Friday the 13th is considered an unlucky day in most of the West, and system admins at multiple IT companies definitely felt that yesterday. That's because Microsoft Defender went rogue and deleted shortcuts from the Start menu and Taskbar, among other places. Although user reports indicated that the issue was present on Windows 10 systems, Microsoft has confirmed today on its health dashboard that Windows 11 was also affected.
After installing security intelligence update build 1.381.2140.0 for Microsoft Defender, application shortcuts in the Start menu, pinned to the taskbar, and on the Desktop might be missing or deleted. Additionally, errors might be observed when trying to run executable (.exe) files which have dependencies on shortcut files. Affected devices have the Attack Surface Reduction (ASR) rule "Block Win32 API calls from Office macro" enabled. After installing security intelligence build 1.381.2140.0, detections resulted in the deletion of certain Windows shortcut (.lnk) files that matched the incorrect detection pattern.
Windows devices used by consumers in their home or small offices are not likely to be affected by this issue.
Client: Windows 11, version 22H2; Windows 10, version 22H2; Windows 11, version 21H2; Windows 10, version 21H2; Windows 10, version 20H2; Windows 10 Enterprise LTSC 2019; Windows 10 Enterprise LTSC 2016; Windows 10 Enterprise 2015 LTSB
System admins soon discovered that a hardened ASR rule in Defender's security intelligence update version 1.381.2140.0 was the culprit, and they devised a workaround. Microsoft has also officially validated the workaround:
Workaround: Changes to Microsoft Defender can mitigate this issue. The Attack Surface Reduction (ASR) rules in Microsoft Defender are used to regulate software behavior as part of security measures. Changing ASR rules to Audit Mode can help prevent this issue. This can be done through the following options:
- Using Intune: Enable attack surface reduction rules | Defender for Endpoint: Microsoft Endpoint Manager
- Using Group Policy: Enable attack surface reduction rules | Defender for Endpoint: Group Policy
Microsoft Office applications can be launched through the Microsoft 365 app launcher. More details on the Microsoft 365 app launcher can be found in Meet the Microsoft 365 app launcher.
Microsoft has also published the steps needed to resolve the issue fully. However, sysadmins are likely to be disappointed that the fix does not restore the deleted shortcuts. All Microsoft says here is that affected admins and users "need to recreate or restore these shortcuts through other methods":
Next steps: This issue is resolved in security intelligence update build 1.381.2164.0. Installing security intelligence update build 1.381.2164.0 or later should prevent the issue, but it will not restore previously deleted shortcuts. You will need to recreate or restore these shortcuts through other methods.
Hence, users are advised to update their Defender security intelligence version to 1.381.2164.0 or later. You can find more details about these definition updates here.
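The workaround and the fix described above can be checked on a single device with Defender's PowerShell cmdlets. This is an added example, not part of Microsoft's advisory or the original article; it assumes the rule GUID from Microsoft's public ASR rule reference and treats every build from 1.381.2140.0 up to, but not including, 1.381.2164.0 as affected.

```powershell
#Requires -RunAsAdministrator
# Added example: local check for the shortcut-deletion issue described above.
# Assumptions: the rule GUID comes from Microsoft's public ASR rule reference,
# and every build from 1.381.2140.0 up to (not including) 1.381.2164.0 is
# treated as affected.
$RuleId   = '92e97fa1-2edf-4476-bdd6-9dd0b4dddc7b'  # Block Win32 API calls from Office macros
$BadBuild = [version]'1.381.2140.0'
$FixBuild = [version]'1.381.2164.0'

$build = [version](Get-MpComputerStatus).AntivirusSignatureVersion
$pref  = Get-MpPreference

# Rule IDs and actions are parallel arrays: 0 = off, 1 = block, 2 = audit, 6 = warn
$ids     = @($pref.AttackSurfaceReductionRules_Ids)
$actions = @($pref.AttackSurfaceReductionRules_Actions)
$action  = 0
for ($i = 0; $i -lt $ids.Count; $i++) {
    if ($ids[$i] -ieq $RuleId) { $action = [int]$actions[$i] }
}

$affected = ($build -ge $BadBuild) -and ($build -lt $FixBuild)
Write-Output "Signature build: $build  rule action: $action  affected build: $affected"

if ($affected -and $action -eq 1) {
    # Interim mitigation: move only this rule from block to audit.
    Add-MpPreference -AttackSurfaceReductionRules_Ids $RuleId `
                     -AttackSurfaceReductionRules_Actions AuditMode
    Write-Output 'Rule set to AuditMode locally.'
}

if ($build -lt $FixBuild) {
    # Pull current definitions, then confirm the fixed build is installed.
    Update-MpSignature
    $build = [version](Get-MpComputerStatus).AntivirusSignatureVersion
    Write-Output "Signature build after update: $build (fixed: $($build -ge $FixBuild))"
}
```

On devices managed through Intune or Group Policy, the centrally configured rule state takes precedence over this local setting, so change the rule there as the advisory describes. Once the fixed build is confirmed, the rule can be returned to block mode.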