Wednesday 9 December 2020

[SOLVED] Excel does not launch but runs in Task Manager

If Excel will not launch on a client, but EXCEL.EXE shows up as a running process in Task Manager, the cause can be the Exploit Protection mitigation Simulate execution (SimExec) being applied to EXCEL.EXE.
To fix it on a single machine, open the Start menu and search for Windows Security.
Navigate to App & browser control > Exploit protection settings > Program settings. Find EXCEL.EXE, click Edit and turn off the Simulate execution (SimExec) setting.
If your environment is managed with Intune/Microsoft Endpoint Manager, the same change can be pushed centrally through an Endpoint Manager Security Baseline profile: export the Exploit Protection XML, open it in Notepad, change EnableRopSimExec="true" to EnableRopSimExec="false" for the EXCEL.EXE entry, and deploy the edited XML. Keep the change scoped to EXCEL.EXE only; do not turn SimExec off for every program, because it is a ROP-hardening control.
Good news for affected users: a hotfix has been released in the latest Office versions. Update your Office client app to the latest version, and once the fixed build is installed, turn the SimExec mitigation back on for EXCEL.EXE.
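The same per-process change can be made and audited from PowerShell with the built-in ProcessMitigations cmdlets (Windows 10 1709 or later). This is an added example, not code from the original post; it assumes an elevated session, and the export path C:\Temp\ExploitProtection.xml is an assumption.

```powershell
# Added example (not from the original post): scope the SimExec change to EXCEL.EXE
# with the ProcessMitigations cmdlets instead of clicking through Windows Security.
# Assumes Windows 10 1709+ and an elevated PowerShell session.
# The export path below is an assumption; adjust it to your environment.

$exe = 'EXCEL.EXE'

# 1. Record the current state before changing anything (useful evidence for the ticket).
Get-ProcessMitigation -Name $exe

# 2. Disable only the Simulate Execution (SimExec) ROP mitigation for Excel.
#    All other mitigations (DEP, CFG, ...) are left exactly as they were.
Set-ProcessMitigation -Name $exe -Disable SimExec

# 3. Export the effective per-process policy to XML. This is the file you would
#    attach to the Intune/MEM Exploit Protection setting so every client gets
#    the same EXCEL.EXE-only exception.
$xmlPath = 'C:\Temp\ExploitProtection.xml'
New-Item -ItemType Directory -Path (Split-Path $xmlPath) -Force | Out-Null
Get-ProcessMitigation -RegistryConfigFilePath $xmlPath

# Show the EXCEL.EXE block so the EnableRopSimExec="false" value can be eyeballed
# before the XML is uploaded.
Select-String -Path $xmlPath -Pattern 'EXCEL.EXE' -Context 0, 12

# 4. After the fixed Office build is installed, put the mitigation back:
#    Set-ProcessMitigation -Name $exe -Enable SimExec
```

Run step 1 again after the Office update to confirm SimExec shows as enabled; leaving a disabled mitigation behind on an unpatched build is the thing to avoid.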

Wednesday 25 November 2020

SCCM Firewall Port

Ports required between the SCCM roles in this design (primary site at HQ, a distribution point per branch). Direction is from the initiating host to the listening host.

Direction of the communication                          | Port                 | Remarks
--------------------------------------------------------|----------------------|---------------------
Client (HQ) -> Primary Site Server (HQ)                 | 80 (TCP)             | HTTP
                                                        | 443 (TCP)            | HTTPS
                                                        | 445 (TCP)            | SMB
Client (Branch) -> Primary Site Server (HQ)             | 80 (TCP)             | HTTP
                                                        | 443 (TCP)            | HTTPS
Client (Branch) -> Distribution Point                   | 80 (TCP)             | HTTP
                                                        | 443 (TCP)            | HTTPS
                                                        | 445 (TCP)            | SMB
Primary Site Server (HQ) -> Distribution Point          | 445 (TCP)            | SMB
                                                        | 135 (TCP, UDP)       | RPC Endpoint Mapper
                                                        | RPC dynamic (TCP)    | RPC
Distribution Point -> Primary Site Server (HQ)          | 80 (TCP)             | HTTP
                                                        | 443 (TCP)            | HTTPS
Primary Site Server (HQ) -> Client (HQ)                 | 9 (UDP)              | Wake on LAN
                                                        | 80 (TCP)             | HTTP
                                                        | 443 (TCP)            | HTTPS
                                                        | 2701 (TCP)           | Remote Control
Primary Site Server (HQ) -> Client (Branch)             | 9 (UDP)              | Wake on LAN
                                                        | 2701 (TCP)           | Remote Control
Primary Site Server (HQ) -> Active Directory DC         | 389 (TCP)            | LDAP
                                                        | 3268 (TCP)           | Global catalog LDAP
                                                        | 135 (TCP, UDP)       | RPC Endpoint Mapper
                                                        | RPC dynamic (TCP)    | RPC
Primary Site Server (HQ) -> Microsoft Update (Internet) | 80 (TCP)             | HTTP
                                                        | 443 (TCP)            | HTTPS

VM SPECIFICATION

                                          | HQ                                                          | BRANCH
------------------------------------------|-------------------------------------------------------------|--------------------------------------
Server Role                               | SCCM Primary Site Server                                    | SCCM Distribution Point Server
No. & Type of Servers (Physical/Virtual)  | 1 x Virtual Machine                                         | 1 x Virtual Machine per site/facility
Recommended CPU                           | 8 vCPU                                                      | 4 vCPU
Recommended RAM                           | 32 GB                                                       | At least 4 GB
OS / Software                             | WS2012 R2 / WS2016, SQL Server 2016 SP1, SCCM 2016 (Current Branch) | Win 8.1, Win10, WS2012 R2, WS2016
Disk                                      | 100 GB (OS), 500 GB (Data)                                  | 100 GB (OS), 200 GB (Data)
Ethernet / Others                         | 2 vNIC                                                      | 1 vNIC


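Before the site system roles are installed it is worth proving the port matrix above from the initiating side, so a missing firewall rule is found now rather than in a failed content distribution. The script below is an added example, not part of the original post; the host names are assumptions. It only exercises TCP listeners: UDP 9 (Wake on LAN) and the RPC dynamic range cannot be proven with a TCP connect and must be checked against the firewall rule itself.

```powershell
# Added example (not from the original post): test the TCP ports from the port matrix
# with Test-NetConnection, run on the host that initiates the connection.
# Host names below are assumptions. UDP 9 (WoL) and the RPC dynamic range (default
# 49152-65535) are not covered: a TCP connect test cannot prove either, so verify
# those rules directly on the firewall.

function Test-SccmPorts {
    param(
        [Parameter(Mandatory)] [string] $Target,
        [Parameter(Mandatory)] [int[]]  $Ports,
        [string] $Description = ''
    )
    foreach ($port in $Ports) {
        # -InformationLevel Quiet returns only $true/$false for the TCP handshake.
        $open = Test-NetConnection -ComputerName $Target -Port $port `
                    -InformationLevel Quiet -WarningAction SilentlyContinue
        [pscustomobject]@{
            Description = $Description
            Target      = $Target
            Port        = $port
            Open        = $open
        }
    }
}

# Run this section on the primary site server (HQ).
$results = @()
$results += Test-SccmPorts -Target 'sccm-dp01.branch.corp.local' -Ports 445, 135 `
                -Description 'Primary Site -> Distribution Point (SMB, RPC EPM)'
$results += Test-SccmPorts -Target 'dc01.corp.local' -Ports 389, 3268, 135 `
                -Description 'Primary Site -> Domain Controller (LDAP, GC, RPC EPM)'
$results += Test-SccmPorts -Target 'client-hq01.corp.local' -Ports 80, 443, 2701 `
                -Description 'Primary Site -> Client HQ (HTTP, HTTPS, Remote Control)'

# Run this section on a branch client instead.
# $results += Test-SccmPorts -Target 'sccm-dp01.branch.corp.local' -Ports 80, 443, 445 `
#                 -Description 'Client Branch -> Distribution Point'
# $results += Test-SccmPorts -Target 'sccm-ps01.corp.local' -Ports 80, 443 `
#                 -Description 'Client Branch -> Primary Site Server'

$results | Format-Table -AutoSize

# Fail loudly so the check can gate a deployment runbook.
$blocked = $results | Where-Object { -not $_.Open }
if ($blocked) {
    $blocked | ForEach-Object { Write-Warning "Blocked: $($_.Description) $($_.Target):$($_.Port)" }
    exit 1
}
```

A closed result on 80/443 to a distribution point that has not been installed yet is expected (nothing is listening); re-run after the role is installed to separate "no listener" from "firewall blocked".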
Tuesday 3 November 2020

Summary of MDM-assigned policies on a user device

There are a few ways to check which policies have been assigned to a device via MEM (Intune).

1. Registry Editor on the MDM-enrolled device

  • Launch regedit.exe (as administrator).
  • Navigate to Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PolicyManager\current\device. Each subkey is a CSP area (for example WiFi or DeviceLock) and its values are the policies currently applied to the device.



2. Info from the Azure AD-connected account

  • Navigate to Settings > Accounts > Access work or school
  • Expand the connected account
  • Click the Info button
  • The applied policies are listed

3. Export the MDM diagnostic report

  • Navigate to Settings > Accounts
  • In the right pane, under Related settings
  • Click Export your management log files
  • Extract the archive, locate MDMDiagHtmlReport.html and open it in Microsoft Edge.

  • Under Managed policies you will find the assigned policies.
  • In the example highlighted below, the WiFi policy is assigned with Allow Auto Connect to WiFi Sense Hotspots set to Disabled.

  • The picture below shows the same WiFi policy as assigned in the MEM portal.
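Method 1 can be scripted, which is handy when you want the summary from many devices or want to diff it against what the MEM portal says. The script below is an added example, not part of the original post; it reads the same PolicyManager registry store and assumes a Windows 10 device enrolled in Intune/MEM and an elevated session.

```powershell
# Added example (not from the original post): dump the MDM device-scope policies from
# HKLM\SOFTWARE\Microsoft\PolicyManager\current\device into a table and a CSV.
# Assumes an Intune/MEM-enrolled Windows 10 device and an elevated PowerShell session.

$root = 'HKLM:\SOFTWARE\Microsoft\PolicyManager\current\device'

if (-not (Test-Path -Path $root)) {
    Write-Warning "$root not found: no MDM device-scope policies are applied on this device."
    return
}

$policies = foreach ($area in Get-ChildItem -Path $root) {
    $props = Get-ItemProperty -Path $area.PSPath
    foreach ($p in $props.PSObject.Properties) {
        # Skip PowerShell bookkeeping properties (PSPath, PSParentPath, ...) and the
        # per-policy metadata values PolicyManager writes next to each setting.
        if ($p.Name -like 'PS*' -or
            $p.Name -like '*_ProviderSet' -or
            $p.Name -like '*_WinningProvider') { continue }

        [pscustomobject]@{
            Area   = $area.PSChildName   # CSP area, e.g. WiFi, DeviceLock, Update
            Policy = $p.Name             # policy name, e.g. AllowAutoConnectToWiFiSenseHotspots
            Value  = $p.Value            # 0/1 for most Allow* policies, text for others
        }
    }
}

$policies | Sort-Object Area, Policy | Format-Table -AutoSize

# Keep a copy next to the Settings-app export so both can be compared later.
$csv = Join-Path $env:TEMP 'mdm-device-policies.csv'
$policies | Export-Csv -Path $csv -NoTypeInformation
Write-Host "Saved $($policies.Count) policies to $csv"

# Check for the WiFi example from the post: a value of 0 means the hotspot
# auto-connect is disabled, which is what the assigned profile should produce.
$policies | Where-Object { $_.Area -eq 'WiFi' }
```

If a policy you expect is missing from the table, that is the first thing to compare with the MDMDiagHtmlReport.html export: the report also shows the last sync time, so a stale device can be separated from a mis-targeted profile.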






Sunday 3 May 2020

Microsoft Teams Custom Background


1.      Launch the Microsoft Teams desktop app (installed version). When joining a meeting, click ... and select Show background effects.



2.      Background settings will appear in the left pane; click + Add new to upload your image.



3.      Participants need to turn on video for the background effect to apply.



Wednesday 4 March 2020

Harvest Hardware ID for Windows Autopilot

Launch Windows PowerShell as administrator.

Set-ExecutionPolicy -ExecutionPolicy Unrestricted -Scope Process and accept All. The -Scope Process limits the change to this PowerShell session, so the machine-wide execution policy is left untouched.


Install-Script -Name Get-WindowsAutoPilotInfo and accept All

Get-WindowsAutoPilotInfo.ps1 -OutputFile store_location

Go to the target location and take the CSV file to import under Windows Autopilot devices in Intune.

The hardware ID can also be uploaded directly from the PowerShell script:

Set-ExecutionPolicy -ExecutionPolicy Bypass -Scope Process
Install-Script -Name Get-WindowsAutoPilotInfo -Force
Get-WindowsAutoPilotInfo.ps1 -Online

When -Online is used, sign in with an Intune administrator account at the login prompt.
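For the offline route it helps to have one script that harvests to a share, names the file after the serial number and checks the CSV has the columns Intune expects before anyone uploads it. The script below is an added example, not code from the original post or from the Get-WindowsAutoPilotInfo author; the share path \\fileserver\autopilot and the group tag HQ-Laptops are assumptions.

```powershell
# Added example (not from the original post): harvest the Autopilot hardware hash for
# offline import and sanity-check the CSV before it is uploaded to Intune.
# Run from an elevated PowerShell session on the device (or Shift+F10 at the OOBE screen).
# The share path and group tag are assumptions; change them to match your environment.

$share    = '\\fileserver\autopilot'
$groupTag = 'HQ-Laptops'

# Allow scripts for this process only; the machine-wide policy is not changed.
Set-ExecutionPolicy -ExecutionPolicy RemoteSigned -Scope Process -Force

# Install the Get-WindowsAutoPilotInfo script from the PowerShell Gallery.
Install-PackageProvider -Name NuGet -MinimumVersion 2.8.5.201 -Force | Out-Null
Install-Script -Name Get-WindowsAutoPilotInfo -Force

# Name the file after the BIOS serial so one share can collect many devices.
$serial  = (Get-CimInstance -ClassName Win32_BIOS).SerialNumber.Trim()
$outFile = Join-Path -Path $share -ChildPath "$serial.csv"

# -GroupTag is written into the CSV so the device lands in the right dynamic group
# (device.devicePhysicalIds contains "[OrderID]:HQ-Laptops") without manual editing.
Get-WindowsAutoPilotInfo.ps1 -OutputFile $outFile -GroupTag $groupTag

# Verify the columns the Intune import expects are present and the hash is not empty.
$required = 'Device Serial Number', 'Windows Product ID', 'Hardware Hash'
$row      = Import-Csv -Path $outFile | Select-Object -First 1
$missing  = $required | Where-Object { -not $row.PSObject.Properties[$_] }
if ($missing) {
    throw "CSV is missing column(s): $($missing -join ', ')"
}
if ([string]::IsNullOrWhiteSpace($row.'Hardware Hash')) {
    throw 'Hardware hash is empty; the harvest did not succeed on this device.'
}
Write-Host "OK: serial $($row.'Device Serial Number') harvested to $outFile"
```

To import many devices in one go, merge the per-device files with Import-Csv on the share and Export-Csv to a single file; Intune accepts a CSV with multiple rows as long as the header row is the one checked above.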

Sunday 19 January 2020

Windows Autopilot Hybrid Join Summarization


Following the previous post on the main pre-requisites for Windows Autopilot deployment, I have summarised the important configuration and pre-requisites for a Windows Autopilot Hybrid Azure AD Join deployment.

The picture above shows the overall Windows Autopilot deployment process from the end-user and administrator perspectives. Let me elaborate on the process in sequence.

a) Windows 10 devices must be version 1809 or later to deploy with Windows Autopilot Hybrid Azure AD Join.

Once booted, the device must be connected to a network that has access to the on-premises AD so the process can succeed without a VPN. (Note: a VPN connection to the on-premises AD is not supported for Hybrid Domain Join with Windows Autopilot.)

b) A network connection is required for the device to reach the Autopilot service and receive the configured settings and policies.

c) Create the list of policies and profiles below.

i- Register the device by importing its hardware ID into Intune and adding it to the Autopilot group
ii- Create an Autopilot profile
iii- Create a Device Configuration profile
iv- Assign the profile to the Autopilot group
v- Assign an Enrollment Status Page to the group
vi- Create and assign a Domain Join profile (Device Configuration > Domain Join), which carries the domain name, OU and computer-name prefix

d) The Autopilot service connects to AAD to check whether the signing-in user has an EMS license. If the user has no EMS license assigned, the device does not receive the Autopilot service and proceeds through the normal OOBE.

e) With Azure AD Connect (AADC), on-premises AD DS users are synchronized to Azure Active Directory.

f) The Intune Connector for Active Directory must be installed on a Windows Server 2016 or later that can communicate with the Azure tenant. The computer account of that server needs delegated rights to create computer objects in the OU named in the Domain Join profile, otherwise the offline domain join blob cannot be created and the ESP fails at the device setup phase.