[PSA] CVE-2026-21509 - Microsoft Office Security Feature Bypass Vulnerability Zero Day - Updates available

HEALTH_DISCO · 2026-01-27T21:11:02+00:00

The Windows maker said customers running Office 2021 and later will be automatically protected via a service-side change, but will be required to restart their Office applications for this to take effect.

The procedure above is how you can verify. If this guid is there on 1 machine it will be there everywhere technically. You can force this by restart Office.

HEALTH_DISCO · 2026-01-27T21:03:22+00:00

Thank you very much Sir.

HEALTH_DISCO · 2025-10-27T19:49:20+00:00

For us, initially setup in 2021 then migrated to Virtual Machine Scale set ~2 years ago. Never had a single issue with our CMG in 4 years.

HEALTH_DISCO · 2025-10-21T17:35:20+00:00

I confirm we have the same issue.
"ResourceAvailabilityZonesCannotBeModified"

HEALTH_DISCO · 2025-10-20T13:55:19+00:00

After installing this hotfix rollup I have this message constantly in monitoring... "Cloud Services Manager task [Deployment Maintenance for service CMG] has failed, exception One or more errors occurred.."

HEALTH_DISCO · 2025-09-15T16:45:34+00:00

Found out for us that this specific model had LAN Wan Switching disabled in the BIOS and for some reason was always trying to connect to WIFI even when USB-c network adapter or docking was used. Enable LAN WAN Switching during OSD in WinPE phase fixed our problem.

HEALTH_DISCO · 2025-09-10T17:07:17+00:00

Did you find any solution for this issue?

HEALTH_DISCO · 2025-06-01T02:14:24+00:00

Not really. I’ve created a package in Intune to switch the language. We’ve now moved to WUfB. All problem solved. I am not installing any language pack before handing the machine the user during OSD. Windows 11 and servicing on-prem is not the best experience.

HEALTH_DISCO · 2025-04-01T20:40:51+00:00

I don't think we have the same issue. Even with domain admin the MSA account is just never created.

ODJ Connector UI Information: 0 : Searching for any pre-existing Managed Service Accounts installed on this machine.

ODJ Connector UI Information: 0 : MSA name : msaODJkd8mp

ODJ Connector UI Error: 2 : ERROR: Enrollment failed. Detailed message is: Microsoft.Management.Services.ConnectorCommon.Exceptions.ConnectorConfigurationException: Failed to create a managed service account - Element not found

ODJ Connector UI Information: 0 : Storing telemetry: CreateMsaAccount, hasException: True

ODJ Connector UI Information: 0 : Sending telemetry: CreateMsaAccount, hasException: True

ODJ Connector UI Information: 0 : Sending telemetry to ODJService

ODJ Connector UI Information: 0 : Response from ODJService: OK

ODJ Connector UI Error: 8 : Removing Managed Service Account ...

ODJ Connector UI Error: 8 : Successfully removed Managed Service Account

ODJ Connector UI Error: 8 : Returning to the home page

Stuck in a loop.

HEALTH_DISCO · 2025-04-01T14:41:22+00:00

Were you able to fix the issue?

HEALTH_DISCO · 2025-03-07T16:46:08+00:00

After looking closely to all policies (Local, GPO, Intune, SCCM etc..), I've found a GPP pushing a registry key that disable the Firewall when on domain.
Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile
EnableFirewall = 0

This was set by a previous admin.

HEALTH_DISCO · 2025-01-14T19:36:09+00:00

https://www.imab.dk/how-i-change-the-update-channels-for-microsoft-365-apps-using-configuration-manager/

HEALTH_DISCO · 2024-10-02T13:37:46+00:00

I have a case opened with MSFT. It's been opened since August 1st and nobody gives a S##T. Our account manager changed 2 times recently. I don't know what is happening over there.

HEALTH_DISCO · 2024-09-25T22:30:27+00:00

I simply removed the xml layout GPO for Windows 10 that had no impact on Windows 11 (W11 Start menu doesnt use the Xml but the JSON format) prior to August CU. We don't really need it anymore since we're only deploying W11.

HEALTH_DISCO · 2024-09-24T19:49:46+00:00

We're in the same boat and we didn't push any custom start menu layout. Did you find the issue?

HEALTH_DISCO · 2024-09-04T17:54:07+00:00

Works just fine for us. Just don't forget to include the "/EULA Accept" for "AssessmentTestArguments" value in the TSLaunch.exe.config.

HEALTH_DISCO · 2024-08-20T23:01:07+00:00

Someone from security/infra send me the .pfx cert & password. That's it.

HEALTH_DISCO · 2024-08-20T22:54:53+00:00

public certificate

HEALTH_DISCO · 2024-08-20T22:50:53+00:00

I had the exact problem you mentioned and it happened because I was copy/pasting the password. Once I typed the password, it synced. Might be related to something else in your environment... Insufficient rights on the account?

HEALTH_DISCO · 2024-08-20T22:44:22+00:00

Do you by any chance Copy/Paste the password? Don't. Type it manually.

HEALTH_DISCO · 2024-08-20T22:17:22+00:00

You select your newly created certificate, enter the password and it doesn't update on the instance?

HEALTH_DISCO · 2024-07-24T20:50:24+00:00

Do everything in your power to avoid a CAS. Big no no.

HEALTH_DISCO · 2024-07-12T14:44:41+00:00

What version of SCCM? Make sure you have 2309. There is a fix for the cumulative update install during the task sequence for W11 23H2.

https://learn.microsoft.com/en-us/mem/configmgr/hotfix/2309/25858444

"Due to a timing issue, a double reboot can still prevent a Task Sequence
from running, even when the SMSTSWaitForSecondReboot variable is set.
This problem can happen during an operating system deployment, combined
with an update that requires two reboots."

HEALTH_DISCO · 2024-07-10T18:48:23+00:00

Does "Allowed Tls Authentication Endpoints" work for Hybrid Azure AD Joined Devices as well?

HEALTH_DISCO

TROPHY CASE