Forum Discussion

Kiril's avatar
Kiril
Iron Contributor
Jan 13, 2023

Block Win32 API calls from Office macros blocks all app shortcuts from working

Block Win32 API calls from Office macros currently blocks all app shortcuts from working. We also cannot add shortcuts to the task bar.   Anybody else experiencing something similar?
mobile device management (mdm)
Chris017's avatar
Chris017
Copper Contributor
Jan 17, 2023

Kiril 

When will it be safe to enable the 'Block Win32 API call from Office macro'  ASR policy again?

 

Kiril's avatar
Kiril
Iron Contributor
Jan 17, 2023

Here is Microsoft's current status. The key takeaway should be:

 

We've completed a hotfix deployment within the build 1.381.2164.0 on Friday, January 13, 2023, 7:03 PM (6:03 PM UTC)
. This fix update will not restore previously removed shortcut files, but it will prevent any additional shortcut files from being incorrectly removed.

January 16, 2023 8:24 PM

Title: Some users are unable to utilize the Application shortcuts on the Start menu and taskbar

User Impact: Users are unable to utilize the Application shortcuts on the Start menu and taskbar.

More info: The shortcut icons in the taskbar or Start menu may no longer be visible or may not work as intended. Additionally, for some users, they may receive errors when trying to run Executable (.exe) files, if they have dependencies on the shortcut file path.

We've completed a hotfix deployment within the build 1.381.2164.0 on Friday, January 13, 2023, 7:03 PM (6:03 PM UTC)
. This fix update will not restore previously removed shortcut files, but it will prevent any additional shortcut files from being incorrectly removed.

Microsoft has confirmed steps that users can take to recreate start menu links for a significant subset of the affected applications that were deleted. These steps have been consolidated into the PowerShell script in the following link. Users must be a local administrator on the machine that the script will be run on: https://aka.ms/asrfprecovery

Current status: We've updated the guidance provided within https://aka.ms/asrfprecovery, and have confirmed steps that customers can take to recreate start menu links for a significant sub-set of the affected applications that were removed. These have been consolidated into the PowerShell script to help administrators take recovery actions within their environment.

Scope of impact: This issue likely affects users within your organization and is not specific to Office apps, and can impact any application's shortcut file. There is no impact for customers who do not have the “Block Win32 API calls from Office macro” rule turned on in block mode or did not update to security intelligence update build 1.381.2140.0.

Start time: Friday, January 13, 2023, 9:51 AM (8:51 AM UTC)

Root cause: During a recent update to the Windows Security and Microsoft Defender for Endpoint service, user devices experienced a series of false positive detections for the Attack Surface Reduction (ASR) rule "Block Win32 API calls from Office macro" after updating to security intelligence build 1.381.2140.0. These detections resulted in the identification of certain Windows shortcut (.lnk) files that matched the incorrect detection pattern and were subsequently removed.

Next update by: Tuesday, January 17, 2023, 9:00 PM (8:00 PM UTC)

Resources