Forum Discussion

Kiril
Steel Contributor
Jan 13, 2023

Block Win32 API calls from Office macros blocks all app shortcuts from working

Block Win32 API calls from Office macros currently blocks all app shortcuts from working. We also cannot add shortcuts to the task bar.

 

Anybody else experiencing something similar?

14 Replies

  • GuruLee
    Copper Contributor
    We tried ASR per rule exclusions for this using both the absolute path and also a wildcard '*\path\to\folder\*' and it did not work at allowing the trusted Excel spreadsheet to fully open.
    Anyone else having issues with ASR per rule exclusions not working?
  • Chris017
    Copper Contributor

    Kiril

    When will it be safe to enable the 'Block Win32 API call from Office macro' ASR policy again?

    • Kiril
      Steel Contributor

      Here is Microsoft's current status. The key takeaway should be:

       

      We've completed a hotfix deployment within the build 1.381.2164.0 on Friday, January 13, 2023, 7:03 PM (6:03 PM UTC). This fix update will not restore previously removed shortcut files, but it will prevent any additional shortcut files from being incorrectly removed.

      January 16, 2023 8:24 PM

      Title: Some users are unable to utilize the Application shortcuts on the Start menu and taskbar

      User Impact: Users are unable to utilize the Application shortcuts on the Start menu and taskbar.

      More info: The shortcut icons in the taskbar or Start menu may no longer be visible or may not work as intended. Additionally, for some users, they may receive errors when trying to run Executable (.exe) files, if they have dependencies on the shortcut file path.

      We've completed a hotfix deployment within the build 1.381.2164.0 on Friday, January 13, 2023, 7:03 PM (6:03 PM UTC). This fix update will not restore previously removed shortcut files, but it will prevent any additional shortcut files from being incorrectly removed.

      Microsoft has confirmed steps that users can take to recreate start menu links for a significant subset of the affected applications that were deleted. These steps have been consolidated into the PowerShell script in the following link. Users must be a local administrator on the machine that the script will be run on: https://aka.ms/asrfprecovery

      Current status: We've updated the guidance provided within https://aka.ms/asrfprecovery, and have confirmed steps that customers can take to recreate start menu links for a significant sub-set of the affected applications that were removed. These have been consolidated into the PowerShell script to help administrators take recovery actions within their environment.

      Scope of impact: This issue likely affects users within your organization and is not specific to Office apps, and can impact any application's shortcut file. There is no impact for customers who do not have the “Block Win32 API calls from Office macro” rule turned on in block mode or did not update to security intelligence update build 1.381.2140.0.

      Start time: Friday, January 13, 2023, 9:51 AM (8:51 AM UTC)

      Root cause: During a recent update to the Windows Security and Microsoft Defender for Endpoint service, user devices experienced a series of false positive detections for the Attack Surface Reduction (ASR) rule "Block Win32 API calls from Office macro" after updating to security intelligence build 1.381.2140.0. These detections resulted in the identification of certain Windows shortcut (.lnk) files that matched the incorrect detection pattern and were subsequently removed.

      Next update by: Tuesday, January 17, 2023, 9:00 PM (8:00 PM UTC)

    • Technigogo
      Copper Contributor
      It just removed my office enterprise suite. Luckily, a "Quick Repair" from the "Control Panel\All Control Panel Items\Programs and Features" fixed everything.
  • paulsukhu
    Copper Contributor

    Kiril Yes, I'm seeing exactly the same thing. No recent administrative changes to Defender for Endpoint's config. Just yesterday's MS intel update.

  • BogdanM84
    Copper Contributor

    How did you disable it? Kiril

    From here?

    And did you set it to Off or Not configured?

    Thank you

    PS: Shortcuts wiped from most of our devices... Citrix, Chrome, Office apps, etc.

    • Kiril
      Steel Contributor

      Yes, I disabled it there, and set it from "Block" to "Audit" so I can still see the events.

      Now at least everything is audited.
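
An added example (not code from this thread, and not Microsoft's aka.ms/asrfprecovery recovery script) that ties together Microsoft's status post above and Kiril's switch to Audit mode. It checks whether a device matches the stated impact criteria (rule in Block mode and security intelligence build 1.381.2140.0 or later but before the 1.381.2164.0 hotfix), optionally moves the rule to Audit locally, and pulls the rule's block (1121) and audit (1122) events from the Defender operational log so you can see what the rule acted on. It assumes the Defender PowerShell module is present, uses the public rule GUID for "Block Win32 API calls from Office macros", and the `Path:` / `Process Name:` regexes assume the wording of the standard 1121/1122 event template. If the rule is enforced by Intune or Group Policy, the local `Add-MpPreference` change is overwritten and the mode has to be changed in that policy instead, as Kiril did.

```powershell
# Added example: not from the thread or from Microsoft's recovery script.
# Run in an elevated PowerShell session on a Defender-managed Windows device.

# ASR rule "Block Win32 API calls from Office macros" (public rule GUID)
$RuleId = '92E97FA1-2EDF-4476-BDD6-9DD0B4DDDC7B'

# Builds named in Microsoft's status post: first bad signature and the hotfixed one
$BadBuild   = [version]'1.381.2140.0'
$FixedBuild = [version]'1.381.2164.0'

function Get-AsrRuleAction {
    # Returns the locally configured action for the rule: Off, Block, Audit, Warn or NotConfigured
    param([string]$Id = $RuleId)
    $pref = Get-MpPreference
    $ids  = @($pref.AttackSurfaceReductionRules_Ids     | Where-Object { $_ })
    $acts = @($pref.AttackSurfaceReductionRules_Actions | Where-Object { $null -ne $_ })
    for ($i = 0; $i -lt $ids.Count; $i++) {
        if ($ids[$i].Trim('{}') -ieq $Id) {
            switch ([int]$acts[$i]) {
                0       { return 'Off' }
                1       { return 'Block' }
                2       { return 'Audit' }
                6       { return 'Warn' }
                default { return "Unknown($_)" }
            }
        }
    }
    return 'NotConfigured'
}

function Test-AsrShortcutExposure {
    # Matches the impact criteria from the status post: rule in Block mode on a
    # signature build at or after the bad one and before the hotfix.
    $sig    = [version](Get-MpComputerStatus).AntivirusSignatureVersion
    $action = Get-AsrRuleAction
    [pscustomobject]@{
        SignatureVersion = $sig
        RuleAction       = $action
        Exposed          = ($action -eq 'Block') -and ($sig -ge $BadBuild) -and ($sig -lt $FixedBuild)
        HotfixApplied    = ($sig -ge $FixedBuild)
    }
}

function Set-AsrRuleToAudit {
    # Moves the rule from Block to Audit locally so events keep being logged.
    # A policy-managed rule (Intune / GPO) will override this; change it there instead.
    Add-MpPreference -AttackSurfaceReductionRules_Ids $RuleId `
                     -AttackSurfaceReductionRules_Actions AuditMode
    Get-AsrRuleAction
}

function Get-AsrRuleEvents {
    # Block (1121) and audit (1122) events for this rule from the last N days.
    param([int]$Days = 7)
    Get-WinEvent -FilterHashtable @{
        LogName   = 'Microsoft-Windows-Windows Defender/Operational'
        Id        = 1121, 1122
        StartTime = (Get-Date).AddDays(-$Days)
    } -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -match $RuleId } |
    ForEach-Object {
        # Assumption: the event text carries "Path: <target>" and "Process Name: <initiator>"
        $target = if ($_.Message -match 'Path:\s*(?<p>[^\r\n]+)')         { $Matches.p } else { '' }
        $proc   = if ($_.Message -match 'Process Name:\s*(?<n>[^\r\n]+)') { $Matches.n } else { '' }
        [pscustomobject]@{
            Time    = $_.TimeCreated
            Mode    = if ($_.Id -eq 1121) { 'Block' } else { 'Audit' }
            Target  = $target
            Process = $proc
        }
    }
}

# Usage
$state = Test-AsrShortcutExposure
$state | Format-List
if ($state.Exposed) {
    Write-Warning 'Rule is in Block mode on an affected signature build; switching to Audit.'
    Set-AsrRuleToAudit
}
Get-AsrRuleEvents -Days 7 | Sort-Object Time -Descending | Format-Table -AutoSize
```

The `Target` column is what tells you whether the detections were the false positives described in the status post (`.lnk` files under Start menu and taskbar paths) or genuine macro activity; once `HotfixApplied` is true for the fleet, the event history is the evidence to decide whether the rule can go back to Block.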

       

       

      • anirban80in
        Copper Contributor

        Kiril We are also getting the same in our office. Half of our MS application shortcuts have gone. I even lost the entire Office Suite. Heaven knows when this will be fixed. Any info or update will be appreciated.

         

         

  • Kiril
    Steel Contributor

    Kiril As visible from the report, the rule is running wild. I just deactivated it, but the damage is done.

    All app shortcuts are removed from the system, e.g. I cannot find Edge anymore.

     

     

     

     
