Hey everyone!

I had an interesting issue at a customer recently where Outlook would crash to the desktop without error whenever a Teams meeting invite was selected – not ideal when we’re all trying to work from home!

Examining the Application log in Event Viewer showed the following .NET Framework 2.0 runtime error when the crash would occur:

.NET Runtime version 2.0.50727.9151 - Fatal Execution Engine Error (00007FFAAD0A6D4E) (80131506)

I came across this article from Microsoft which pointed to Windows Defender Exploit Guard:

This happens because Windows Defender Exploit protection prevents Outlook from growing beyond its assigned memory. This often occurs when Windows is running the Microsoft .Net framework 3.5 and other versions of .Net framework at the same time.

In this case, we’re running Windows 10 Enterprise 1909 and Microsoft 365 Apps release 2004 on the Semi-Annual Enterprise channel. Devices are Hybrid Azure AD joined, with the Microsoft MDM Security Baseline being applied from Endpoint Manager (formerly Intune), which includes an Exploit Guard policy. We’re also running .NET Framework versions 4.8 and 3.5, which is why we’re seeing this behaviour.

The article also states in Method 2 of the resolution that setting EnableExportAddressFilterPlus and EnableExportAddressFilter to false addresses this issue. But first, to confirm that these are enabled, we can run the following PowerShell command and examine the output:

Get-ProcessMitigation -Name outlook.exe

The resulting output shows the payload where EnableExportAddressFilterPlus and EnableExportAddressFilter are both set to ON:

Payload:
EnableExportAddressFilter : ON
AuditEnableExportAddressFilter : NOTSET
Override ExportAddressFilter : False
EnableExportAddressFilterPlus : ON
AuditEnableExportAddressFilterPlus : NOTSET
Override ExportAddressFilterPlus : False
EAFModules : {}
EnableImportAddressFilter : ON
AuditEnableImportAddressFilter : NOTSET
Override ImportAddressFilter : False
EnableRopStackPivot : ON
AuditEnableRopStackPivot : NOTSET
Override EnableRopStackPivot : False
EnableRopCallerCheck : ON
AuditEnableRopCallerCheck : NOTSET
Override EnableRopCallerCheck : False
EnableRopSimExec : ON
AuditEnableRopSimExec : NOTSET
Override EnableRopSimExec : False

We can manually overwrite this using Set-ProcessMitigation as follows to test this solution:

Set-ProcessMitigation -Name outlook.exe -Disable EnableExportAddressFilterPlus, EnableExportAddressFilter

Running Get-ProcessMitigation -Name outlook.exe again shows that EnableExportAddressFilterPlus and EnableExportAddressFilter are now both OFF.

As a result, Outlook now opens and we can again accept Teams meeting invites, great! However we’re not done yet – our MDM Security Baseline policy in Endpoint Manager will come along and revert this back on next refresh.

So in this case, we’ll need to update the Exploit Guard policy delivered by our MDM Security Baseline in MEM. This can be done by navigating to the Exploit Guard section of your MDM Security Baseline property and copying the XML code (if someone knows how to get this out using Graph API let me know!)

If we take a look at the XML in VS Code we’ll see the following policy for outlook.exe:

<AppConfig Executable="OUTLOOK.EXE">
	<DEP Enable="true" EmulateAtlThunks="false" />
	<ASLR Enable="true" ForceRelocateImages="true" />
	<Payload EnableExportAddressFilter="true" EnableExportAddressFilterPlus="true" EnableImportAddressFilter="true" EnableRopStackPivot="true" EnableRopCallerCheck="true" EnableRopSimExec="true" />
</AppConfig>

Since EnableExportAddressFilter="true" and EnableExportAddressFilterPlus="true" are set here, we’ll need to change them both to "false" and re-upload the modified XML file:

<AppConfig Executable="OUTLOOK.EXE">
	<DEP Enable="true" EmulateAtlThunks="false" />
	<ASLR Enable="true" ForceRelocateImages="true" />
	<Payload EnableExportAddressFilter="false" EnableExportAddressFilterPlus="false" EnableImportAddressFilter="true" EnableRopStackPivot="true" EnableRopCallerCheck="true" EnableRopSimExec="true" />
</AppConfig>

In MEM navigate to Endpoint security > Security baselines > Windows 10 Security Baseline > your security baseline profile > Properties.

Then Edit the Configuration Settings and navigate to Exploit Guard, where you’ll see the option + Select XML file. From there, use Select file to select your modified XML file.

Click Review + save to continue and you’ll then be able to preview the pending policy change and confirm that EnableExportAddressFilter="false" and EnableExportAddressFilterPlus="false" are both set correctly.

From there click Save and the policy will now be active. You can then force a device sync status within Windows 10 and then run Get-ProcessMitigation -Name outlook.exe and confirm both values are now set to false!
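The XML change described above can be scripted so that only the two EAF attributes under OUTLOOK.EXE are touched and the result is checked before upload. This is an added PowerShell example, not part of the original post or of Microsoft's tooling; the file paths, the Get-MitigationMap helper, the WINWORD.EXE entry and the MitigationPolicy wrapper in the sample are constructed for illustration.

```powershell
# Added example. File paths and the sample policy are constructed placeholders.
$inPath  = Join-Path $env:TEMP 'ExploitGuard-baseline.xml'        # copy of the XML taken from MEM
$outPath = Join-Path $env:TEMP 'ExploitGuard-outlook-eaf-off.xml' # file to re-upload
$targets = 'EnableExportAddressFilter', 'EnableExportAddressFilterPlus'

# Constructed sample so the script runs stand-alone; remove this block to use a real export.
@'
<MitigationPolicy>
  <AppConfig Executable="OUTLOOK.EXE">
    <DEP Enable="true" EmulateAtlThunks="false" />
    <ASLR Enable="true" ForceRelocateImages="true" />
    <Payload EnableExportAddressFilter="true" EnableExportAddressFilterPlus="true" EnableImportAddressFilter="true" EnableRopStackPivot="true" EnableRopCallerCheck="true" EnableRopSimExec="true" />
  </AppConfig>
  <AppConfig Executable="WINWORD.EXE">
    <Payload EnableExportAddressFilter="true" EnableExportAddressFilterPlus="true" />
  </AppConfig>
</MitigationPolicy>
'@ | Set-Content -Path $inPath -Encoding UTF8

# Flatten a policy into "Executable/Element/Attribute" = value for comparison.
function Get-MitigationMap([xml]$Doc) {
    $map = @{}
    foreach ($app in $Doc.SelectNodes('//AppConfig')) {
        foreach ($node in $app.SelectNodes('*')) {
            foreach ($attr in $node.Attributes) {
                $map["$($app.GetAttribute('Executable'))/$($node.LocalName)/$($attr.Name)"] = $attr.Value
            }
        }
    }
    return $map
}

[xml]$policy = Get-Content -Path $inPath -Raw
$apps = @($policy.SelectNodes('//AppConfig') |
    Where-Object { $_.GetAttribute('Executable') -ieq 'outlook.exe' })
if ($apps.Count -ne 1) { throw "Expected one OUTLOOK.EXE AppConfig, found $($apps.Count)" }
$payload = $apps[0].SelectSingleNode('Payload')
if ($null -eq $payload) { throw 'OUTLOOK.EXE AppConfig has no Payload element' }

# Flip only the two EAF attributes; every other mitigation keeps its value.
foreach ($name in $targets) { $payload.SetAttribute($name, 'false') }
$policy.Save($outPath)

# Diff the original against the modified policy and fail if anything else moved.
$before   = Get-MitigationMap (Get-Content -Path $inPath -Raw)
$after    = Get-MitigationMap $policy
$changed  = @($before.Keys | Where-Object { $after[$_] -ne $before[$_] } | Sort-Object)
$expected = @($targets | ForEach-Object { "$($apps[0].GetAttribute('Executable'))/Payload/$_" })
if (($changed -join ',') -ne ($expected -join ',')) { throw "Unexpected changes: $($changed -join ', ')" }
"Changed only: $($changed -join ', ')"
```

The diff step is the useful part when the baseline XML covers many executables: it stops the upload if an edit accidentally relaxed a mitigation for anything other than OUTLOOK.EXE.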

Hope this helps!

Cheers

Sam

Published On: September 25th, 2020 / Categories: Uncategorised

2 Comments

  1. Tobi 8 March, 2021 at 8:27 pm

    Thanks for your article. We deactivated EnableExportAddressFilter and EnableExportAddressFilterPlus but had the same issues. In our case the problem was AuditEnableExportAddressFilter and AuditEnableExportAddressFilterPlus. Both settings also need to be deactivated.

    • Sam Lewis 8 March, 2021 at 8:29 pm

      Good to know, thanks for the tip Tobi!
