Defender for Endpoint – What's the user count?

What's the user count for users actually logged on to your devices, looking through Defender for Endpoint?

Quick glance:

DeviceLogonEvents
| where AccountDomain == "YOURDOMAIN"
// Successful interactive or cached-interactive logons only; this excludes network, remote interactive, batch and service logons
| where LogonType in ("Interactive","CachedInteractive") and ActionType == "LogonSuccess"
| extend parsed = parse_json(AdditionalFields)
// IsLocalLogon is carried in AdditionalFields; keep rows where it is not "false"
| extend Localcheck = tostring(parsed.IsLocalLogon)
| where Localcheck notcontains "false"
// Distinct user accounts per domain
| summarize AccountName=dcount(AccountName) by AccountDomain

CMPivot and SMB1

Ned Pyle has ensured there is an event log that details any attempt to communicate over SMB1 (in case it is still enabled on your endpoints). It exists for both the SMB server and the SMB client.

See his post for the specifics of the event:

As of Configuration Manager (MECM) 1910 you can use CMPivot to query all event logs (previously only a subset was available, as only the Get-WinEventLog cmdlet was used), including SMBClient/Audit.

Sample query – number of events per client over the last 30 days

WinEvent('Microsoft-Windows-SmbClient/Audit', 30d) 
| where ID == 32002
| summarize count() by Device

Sample query – device, date and message

WinEvent('Microsoft-Windows-SmbClient/Audit', 30d) 
| where ID == 32002
| project Device, datetime, Message

In addition, you can create a collection of the clients you found:

Or, if it needs to be pretty:

WinEvent('Microsoft-Windows-SmbClient/Audit', 30d) 
| where ID == 32002
| summarize count() by Device 
| render barchart with (kind=stacked, title='SMB1 Events', ytitle='Events')

Troubleshoot Office crashes – quick guide

I wrote these notes on how so many Office issues were solved. Sadly, this still applies, and a recent Twitter thread reminded me that they might be useful.

Printer

Temporarily set ‘PDFCreator’ as the default printer

Verify whether the issue is resolved

Addins

Start the application in safe mode or without add-ins

Sample:

winword.exe /a

excel.exe /s

outlook.exe /safe

If the application doesn't crash when started without add-ins, check which add-ins the user has installed.

Narrow down the issue and try to identify which add-in is causing the crash

You can review installed add-ins by selecting:

File -> Options

Review the Add-ins option

Temporarily disable add-ins using Manage -> Go... at the bottom

Some add-ins may require that you temporarily start the application as Administrator.

Profile

Close all Office applications

Registry issues

Try temporarily renaming the registry settings for the specific application.

Open regedit.exe

Locate:

HKEY_CURRENT_USER\Software\Microsoft\Office

Locate the crashing application:

Word, Excel, PowerPoint

Sample path:

HKEY_CURRENT_USER\Software\Microsoft\Office\Word

Rename the registry key for your application – using Word as a sample:

Word_temp

Retry starting the application

Repeat the same steps for the Office version key:

HKEY_CURRENT_USER\Software\Microsoft\Office

Locate the specific version:

12.0 -> 2007

15.0 -> 2013

16.0 -> 2016

If the issue is not resolved, rename the version registry key – using 12.0 as a sample:

12.0_temp

If the issue is not resolved by temporarily renaming registry keys, restore all registry keys to their original names.

Files

You can temporarily rename application-specific folders for Office applications. The suggestion is to rename each of the folders below by appending _temp and verify whether the issue is resolved:

%APPDATA%\Microsoft\Word

%APPDATA%\Microsoft\Excel

%APPDATA%\Microsoft\PowerPoint

%APPDATA%\Microsoft\Templates

%APPDATA%\Microsoft\Outlook
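The registry and folder steps above as one script, added here as an example and not part of the original post. It assumes the key and folder both carry the application name (HKCU:\Software\Microsoft\Office\<App> and %APPDATA%\Microsoft\<App>) and only handles the application-level key, not the version key.

```powershell
# Added example, not from the original post: set aside an Office application's
# HKCU settings key and its %APPDATA% folder by renaming both with an "_temp"
# suffix (as the guide describes), then put them back after the test.
# Assumption: key and folder both carry the application name, i.e.
# HKCU:\Software\Microsoft\Office\<App> and %APPDATA%\Microsoft\<App>.

function Assert-OfficeClosed {
    # The guide says to close all Office applications first; refuse otherwise.
    $running = Get-Process -Name winword, excel, powerpnt, outlook -ErrorAction SilentlyContinue
    if ($running) {
        $names = ($running.Name | Sort-Object -Unique) -join ', '
        throw "Close these Office processes before continuing: $names"
    }
}

function Get-OfficeAppPaths {
    param([Parameter(Mandatory)][ValidateSet('Word','Excel','PowerPoint','Outlook')][string]$App)
    # Both locations the guide tells you to rename, per application.
    @("HKCU:\Software\Microsoft\Office\$App", (Join-Path $env:APPDATA "Microsoft\$App"))
}

function Disable-OfficeAppSettings {
    param([Parameter(Mandatory)][ValidateSet('Word','Excel','PowerPoint','Outlook')][string]$App)
    Assert-OfficeClosed
    foreach ($path in Get-OfficeAppPaths -App $App) {
        $temp = "${path}_temp"
        if (Test-Path -LiteralPath $temp) {
            throw "$temp already exists; run Restore-OfficeAppSettings first."
        }
        if (Test-Path -LiteralPath $path) {
            # Rename-Item works for both the registry and the file system provider.
            Rename-Item -LiteralPath $path -NewName (Split-Path $temp -Leaf)
            Write-Host "Renamed $path -> $temp"
        } else {
            Write-Host "Not present, skipping: $path"
        }
    }
}

function Restore-OfficeAppSettings {
    param([Parameter(Mandatory)][ValidateSet('Word','Excel','PowerPoint','Outlook')][string]$App)
    Assert-OfficeClosed
    foreach ($path in Get-OfficeAppPaths -App $App) {
        $temp = "${path}_temp"
        if (-not (Test-Path -LiteralPath $temp)) { continue }
        # The application recreates a default key/folder on its next start;
        # drop that copy so the original settings can take their name back.
        if (Test-Path -LiteralPath $path) { Remove-Item -LiteralPath $path -Recurse -Force }
        Rename-Item -LiteralPath $temp -NewName (Split-Path $path -Leaf)
        Write-Host "Restored $path"
    }
}
```

Run Disable-OfficeAppSettings -App Word, start Word to test, then Restore-OfficeAppSettings -App Word once you have your answer.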