anyweb

Introduction I'm writing this post to catalog problems I recently faced while doing Windows Autopilot installations, we use a very slim enrollment Status Page (ESP) configuration with only one app marked as required (Microsoft Edge Chromium). The remaining applications are a mix of Win32 apps and the all important Microsoft Office 365 suite. This suite was configured with the following apps. Excel, OneDrive Desktop, OneNote, Outlook, PowerPoint, Teams, Word This worked well since about mid-February 2020. However, starting week 46, I started noticing the following error on newly delivered HP computers with Windows 10 version 1909 (and some office components preinstalled) after clicking the Microsoft Outlook icon soon after Windows Autopilot had completed. It looks ominous. Clicking OK and trying again, the problem looked even worse, you'd see something like this, outlook prompting you to choose a Profile. followed by a Script error, stating Class not registered on Line 278. Choose Yes or No had pretty much the same effect, Outlook was well and truly broken. If you clicked on the Account Information in Outlook you'd see something like this. A Metered connection warning followed by a Upgrade in Progress warning. The first is definitely a red-herring as the Network card was not in a state that was metered. When checking the version of office installed on affected machines I could see it was as shown below, Office version 2011. The interesting thing to note is that Computers that had a clean image of Windows 10 version 1909 with no Office installed previously did not exhibit this problem, it only affected factory image(s) of HP computers with Windows 10 version 1909 factory image and those images come with a version of Microsoft Office installed (in the Nordics), namely Microsoft Office 365 ProPlus version 1908 (Build 11929.20394). Troubleshooting Based on the above I knew that clean installs of Windows 10 1909 did not have the issue (even though they subsequently got the Office 2011 version installed before the user logged on). I initially suspected that security software or a device configuration profile were to blame, and went through the time consuming task of excluding a computer from each profile, and then resetting it to verify the behavior. Excluding a device from an assignment takes precedence over including a device so it was a good way of testing Windows Autopilot without certain settings or configurations, to rule them out. Below you can see I've excluded a group (containing my test device) from a Device Configuration profile, to verify if that was the issue. trying this didn't help, but it at least ruled out the following from being part of the problem. Device Configuration Profiles Win32 based Security based apps (such as Azure Information protection, Crowdstrike, Symantec DLP) Armed with that knowledge I recreated the Office Suite settings in my own test tenant, and ran a Windows Autopilot build, to my surprise the HP failed starting outlook the exact same way as in Production, so that completely ruled out everything other than the version of Office installed on the HP. Next I turned to logging options within Office/Outlook to see if that would help, but in reality it just generated .ETL files that I'm still analyzing in order to root-cause this issue. The breakthrough came when looking at the settings of the Office suite in Endpoint Manager. The version of Office that gets installed is based on your settings in the Office Suite, and we had been using these settings without problem since February 2020. The really important bit was the update channel, shown below. The update channel we were using was Current Channel (Preview). You can get details of the update channels here. According to Microsoft: ... three primary update channels: Current Channel Monthly Enterprise Channel Semi-Annual Enterprise Channel We recommend Current Channel, because it provides your users with the newest Office features as soon as they are ready. But what is the difference between Current Channel and Current Channel (Preview). According to Microsoft: To become familiar with the new features coming in the next feature release of Current Channel, we recommend that you use Current Channel (Preview). There isn’t a set release schedule for Current Channel (Preview). In general, a new version of Current Channel (Preview) with new features is released at least a week or more before that new version is released to Current Channel. There might be several releases of Current Channel (Preview), with non-security updates, before that version is released to Current Channel. You should deploy Current Channel (Preview) to a small, representative sample of users in your organization. This can help you identify any possible issues for your organization before those new features are released more broadly to your users that have Current Channel. We also encourage you to use Current Channel (Preview) so that you can identify any possible issues that you want us to fix before that version is released to Current Channel. This can help reduce the number of non-security updates that are needed for Current Channel. And this pretty much matched what we were doing, so now that we had this knowledge, but still had no root-cause for the Outlook (and Word/Excel issues). The Resolution I decided to change the Update Channel from Current Channel (Preview) to Current Channel. This decision was based on the fact that the Preview channel may contain changes that are incompatible with our image in some way, which is odd because we are using the factory installed HP image. Once I made the change, and re-tested Windows Autopilot the difference was clear. Now Outlook worked as expected without issue (and Word/Excel issues disappeared also), however the version of Office installed was Version 2010 instead of Version 2011 that we got in the Current Channel (Preview). This didn't matter too much but of course it meant that some cool new cloud friendly features in Version 2011 were now no longer available on newly installed Windows Autopilot machines. The versioning used by Microsoft for Office is somewhat confusing, in the Office Account screen you'll see the version info, here you can see it's listed as Current Channel, Version 2010 (the version without the problem). So version 2010 relates to year 20, month 10, or the October release of Office 365. That would of course mean that version 2011 is the November release. Summary Sometimes living on the edge means you will fall over. I know that changing from Current Channel (Preview) to Current Channel might only delay the problem until the Current Channel update channel migrates to the new version of office next month, so we may actually encounter this problem again, and soon. So to conclude, if any of you have come across this exact issue (I have searched and found similar problems with "Library not registered", but the advice within them didn't apply here), then please get in touch with me. In the meantime I will look through the gathered ETL traces to see if they provide any clue as to why Office was so broken on these new devices in order to root-cause the problem. Links used in this blog post Github script, Metered - https://gist.github.com/nijave/d657fb4cdb518286942f6c2dd933b472 Update Channels - https://docs.microsoft.com/en-us/deployoffice/overview-update-channels Office Versions - https://docs.microsoft.com/en-us/officeupdates/current-channel

get-windowsupdatelog on the machine in question will allow you to see where the updates is being downloaded from

hi Scott and welcome the first thing i'd suggest you do is grab the smsts*.log files on one of the affected computers and zip them up and upload here so we can take a look, that will hopefully reveal what went wrong any additional info you can add, such as hardware that was affected and whether or not there's any changes to BIOS/UEFI setup in the task sequence ?

yup that should improve things try it however are you sure your computers are only getting updates from ConfigMgr and not somewhere else ?

have you configured anything in Client Settings for notifications ?

are you referring to the TPM hash ? if so read here TPM password hash Previous MBAM clients don't upload the TPM password hash to Configuration Manager. The client only uploads the TPM password hash once. If you need to migrate this information to the Configuration Manager recovery service, clear the TPM on the device. After it restarts, it will upload the new TPM password hash to the recovery service. Uploading of the TPM password hash mainly pertains to versions of Windows prior to Windows 10. Windows 10 by default does not save the TPM password hash so therefore does not normally upload the TPM password hash. For more information, see About the TPM owner password.

while it's not a report, have you looked at the Cloud Management overview in the ConfigMgr console ? for more details about monitoring the clients to your CMG and and traffic involved see https://docs.microsoft.com/en-us/mem/configmgr/core/clients/manage/cmg/monitor-clients-cloud-management-gateway to figure out how much it costs see

thanks for the update !

ah ok, well it's out of support and you'll need to ugprade it to a supported build before you decide to do anything with it, that would be your first task, to setup a plan for the upgrade, it's easy, and you'll gain access to lots of new features by doing so (as well as remain supported) cheers niall

hi and welcome, before we talk about distribution points can you please tell us what SCCM version you currently have and how many clients would it be managing approx ?

yeah that sounds good ping me then (pm)

ok i've you are using the latest version of ConfigMgr, and you still see the issue then please raise a case with Microsoft

did you verify your registry settings, is it pointing to the correct recovery service there ? if you have teamviewer i could remote in and take a look or Microsoft Quick Assist

thanks for the thanks ! I appreciate it however the links are not broken, you can only download scripts if you are a logged on member of windows-noob.com please retry the download now that you are a logged on member cheers niall

start by looking at my guide for troubleshooting on the client, does it look like you are missing something ?