Well, my Friday 13th started well until that was just before lunchtime, we started to hear rumblings of Office shortcuts disappearing from User Desktops, and it appeared to be linked to Defender ASR Rules. I have tried to summarise the issues which are based on several articles and Microsoft information, as well as identify fixes (albeit temporary) and how to restore those shortcut links.

The Issue

The issue was spotted when devices started to lose Icons and application shortcuts from the taskbar and start menu. The most notable one being Office Applications. Initially reported via Twitter and Reddit, it soon appeared not to be an isolated issue

The underlying problem came from a security intelligence update released that morning (Build 1.381.2140.0.) and related to organisations who have the โ€œBlock Win32 API calls from Office macroโ€ Attack Surface Reduction (ASR) rule deployed in Block or Warn mode.

This resulted in a number of false positives for the โ€œBlock Win32 API Calls for Office Macrosโ€ ASR Rule. These detections resulted in the identification of certain Windows shortcut (.lnk) files that matched the incorrect detection pattern and were then subsequently removed.

Additionally, for some users, they may receive errors when trying to run Executable (.exe) files, if they have dependencies on the shortcut file path.

The Fix

The initial fix or workaround to try and mitigate the risk of these shortcuts being removed was to configure the โ€œBlock Win32 API Calls for Office Marcosโ€ ASR Rule from Block mode to Audit Mode. This is obviously a temporary workaround to start with as Microsoft eventually reverted the changes they had performed with a hotfix deployment within build 1.381.2164.0 at around 6 pm UTC.

However, by this time, the majority of damage had always been done within Organisationโ€™s environments, the fix does not restore the previously removed shortcuts but it will prevent any additional shortcut files from being incorrectly removed.

If you havenโ€™t received the build containing the fix and are still experiencing issues then you can put the โ€œBlock Win32 API Calls for Office Macrosโ€ ASR Rule into Audit Mode to reduce any additional impact. But remember you will need to re-enable this rule to the original setting once the issue has been fully resolved. There are a couple of options on how you can achieve this:

The above stops/prevents the removal of shortcuts but what if your shortcuts have already been removed?

As a temporary workaround, affected users can directly launch Office Apps by using the Office App, or through the Microsoft 365 app launcher. More details on the Microsoft 365 app launcher can be found here: https://support.microsoft.com/en-us/office/meet-the-microsoft-365-app-launcher-79f12104-6fed-442f-96a0-eb089a3f476a

Firstly you need to identify the shortcuts that have been removed, through the Advanced Hunting in Microsoft Security Portal, the following Query should help identify this:

DeviceEvents
| where ActionType == "AsrOfficeMacroWin32ApiCallsBlocked" and Timestamp >= datetime("2023-01-13 00:00:00Z")
| order by Timestamp
| where FileName endswith ".lnk"
| summarize count() by FileName
| sort by count_

Then the following blog has details on how you can restore these with a PowerShell Script and Intune or Configuration Manager - Restoring shortcuts for Microsoft SI MO497128 deleting shortcuts in start menu โ€“ CloudScript โ€“ Letโ€™s PowerShell IT

UPDATE 14/01/23 - Microsoft has now released technical guidance for Recovering from Attack Surface Reduction rule shortcut deletions.

Previous & Next
Streamlining Windows Client Vulnerability Management with Microsoft Security Services Resources for Microsoft Security Exams