Apologies for the inconvenience. On January 13th, Windows Security and Microsoft Defender for Endpoint customers may have experienced a series of false positive detections for the Attack Surface Reduction (ASR) rule "Block Win32 API calls from Office macro" after updating to security intelligence builds between 1.381.2134.0 and 1.381.2163.0. These detections resulted in the deletion of files that matched the incorrect detection logic, primarily impacting Windows shortcut (.lnk) files.
There is no impact for customers who do not have the “Block Win32 API calls from Office macro” rule turned on in block mode or did not update to security intelligence update builds 1.381.2134.0, 1.381.2140.0, 1.381.2152 and 1.381.2163.0.
Customers should update to build 1.381.2164.0 or later. Customers utilizing automatic updates for Microsoft Defender Antivirus do not need to take additional action to receive the updated security intelligence build. Enterprise customers managing updates should download the latest update and deploy it across their environments. The security intelligence build does not restore deleted shortcuts; instructions on how to restore those are immediately below. If you turned “Block Win32 calls from Office macros” into audit mode per prior guidance, you can now safely turn on block mode.
Kindly follow "Recovering from Attack Surface Reduction rule shortcut deletions" to recover deleted Start menu and taskbar shortcuts and for next actions.
Microsoft has confirmed steps that customers can take to recreate start menu links for a significant sub-set of the affected applications that were deleted.
Version 5.0 provides improved error handling for AddShortcuts.ps1 to ensure RunOnce executes when a logged off user logs back in. MpRecoverTaskbar.exe now supports restoring each user’s Chrome and Edge pinned taskbar shortcuts found per profile. For more details click here.
- 1/ Download both AddShortcuts.ps1 and MpRecoverTaskBar.exe and select from the following options:
  - Option A/ If you are using System Center Config Manager, Group Policy Object Editor or third-party tools, then deploy both files and run the command “powershell -ep bypass -file .\AddShortcuts.ps1 -MpTaskBarRecoverUtilDownload=false” as Administrator.
  - Option B/ If you are using Intune or no management tool, then deploy AddShortcuts.ps1 and run the command “powershell -ep bypass -file .\AddShortcuts.ps1” as Administrator. This will automatically download MPTaskBarRecover.exe from the Microsoft download center onto the user’s machine and run the script. Detailed instructions on how to deploy the script using Microsoft Intune are here.
- 2/ The changes will come into effect after users log out of and back in to their accounts.
- 3/ MPRecoverTaskbar.exe can be run multiple times on end-user machines if necessary. If end users are missing taskbar icons after completing this process, then try running it a second time from %windir%\MPRecoverTaskbar.exe in the user context.
The script requires PowerShell 5.x and does not currently support PowerShell 7.x.
Version 5.0 includes all the improvements from Version 4.0:
- restores from Volume Shadow Copy Service by default;
- recovers .URL files in the user's profile's Favorites and Desktop directories, if those URL files exist in the Volume Shadow Copy Service;
- contains improvements for non-English language machines;
- improved error handling and additional checks that help recover more shortcuts and links;
- better error handling to perform all the actions, including running MpRecoverTaskbar.exe.
In addition, Version 5.0 adds better error handling in AddShortcuts.ps1 to ensure RunOnce executes when a logged-off user logs back in, and enables MPRecoverTaskbar.exe to restore each user’s Chrome and Edge pinned taskbar shortcuts found per profile.
To add programs to the script: edit the $program variable and add a new line with the name of the application lnk and the executable.
For customers that prefer manual steps rather than the script, running an application repair on affected applications will recreate deleted links. Users can run the Application Repair functionality for programs including Microsoft 365, Microsoft Edge, and Microsoft Visual Studio.
To repair an application, follow these instructions:
Windows 10:
- Select Start > Settings > Apps > Apps & features.
- Select the app you want to fix.
- Select the Modify link under the name of the app if it is available.
- A new page will launch and allow you to select Repair.
Windows 11:
- Type “Installed Apps” in the search bar.
- Click “Installed Apps”.
- Select the app you want to fix.
- Click on “…”.
- Select Modify or Advanced Options if it is available.
- A new page will launch and allow you to select Repair.
Thanks,
Akshay Kaushik
Please "Accept the answer", "Upvote" and share your feedback (Yes/No) if the suggestion works as per your business need. This will help us and others in the community as well.
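The answer above tells you which security intelligence builds and which ASR rule state put a machine at risk, but not how to check a fleet for that combination before re-enabling block mode. The following PowerShell 5.x script is an added example and is not part of the original answer or of Microsoft's AddShortcuts.ps1 / MpRecoverTaskbar.exe tooling. It reads the current signature build from Get-MpComputerStatus and the configured ASR rules from Get-MpPreference, then reports whether the machine was in the exposed combination (affected build plus block mode). The rule GUID is taken from Microsoft's published ASR rules reference and is an assumption here rather than a value from the answer; verify it against current documentation before relying on it.

```powershell
# Added example (not Microsoft's recovery script). Exposure check for the ASR
# "Block Win32 API calls from Office macros" false positive described above.
# Requires PowerShell 5.x and the Defender module (Get-MpComputerStatus, Get-MpPreference).

# ASR rule GUID for "Block Win32 API calls from Office macros".
# Assumption: taken from Microsoft's ASR rules reference, not from the answer above.
$Win32ApiRuleId = '92E97FA1-2EDF-4476-BDD6-9DD0B4DDDC7B'

# Affected range and fixed build exactly as stated in the answer.
$FirstBad = [version]'1.381.2134.0'
$LastBad  = [version]'1.381.2163.0'
$Fixed    = [version]'1.381.2164.0'

function Test-AffectedSignatureBuild {
    # True when the build falls inside the range that carried the bad detection logic.
    param([Parameter(Mandatory)][version]$Build)
    return ($Build -ge $FirstBad -and $Build -le $LastBad)
}

function Get-Win32ApiRuleAction {
    # Returns the configured ASR action for the rule:
    # 0 = disabled, 1 = block, 2 = audit, 5 = not configured, 6 = warn.
    # Ids and Actions are parallel arrays in Get-MpPreference.
    $pref    = Get-MpPreference
    $ids     = @($pref.AttackSurfaceReductionRules_Ids)
    $actions = @($pref.AttackSurfaceReductionRules_Actions)
    for ($i = 0; $i -lt $ids.Count; $i++) {
        if ($ids[$i] -ieq $Win32ApiRuleId) { return [int]$actions[$i] }
    }
    return 5
}

$status = Get-MpComputerStatus
$build  = [version]$status.AntivirusSignatureVersion
$action = Get-Win32ApiRuleAction

Write-Host "Computer:                    $env:COMPUTERNAME"
Write-Host "Security intelligence build: $build"
Write-Host "Win32 API rule action:       $action (1=block, 2=audit, 0/5=off)"

if (Test-AffectedSignatureBuild $build) {
    if ($action -eq 1) {
        # Exactly the combination the answer says caused .lnk deletions.
        Write-Warning "Exposed: affected build with the rule in block mode. Update to $Fixed or later, then run AddShortcuts.ps1 to restore shortcuts."
    } else {
        Write-Host "Affected build, but the rule is not in block mode: no deletions expected. Update to $Fixed or later before turning block mode on."
    }
} elseif ($build -lt $FirstBad) {
    Write-Host "Build predates the affected range; it was not exposed, but update to $Fixed or later before changing the rule."
} else {
    Write-Host "Build $build is at or past the fixed build $Fixed; block mode can be re-enabled."
}
```

Run it as Administrator on a representative machine, or push it through your management tool and collect the output. The version comparison uses the [version] type rather than string comparison, so builds quoted without a trailing component (such as 1.381.2152 in the answer) still sort correctly inside the affected range.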