I’ve got myself a Surface Pro X, based on the ARM edition of Windows 10, and thought I’d share the solution to a problem that I suppose more people will encounter. After configuring my Surface Pro X for Azure AD join and Intune I soon hit two major problems.
OneDrive not starting at all, leaving a crash reference in Event Viewer with reference to PayloadRestrictions.dll.
The Office 365 ProPlus applications work until the device is restarted, then they refuse to start. To get them going again I had to do a repair, and then they started working again. At least until the next restart.
Finding root cause
The Event Viewer Application log shows that OneDrive crashed with reference to PayloadRestrictions.dll whenever it tried to start.
PayloadRestrictions.dll has been around for quite some time as a component of EMET (Enhanced Mitigation Experience Toolkit) which is nowadays integrated as the security feature Exploit Guard in Windows 10. With that as a first clue and some interaction with Robin Engström the troubleshooting process continued!
Knowing that Exploit Guard and its mitigations seemed to be in play, I looked at the Security-Mitigation > Operational log in Event Viewer, which showed that OneDrive was blocked due to ROP exploit indications:
Process 'C:\Users\<username>\AppData\Local\Microsoft\OneDrive\OneDrive.exe' (PID 12020) was blocked from calling the API 'LdrLoadDll' due to return-oriented programming (ROP) exploit indications.
So then the hunt for where the configuration was coming from started, and as the device is of course Intune enrolled, that’s where I started looking!
It rather quickly turned out to be caused by a Microsoft Defender ATP security baseline in Intune that was applied to my user account.
To be more explicit, the Exploit Guard settings clearly state that OneDrive.exe is protected against a number of exploits, including ROP!
The solution to both problems described in the Problems section is to adjust the Exploit Guard XML file to exclude OneDrive.exe and also the other Office applications to make the Office applications work as expected.
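One way to make that adjustment, as an added example that is not the XML or script from the original post: it loads an Exploit Guard policy, reports which applications have the ROP payload checks enabled, removes the listed executables and saves the result under a new name. The sample policy is constructed, and `WINWORD.EXE` and the output file name are assumptions for illustration.

```powershell
# Constructed sample shaped like an exported Exploit Guard policy file.
# For a real export: [xml]$policy = Get-Content -Raw .\Settings.xml
[xml]$policy = @'
<MitigationPolicy>
  <AppConfig Executable="OneDrive.exe">
    <DEP Enable="true" EmulateAtlThunks="false" />
    <Payload EnableRopStackPivot="true" EnableRopCallerCheck="true" EnableRopSimExec="true" />
  </AppConfig>
  <AppConfig Executable="WINWORD.EXE">
    <Payload EnableRopStackPivot="true" EnableRopCallerCheck="true" EnableRopSimExec="false" />
  </AppConfig>
  <AppConfig Executable="notepad.exe">
    <DEP Enable="true" EmulateAtlThunks="false" />
  </AppConfig>
</MitigationPolicy>
'@

# Executables to take out of the policy (WINWORD.EXE is an assumed example name).
$exclude  = 'OneDrive.exe', 'WINWORD.EXE'
$ropFlags = 'EnableRopStackPivot', 'EnableRopCallerCheck', 'EnableRopSimExec'

$report = foreach ($app in @($policy.MitigationPolicy.AppConfig)) {
    $payload = $app.SelectSingleNode('Payload')
    # ROP checks that are switched on for this executable
    $enabled = @($ropFlags | Where-Object {
        $null -ne $payload -and $payload.GetAttribute($_) -eq 'true'
    })
    $remove = $exclude -contains $app.Executable   # -contains is case-insensitive
    if ($remove) { [void]$app.ParentNode.RemoveChild($app) }
    [pscustomobject]@{
        Executable = $app.Executable
        RopChecks  = $enabled -join ', '
        Removed    = $remove
    }
}
$report | Format-Table -AutoSize

# Save under a new name so the original export stays available for rollback.
$out = Join-Path ([System.IO.Path]::GetTempPath()) 'ExploitGuard-adjusted.xml'
$policy.Save($out)
"Adjusted policy written to $out"
```

Once the adjusted policy has been deployed, `Get-ProcessMitigation -Name OneDrive.exe` on the device shows what is still configured for that executable.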
I'm Andreas Stenhall and my work passion is Windows 10 in combination with Enterprise Mobility. I do consulting, I produce and teach my own courses, I lecture and I present, and my formal work title is senior workplace architect at Coligo in Stockholm, Sweden. I'm also proud to have been a Microsoft MVP since 2009. I have presented at TechEd in the US and Europe and regional TechDays. Follow me on twitter @AndreasStenhall. Phone +46707894758.