Tag: OneDrive

Fixing OneDrive and Office 365 ProPlus problems on Surface Pro X when MDATP security baselines are applied

I’ve got a myself s Surface Pro X, based on Windows 10 ARM-edition, and thought I’d share the solution to a problem that I suppose more will encounter. After configuring my Surface Pro X for Azure AD join and Intune I soon hit two major problems.

Problem description

  1. OneDrive not starting at all, leaving a crash reference in Event Viewer with reference to PayloadRestrictions.dll.
  2. The Office 365 ProPlus applications works until the device is restarted, then they refuse to start. To get them going again I had to do a repair and then they started working again. At least until the next restart.

Troubleshooting and finding root cause

The Event Viewer Application log show that OneDrive crashed with reference to PayloadRestrictions.dll whenever trying to start it.

Faulting application name: OneDrive.exe, version: 19.232.1124.5, time stamp: 0xc2fada7d
Faulting module name: PayloadRestrictions.dll, version: 10.0.18362.1, time stamp: 0x77901827
Exception code: 0xc0000409
Fault offset: 0x0006e6bd
Faulting process id: 0x2ef4
Faulting application start time: 0x01d5e8bd4968fce4
Faulting application path: C:\Users\<username>\AppData\Local\Microsoft\OneDrive\OneDrive.exe
Faulting module path: C:\WINDOWS\SYSTEM32\PayloadRestrictions.dll

PayloadRestrictions.dll has been around for quite some time as a component of EMET (Enhanced Mitigation Experience Toolkit) which is nowadays integrated as the security feature Exploit Guard in Windows 10. With that as a first clue and some interaction with Robin Engström the troubleshooting process continued!

Knowing that Exploit Guard is in play and mitigations seemed to be in play, looking at the Event Viewer log Security-Mitigation > Operational log showed that OneDrive was blocked due to ROP exploit indications:

Process 'C:\Users\<username>\AppData\Local\Microsoft\OneDrive\OneDrive.exe' (PID 12020) was blocked from calling the API 'LdrLoadDll' due to return-oriented programming (ROP) exploit indications.

So then the hunt for where the configuration was coming from started and as the device is of course Intune enrolled that’s were I started looking!

It rather quickly turned out to be caused by a Microsoft Defender ATP security baseline in Intune that was applied to my user account.

To be more explicit the Exploit Guard settings clearly state that OneDrive.exe is protected for a number of exploits, including ROP!

Resolution

The solution to both problems described in the Problems section is to adjust the Exploit Guard XML file to exclude OneDrive.exe and also the other Office applications to make the Office applications work as expected.

Use “attrib” to pin and unpin files and folders for OneDrive On-demand sync in Windows 10

Starting with Windows 10 Fall Creators Update Microsoft has revamped the OneDrive client and is now offering On-Demand synchronization of files. For those of you that remember we had the similar behavior in Windows 8.1 but this was changed for Windows 10.

There is a huge difference though in how OneDrive On-demand sync works in comparison to how it has been working in Windows 8 and 10 previously. OneDrive is now not just a part of the shell in Windows, it has integration with file system drivers from the kernel. This basically means that we do not face any compatibility issues with applications working with files in OneDrive as there is native Win32 support for accessing files in OneDrive.

So, with OneDrive On-Demand sync you have three states of the files (more about OneDrive On-Demand sync at the Windows blog). The Icons below marks that the files are downloaded and located on the machine.

Now, let’s look in the good old command prompt using the dir command to see the status of the above files. Nothing special with this, right?

But hey, the command attrib has been updated to adhere to the new features of OneDrive On-demand sync.

To pin a file (i.e. make it always available offline) use the command:

attrib +p -u Document2.docx

To unpin a file (i.e. make it available only in the cloud) use the command:

attrib -p +u Document1.docx

So, the end result in Windows File Explorer is as below. The cloud icon indicate that the file is only available in the cloud. The green circle with checkmark indicates that the file is always available offline.

Followed by this view in dir, i.e. note the parenthesis around the file which is available online only.

Pinning and unpinning multiple files and folders

To pin or unpin multiple files or folders, use the /s switch. To make all files and folders available recursively:

attrib +p -u /s

and to make all files and folders available in the cloud only:

attrib -p +u /s

Summary

To summarize with this new approach and the introduction of OneDrive On-demand sync you will have full application compatibility with OneDrive as well as the possibilities to aid users in controlling their OneDrive files state, or do inventory on it.