Forum Discussion
Block Win32 API calls from Office macros blocks all app shortcuts from working
Block Win32 API calls from Office macros currently blocks all app shortcuts from working. We also cannot add shortcuts to the task bar.
Anybody else experiencing something similar?
14 Replies
- We tried ASR per rule exclusions for this using both the absolute path and also a wildcard '*\path\to\folder\*' and it did not work at allowing the trusted Excel spreadsheet to fully open.
Anyone else having issues with ASR per rule exclusions not working? Here is Microsoft's current status. The key takeaway should be:
We've completed a hotfix deployment within the build 1.381.2164.0 on Friday, January 13, 2023, 7:03 PM (6:03 PM UTC)
. This fix update will not restore previously removed shortcut files, but it will prevent any additional shortcut files from being incorrectly removed.
January 16, 2023 8:24 PM
Title: Some users are unable to utilize the Application shortcuts on the Start menu and taskbar
User Impact: Users are unable to utilize the Application shortcuts on the Start menu and taskbar.
More info: The shortcut icons in the taskbar or Start menu may no longer be visible or may not work as intended. Additionally, for some users, they may receive errors when trying to run Executable (.exe) files, if they have dependencies on the shortcut file path.
We've completed a hotfix deployment within the build 1.381.2164.0 on Friday, January 13, 2023, 7:03 PM (6:03 PM UTC)
. This fix update will not restore previously removed shortcut files, but it will prevent any additional shortcut files from being incorrectly removed.
Microsoft has confirmed steps that users can take to recreate start menu links for a significant subset of the affected applications that were deleted. These steps have been consolidated into the PowerShell script in the following link. Users must be a local administrator on the machine that the script will be run on: https://aka.ms/asrfprecovery
Current status: We've updated the guidance provided within https://aka.ms/asrfprecovery, and have confirmed steps that customers can take to recreate start menu links for a significant sub-set of the affected applications that were removed. These have been consolidated into the PowerShell script to help administrators take recovery actions within their environment.
Scope of impact: This issue likely affects users within your organization and is not specific to Office apps, and can impact any application's shortcut file. There is no impact for customers who do not have the “Block Win32 API calls from Office macro” rule turned on in block mode or did not update to security intelligence update build 1.381.2140.0.
Start time: Friday, January 13, 2023, 9:51 AM (8:51 AM UTC)
Root cause: During a recent update to the Windows Security and Microsoft Defender for Endpoint service, user devices experienced a series of false positive detections for the Attack Surface Reduction (ASR) rule "Block Win32 API calls from Office macro" after updating to security intelligence build 1.381.2140.0. These detections resulted in the identification of certain Windows shortcut (.lnk) files that matched the incorrect detection pattern and were subsequently removed.
Next update by: Tuesday, January 17, 2023, 9:00 PM (8:00 PM UTC)
- It just removed my office enterprise suite. Luckily, a "Quick Repair" from the "Control Panel\All Control Panel Items\Programs and Features" fixed everything.
Yes, I disabled it there, and set it from "Block" to "Audit" so I can still see the events.
Now at least everything is audited:
Kiril We are also getting the same in our office. Half of our MS Application Shortcuts have gone. Even I lost entire Office Suite. heaven knows when this will be fixed. Any info or update will be appreciated.
