I know there is no love for QuickBooks here. In case you do have to support it, it seems that KB4073701 causes it to crash with the error " A problem caused the program to stop working correctly. Windows will close the program and notify you if a solution is available.

Event Viewer shows:

Faulting application name: qbw32.exe, version: 26.0.4013.2607, time stamp: 0x5a2ff09e
Faulting module name: Features.dll, version: 26.0.4013.2607, time stamp: 0x5a2ffd98
Exception code: 0xc0000005
Fault offset: 0x00363bb5
Faulting process id: 0x16b4
Faulting application start time: 0x01d3abdc3a2c3af9  

Uninstalling KB4073701 allows QuickBooks to run. This only seems to be an issue on Windows 7 64 bit machines. Windows 10 doesn't have this patch.

Big red hooks on the back of the AV cart that seem to say "hang the cord here instead of rolling the cart away before unplugging it."

I just took some computers from no AD to AD. The USMT even grabbed their wall paper. The commands were:

scanstate.exe c:\USMT /uel:30 /i:migapp.xml /i:migdocs.xml /localonly /ui:"sarah"
loadstate.exe c:\USMT /i:miguser.xml /i:migapp.xml /MU:"sarah":"ad.domain.com\ssmith"

You would be doing the reverse of that, but the /MU switch is the one that changes the account type. One that that I noticed is that it seemed to be scanning the entire hard drive looking for docs placed outside the user folders. Since it was going right back down to the same machine, I didn't need that, since it took extra time. If anyone knows what is needed to avoid that, please share.

@spiral I have one client where I set that up, but only for things that want to run out of appdata. It's still a pain.

The phone is a Polycom UC VVX410 in case anyone else is having this issue.

@bigbear yes, the Polycom has a side car and has a 50 BLF limit. It was the issue of going from 48 to 50. Changing the MTU down to 1472 seemed to fix it. Thanks for the commands so I could find out what that limit was.

So I did this test:

C:\>ping -f -l 1473 208.73.144.1

Pinging 208.73.144.1 with 1473 bytes of data:
Packet needs to be fragmented but DF set.
Packet needs to be fragmented but DF set.
Packet needs to be fragmented but DF set.
Packet needs to be fragmented but DF set.

Ping statistics for 208.73.144.1:
    Packets: Sent = 4, Received = 0, Lost = 4 (100% loss),

C:\>ping -f -l 1472 208.73.144.1

Pinging 208.73.144.1 with 1472 bytes of data:
Reply from 208.73.144.1: bytes=1472 time=79ms TTL=244
Reply from 208.73.144.1: bytes=1472 time=79ms TTL=244
Reply from 208.73.144.1: bytes=1472 time=79ms TTL=244
Reply from 208.73.144.1: bytes=1472 time=79ms TTL=244

Ping statistics for 208.73.144.1:
    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 79ms, Maximum = 79ms, Average = 79ms

Then I set the MTU on the SonicWall down to 1472 since that was the largest that worked. When I test now, it's 28 bits lower. Is that to be expected, or is something wrong? Should the BLF thing be resolved?

C:\>ping -f 208.73.144.1 -l 1444

Pinging 208.73.144.1 with 1444 bytes of data:
Reply from 208.73.144.1: bytes=1444 time=79ms TTL=244
Reply from 208.73.144.1: bytes=1444 time=79ms TTL=244
Reply from 208.73.144.1: bytes=1444 time=79ms TTL=244
Reply from 208.73.144.1: bytes=1444 time=79ms TTL=244

Ping statistics for 208.73.144.1:
    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 79ms, Maximum = 79ms, Average = 79ms

C:\>ping -f 208.73.144.1 -l 1445

Pinging 208.73.144.1 with 1445 bytes of data:
Packet needs to be fragmented but DF set.
Packet needs to be fragmented but DF set.
Packet needs to be fragmented but DF set.
Packet needs to be fragmented but DF set.

Ping statistics for 208.73.144.1:
    Packets: Sent = 4, Received = 0, Lost = 4 (100% loss),

@dbeato said in MTU size > 1500:

In other words they want you to reduce the MTU to 1480 instead of 1500.

https://support.olafe.com/hc/en-us/articles/217846408-Limitations-on-Monitored-Lines

I think you hit a bingo with that one. That make sense.

@jaredbusch I'm confused about it. The one snippet from Broadcom is talking about UDP and then Nextiva sent me a link on how to change the MTU. So to be clear MTU has nothing to do with UDP payload size? Does it make sense to have to change UDP payload size?

I ended up pushing Third Wall http://www.third-wall.com/ out to the computers because it does a bunch of that stuff and is integrated in to ConnectWise. I already had to have connectwise running on those boxes to pull logs and send alerts so it made sense. The other thing that Third Wall did was give me a report for the auditors.

Sorry I was out on a job that took all day.

The issue is that the customer has a Polycom phone that has a side car. They once they go beyond 48 BLFs, all the BLFs stop working.

Broadcom says:

The recommended solution is to configure the firewalls and/or NAT routers at customer
premises to handle fragmented UDP packets correctly. These firewall and NAT routers
must be configured to support the maximum UDP payload size of 65507 bytes and to
allow at least 45 fragmented packets per packet.
As an example, the Cisco firewalls need to be configured to increase the allowed
fragments per packet to 45 from the default 24 (The maximum supported fragments is
8500 in the case of Cisco firewalls).

They then sent me a link to this article that tells how to make the change on a SonicWall:
https://www.sonicwall.com/en-us/support/knowledge-base/170504812146650

It didn't make sense to me so I didn't make the change they suggested and posted it here in case I was wrong about the whole thing.

I have a VoIP provider that wants me to set the MTU size on the outbound interface of my firewall to 65507. What are the ramifications if I go beyond 1500? I understand their VoIP system may be able to handle fragmented UDP packets, but does that create the potential to mess anything else up?

It's not DNS
There's no way it's DNS
It was DNS

Can't find the original source of that gem.

@DustinB3403 thanks, forgot to put AV on the list. I also forgot that Third Wall does a bunch of things I didn't list:

local admin account renamed, disallowed Microsoft accounts, disabled Windows 10 keylogger, disabled exe from running in %appdata%, disabled office macros from internet, randsomware monitor, and alert on excessive logon failures.

Came across this requirement in an audit:

Establish, implement, and actively manage (track, report on, correct) the security configuration of laptops, servers, and workstations using a rigorous configuration management and change control process in order to prevent attackers from exploiting vulnerable services and settings.
Do your workstations use a secure build? Have they been hardened to reduce their vulnerability to attacks prior to use? Provide documentation related to procedures or guidelines/checklists used as a baseline secure build configuration.

I'm thinking it's patched up to date, firewall is on, there are no extra services running, user is not admin, and UAC is on. What else has anyone done to "harden" them?

When it comes right down to it, I think those of us that know what we know have to talk to young people facing that decision and show them an alternative to what the college institution is going to show them. We have to tell the student to look at the decision like an investment and justify the decision that way.

Encourage them to read books like Rich Dad, Poor Dad and think about investments instead of just listening to the mantra that if you go to college you'll earn more money.

@tim_g I don't think one or the other is a good predictor of an outcome. It just shows there isn't a strong correlation.

I might do an EdgeSwitch too. Only because most restaurants I've been to want to give their customers free wifi. Seems to me with PCI compliance, you'd want them on their own VLAN. You could go with the ER PoE that has multiple points if it's just a couple of APs and vLAN them there and have every wired device on an unmanaged switch that plugs in to the ER, but what about juke box guy that needs a wired connection? Or the DVR? Those things tend to pop up in restaurants, and if you can VLAN them from your PoS machines, you might better off.

To add to @JaredBusch 's post, for the clients where I'm not imaging the machines, after the clean install, I have a USB key with a script that runs that installs my remote control agent and then I just fire off a script with a chocolatey script that installs Acrobat, Chrome, etc. You can automate things so it's not a huge time suck.

My go to now is the HP EliteDesk 800 Micro. You can monitor mount it or tuck it away. The HP EliteDesk 800 small form factor is some times less depending on what smart buys are running.