Antivirus deletes all shortcuts from the desktop

Brass Contributor

After this morning's update of security intelligence to version 1.381.2140.0, defender is deleting on all clients all links to applications; does anyone have the same problem?

47 Replies
@michelariis, please open a MS CSS support ticket, and mark it as a Sev-A.
Yong Rhee - MSFT



We have the same issue and many more.


Set the following ASR rule to Audit.

Block Win32 API calls from Office macros

Rule-ID 92e97fa1-2edf-4476-bdd6-9dd0b4dddc7b


Then you can restore the links. Microsoft needs to fix this ASAP

I modified the rule: Block Win32 API calls from Office macros
from Block to Audit mode
in MDM Security Baseline
category Microsoft Defender
yeah we are seeing this across multiple orgs too. We are testing the suggested fix

@Dreamaker We haven´t had a block roule, but all shortcuts were deleted. We changed to audit, but without a change on the tested mashines.

Probably you can have this setting in different way: local GPO, ASR rule, Security baseline rule.

Has Microsoft made any comment 

Now there is the advisory on Service health in Microsoft365 Admin portal: Some users are unable to utilize the Application shortcuts on the Start menu and taskbar
MO497128, Last updated: January 13, 2023 12:57 PM
Estimated start time: January 13, 2023 12:43 PM

We are also affected, started around 10:30am GMT+2. We saw Defender deleting .lnk files and also blocking/deleting Windows Store Apps from Microsoft. We changed the affected ASR rule and try to force all clients to sync, but it may be to late from my reports we got so far.


Also affected here. Latest from MS...

January 13, 2023 1:06 PM · Quick update

We've identified that a specific rule was resulting in impact. We've reverted the rule to prevent further impact whilst we investigate further. This quick update is designed to give the latest information on this issue.
It looks like having a rule set to "Warn" also causes the issue. You need to set to audit or disabled.
We also see some other files affacted, for examples .xml files and Microsoft Store Apps like Picture.library-ms and some other.
We've had the same problem .. all shortcuts on every device has been deleted
Yes! We were also affected.
The support team have confirmed this is a known issue from today .. and recommend doing this until the fix. They also tell me that they will get the shortcuts put back.. but we'll see
Yes I was bit by this problem this morning. Thank goodness for Macrium Reflect backups. However, it won’t do me any good unless this issue is resolved as the shortcuts will just be deleted again.

Have the same exact issue but we do not even have the Block Win32 API Calls from Office Macro configured within our ASR rules so very frustrated to be in this position.


To force the point.  I have created a new rule and set Block Win32 API Calls from Office Macro to Audit mode.  


Hoping this calms things down.

Have released the updated to version 1.381.2152.0



After updating and restarting, the links are no longer deleted.
The problem remains that if I run the search for a program it does not find it unless I add .exe (e.g., outlook.exe)

1 best response