1/17/2023 – Microsoft provides a script that recovers deleted start menu and taskbar shortcuts. See Recovering from Attack Surface Reduction rule shortcut deletions.
Reports of Microsoft Defender for Endpoint attack surface reduction (ASR) rules removing icons and application shortcuts from the Start Menu and Taskbar have been increasing as Microsoft investigates. This issue stems from the latest update (Defender Update KB2267602 Version 1.381.2140.0) and affects businesses and organizations using Microsoft 365 and Defender for protection against malware, viruses, and other threats. IT admins are currently trying to work around the issue by setting the “Block Win32 API calls from Office macro” rule to audit only. When working correctly, this ASR rule (known as “Block Win32 API calls from Office macro” in Configuration Manager and “Win32 imports from Office macro code” in Intune) should block malware from using VBA macros to call Win32 APIs.
Details and Recommendation
Microsoft has recently announced that it reverted the rule to prevent further impact and will investigate further. Although there is currently no mitigation for the problem, Microsoft recommends placing the offending ASR rule into Audit Mode to prevent further impact until the update has completed deployment. You can put the ASR rule into Audit Mode using one of the following methods:
- Using PowerShell: Add-MpPreference -AttackSurfaceReductionRules_Ids 92e97fa1-2edf-4476-bdd6-9dd0b4dddc7b -AttackSurfaceReductionRules_Actions AuditMode
- Using Intune
- Using Group Policy
- Set the rule to disabled mode using the following PowerShell command:
  Add-MpPreference -AttackSurfaceReductionRules_Ids 92e97fa1-2edf-4476-bdd6-9dd0b4dddc7b -AttackSurfaceReductionRules_Actions Disabled
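To confirm what state the rule is actually in before and after running the commands above, the following added example (not Microsoft's script and not part of the original article) reads the rule's current action and switches it to Audit Mode only when it is enforcing. The function name Get-AsrRuleAction and the variable names are hypothetical; run it from an elevated PowerShell prompt.

```powershell
# Added example: check the affected ASR rule and move it to Audit Mode
# only if it is currently enforcing (Block or Warn).
$RuleId = '92e97fa1-2edf-4476-bdd6-9dd0b4dddc7b'   # rule GUID quoted in the article

# Numeric action values as reported by Get-MpPreference
$ActionNames = @{ 0 = 'Disabled'; 1 = 'Block'; 2 = 'Audit'; 6 = 'Warn' }

# Hypothetical helper: returns the numeric action for one rule, or $null
# when the rule does not appear in the local Defender preferences.
function Get-AsrRuleAction {
    param([Parameter(Mandatory)][string]$Id)

    $pref    = Get-MpPreference
    # The two properties are parallel arrays: Ids[i] has action Actions[i]
    $ids     = @($pref.AttackSurfaceReductionRules_Ids)
    $actions = @($pref.AttackSurfaceReductionRules_Actions)

    for ($i = 0; $i -lt $ids.Count; $i++) {
        if ($ids[$i] -ieq $Id) { return [int]$actions[$i] }
    }
    return $null
}

$before = Get-AsrRuleAction -Id $RuleId

if ($null -eq $before) {
    Write-Output "Rule $RuleId is not configured on this device; nothing to change."
}
elseif ($before -in 1, 6) {
    Write-Output "Rule is in $($ActionNames[$before]) mode; switching to Audit."
    # Add-MpPreference updates this one rule and leaves other ASR rules as they are
    Add-MpPreference -AttackSurfaceReductionRules_Ids $RuleId `
                     -AttackSurfaceReductionRules_Actions AuditMode

    # Re-read the preference to verify that the change took effect
    $after = Get-AsrRuleAction -Id $RuleId
    if ($after -eq 2) {
        Write-Output "Verified: rule is now in Audit mode."
    } else {
        Write-Warning "Rule still reports action '$after'; check whether a management policy sets it."
    }
}
else {
    Write-Output "Rule is already in $($ActionNames[$before]) mode; no change made."
}
```

Where the rule is delivered through Intune or Group Policy, make the change in that policy instead of on the device.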
Until the issue is completely fixed and all deleted shortcuts can be restored, Microsoft advised customers to directly launch Office apps using the Office app or the Microsoft 365 app launcher.
The latest Defender Update KB2267602 (Version 1.381.2140.0) bug deleted shortcuts from the desktop, start menu, and taskbar. Microsoft has since reverted the rule and recommends that users place the offending ASR rule into Audit Mode.
Microsoft has advised users to follow the SI MO497128 for more details and instructions. This is an ongoing problem and updates should be expected.
Resources & Related Articles
(Twitter) Microsoft M365 Status: https://twitter.com/MSFT365Status