Windows Defender update deletes Start Menu, Taskbar, Desktop shortcuts
For now, it appears that administrators will have to manually recreate their shortcuts once the issue has been fixed
A new Windows Defender update has caused issues for IT admins, deleting Start Menu, Taskbar, and desktop shortcuts on Windows devices.
One user raised the issue in a Microsoft community support thread, saying that after the morning update of security intelligence to version 1.381.2140.0, Defender appears to be deleting clients' links to applications.
The issue appears to stem from an attack surface reduction (ASR) rule made in the latest Defender update. Users reported that the problem is with the specific ASR rule: Block Win32 API calls from Office macros.
Discussions began during the late morning on Friday in an online community for IT system administrators, where a number of users have reported that applications went missing from their devices.
“I've seemed to have lost all Microsoft apps, outlook/excel/word,” wrote one user. “an error message comes up saying it's not supported and then the app seems to have uninstalled.”
Another said: “...looks like that all shortcuts which are located in ProgramData\Microsoft\Windows\Start Menu\Programs will be deleted instantly”.
Wider complaints revealed all .LNK files were being automatically deleted. Some reported seeing them all sent to OneDrive's Recycle Bin.
“We're investigating an issue where users are unable to access application shortcuts on the Start menu and Taskbar in Windows,” Microsoft said on Twitter. “For more details and updates, please follow the SI MO497128 in your admin center.”
Microsoft said it has identified the specific rule which was “resulting in impact” and has reverted the rule to prevent any further impact while it investigates further.
To fix the issue, some users advised that changing the "Block Win32 API calls from Office macros" rule to audit only worked for them. Others said deleting the ASR rules, specifically 92e97fa1-2edf-4476-bdd6-9dd0b4dddc7b, also remedied the situation.
However, it remains unclear whether the shortcuts will automatically return after the fix is implemented. Some users have had to manually recreate their shortcuts again.
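The audit-mode workaround described above can be checked and applied on a single endpoint as follows. This is an added example, not code from Microsoft or from the users quoted; it assumes an elevated PowerShell session with the Defender cmdlets available, and the function name `Get-AsrRuleAction` is hypothetical.

```powershell
# Added example: report the state of the ASR rule named in the article,
# move it from Block to Audit, and count the shortcuts that remain.
$RuleId = '92e97fa1-2edf-4476-bdd6-9dd0b4dddc7b'   # rule GUID quoted in the article

# Action codes as reported by Get-MpPreference
$ActionNames = @{ 0 = 'Disabled'; 1 = 'Block'; 2 = 'Audit'; 6 = 'Warn' }

function Get-AsrRuleAction {
    # Hypothetical helper: returns the numeric action for one rule,
    # or $null when the rule is not configured on this device.
    param([string]$Id)
    $pref    = Get-MpPreference
    $ids     = @($pref.AttackSurfaceReductionRules_Ids)
    $actions = @($pref.AttackSurfaceReductionRules_Actions)
    for ($i = 0; $i -lt $ids.Count; $i++) {
        if ($ids[$i] -ieq $Id) { return [int]$actions[$i] }
    }
    return $null
}

$before = Get-AsrRuleAction -Id $RuleId
if ($null -eq $before) {
    Write-Output "Rule $RuleId is not configured on this device."
}
elseif ($before -eq 1) {
    # Block -> Audit: the rule keeps logging events but stops acting on files.
    Add-MpPreference -AttackSurfaceReductionRules_Ids $RuleId `
                     -AttackSurfaceReductionRules_Actions AuditMode
    $after = Get-AsrRuleAction -Id $RuleId
    Write-Output "Rule $RuleId was Block, is now $($ActionNames[$after])."
}
else {
    Write-Output "Rule $RuleId is already $($ActionNames[$before]); no change made."
}

# Impact check: count the .lnk files left in the all-users Start Menu folder
# mentioned in the community thread.
$startMenu = Join-Path $env:ProgramData 'Microsoft\Windows\Start Menu\Programs'
$links = @(Get-ChildItem -Path $startMenu -Filter '*.lnk' -Recurse -ErrorAction SilentlyContinue)
Write-Output "$($links.Count) shortcut(s) present under $startMenu"
```

Where the rule is deployed through Group Policy or Intune, change it in that policy instead, because the managed setting is reapplied to the device.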
"IT administrators have reported that users of Microsoft Defender have lost desktop and taskbar application shortcuts," said Muhammad Yahya Patel, security engineer at Check Point Software, to IT Pro.
"The immediate reaction is to think the machine has been breached, as this would be a classic sign of files and shortcuts disappearing, especially on a large scale. That means IT admins are rushing to perform virus scans to detect the attack.
"The impact of this update is huge as IT teams do not know if they will be able to recover all the deleted icons and shortcuts, or if they are going to have to recreate this for all endpoints in their organisation."
IT Pro has contacted Microsoft for comment.