MicrosoftIn Defender Hunting perform this query to get the list of users, and then create this query with the associated accountname and export this list to apply the GPO by logon and run the Microsoft scripts. And it massively solved the issue.
DeviceEvents
| where Timestamp >= datetime(2023-01-13)
| where ActionType contains "AsrOfficeMacroWin32ApiCallsBlocked"
| summarize by Timestamp, DeviceName, DeviceId, FileName, FolderPath, ActionType, AdditionalFields, InitiatingProcessAccountName
| sort by Timestamp asc
From Defender Hunting perform this query to obtain the list of users, and export this list in a csv and open it in excel to select the accountname column and copy and paste it in a group of Active directory (When copying it will filter out duplicates) that later we will execute a GPO with Microsoft instructions... Here is an idea of how to do it...
Step by step
From Defender Hunting, Export the csv with the list of users (removing system user) and copy and paste it into a group that you can create in the Active directory OU, you can call it: "Restore Shorcuts" and it will filter the list in Excel, then create a cmd script ("Restore-Shortcuts.cmd".) to call the Microsoft powershell files.
On this server \\SERVER\temp$\Recover Shortcuts" Copy the AddShorcuts.ps1 files (In this blog is the download link) and Copy the file: MpTaskBarRecover.exe
And create and save the "Restore-Shortcuts.cmd". Example:
@echo off
Robocopy "\\SERVER\temp$\Recover Shortcuts" "C:\Temp\Recover Shortcuts" /S
cd "C:\Temp\Recover Shortcuts"
powershell.exe Set-ExecutionPolicy unrestricted
powershell.exe -file .\AddShortcuts.ps1 -MpTaskBarRecoverUtilLocal -ForceRepair
Finally, assign the Recover-Scripts.cmd through a GPO and associate it to the group where you add the list of affected users and done.
