece of paper, the screen displayed a message reading "Document loaded", but then when they went to scan it, the printer instructed them to load the document feeder. So, it appeared that the printer both knew and did not know that paper was inserted.
After verifying that this was true, I started down the troubleshooting ladder. I restarted the printer (no change), hard restarted it by shutting down, removing the power cable, and holding the power button (worked once, but then refused to scan the second time), and cleaned within the top door of the ADF (no change). From here, my mind jumped to software or configuration corruption, so I performed a factory reset of the printer. (This led to the discovery that we have no documentation on how this printer was set up, other than phone pictures I took, which provided us with an opportunity to rekindle our tribal knowledge on the subject.) Alas, after everything was set back up, this too was met with no success.
In the smalltalk that the user and I shared while I was working on the problem, she happened to mention that she was somewhat unhappy with the printer anyways, as the scanner platen often gets dirty. It was then that I realized there was one place I didn't clean: the AFD scanning window on the platen. This area is shown in the picture below, taken from HP's support forum.
I had glanced at this area before, and seen a small line of dirt on the window, but thought nothing of it in this instance; usually, if that area is dirty, you'll get bad print quality, but it has never before interfered with scanning. However, since I was running out of ideas, I decided to go ahead and clean that window, and to my surprise, that appears to have fixed the issue.
Why did that help? The scanner clearly knows it has paper loaded, thanks to the microswitch in the AFD that displays the "Document loaded' message, and yet when it comes time to scan, it thought it was empty. I surmise that there must be some optical sensor mechanism (maybe the scanning head itself?) that checks for the presence of paper in the AFD scanning window, regardless of the microswitch status. Thus, when it tried to check for paper, the dirt on the window prevented it from detecting it, and so the printer was confused.
Whatever the cause, this is a good reminder not to forget to check all of the simple stuff first before going to the hard stuff, even if there's not a large chance that it's causing the problem - because it might just be it.
Subscribe to:
Posts (Atom)