Windows Defender update deletes Start Menu, Taskbar, Desktop shortcuts

For now, it appears that administrators will have to manually recreate their shortcuts once the issue has been fixed

A new Windows Defender update has caused issues for IT admins, deleting Start Menu, Taskbar, and desktop shortcuts on Windows devices.

One user raised the issue in a Microsoft community support thread, saying that after the morning update of security intelligence to version 1.381.2140.0, Defender appears to be deleting clients' links to applications.

The issue appears to stem from an attack surface reduction (ASR) rule made in the latest Defender update. Users reported that the problem is with the specific ASR rule: Block Win32 API calls from Office macros. 

Discussions began during the late morning on Friday in an online community for IT system administrators, where a number of users reported that applications had gone missing from their devices.

“I've seemed to have lost all Microsoft apps, Outlook/Excel/Word,” wrote one user. “An error message comes up saying it's not supported and then the app seems to have uninstalled.”

Another said: “...looks like that all shortcuts which are located in ProgramData\Microsoft\Windows\Start Menu\Programs will be deleted instantly”.

Wider complaints revealed all .LNK files were being automatically deleted. Some reported seeing them all sent to OneDrive's Recycle Bin.

“We're investigating an issue where users are unable to access application shortcuts on the Start menu and Taskbar in Windows,” Microsoft said on Twitter. “For more details and updates, please follow the SI MO497128 in your admin center.”

Microsoft said it has identified the specific rule which was “resulting in impact” and has reverted the rule to prevent any further impact while it investigates further.

To fix the issue, some users advised that changing the "Block Win32 API calls from Office macros" rule to audit only worked for them. Others said deleting the ASR rules, specifically 92e97fa1-2edf-4476-bdd6-9dd0b4dddc7b, also remedied the situation.

However, it remains unclear whether the shortcuts will automatically return after the fix is implemented. Some users have had to manually recreate their shortcuts again.
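
The audit-mode workaround described above, as an added PowerShell example (not from the article or from Microsoft): it reads the rule's current action with `Get-MpPreference`, switches it from Block to Audit with `Add-MpPreference`, and counts the `.lnk` files left in the Start Menu folder users named. It assumes an elevated prompt on a machine where the rule is configured locally; the helper name `Get-AsrRuleState` is hypothetical.

```powershell
# Added example. The rule GUID is the one quoted in the article
# ("Block Win32 API calls from Office macros").
$RuleId = '92e97fa1-2edf-4476-bdd6-9dd0b4dddc7b'

# Numeric action codes Defender stores for each ASR rule.
$ActionNames = @{ 0 = 'Disabled'; 1 = 'Block'; 2 = 'Audit'; 6 = 'Warn' }

# Hypothetical helper: look up one rule's action in the parallel
# Ids/Actions arrays that Get-MpPreference returns.
function Get-AsrRuleState {
    param([string]$Id)
    $pref    = Get-MpPreference
    $ids     = @($pref.AttackSurfaceReductionRules_Ids)
    $actions = @($pref.AttackSurfaceReductionRules_Actions)
    for ($i = 0; $i -lt $ids.Count; $i++) {
        if ($ids[$i] -ieq $Id) {
            $code = [int]$actions[$i]
            if ($ActionNames.ContainsKey($code)) { return $ActionNames[$code] }
            return "Unknown ($code)"
        }
    }
    return 'NotConfigured'
}

$state = Get-AsrRuleState -Id $RuleId
Write-Output "ASR rule $RuleId is currently: $state"

# Only touch the rule if it is enforcing; Audit keeps the telemetry
# without blocking or removing anything.
if ($state -eq 'Block') {
    Add-MpPreference -AttackSurfaceReductionRules_Ids $RuleId `
                     -AttackSurfaceReductionRules_Actions AuditMode
    Write-Output "ASR rule is now: $(Get-AsrRuleState -Id $RuleId)"
}

# Count the shortcuts that remain in the all-users Start Menu folder,
# to gauge how much was removed on this endpoint.
$startMenu = Join-Path $env:ProgramData 'Microsoft\Windows\Start Menu\Programs'
$shortcuts = @(Get-ChildItem -Path $startMenu -Filter *.lnk -Recurse -ErrorAction SilentlyContinue)
Write-Output "$($shortcuts.Count) .lnk files remain under $startMenu"
```

Where ASR rules are deployed through Group Policy or Intune, make the change in that policy instead, since a local preference will not override it.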

"IT administrators have reported that users of Microsoft Defender have lost desktop and taskbar application shortcuts," said Muhammad Yahya Patel, security engineer at Check Point Software, to IT Pro. 

"The immediate reaction is to think the machine has been breached, as this would be a classic sign of files and shortcuts disappearing, especially on a large scale. That means IT admins are rushing to perform virus scans to detect the attack.

"The impact of this update is huge as IT teams do not know if they will be able to recover all the deleted icons and shortcuts, or if they are going to have to recreate this for all endpoints in their organisation."

IT Pro has contacted Microsoft for comment.
