Microsoft Defender update/ASR deletes desktop shortcuts, taskbar broken, Office apps don't start anymore

Currently, there seem to be nasty problems with Windows and Microsoft Office. Users report in the blog that under Office 365, build 16.0.15831.20252, the taskbar in Windows is broken and the Office applications no longer start. On many clients the shortcuts disappear and can no longer be found in the Start menu. There are indications that Microsoft ASR (Attack Surface Reduction) could be responsible for this. One user states that a Defender signature update deletes the shortcuts in Windows.

First user reports

German blog reader Jannik O. reported in this comment on the blog post Patchday: Microsoft Office Updates (10. Januar 2023) massive issues with an Office 365 update.

Hello,
does anyone else currently have problems with build no. 16.0.15831.20252 for O365?
Since the update, the taskbar no longer works on hundreds of clients and the Office programs no longer start!

Another user confirms this observation in this German comment:

Hello,
Same problem here at our company. With many clients, the shortcuts disappear and the Office apps as well as the Edge can no longer be found via the Start menu.

Thanks to users for the tips, which point to more serious problems, as Windows is also affected with Start menu shortcuts and the taskbar.

A message on Twitter

I was just about to start researching this when Phil Randal on Twitter sent me a tip about MS ASR being the cause of deleted shortcuts (thanks for that).

User @FraserIRL asks whether other companies have also noticed that shortcuts and program icons have suddenly disappeared from the desktop under Windows 10. He states that many devices are affected. Phil Randal states that Microsoft ASR (Attack Surface Reduction) is responsible for these deleted desktop shortcuts (and then probably also for the Start menu shortcuts and other problems).

Reports on reddit.com

Meanwhile, the thread Multiple users reporting Microsoft apps have disappeared can be found on reddit.com; it also gives a solution (switching the ASR rule to audit via Intune). The user in question writes:

Hi all,

Have you had anyone report applications going missing from their laptops today?

I've seemed to have lost all Microsoft apps, outlook/excel/word

an error message comes up saying it's not supported and then the app seems to have uninstalled.

Some users can open Teams and Outlook, and strangely, it seems some users are unable to open Chrome too.

We're on InTune, FWIW

Anyone else experiencing the same?

In the meantime, someone in the reddit.com thread Potentially faulty Virus Definition Update causing issues win Block Win32 API calls from Office Macro ASR? Desktop shortcuts deleted out of the blue and Office executables disappearing has collected more details. There he writes:

In the last hour, we've had half our organisation report that shortcuts have disappeared from their desktop and Microsoft Office has ceased working. Outlook.exe has flat out disappeared for some.

Whilst not logged in Windows Defender->Operational, if we try to do a quick repair of Office we see that Windows Defender Exploit Guard has blocked the creation of .lnk files

From what I can see, this appears to be the "Block Win32 API calls from Office Macro" ASR rule malfunctioning, potentially after the installation of AntivirusSignatureVersion 1.381.2140.0

Is anyone else seeing similarly?

On one machine I've changed that rule to audit rather than block and Office repair has since been successful and the creation of .lnk files via our powershell scripts is functioning again.

Meanwhile, a possible solution has been outlined by u/wilstoncakes in another post:

We have the same issue with the definition version 1.381.2140.0.

Even for non-office applications like Notepad++, mRemoteNG, Teamviewer, …

We changed the ASR Rule to Audit via Intune.

Block Win32 API calls from Office macros

Rule-ID 92e97fa1-2edf-4476-bdd6-9dd0b4dddc7b

Perhaps it helps for those affected. Another user tweeted me this:

We are seeing the same. Disabling the ASR rule did work. After a service sync we now can recreate Shortcuts. For Office a repair did the trick on my machine.

Defender signature update responsible?

Another user writes that Defender (signature update 1.381.2140.0) is responsible for this behavior:

It's a problem with the newest Defender signature (1.381.2140.0). Tested it by myself. fuck.

Edit: looks like all shortcuts which are located in

ProgramData\Microsoft\Windows\Start Menu\Programs

will be deleted instantly.

If you have further information, leave a comment. If something comes to me, I'll add it.

Discussion in Techcommunity

Addendum: Meanwhile, in the Techcommunity there is a discussion thread Antivirus deletes all shortcuts from the desktop, which clearly names Defender as the cause.

Microsoft confirms the issue

Addendum: Microsoft has confirmed the issue on Twitter:

We're investigating an issue where users are unable to access application shortcuts on the Start menu and Taskbar in Windows. For more details and updates, please follow the SI MO497128 in your admin center.

and added later:

We've identified that a specific rule was resulting in impact. We've reverted the rule to prevent further impact whilst we investigate further. For more information, please follow the SI MO497128 in your admin center.

The problem only occurs with Microsoft Defender for Endpoint (from Plan 1), if the ASR feature is active.

By the way, today is Friday the 13th

Explanations and various workarounds

Addendum: The German colleagues from deskmodder.de also address the issue in this article. There they state that for some users it is sufficient to enter the following command in an administrative prompt.

MpCmdRun.exe -RemoveDefinitions

The command removes the last Defender definitions. I received reports from private users also affected by the issue – maybe the command will be helpful.

Meanwhile, the colleagues from Bleeping Computer have published this article with some more information about the problem (my article above was a first shot, long before MS confirmed that).

The ASR rule "Block Win32 API calls from Office macros" in Configuration Manager or "Win32 imports from Office macro code" in Intune is supposed to prevent malware from using VBA macros to call Win32 APIs.

A flawed Defender signature (1.381.2140.0) caused the ASR rule (rule ID: 92e97fa1-2edf-4476-bdd6-9dd0b4dddc7b) to incorrectly classify users' shortcuts as malicious and delete them.

Microsoft has withdrawn the erroneous ASR rule (see SI MO497128 in the Admin Center), but it takes time for the change to arrive. Therefore, it is recommended to put the ASR rule in question into audit mode via PowerShell, Intune or GPOs – the Bleeping Computer article gives the details.
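As an added example (not from the blog, Bleeping Computer or Microsoft), the following PowerShell run in an elevated prompt checks whether a device carries the flawed signature and whether the rule is still blocking, looks for ASR events touching .lnk files, and only then moves that single rule to Audit mode rather than disabling ASR. It assumes Microsoft Defender Antivirus cmdlets are available locally; where the rule is managed by Intune or GPO, that policy will overwrite the local setting on the next sync.

```powershell
# Added example: targeted Audit-mode switch for the one ASR rule named in the reports.
$RuleId = '92e97fa1-2edf-4476-bdd6-9dd0b4dddc7b'   # "Block Win32 API calls from Office macros"
$BadSig = [version]'1.381.2140.0'                  # flawed Defender signature named in the reports

# 1. Installed signature and the current action for the rule
#    (Actions array: 0 = Disabled, 1 = Block, 2 = Audit, 6 = Warn; same index as Ids).
$status = Get-MpComputerStatus
$pref   = Get-MpPreference
$idx    = [array]::IndexOf(@($pref.AttackSurfaceReductionRules_Ids), $RuleId)
$action = if ($idx -ge 0) { [int]$pref.AttackSurfaceReductionRules_Actions[$idx] } else { -1 }
"Signature {0}, rule action = {1} (-1 = not configured)" -f $status.AntivirusSignatureVersion, $action

# 2. Evidence in the Defender operational log: event 1121 = ASR blocked, 1122 = ASR audited.
#    Assumption: the event text carries the rule ID and the blocked path, so we filter on both.
$hits = Get-WinEvent -FilterHashtable @{
            LogName   = 'Microsoft-Windows-Windows Defender/Operational'
            Id        = 1121, 1122
            StartTime = (Get-Date).AddDays(-1)
        } -ErrorAction SilentlyContinue |
        Where-Object { $_.Message -match $RuleId -and $_.Message -match '\.lnk' }
"ASR events for this rule touching .lnk files in the last 24h: {0}" -f @($hits).Count

# 3. Only when the flawed signature is present AND the rule blocks: switch it to Audit.
#    Add-MpPreference replaces the action for an already configured rule ID.
if ([version]$status.AntivirusSignatureVersion -eq $BadSig -and $action -eq 1) {
    Add-MpPreference -AttackSurfaceReductionRules_Ids $RuleId `
                     -AttackSurfaceReductionRules_Actions AuditMode
    "Rule $RuleId set to AuditMode; re-run Get-MpPreference to confirm."
} else {
    "No change made: either the signature is not $BadSig or the rule is not in Block mode."
}
```

Once the corrected signature has arrived (Update-MpSignature, then compare AntivirusSignatureVersion again), the rule can be returned to Enabled the same way.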

Meanwhile, system administrators here and here have developed PowerShell scripts to restore the Microsoft Office and other application shortcuts in the Start menu. However, these scripts should be tested before they are used in production. In addition, I received the following Lnk Restore action instruction via FB as a screenshot.

Restore .lnk

There is now a confirmation from Microsoft – and there are hints, how to recover shortcuts, see Windows deleted shortcuts; Microsoft explains Windows Defender ASR issue Jan. 13, 2023.
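As an added illustration of what such a restore script does (this is not one of the scripts linked above), the PowerShell below recreates Start Menu shortcuts for a small hypothetical map of Office executables that still exist on disk but whose .lnk was deleted, and checks afterwards whether the new shortcut survived. It assumes the Click-to-Run default path under Program Files\Microsoft Office\root\Office16 and should only be run once the rule is in Audit mode or the fixed signature is installed, otherwise the new .lnk files may be removed again.

```powershell
# Added example: recreate deleted Start Menu shortcuts and verify they persist.
$StartMenu  = Join-Path $env:ProgramData 'Microsoft\Windows\Start Menu\Programs'
$OfficeRoot = Join-Path $env:ProgramFiles 'Microsoft Office\root\Office16'   # assumed C2R path

# Hypothetical shortcut-name -> executable map; extend for other affected apps.
$Targets = [ordered]@{
    'Word'    = 'WINWORD.EXE'
    'Excel'   = 'EXCEL.EXE'
    'Outlook' = 'OUTLOOK.EXE'
}

$shell   = New-Object -ComObject WScript.Shell
$results = @()

foreach ($name in $Targets.Keys) {
    $exe = Join-Path $OfficeRoot $Targets[$name]
    $lnk = Join-Path $StartMenu "$name.lnk"

    if (-not (Test-Path $exe)) { $results += "skip    $name : $exe not found"; continue }
    if (Test-Path $lnk)        { $results += "present $name : $lnk";           continue }

    $sc = $shell.CreateShortcut($lnk)
    $sc.TargetPath       = $exe
    $sc.WorkingDirectory = $OfficeRoot
    $sc.Save()

    # The reports say shortcuts in this folder were deleted "instantly"; give Defender a
    # moment and confirm the file is still there before calling it restored.
    Start-Sleep -Seconds 3
    if (Test-Path $lnk) { $results += "restored $name : $lnk" }
    else                { $results += "REMOVED  $name : $lnk was deleted again; rule still blocking?" }
}

$results
```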

Similar articles:
Microsoft Office Updates (January 3, 2022)
Microsoft Security Update Summary (January 10, 2023)
Patchday: Windows 10 Updates (January 10, 2023)
Patchday: Windows 11/Server 2022 Updates (January 10, 2023)
Windows 7/Server 2008 R2; Windows 8.1/Server 2012 R2: Updates (January 10, 2023)
Patchday: Microsoft Office Updates (January 10, 2023)

Exchange Server Security Updates (January 10, 2023)
Microsoft Exchange January 2023 patchday issues
Windows January 2023 patchday issues
