An update pushed to Microsoft’s Defender for Endpoints anti-malware utility has deleted application and utility shortcuts for Windows users worldwide, ahead of the weekend.
A Defender signature update, version 1.381.2140.0, contained an Attack Surface Reduction (ASR) rule named “Block Win32 API calls from Office macro”,
Microsoft has confirmed that it is a faulty rule that deleted the Start menu and Taskbar shortcuts, and said the issue has now been resolved, referring users to item MO4977128 in the admin centre portal.
Users have published workarounds to remedy the issue, but applying them appear to be onerous for administrators.
I’m stunned with shock as a result of this. Imagine being the sole person responsible for patching of over 8000 assets. Now imagine half of those assets are now bricks to their users, now imagine being me.
Thank you very much for the worst day I’ve had in patching history ever.
— Deon Seymour (@ghoststomper) January 13, 2023
It is possible to use Microsoft’s InTune utility to restore shortcuts, icons and apps, but admins are complaining that the process is too slow and that they will have to spend days to manually repair each affected computer.
A large number of users and administrators have reported that icons and application shortcuts were deleted from the Start menu and Taskbar, although the exact number is not known.
ASRs were introduced with the Microsoft Defender Antivirus in Windows 10, version 1709, with the full set of rules only available to customers with an Enterprise license.