Windows Defender update deletes Start Menu, Taskbar, Desktop shortcuts

A computer user stares at their computer with a worried expression on their face and their hands on their head

(Image credit: Getty Images)

published 13 January 2023

A new Windows Defender update has caused issues for IT admins, deleting Start Menu, Taskbar, and desktop shortcuts on Windows devices.

One user raised the issue in a Microsoft community support thread, saying that after the morning update of security intelligence to version 1.381.2140.0, Defender appears to be deleting clients' links to applications.

Microsoft Defender causes 'mass confusion' after legitimate apps trigger ransomware alerts Microsoft Defender drops "downpour" of false ransomware alerts on customers Microsoft's 'unusually large' Patch Tuesday fixes actively exploited zero day, 11 critical vulnerabilities

The issue appears to stem from an attack surface reduction (ASR) rule made in the latest Defender update. Users reported that the problem is with the specific ASR rule: Block Win32 API calls from Office macros.

Discussions began during the late morning on Friday in an online community for IT system administrators, where a number of users have reported that applications went missing from their devices.

“I've seemed to have lost all Microsoft apps, outlook/excel/word,” wrote one user. “an error message comes up saying it's not supported and then the app seems to have uninstalled.”

Another said: “...looks like that all shortcuts which are located in ProgramData\Microsoft\Windows\Start Menu\Programs will be deleted instantly".

Wider complaints revealed all .LNK files were being automatically deleted. Some reported seeing them all send to OneDrive's Recycle Bin.

RELATED RESOURCE

Four steps to better business decisions

Determining where data can help your business

FREE DOWNLOAD

“We're investigating an issue where users are unable to access application shortcuts on the Start menu and Taskbar in Windows,” Microsoft said on Twitter. “For more details and updates, please follow the SI MO497128 in your admin center.”

Microsoft said it has identified the specific rule which was “resulting in impact” and has reverted the rule to prevent any further impact while it investigates further.

To fix the issue, some users advised that changing the "Block Win32 API calls from Office macro" rule to audit only worked for them. Others said deleting the ASR rules, specifically 92e97fa1-2edf-4476-bdd6-9dd0b4dddc7b, also remedied the situation.

However, it remains unclear whether after implementing the fix, whether the shortcuts will automatically return. Some users have had to manually recreate their shortcuts again.

"IT administrators have reported that users of Microsoft Defender have lost desktop and taskbar application shortcuts," said Muhammad Yahya Patel, security engineer at Check Point Software, to IT Pro.

"The immediate reaction is to think the machine has been breached, as this would be a classic sign of files and shortcuts disappearing, especially on a large scale. That means IT admins are rushing to perform virus scans to detect the attack.

"The impact of this update is huge as IT teams do not know if they will be able to recover all the deleted icons and shortcuts, or if they are going to have to recreate this for all endpoints in their organisation.”

IT Pro has contacted Microsoft for comment.

Zach Marzouk is a former ITPro, CloudPro, and ChannelPro staff writer, covering topics like security, privacy, worker rights, and startups, primarily in the Asia Pacific and the US regions. Zach joined ITPro in 2017 where he was introduced to the world of B2B technology as a junior staff writer, before he returned to Argentina in 2018, working in communications and as a copywriter. In 2021, he made his way back to ITPro as a staff writer during the pandemic, before joining the world of freelance in 2022.