Users of Microsoft Defender for Endpoint on Friday were unable to access application shortcuts and utility shortcuts on the Start menu, Desktop, and Taskbar in Windows 10 and 11.
Apparently, the problem was related to a flawed Microsoft Defender for Endpoint ASR (attack surface reduction) rule issued with Windows Defender security intelligence update 1.381.2140.0 on Friday morning.
In the known issues and notification section of the Windows Health page, Microsoft explains that affected devices which had the Atack Surface Reduction (ASR) rule “Block Win32 API calls from Office macro” enabled caused the application shortcuts in the Start menu, pinned to the taskbar, and on the Desktop to either go missing or get deleted.
“Additionally, errors might be observed when trying to run executable (.exe) files which have dependencies on shortcut files,” it wrote.
“After installing security intelligence build 1.381.2140.0, detections resulted in the deletion of certain Windows shortcut (.lnk) files that matched the incorrect detection pattern.”
The company, however, said that Windows devices used by consumers in their homes or small offices are not likely to be affected by this issue.
Immediately after identifying the problem, a workaround was worked out which was also officially validated by Microsoft.
Workaround: Changes to Microsoft Defender can mitigate this issue. The Atack Surface Reduction (ASR) rules in Microsoft Defender are used to regulate software behavior as part of security measures. Changing ASR rules to Audit Mode can help prevent this issue. This can be done through the following options:
- Using Intune: Enable attack surface reduction rules | Defender for Endpoint: Microsoft Endpoint Manager
- Using Group Policy: Enable attack surface reduction rules | Defender for Endpoint: Group Policy
Microsoft Office applications can be launched through the Microsoft 365 app launcher. More details on the Microsoft 365 app launcher can be found in Meet the Microsoft 365 app launcher
According to Microsoft, the issue has been resolved with the release of security intelligence update build 1.381.2164.0. Affected admins and users are advised to update their Defender security intelligence version to 1.381.2164.0 or later to prevent the problem.
However, the update will not restore previously deleted shortcuts. Microsoft says users are will need to recreate or restore these shortcuts through other methods.