More Group IT Tales

Rogue PC

I was looking at my asset form and I saw that I had 3 devices assigned to me, 1 laptop and 2 PCs. I only own 1 laptop and 1 PC, so what is this rogue PC? Has it been assigned to me incorrectly? Is it a security risk? Could it be on the network in my name and used by a hacker?

I logged an urgent ticket with our IT department, telling them I do not recognise the device. The device name didn’t seem correct since I could not remote onto it with the usual domain name.

The response I got back from them was:

as per above details this seems to be in working.

if this is not your system, please let us know for decommissioning?

What sort of question is that? If it isn’t my computer and is someone else’s, why am I in charge of deciding whether to disable it or not? Shouldn’t we work out if one of our employees owns this? Could it be that a malicious person has managed to get a PC on the network and assign it to an employee? This could be a major security threat.

Turns out it was my PC, just that the same PC had been entered twice under completely different “Computer Names”. The Head of IT saw my ticket and the response I got and intervened. Surely it should have been easy to see who was signed in. The original technician should have seen I was logged in, and told me more info about the device like the IP address, Make/Model etc so I could confirm.
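One way a technician could have answered the question, as an added example that is not from the original post or from Group IT: match asset records on hardware identifiers that survive a rename, rather than on the computer name. The field names, the serial and MAC values, and the sample inventory are all constructed assumptions.

```python
from collections import defaultdict

# Constructed inventory: three records assigned to one user, as in the story.
INVENTORY = [
    {"name": "LAPTOP-0412", "serial": "5CG1234ABC",
     "mac": "A4:5E:60:11:22:33", "assigned_to": "alice"},
    {"name": "DEV-PC-0198", "serial": "czc9876xyz ",
     "mac": "00-1B-21-AA-BB-CC", "assigned_to": "alice"},
    {"name": "WKS-OFFICE-77", "serial": "CZC9876XYZ",
     "mac": "00:1b:21:aa:bb:cc", "assigned_to": "alice"},
]


def hardware_keys(record):
    """Normalised identifiers that stay the same when a machine is renamed."""
    keys = set()
    serial = (record.get("serial") or "").strip().upper()
    if serial:
        keys.add(("serial", serial))
    mac = "".join(c for c in (record.get("mac") or "") if c.isalnum()).upper()
    if len(mac) == 12:
        keys.add(("mac", mac))
    return keys


def group_by_hardware(records):
    """Union records that share any hardware key; return lists of indexes."""
    parent = list(range(len(records)))

    def find(i):
        while parent[i] != i:
            parent[i] = parent[parent[i]]  # path compression
            i = parent[i]
        return i

    first_seen = {}
    for i, rec in enumerate(records):
        for key in hardware_keys(rec):
            if key in first_seen:
                parent[find(i)] = find(first_seen[key])
            else:
                first_seen[key] = i
    groups = defaultdict(list)
    for i in range(len(records)):
        groups[find(i)].append(i)
    return sorted(groups.values())


def triage(records):
    """Classify each physical machine: ok, duplicate entry, or unverified."""
    findings = []
    for idxs in group_by_hardware(records):
        names = [records[i]["name"] for i in idxs]
        if len(idxs) > 1:
            findings.append(("duplicate", names))   # one machine, many names
        elif not hardware_keys(records[idxs[0]]):
            findings.append(("unverified", names))  # nothing to match on
        else:
            findings.append(("ok", names))
    return findings


if __name__ == "__main__":
    for status, names in triage(INVENTORY):
        print(status, names)
```

A record that lands in "unverified" has no hardware identity to match on, so it needs locating and checking before anyone decides to decommission it.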

Can’t Update

Recently, they made a change to remove admin access which is a problem when it comes to installing some software; but that’s their main intention. However, we often get told to update software when there are security updates, but we cannot because we aren’t admin users anymore. It’s a frustrating situation having Group IT on your back telling you to update your software but you cannot because they took admin access away. They should have made sure they can do it remotely before taking your access.

I had switched projects and needed to install some extra software as well as update the couple of Visual Studio versions I have so I logged a ticket.

Sometimes I find that you can install software and then later on realise you needed to install optional components so it was frustrating logging the ticket to do the initial install, knowing I probably need to log another ticket next week.

After speaking to other colleagues, they said they had some kind of admin access override and I needed to request that. All overrides are audited so they can see what you are doing.

I don’t understand how they can say we “can’t have admin access” then it turns out most people in the department do, but it’s inconsistently implemented.

Out of Tune with InTune

As you may have seen in my recent Post, Group IT are now beginning the rollout of InTune Hybrid-Join across our computer estate. This is to ensure we have a consistent view of the security compliance status of our computers. Connecting them all to InTune allows us to benchmark our compliance to determine what work (if any) is needed to improve it.

A week later…

Following on from the below I can confirm that your device has already been successfully Hybrid-Joined into InTune.
This is likely due to your presence at a site where the policy has pulled through from the corporate network or regular use of the VPN in your day-to-day.
No further action is required on your part.

Couple of days later..

Hello!
Further to the below I can confirm that your device has been successfully imported into InTune.
Apologies in advance if this is repeat information but no further action is required on your part.
Many thanks!

Couple of days later..

Hello!
Following on from the below it looks like your device still hasn’t been imported into InTune.
If you have already followed the below instruction and had it fail, please sit tight – further instructions will follow. You do not need to reply.
If you are still to action the below, please do so ASAP.
Many thanks!

It really sounds like they have no idea if you have been added to the system or not. I think I was added straight away, but I never visited an office like they claimed.

Group IT Windows Update Script

Last year, there was a major Windows Update and Group IT stated it was a big project to update all the employees in the company (around 1500), but they had a script that can run automatically if we left our laptops on out-of-hours and would run at 7pm.

So I left it on, and so no update. Next day, same thing. Next day, same thing.

They posted an update to say what a success the rollout had been so far; 200 computers have been updated. That seems really low to me (13.3% in a month). They then declared there were some known failures but they haven’t bothered looking at why they are happening but they will continue to run the script and won’t contact affected people either. Everyone has to keep leaving their laptops on at 7pm each night.

A few people said they noticed it had failed due to low disk space and I thought that is a great point. If it’s a 5GB update, then they should state people need to ensure there is free space. As it turned out, it seemed like it downloaded 5GB or so, then was copied into a different file format, then installed. So you ended up needing around 15GB, and had to clear the 10GB of files after.

CE+ certification

Quick heads up: we’re making some important changes to boost the security of our systems and get us closer to achieving CE+ certification. Starting tomorrow at 10:00am BST, we’re going to be removing some old .NET software from your computer. 

These are versions that have reached end-of-life and are either critical or high vulnerabilities as reported by Nessus. If you’re using Visual Studio and encounter any issues after the removal, please follow this guide in order to repair your VS installations:  https://learn.microsoft.com/en-us/visualstudio/install/repair-visual-studio?view=vs-2022

 If you notice any other software reliant on .NET has stopped working, please log a ticket with the Group IT Service Desk. Thanks for your understanding and cooperation on this matter.

We have a few products that we make that rely on the older .NET Frameworks. I love how they assume our products are supported and give us 1 day’s notice. Surely they know exactly what they are removing; they’re so unspecific too: “some old .NET software”. Is it to do with: .NET Framework, Visual Studio, SQL Server?

On the same day, I got added to a chat where they were discussing how upgrading Docker Desktop has broken a tool used by our products. It’s the classic case of just assuming we can update/change things without asking the experts involved.

Anyway, later that day:

Our apologies for the promptness of the previous email, we have made a decision to postpone the scheduled removal of .NET. The decision comes after careful consideration and listening to your valuable feedback and concerns regarding the removal. We understand the importance of providing you with appropriate time to consider the impact this would have on the software you use. The postponement will also afford you the opportunity to inform us of any software currently utilising end-of-life .NET versions, allowing us to address and raise these concerns with Security where applicable. We will be sending out another email next week with comprehensive details on the specific .NET versions that are set to be removed. For now, I can tell you these will be SDK, ASP.NET and CORE versions of .NET and not Framework. Thank you for your understanding and cooperation on this. Should you have any immediate questions or concerns, please do not hesitate to reach out.

Wallpaper

Years ago, we were allowed to change our desktop backgrounds. Some people chose cool artwork and others left it as the default Windows. One day, Group IT decided to change it to our company logo. Many people were outraged by it but I wasn’t bothered. I suppose Matt made a good point here though:

Please can you explain the best practice behind the wallpaper? Unless you do not work all day, you have programs over the top of the wallpaper, so on the rare moment you have to look at your wallpaper: why would we need the company logo? All this is doing is reducing company morale. I would have understood if you had locked down the lock screen image.

I think a sensible rationale is when we worked in the office and could have visitors from other companies. It is more professional. Now we are at home, it is less important.

MFA Policy change – effective today

Good afternoon, as per the Group IT update at the beginning of the month, today we have implemented a planned change which sets all accounts to prompt for MFA each day when accessing Microsoft 365 services. This is in line with many other products and helps improve our overall security.
Some people will have noticed (or may notice as the day progresses) they have been forced to sign out of Outlook or Teams - and may need to restart those (or other) applications to continue.
Existing meetings do not appear to be affected - users will be asked to sign in again once their current meeting ends.

Next week:

Good morning everyone,
As you will know on Thursday we implemented a change to improve our security. Please read the following information carefully to understand what happened as a result, what has happened since, and what to do if you are adversely affected.
The change had the unforeseen side-effect of requiring people to re-authenticate at the point of implementation - between 10 and 10.30 on Thursday. This also meant there would be a requirement to repeat that process each day at the same time.
Users of Apple Mac laptops may have found themselves signed out of Teams when this happened, even if a meeting was in progress - For Windows Teams users this should not have been the case.
Over the weekend, the policy has been reset, it was re-implemented at 6pm yesterday. We updated the policy setting, to prompt every 23 hours rather than every day.
This means that the following should now be the case:
This morning you should have been asked to re-enter your MFA token
You should not be asked to do this again for another 23 hours
Which should therefore mean - for most - the next time you should be asked to enter your M365 MFA token is when you next sign in for work.

There is an added annoyance on the company phones as it requires your 16 character MS password prior to reauthenticating using the MFA code

I'm having to password and MFA on Outlook and Teams on my company mobile separately.
Is this the way now?

Signing into Teams each day appears to take a lot longer than signing into other apps. The ‘One moment…’ dialog is on my screen for around half a minute and it takes another minute or two for Teams to fully load all new messages into it.

Wondering if it’s the same for others, is it expected to take this long?

Annoyed colleague, stating how these apps aren’t even designed for repeated sign-ins

Then a week later, it was fully reverted: 

A further update to the MFA policy

On Saturday, the MFA policy was updated again. The frequency with which you should be prompted has been extended to 30 days.
This means, that anyone who authenticated prior to Saturday at 6pm, should not be prompted for 30 days from that date and time.
Anyone who authenticated this morning should not be prompted for 30 days from that time.
We hope this provides an effective balance of security and functionality.

I think Azure DevOps always asked us to sign in daily, but after this new change to make things more secure, it was changed to 30 days. So it was actually less secure and was probably unintentionally changed as a blanket policy.

Conclusion

I think these stories illustrate a point that you need to consult with the experts and understand the impact of your changes before declaring them. Having to revert policies that obviously would have a negative impact just makes the team look foolish. You also need a good balance between people being able to do their work effectively, and keeping systems safe and secure.

Spam Emails

Many years ago there was a period of a few months where we used to get a certain style of spam email daily.

Although it seemed to get to our email inbox (so got past any spam filter we had), they often didn’t seem to have any suspicious link or obvious element of scam.

After a few months, Group IT managed to successfully filter them out. 

Here are a couple of examples I still had in my Inbox.

Title: Benjamin Cory Elementary School billboard.

Segesta became a marked enemy of Sicilian Greeks, and Selinus attacked and defeated Segesta in 411 BC. This source mentioned of Majapahit expansions has marked the greatest extent of Majapahit empire.
Although the weather was good, the jet was operating under simulated blackout conditions. Listen to local ABC Radio for emergency updates.
Tallinn and 6 km near Mao. Routes 20A and 246.
UFOs had an objective physical reality, let alone to confirm their origins or motives. HeM as HoM and HeW. The town has a population of 1,193.

Title: Caulker playing for Swansea.

Helen Carter on bass guitar and Stephen Philip on guitar. He went on to set records for distance swimming into the 1920s.
Destiny Mission to Mars. He was later reprimanded by the Secretary of the Navy for verbally abusing a fellow officer who testified in the matter.
Connecticut, although they were on the rebound by that point, in part due to state regulations to protect them. Barry Reder, The Obligation of a Director of a Delaware Corporation to Act as an Auctioneer, 44 Bus.
Aviation, both are now stored. Windsor was an important British stronghold. His books have been translated into a number of languages.

We did occasionally get ones with links but targeting a group mailbox didn’t make much sense in context: 

hello controlledrollout!
I remember you asked me how I lost weight so quickly?
answer is here

New Laptop

I was quite excited to receive my new work laptop given that my current laptop is old, has a low resolution display, and has been running really slow recently (mainly due to the increasing amount of “security software” mandated by IT).

After being told I was in the next group to receive mine, I was asked if I would be in to be able to take the delivery. So I responded that I would be in all week since I was working Mon-Fri.

I received an email mid-Friday saying it had been dispatched next day delivery, but I planned to be out Saturday. Despite staying in to receive it, it never arrived. On Monday, I checked the tracking number and had a status update of “Partially Dispatched” then “Complete“; whatever that means. On a different page, it said it was “Out For Delivery”, but showed the expected delivery date as “tomorrow”. Soon there was a knock on the door, and there it was. So the status pages weren’t helpful at all.

So I turned it on and tried to add my account to it. However I saw a message saying the feature wasn’t supported.

A member of IT contacted me and said I should receive my laptop today. A bit late. He was on call to help me set it up which was nice. I asked if there was anything special to do because it wouldn’t let me log in. He sends me a PDF of instructions. Why wasn’t this sent to me before the laptop arrived? Why did I have to request it after attempting to set it up myself?

Regardless, I had selected the correct options so told him the step it was failing on. He suggested maybe I didn’t have an internet connection. So I enabled aeroplane mode and got an error about not having a connection, so it wasn’t that.

I messaged someone that I knew had the same new laptop. He said a team member had just received theirs too and it was supposed to have some kind of initial setup on it where it would have a Device Name. The first thing it asks when I turn it on is to set a device name so it hasn’t been set up. It was also supposed to have an Asset Sticker on it, but mine was a brand new, sealed laptop with no sticker on it.

It sounds like IT put an order in via a third party who are supposed to order the laptops, configure them, put a sticker on them, then ship them out. So they had 1 job, and didn’t do it.

So I told IT and they said they could configure something on their end which they did. As usual though, despite their process installing some default apps like Office, nothing else was configured so I had to install SQL Server and Visual Studio, and configure loads of options to set everything up. It’s such a time-consuming and error-prone process. Why can’t we just have a standard “Image” that gives us the majority of what we need?

A few days later, my Asset Number sticker arrived in the post. A large padded envelope inside another larger padded envelope. For 2 stickers. There were also 2 sheets of A4 paper, which were the invoice; it didn’t need to go to 2 pages but it was badly formatted. Then they put in a couple of adverts for their services. What an absolute waste.

Recently, we promote “green” ideas, talking about reducing carbon emissions and being energy efficient etc. We also seem to want to reduce costs where possible. Then they do stuff like this. Even though it’s a third party that has caused the problem, it is still part of their business process isn’t it?

IT Tales

Here is a collection of a few fails by our IT Department.

PC shutdown & Usage Monitoring

Even though we work from home, we still have some PCs in our office that we remote onto. There are certain systems that only seem to work when on the physical network so people often call this a “jump box”. Our IT was planning on temporarily moving our PCs whilst some electric work was being done in the office. I was invited into a Teams chat which was supposed to be for everyone affected. After skimming the list, I spotted 3 people that were missing, and other colleagues spotted others. 9 people were missing in total! How do they not know who owns the PCs? They have been citing “increased security” in recent times. Surely a security risk if they don’t know who uses PCs on the network.

More recently, I was contacted again via email asking “if you use this PC”. Again, why do they need to ask if we use them? Isn’t that a security concern if not? Surely they know, especially when they have installed extra network security tools recently. I thought they had said software monitors network traffic and alerts for anything suspicious.

Upgrading Software

I was contacted by IT saying my SQL Server version was no longer supported by Microsoft, so I need to urgently upgrade it by the end of the week due to being considered insecure. They said if I want an installer, please reply. I thought it would be easy enough locating the installer, but it seems Microsoft’s SQL Server pages are very confusing. So I replied asking for the installer. They ignore me. I reply again, they ignore me. Months have gone by. So not that urgent then.

IT then announced that they are taking increased security measures and are removing all admin rights from our PCs. Now we can only install software with their permission. They also said it makes sure we can’t install unlicensed software, since it is easy for someone to install software that is free for personal use, but is paid software for commercial use, and then the business can be liable.

A week later, they then email us saying there is a known security vulnerability with our Visual Studio version so we need to update it. We can’t though, we need admin rights to keep our software updated and secure! So now we have to log tickets, then they remote on and type in the admin password to proceed. I bet they love that.

In a similar fashion, they are more fussy with USB devices. They sent one of my colleagues a new laptop but it rejects his smart-card reader which he needs for testing. Can’t be plugging in USB devices these days.

Saving Money

They also said they wanted to be more stringent when it comes to licence keys, as we seem notorious for purchasing more licence keys than we need, then we might stop using software then still pay. I was contacted in early July 2022, saying that I have had a Jira licence for the last year but have not been using it:

We currently purchase a licence for you to access Jira. We understand a lot of the users will have now migrated to Azure DevOps and as such, your access may no longer be required.

May I kindly ask you to respond to this email by 12pm Friday 8th July confirming whether or not you continue to require access?

IT Email

So I reply saying I wasn’t using it and I don’t think I have used it for 2 years. I then got contacted again in February 2023 saying the same thing. I confirm that I don’t need it. I then got contacted earlier this month asking me again. So I’ve had a licence for 3 years now for a product I don’t use at all.

Windows 11 Upgrade

At the end of May, our IT department began upgrading everyone to Windows 11. Around a month and a half later, in mid-July, they announced that the upgrade had been a success, and managers were congratulating them on a good job.

40% of clients have had a Windows 11 attempt.

IT Manager

40% seems very low. The thing is, if you actually think about their phrasing, they say “attempt” so it wasn’t necessarily successful. I’d like to know why 60% of computers didn’t even attempt to upgrade.

For me, it failed twice. After the first failure, I asked how much space was required because I was sure I had at least 10GB, and I was notified of the failure when Windows popped up an alert saying I was completely out of disk space.

“About 10GB should do it (this has been confirmed in the testing phase).”

IT Manager

So it is confirmed but they aren’t sure on the exact amount of space we need.

I cleared out 20GB for it, and it still wasn’t enough. Unless it failed for some other reason. I started browsing through my hard drive and found a secret folder. There was an ISO file for the upgrade which was 5.2GB but then there was also an extracted version of another 5.2GB. So the temporary files they are using are 10.4GB but yet they claim you only need “around 10GB”. No, you need 10.4GB for the installer, and another X amount to actually install it, but maybe 20GB wasn’t even enough. 🤷‍♂️

There was also a file with an interesting name “RunOnce_Do_NOT_Run.bat”. I wonder what that means. Was the file created with the contradictory name? Or did someone run it once, then rename it? 🤔

Over 2 months later, they instructed people to trigger the upgrade again. This time I had 40GB free and it upgraded fine. If it did fail again, only then would IT investigate what the problem was. Surely loads of failures are just down to low disk space, but their script never checked before attempting, nor did they publicly confirm how much space we even needed.

Absolute shambles.
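The disk-space check the upgrade script lacked, as an added example that is not Group IT's script: it walks the download, extract and install stages described here and in the earlier Windows Update Script story, and names the stage that would run out of space. The two 5.2GB figures come from the post; the install footprint and the reserve are assumed values.

```python
import shutil

MB = 10 ** 6
GB = 10 ** 9

# (stage name, change in disk use). The two 5.2 GB figures are the ISO and its
# extracted copy reported in the post. INSTALL_BYTES is an assumed value for
# illustration only; the post never establishes the real figure.
INSTALL_BYTES = 20 * GB
STAGES = [
    ("download ISO", 5200 * MB),
    ("extract ISO", 5200 * MB),
    ("install", INSTALL_BYTES),
    ("clean up temporary files", -2 * 5200 * MB),
]


def preflight(stages, free_bytes, reserve_bytes=2 * GB):
    """Simulate the stages against the free space and find the first failure.

    reserve_bytes (assumed) is headroom kept free so the OS stays usable.
    """
    used = peak = 0
    fails_at = None
    for name, delta in stages:
        used += delta
        peak = max(peak, used)
        if fails_at is None and used + reserve_bytes > free_bytes:
            fails_at = name
    needed = peak + reserve_bytes
    return {
        "ok": fails_at is None,
        "needed_bytes": needed,
        "fails_at": fails_at,
        "shortfall_bytes": max(0, needed - free_bytes),
    }


def explain(result):
    """Message to show the user or log centrally instead of a silent failure."""
    if result["ok"]:
        return "OK: enough free space for every stage"
    return ("BLOCKED: would run out of space during '%s'; free another %.1f GB "
            "(%.1f GB needed in total)" % (
                result["fails_at"],
                result["shortfall_bytes"] / GB,
                result["needed_bytes"] / GB))


def check_drive(path="."):
    """Run the preflight against the real free space of the drive holding path."""
    return preflight(STAGES, shutil.disk_usage(path).free)


if __name__ == "__main__":
    for free_gb in (10, 20, 40):  # free-space figures mentioned in the post
        print(free_gb, "GB free ->", explain(preflight(STAGES, free_gb * GB)))
```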

Laptop Heat

We recently had a heatwave in the UK, and I think this was even experienced throughout the world. Even before that, the laptop battery of one of my team members bulged up due to excessive heat, which he noticed due to the raised keyboard. He ended up getting a brand new company laptop.

During the heatwave, another team member went into the office where it would be nice and cool, but I guess there’s a good chance it happened in transit (in his hot car) – he also noticed the raised keyboard, and so quickly disconnected the battery before it had a chance to explode.

“My new laptop is flipping awesome. I’m so happy we had this heatwave”

Colleague

I assume our IT department must have got many requests for new laptops, and then they sent out this very debatable advice.

"Your laptop may be struggling because it has to work harder to keep itself cool. Here are some tips to help get the best performance from the laptop until things cool down.
  1. Move to the coolest part of your home, or work in one of our air-conditioned offices. 
  2. Run updates and give your computer a reboot 
  3. Limit the apps running to those you need 
  4. In Microsoft Teams, turn off incoming video (this allows you to share your camera but reduce the impact on your laptop’s display)”

So for point number 1, my first team member works in his conservatory. I normally associate conservatories with being cold but we often compare temperatures and his room is usually 6-8 degrees Celsius warmer than my living room where I work. We are in those rooms because it’s the only space we have available for a desk and monitors. It’s not exactly easy to just “Move to the coolest part of your home”. I suppose you could try working on your laptop with no external monitors, but the advice should be just “to take the day off”. They also say to come into the office, but then the second colleague’s laptop battery presumably broke on the way there.

Point number 2: other than the rare circumstance that software is causing extra work for the processor (and they have fixed the issue in a new software update), running software updates probably isn’t going to make a difference. Maybe the update process will cause your laptop to run hotter whilst downloading/installing. Or what if the new update has a bug that causes extra processor issues?

Point number 3: That’s just good advice in general isn’t it? Don’t load up loads of programs when you don’t want them.

Point number 4: I found this a bit weird. If everyone turned off incoming feeds, then no one is watching the video feeds. Why not just say “do not use your webcams”?

Even Valve and Nintendo were putting out advice for their Steam Deck, and Switch. Those small devices just aren’t good in the heat.