While recently undertaking some Operating system and Microsoft office upgrades, upon completion we began to encounter issues with some of the applications and the .net framework.
The Issue
What was being reported is as follows, when users would try and open an office application such as Outlook, Word or Excel. The application would begin to load with the generic splash box, and a few moments after it would crash.
After an unsuccessful attempt to load the applications, i did some digging around through the application event logs and came across the following entry.
What we can see here is that the .Net framework version 2.0 is causing the applications to crash.
As with all office applications, Microsoft has done a good job in trying to make these applications stable, and given that i was not able to find many others who are encountering the same issue, it was quickly obvious that this is something specifically related to other applications that we are using.
Through some investigation and troubleshooting, i was able to determine that this application crash was happening as a byproduct of having the .NET Framework 3.5(includes .NET 2.0 and 3.0) installed and the Microsoft Azure Information Protection application installed. Either disabling the .NET Framework or disabling the AIP Plugin would cause this issue to stop occuring.
However, disabling either of these was not an option. The organisation relies on having the AIP plugin installed and available for users, and disabling the .NET Framework would result in other applications not being able to run.
The Solution
1. Open the Office app with the issue in safe mode.
2. Open a PowerShell window as administrator.
3. Run the command in PowerShell:
Set-ProcessMitigation -Name “” -Disable EnableExportAddressFilterPlus, EnableExportAddressFilter, EnableImportAddressFilter
should be like this: C:\Program Files (x86)\Microsoft Office\root\Office16\excel.exe, and you need to run the command above for each office application.
4. Then enable the AIP add-in and restart the app.
After restarting the apps – if the above has rectified the issue then great. The next step is to restart the computer and see if the fix above has “stuck” or not. In many cases, the issue will re-occur, if this is the case then it points to a policy that is re-applying the settings that we have disabled using the powershell commands.
In most cases, this is an Intune exploit guard configuration xml that needs amending. In most cases, this will be configured by a security baseline in Intune.
- Open Intune and navigate to security baselines > Properties > Exploit guard and see if you have an xml file in there.
- Copy and past the xml into an easy to read text editor such as Notepad++ and find the settings that the powershell commands above are disabling. You will want to disable them in the xml.
If you are unsure about how to edit your xml feel free to copy paste the one below however it is important that you know what you are doing here.
<?xml version="1.0" encoding="UTF-8"?><MitigationPolicy><AppConfig Executable="ONEDRIVE.EXE"><DEP Enable="true" EmulateAtlThunks="false" /><ASLR Enable="true" ForceRelocateImages="true" /><ImageLoad BlockRemoteImageLoads="true" /><Payload EnableExportAddressFilter="false" EnableExportAddressFilterPlus="false" EnableImportAddressFilter="false" EnableRopStackPivot="true" EnableRopCallerCheck="true" EnableRopSimExec="true" /></AppConfig><AppConfig Executable="firefox.exe"><DEP Enable="true" EmulateAtlThunks="false" /><ASLR ForceRelocateImages="true" RequireInfo="false" BottomUp="true" HighEntropy="false" /></AppConfig><AppConfig Executable="fltldr.exe"><DEP Enable="true" EmulateAtlThunks="false" /><ImageLoad BlockRemoteImageLoads="true" /><ChildProcess DisallowChildProcessCreation="true" /><Payload EnableExportAddressFilter="false" EnableExportAddressFilterPlus="false" EnableImportAddressFilter="false" EnableRopStackPivot="true" EnableRopCallerCheck="true" EnableRopSimExec="true" /></AppConfig><AppConfig Executable="GROOVE.EXE"><DEP Enable="true" EmulateAtlThunks="false" /><ASLR Enable="true" ForceRelocateImages="true" /><ImageLoad BlockRemoteImageLoads="true" /><Payload EnableExportAddressFilter="false" EnableExportAddressFilterPlus="false" EnableImportAddressFilter="false" EnableRopStackPivot="true" EnableRopCallerCheck="true" EnableRopSimExec="true" /><ChildProcess DisallowChildProcessCreation="false" /></AppConfig><AppConfig Executable="Acrobat.exe"><DEP Enable="true" EmulateAtlThunks="false" /><ASLR ForceRelocateImages="true" RequireInfo="false" BottomUp="true" HighEntropy="false" /><Payload EnableExportAddressFilter="false" EnableExportAddressFilterPlus="false" EnableImportAddressFilter="false" EnableRopStackPivot="true" EnableRopCallerCheck="true" EnableRopSimExec="true" /></AppConfig><AppConfig Executable="AcroRd32.exe"><DEP Enable="true" EmulateAtlThunks="false" /><ASLR ForceRelocateImages="true" RequireInfo="false" BottomUp="true" HighEntropy="false" /><Payload EnableExportAddressFilter="false" EnableExportAddressFilterPlus="false" EnableImportAddressFilter="false" EnableRopStackPivot="true" EnableRopCallerCheck="true" EnableRopSimExec="true" /></AppConfig><AppConfig Executable="chrome.exe"><DEP Enable="true" EmulateAtlThunks="false" /></AppConfig><AppConfig Executable="EXCEL.EXE"><DEP Enable="true" EmulateAtlThunks="false" /><ASLR Enable="true" ForceRelocateImages="true" /><Payload EnableExportAddressFilter="false" EnableExportAddressFilterPlus="false" EnableImportAddressFilter="false" EnableRopStackPivot="true" EnableRopCallerCheck="true" EnableRopSimExec="true" /></AppConfig><AppConfig Executable="iexplore.exe"><DEP Enable="true" EmulateAtlThunks="false" /><ASLR ForceRelocateImages="true" RequireInfo="false" BottomUp="true" HighEntropy="false" /><Payload EnableExportAddressFilter="false" EnableExportAddressFilterPlus="false" EnableImportAddressFilter="false" EnableRopStackPivot="true" EnableRopCallerCheck="true" EnableRopSimExec="true" /></AppConfig><AppConfig Executable="INFOPATH.EXE"><DEP Enable="true" EmulateAtlThunks="false" /><ASLR Enable="true" ForceRelocateImages="true" /><Payload EnableExportAddressFilter="false" EnableExportAddressFilterPlus="false" EnableImportAddressFilter="false" EnableRopStackPivot="true" EnableRopCallerCheck="true" EnableRopSimExec="true" /></AppConfig><AppConfig Executable="java.exe"><DEP Enable="true" EmulateAtlThunks="false" /><Payload EnableExportAddressFilter="false" EnableExportAddressFilterPlus="false" EnableImportAddressFilter="false" EnableRopStackPivot="true" EnableRopCallerCheck="true" EnableRopSimExec="true" /></AppConfig><AppConfig Executable="javaw.exe"><DEP Enable="true" EmulateAtlThunks="false" /><Payload EnableExportAddressFilter="false" EnableExportAddressFilterPlus="false" EnableImportAddressFilter="false" EnableRopStackPivot="true" EnableRopCallerCheck="true" EnableRopSimExec="true" /></AppConfig><AppConfig Executable="javaws.exe"><DEP Enable="true" EmulateAtlThunks="false" /><Payload EnableExportAddressFilter="false" EnableExportAddressFilterPlus="false" EnableImportAddressFilter="false" EnableRopStackPivot="true" EnableRopCallerCheck="true" EnableRopSimExec="true" /></AppConfig><AppConfig Executable="LYNC.EXE"><DEP Enable="true" EmulateAtlThunks="false" /><ASLR Enable="true" ForceRelocateImages="true" /><Payload EnableExportAddressFilter="false" EnableExportAddressFilterPlus="false" EnableImportAddressFilter="false" EnableRopStackPivot="true" EnableRopCallerCheck="true" EnableRopSimExec="true" /></AppConfig><AppConfig Executable="MSACCESS.EXE"><DEP Enable="true" EmulateAtlThunks="false" /><ASLR Enable="true" ForceRelocateImages="true" /><Payload EnableExportAddressFilter="false" EnableExportAddressFilterPlus="false" EnableImportAddressFilter="false" EnableRopStackPivot="true" EnableRopCallerCheck="true" EnableRopSimExec="true" /></AppConfig><AppConfig Executable="MSPUB.EXE"><DEP Enable="true" EmulateAtlThunks="false" /><ASLR Enable="true" ForceRelocateImages="true" /><Payload EnableExportAddressFilter="false" EnableExportAddressFilterPlus="false" EnableImportAddressFilter="false" EnableRopStackPivot="true" EnableRopCallerCheck="true" EnableRopSimExec="true" /></AppConfig><AppConfig Executable="OIS.EXE"><DEP Enable="true" EmulateAtlThunks="false" /><Payload EnableExportAddressFilter="false" EnableExportAddressFilterPlus="false" EnableImportAddressFilter="false" EnableRopStackPivot="true" EnableRopCallerCheck="true" EnableRopSimExec="true" /></AppConfig><AppConfig Executable="OUTLOOK.EXE"><DEP Enable="true" EmulateAtlThunks="false" /><ASLR Enable="true" ForceRelocateImages="true" /><Payload EnableExportAddressFilter="false" EnableExportAddressFilterPlus="false" EnableImportAddressFilter="false" EnableRopStackPivot="true" EnableRopCallerCheck="true" EnableRopSimExec="true" /></AppConfig><AppConfig Executable="plugin-container.exe"><DEP Enable="true" EmulateAtlThunks="false" /><Payload EnableExportAddressFilter="false" EnableExportAddressFilterPlus="false" EnableImportAddressFilter="false" EnableRopStackPivot="true" EnableRopCallerCheck="true" EnableRopSimExec="true" /></AppConfig><AppConfig Executable="POWERPNT.EXE"><DEP Enable="true" EmulateAtlThunks="false" /><ASLR Enable="true" ForceRelocateImages="true" /><Payload EnableExportAddressFilter="false" EnableExportAddressFilterPlus="false" EnableImportAddressFilter="false" EnableRopStackPivot="true" EnableRopCallerCheck="true" EnableRopSimExec="true" /></AppConfig><AppConfig Executable="PPTVIEW.EXE"><DEP Enable="true" EmulateAtlThunks="false" /><ASLR Enable="true" ForceRelocateImages="true" /><Payload EnableExportAddressFilter="false" EnableExportAddressFilterPlus="false" EnableImportAddressFilter="false" EnableRopStackPivot="true" EnableRopCallerCheck="true" EnableRopSimExec="true" /></AppConfig><AppConfig Executable="VISIO.EXE"><DEP Enable="true" EmulateAtlThunks="false" /><ASLR Enable="true" ForceRelocateImages="true" /><Payload EnableExportAddressFilter="false" EnableExportAddressFilterPlus="false" EnableImportAddressFilter="false" EnableRopStackPivot="true" EnableRopCallerCheck="true" EnableRopSimExec="true" /></AppConfig><AppConfig Executable="VPREVIEW.EXE"><DEP Enable="true" EmulateAtlThunks="false" /><ASLR Enable="true" ForceRelocateImages="true" /><Payload EnableExportAddressFilter="false" EnableExportAddressFilterPlus="false" EnableImportAddressFilter="false" EnableRopStackPivot="true" EnableRopCallerCheck="true" EnableRopSimExec="true" /></AppConfig><AppConfig Executable="WINWORD.EXE"><DEP Enable="true" EmulateAtlThunks="false" /><ASLR Enable="true" ForceRelocateImages="true" /><Payload EnableExportAddressFilter="false" EnableExportAddressFilterPlus="false" EnableImportAddressFilter="false" EnableRopStackPivot="true" EnableRopCallerCheck="true" EnableRopSimExec="true" /></AppConfig><AppConfig Executable="wmplayer.exe"><DEP Enable="true" EmulateAtlThunks="false" /><Payload EnableExportAddressFilter="false" EnableExportAddressFilterPlus="false" EnableImportAddressFilter="false" EnableRopStackPivot="true" EnableRopCallerCheck="true" EnableRopSimExec="true" /></AppConfig><AppConfig Executable="wordpad.exe"><DEP Enable="true" EmulateAtlThunks="false" /><Payload EnableExportAddressFilter="false" EnableExportAddressFilterPlus="false" EnableImportAddressFilter="false" EnableRopStackPivot="true" EnableRopCallerCheck="true" EnableRopSimExec="true" /></AppConfig></MitigationPolicy>
- Once that is done, perform testing again – hopefully your issue is gone.
The below information has unfortunately been deemed to not fix the issue. Although it helps the programs run more stable – they do still crash
The solution then, was to force the applications that are crashing, to use a certain .NET Framework. This can be accomplished by navigating to the source file location that contains the application exe and creating what is called an exe.config file where you can specify parameters for an application.
These are the steps to complete this.
- Navigate to the source file location. In my scenario i have two applications that i need to complete this for. Outlook and Microsoft AIP.
- AIP – C:\Program Files (x86)\Microsoft Azure Information Protection
- Outlook – C:\Program Files\Microsoft Office\root\Office16
- In each of these locations you need to create a txt file in the format of
applicationname.exe.config, in my scenario they are;- Outlook.exe.config
- MSIP.viewer.exe.config
- For each of the files, you will want to enter the below code, modifying the .net framework version required to suit your needs.
<?xml version="1.0" encoding="utf-8"?> <configuration> <startup> <supportedRuntime version="v4.0"/> </startup> <runtime> <AppContextSwitchOverrides value="Switch.System.IO.UseLegacyPathHandling=false;Switch.System.IO.BlockLongPaths=false;Switch.System.Windows.DoNotScaleForDpiChanges=false"/> </runtime> </configuration>
Once complete, perform a restart(although not always necessary) and test the applications again, they should load fine and without crashing.
I hope that this post can prove useful.
Thank you for reading.
Omar,
Thank you so much! We started experiencing this issue on the 21st of February and have spent hours on the phone with Microsoft. It’s a bit early to say for sure, but your recommended fix is looking promising!
Much appreciated,
John
I take it back, still having the issue 🙁
Hey John, you’re right, Unfortunately the fix in this post appears to stabilise the application however not resolve the issue as it still crashes. Try the below, it should resolve it for you.
1. Open the Office app with the issue in safe mode.” -Disable EnableExportAddressFilterPlus, EnableExportAddressFilter, EnableImportAddressFilter
2. Open a PowerShell window as administrator.
3. Run the command in PowerShell:
Set-ProcessMitigation -Name “
4. Then enable the AIP add-in and restart the app.
We are also seeing this while we are starting to test Intune. The problem is the same, where Office applications will crash suddenly and produce an app event log 1023 referencing .net 2.0. (happens most when opening specific meeting invites in Outlook)
When the machine is managed by intune, the problem occurs, and when intune management is removed, the problem goes away. I have confirmed the above solution to set process mitigation does work, but it is clearly an issue that Microsoft needs to address. We will have hundreds of machines managed by Intune. Test machines are Win 10 1903 and 1909 with latest updates. Please post if you hear anything about a more permanent fix. I will (reluctantly) open a ticket with Microsoft.
Eric, I suspect you are using Exploit Protection from either a configuration profile or by rolling out a ATP Secuirty Baseline (version 1) via Intune. We are also seeing this issue but only on machines that have NetFX3 enabled which goes along with the blog post. For us its the Teams plugin that crashes when staff try and open invites that have teams details in or calendar events in Outlook. I am currently reviewing the configuration in Intune as the ATP baseline is now at Version 3 and it removes the ability to manage to manage the Exploit Protection XML. I also have a case open with MS to see what they say about this.
@james – thank you! I’m willing to bet our outlook invites had Teams meetings in them when they were crashing. However, we’ve also seen other things crash, like an excel file that has an external data source. Something interesting we found was that we were able to (mostly) resolve the issue on Intune devices by installing Microsoft Azure Information Protection application. This is exactly the opposite of what is recommended in the above article. I say mostly though, because we have seen Outlook crash a few times on launch with the same .NET error, but it does get rid of the crashing when opening the documents or meeting invites. I’m anxious to hear what Microsoft has to say to you. Let me know if I can help by opening another ticket, or pressing them for information about your ticket #.
@Eric – Outlook crashing on startup I find is due to the first item in the Inbox being an invite with a Teams meeting attached. Way around that I have for our staff is to start outlook using “c:\Program Files\Microsoft Office\root\Office16\outlook.exe /safe” you can then accept the invite and delete it before restarting outlook normally. You mention you have found by deploying the AIP app it has fixed this issue for you did you deploy this as a Win32 App or another method? We are planning on using AIP but not quite ready for it.
We also have a ticket open with MS and waiting on a reply. IF and when we get an answer, i will be sure to share it here.
I have now opened a ticket with MS as well. We just installed it standalone AIP as a test (also not ready for it). Although it fixed the Teams crashing issue, it caused random crashing of Outlook on startup (not linked to Teams). I figured out that the powershell above in this article does fix the problem temporarily, but seems to reset after a reboot. I run it again, and things work again. I hope between our tickets we make progress with MS.
Hey Eric, Josh.
If after a pc reset you need to enter the powershell commands again then it’s indicating that these settings are being set somewhere else. In my case it was from an intune exploit guard configuration xml that needed these settings adjusted.
I hope you get further with Microsoft than I did. The below was there response to me after I pressed them for a permanent fix.
“We have talked with the corresponding product group regarding this issue, and the feedback from them is that they currently do not have plan to investigate the root cause in a short term, because this issue is more complicated then what we have expected, and three products (Office, AIP, .Net) are involved. They may fix this issue in the future, but there is no ETA for that.”
Good luck!
Curious to see how things fair for you, gents. We’re running into this on several machines as well.
Even though others here have open tickets with Microsoft, an Intune tech told me they had not heard of this problem. I was able to resolve the issue myself from the information posted here. Under Intune security baselines, there is a bunch of XML under “Exploit Guard.” For each office application, the XML references “address filter” properties. I changed the 3 address filter properties to “false”, just like the powershell commands above were doing temporarily to the machine, and the apps no longer crash. Microsoft supposedly was going to escalate to the development team for further research, as the apps should not be crashing with these properties enabled.
Here’s an example of one app’s modified XML in Exploit Guard:
Correct, as per an earlier comment – the powershell commands do identify the issue, However, just like any other policy, if after a restart the issue re-occurs its due to a policy that is re-applying the settings.
Happy that you got it sorted!
Hi gyus.
Absolutely the same issue for us.
More than 80 machines with Intune Security Baseline assigned and AIP Client crash Outlook.
Other behaivor sometime – Outlook can start up to 30 minutes if AIP add-in enabled.
Once I disable add-in – Outlook works perfect.
The bad thing here that I can’t reproduce the same on my test Virtual Machine. Only real users machines are affected, Not sure where is the difference.
Omar and Eric, great find and fix for us as well. We’re running under GCC-High, and when we turned on AIP ( installed the AIP classic client) on our local machines, all OFFICE apps stopped functioning. I used Eric’s recommendation from Omar’s original post to edit the Intune MDM Security Baseline>Exploit Guard xml. Copied it into notepad, performed global edits on the three settings Omar mentions from “true” to “false”, uploaded back to the MDM policy, Synch’ed my machine (Intune>Devices) and rebooted for good measure as a vestige of Outlook was still hung open). Everything for AIP now works, no crashes, no complaints in the event log.
Thanks a ton!
I just wanted to stop by and say that this is currently happening for us as well. Thank you for all the comments and attempts.