Microsoft Secure Tech Accelerator
Apr 03 2024, 07:00 AM - 11:00 AM (PDT)
Microsoft Tech Community
Recovering from Attack Surface Reduction rule shortcut deletions
Published Jan 14 2023 12:12 AM 285K Views

Updated 1/23/2023 @ 1:10pm PST


On January 13th, Windows Security and Microsoft Defender for Endpoint customers may have experienced a series of false positive detections for the Attack Surface Reduction (ASR) rule "Block Win32 API calls from Office macro" after updating to security intelligence builds between 1.381.2134.0 and 1.381.2163.0. These detections resulted in the deletion of files that matched the incorrect detection logic primarily impacting Windows shortcut (.lnk) files.


There is no impact for customers who do not have the “Block Win32 API calls from Office macro” rule turned on in block mode or did not update to security intelligence update builds 1.381.2134.0, 1.381.2140.0, 1.381.2152 and 1.381.2163.0. 


For currently impacted customers: what do I need to do? 

Impacted customers will need both the updated security intelligence build and follow the process to recover start menu and taskbar shortcuts.


The updated security intelligence build

Customers should update to build 1.381.2164.0 or later. Customers utilizing automatic updates for Microsoft Defender antivirus do not need to take additional action to receive the updated security intelligence build. Enterprise customers managing updates should download the latest update and deploy it across their environments.  The security intelligence build does not restore deleted shortcuts. Instructions on how to restore those are immediately below. If you turned “Block Win32 calls from Office macros” into audit mode per prior guidance you can now safely turn on block mode.


To recover deleted start menu and taskbar shortcuts

Microsoft has confirmed steps that customers can take to recreate start menu links for a significant sub-set of the affected applications that were deleted.  


Version 5.0 provides improved error handling for AddShortcuts.ps1 to ensure RunOnce executes when a logged off user logs back in. MpRecoverTaskbar.exe now supports restoring each user’s Chrome and Edge pinned taskbar shortcuts found per profile. For more details click here.


1/ Download both AddShortcuts.ps1 and MpRecoverTaskBar.exe and select from the following options:


Option A/ If you are using System Center Config Manager or Group Policy Object Editor or third-party tools then deploy both files and run the command “powershell -ep bypass -file .\AddShortcuts.ps1 -MpTaskBarRecoverUtilDownload=false as Administrator.


Option B/ If you are using Intune or no management tool then deploy AddShortcuts.ps1 and run the command “powershell -ep bypass -file .\AddShortcuts.ps1” as Administrator.  This will automatically download MPTaskBarRecover.exe from the Microsoft download center onto the user’s machine and run the script. Detailed instructions on how to deploy the script using Microsoft Intune are here. 


2/ The changes will come into effect after users logout and login to their accounts.


3/ The MPRecoverTaskbar.exe can be run multiple times on end-user machines if necessary.  If end-users are missing taskbar icons after completing this process, then try running it a second time from %windir%\MPRecoverTaskbar.exe in the user context.


The script requires PowerShell 5.x and does not currently support PowerShell 7.x.


Version 5.0 includes all the improvements from Version 4.0: restores from Volume Shadow Copy Service by default, recovers .URL files in the user's profile's Favorites and Desktop directories, if those URL files exist in the Volume Shadow Copy Service, contains improvements for non-English language machines, improved error handling and additional checks that help recover more shortcuts and links, better error handling to perform all the actions including running the MpRecoverTaskbar.exe, while adding support for better error handling using AddShortcuts.ps1 to ensure RunOnce executes when a logged off user logs back in, and enabling MPRecoverTaskbar.exe to restore each user’s Chrome and Edge pinned taskbar shortcuts found per profile.


To add programs to the script: edit the $program variable and add a new line with the name of the application lnk and the executable. 


For customers that prefer manual steps rather than the script running an application repair on affected applications will recreate deleted links.  Users can run the Application Repair functionality for programs including Microsoft 365, Microsoft Edge, and Microsoft Visual Studio.

To repair an application, follow these instructions:

    1. Windows 10:
      1. Select Start  > Settings  > Apps > Apps & features
      2. Select the app you want to fix.
      3. Select Modify link under the name of the app if it is available.
      4. A new page will launch and allow you to select repair.
    2. Windows 11:
      1. Type “Installed Apps” in the search bar.
      2. Click “Installed Apps”.
      3. Select the app you want to fix.
      4. Click on “…”
      5. Select Modify or Advanced Options if it is available.
      6. A new page will launch and allow you to select repair.

Verifying environment impact

Customers can verify the impact of this issue in their environment through the following advanced hunting queries (AHQs):


This AHQ can retrieve all block events from devices with ASR rule "Block Win32 API calls from Office macro" enabled on “Block” mode, run this query.


| where Timestamp >= datetime(2023-01-13)

| where ActionType contains "AsrOfficeMacroWin32ApiCallsBlocked"

| extend JSON = parse_json(AdditionalFields)

| extend isAudit = tostring(JSON.IsAudit)

| where isAudit == "false"

| summarize by Timestamp, DeviceName, DeviceId, FileName, FolderPath, ActionType, AdditionalFields

| sort by Timestamp asc


This AHQ can retrieve all events from devices with ASR rule "Block Win32 API calls from Office macro" enabled on “block” and “audit” mode, run this query.



| where Timestamp >= datetime(2023-01-13)

| where ActionType contains "AsrOfficeMacroWin32ApiCallsBlocked"

| summarize by Timestamp, DeviceName, DeviceId, FileName, FolderPath, ActionType, AdditionalFields

| sort by Timestamp asc


This AHQ can retrieve the device count with this ASR rule “Block Win32 API calls from Office macro” enabled and if the number is exceeding 10K, run this query.



| where Timestamp >= datetime(2023-01-13)

| where ActionType contains "AsrOfficeMacroWin32ApiCallsBlocked"

| summarize deviceCount = dcount(DeviceId)

| extend IsMoreThanTenThousand = iif(deviceCount> 10000, True, False)


Advanced Hunting Queries are not available in Defender for Endpoint P1 which is also included in E3 and A3 or in Defender for Business.  To identify affected machines run the script here on individual user machines.  



Additional questions are addressed in the FAQ document

Brass Contributor

Timestamp is not correct, change it to : >= datetime(2023-01-13)


For convenience you may add the DeviceName to the summarize line. 

| summarize by Timestamp, DeviceName, DeviceId, FileName, FolderPath, ActionType, AdditionalFields
Brass Contributor

What about advanced custom shortcuts like Autocad and other business line applications? 

And Microsoft: You need to fix this. Not us.

Brass Contributor

I've just run the following code to find all the .lnk files affected.

| where Timestamp > datetime(2023-01-13)
| where ActionType contains "AsrOfficeMacroWin32ApiCallsBlocked"
| where FileName contains ".lnk"
| extend JSON = parse_json(AdditionalFields)
| extend isAudit = tostring(JSON.IsAudit)
| where isAudit == "false"
| summarize by Timestamp, DeviceId, FileName, FolderPath, ActionType, AdditionalFields, isAudit
| sort by Timestamp asc


This isn't just impacting the Start Menu (C:\ProgramData\Microsoft\Windows\Start Menu\Programs). What about recovering all of the User's pinned taskbar links (C:\Users\<username>\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar) and their Quick Access links (C:\Users\<username>\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch)?!


I suspect that these links have been lost indefinitely and us administrators are going to have to recover the Start Menu, and the users are going to have to repin every Task bar and Quick Launch shortcut manually.


Who on earth released that update without checking the impact! There are thousands of administrators across the globe now having to repair their environments which is causing a major impact on productivity.


I've always been avid user of your various cloud solutions, but this error is appauling Microsoft!

Copper Contributor

Unfortunately, this doesn't restore Microsoft Office shortcuts which were deployed per-user - which is most 365 C2R installations. This is the default installation behaviour for M365 deployed through Intune, so if this can be reflected in the script - this would be very helpful. 


I understand you can't do every application, but at least get your core offering resolved. 

Brass Contributor

Can you please describe the steps required to push this through with Intune/Endpoint. The Microsoft Health portal is saying that in order to run the script, users must be part of the local administrators group - something Microsoft have told us not to do in the past. 


I really hope Microsoft are releasing credits for this month. This has been a major impact for users and IT staff.

Brass Contributor
How many months of free Defender Subscription (Compensation) do we get to fix this by ourselves?

TaskBar and Quick Launch are lost for the users, and we must fix Start Menu right?

Copper Contributor

Great, but yes it would be really helpful if there would be some information on pushing this through Intune as a script or a proactive remediation!

Brass Contributor

I'm just doing some testing for repairing the Taskbar... You're going to need to manually generate a list of all applications and create the shortcuts back in the start menu. You can find most (but not all) of the shortcut paths here HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\


Once you've created the shortcuts, you can just copy the .lnk files back into the following path C:\Users\<username>\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar and the taskbar will correct itself. If you copy .lnk files that the user hasn't previously pinned, it will only show/correct their pinned taskbar shortcuts and explorer appears to ignore all of the other .lnk files that were not pinned.


I'm thinking, we can run a script from Intune in the user context to copy shortcuts into their %AppData% directory? Alternatively, we could maybe run the script as admin context, but recursively list the C:\Users\ directory and inject all the shortcuts back into everyone's taskbar. Not sure the best approach yes, but I will be spending my afternoon scripting and testing, but just thought I'd pass the information on to someone else if this helps.




Iron Contributor

Will you compensate customers as this create a huge burden on IT to fix it and employees are really upset their Windows is broken now.

Copper Contributor


After install last build update. We can rollback with ASR rule Block Win32 API calls from Office macros to block mode?

Brass Contributor

@Scott Woodgate thank you for posting some information and getting a message out as soon as possible, but I don't think a single sentence explaining that this mess was due to an "incorrect detection pattern" even begins to handle the mess we're all in. A root cause analysis and details on how you're going to prevent this in the future goes a long way in restoring faith. A few questions so that we can better prepare for the future:


  1. How can we know ahead of time if security intelligence updates will include this sort of disruptive updates?
  2. Did this "incorrect detection pattern" also get pushed out through cloud-delivered protection service, a service that is also referred to as Microsoft Active Protection Service (MAPS)?
  3. Currently, there are not that many options regarding security intelligence updates in terms of phasing/staging/deployment in rings. What options do we have in the future? Other Microsoft products have rings available and we can configure the devices in each of those rings.....did we forget to provide the same functionality for Defender updates?
  4. Other technology products, specifically EDR/XDR, include file recovery/rollback. Is that not a possibility for you to leverage and help organizations with the support operations we will all be dealing with during the next few days?

I would also suggest you publish a step-by-step guide on how to deploy the script mentioned above through Intune/MEM, MECM and GPO, as that would reduce the stress levels on the teams. Balancing the "what's going on?" coming in from the organization/business and "figuring out how to deploy this" is not a fun thing to do right now for a lot of teams.


Brass Contributor

@Jalamos - The current advice from the health portal in Office 365 does not say to switch the ASR rule back to active. I would wait for further clarafication.

Copper Contributor

When i try to open both links above for advanced hunting when i click the link, it just shows the security score.  Do you then click Custom detection rules within advanced as this page is not loading for me. Do you need a particular license to access this we have A1 and A3.


Also a user guide on how to deploy this through intune would be useful.


The first version of the script is available here: MDE-PowerBI-Templates/AddShortcutsV1.ps1 at master · microsoft/MDE-PowerBI-Templates · GitHub


I have added into endpoint under devices and scripts, but does not appear to be sending out. 


Copper Contributor

Hey guys,


It's great that we have a fix, but people who are struggling with restoring icons hear me out, I have repaired my Microsoft Suite via Control Panel > Programs > Microsoft Office > Change > Repair > Repair online and worked like a charm! All my MS Office icons are back! Even Onedrive!


Hope this helps , let me know what y'all think. 




Copper Contributor

First, we appreciate the script, in the future it would be nice for Defender to have a roll back / reply feature or similar to other anti-virus products on the market, however, customers need to also be aware that this did not only affect the Start Menu in ProgramData but also the Start Menu in AppData/Roaming for the signed in user. The issue also affected C:\Users\Public\Desktop and C:\Users\<username>\Desktop or C:\Users\<username>\OneDrive\Desktop, luckily for us we use OneDrive to protect Important Files so these links were in the Recycle Bin for OneDrive online.  @Pernille-Eskebo - your script should also check to see if OneDrive is protecting their Desktop to restore these files too as lots of people have shortcuts to websites, folder paths, etc. (not just applications).


As a thought for others, we took copies of the Start Menu (ProgramData and AppData/Roaming) from a computer that was not affected and zipped them and created a simple Powershell script in Intune to download the zip and extract (overwrite) to the appropriate folders.  One script ran as system (to restore ProgramData) and the other ran as the users credentials (to restore AppData/Roaming).




Jason B.

Brass Contributor

Defender for Business customers don't have the Advanced Hunting feature and cannot run the query.  Is there another option to see the impact?

Brass Contributor

A1 and A3 unfortunately don't have Advanced Hunting, same as Defender for Business. I'm afraid I don't have a simple alternative for you either. I have the same problem with many of my customers using A3.

As usual, MS have released a fix forgetting that a large part of the world doesn't have english as their first language, and so the Administrators-group is not named Administrators...

Quick and dirty fix:
Change line 87

	$group = New-Object System.Security.Principal.NTAccount("Builtin", "Administrators")


$groupname = Get-LocalGroup -SID 'S-1-5-32-544' | Select-Object -ExpandProperty Name
$group = New-Object System.Security.Principal.NTAccount("Builtin", $groupname)
Copper Contributor

Script seems to work when uploaded to Intune / Devices / Script with "Run this script using the logged on credentials" on "No".


It will recreate the shortcuts at the Start Menu.

Copper Contributor

@DanielV1595   can i ask what group you are deploying this to, is it users or computers, I have tried creating a computer group with two computers in and the policy has not gone out after a couple of hours and several reboots.

Copper Contributor

@NeilConstant I'm using our Dynamic Group that filtering devices with OS Windows and Corporate tag.

So it's on a device group.


Please note that I only see it executed when the system is rebooted. Also the reporting back in Intune about the script is a bit slow :).

Copper Contributor

since we know the path of the task bar items, we should be able to include those in the script Microsoft provided. I am doing further research and testing.

Copper Contributor

How to identify if you have more than 10000 impacted devices?

Brass Contributor

I doubt that the AHQ is sufficient,

in our case hundreds of Office links were deleted, but only 16 were displayed in the advanced hunt.

Worth mentioning im filtering for:


|where FolderPath contains "AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Program" or FolderPath contains "PROGRAMDATA\\Microsoft\\Windows\\Start Menu\\"

but we should have a more than 16 entries here.


@Scott Woodgate 


How can i find everything which was "blocked" (and with blocked i mean deleted)?

Brass Contributor

I noticed at least in my systems @aeudian that when I restored the deleted links from Onedrive Desktop the images were broken.  Nice touch.  For example, the Edge shortcut now just looks like a folder.  I only had ten effected machines so far and have spent hours manually fixing them (implement Intune change, push it out, repair Office, delete blank broken shortcuts with no images associated with them), find exe files and point them to the start menu, rebuild critical task bar icons only as needed).   The screams are softer this morning but my users lost productivity yesterday! Fool I am for implementing the protection rules in Intune, should have stuck with Bitdefender. 

Screenshot 2023-01-14 102013.png

Copper Contributor

I found this helpful when the advanced hunting wasn't showing what they alleged:

From a reddit post - Run this on each endpoint. I'm not sure how long those logs last though. Many of mine look empty...perhaps unaffected.




$supportFiles = Get-ChildItem -Path 'C:\ProgramData\Microsoft\Windows Defender\Support\'
foreach ($file in $supportFiles){
 if ($file.Name -like "MPLog*"){
 $MPLog = $file.Name 
 $fileData = Get-Content "C:\ProgramData\Microsoft\Windows Defender\Support\$MPLog"
foreach ($entry in $fileData) {
 if ($entry -like "2023-01-13*Blocked file*") {
  if ( $entry -match '\\Device.*\.(?= )'){



Copper Contributor

If you are using the script Microsoft gave us you will find some apps may not exist in the registry, have custom locations, etc. So I have created this script to resolve this and also add on a desktop icons. It's only created for a single app install. You can clear the variable's then copy and paste the code as many times as you want i.e. $Shortcut = "".

The code can be found here

Copper Contributor

Our Team is working on their own internal script to repair our missing icons/shortcuts.  We may leverage Microsoft's posted Github solution.  But it does not include Zoom and MECM - and those shortcuts reside in Program Files rather than ProgramData.  Can Microsoft please include these 2 programs in their recovery solution for today's noon Incident Update?

Additionally, can you please add comments / explain the Advanced Hunting technique for those who are not familiar with that process?  Will the results be aggregated in such a way we can easily determine what hosts were affected as well as their ASR build number?  Thank you.

Copper Contributor

I don't think I've seen this mentioned yet, but my team has been able to leverage ShadowExplorer (free tool) to recover the exact contents of C:\ProgramData\Microsoft\Windows\Start Menu\Programs from prior to the morning of 1/13/2023. This tool is simple but not really suited to end-user use. Of course, it also requires a shadow copy is available which may not be the case.


Microsoft has a commandline tool to access shadow copies and I'm currently looking to see if I can script a way to put the contents back and push it to all my end users. Here's the MS tool in case anyone else wants to mess with it:

Copper Contributor

make sure you have the latest defender updates?


Please follow the instructions below to clear cached detections and to obtain the latest malware definitions:
1. Open command prompt as administrator and change directory to C:\Program Files\Windows Defender
2. Run “MpCmdRun.exe -removedefinitions -dynamicsignatures”
3. Run "MpCmdRun.exe -SignatureUpdate"

Iron Contributor

We kind of used a solution similar to @aeudian. We have around 500 machines in our school district and used a program called batchpatch to Robocopy desktop shortcuts and the start menu from unaffected computers. We use baseline images and do a pretty good job of not letting staff install an "odd ball" application. For the most part we recovered shortcuts for 90% of their installed applications. For those we missed, they are opening tickets. 


Small rant here. Now that we live in the age of "AI" why the heck is this not being applied to Defender. Like shouldn't flags be raised when it starts deleting hundreds of files. In what world is that normal behavior? A simple check would be hey I'm about to delete a lot of stuff from a lot of computers worldwide, maybe I should ask for human intervention. 

Copper Contributor

I've created a script to restore any shortcut files that have been removed from OneDrive at tenant level. Blog post linked for anyone who needs/would find useful. Has full auditing/error handling and can be run in audit mode to do a "what-if" type function: 

Restore links deleted from OneDrive locations by attack surface reduction rules - MO497128 (thextrab...

Copper Contributor

I believe I've found a general purpose command line solution that can be deployed to leverage any existing shadow copies and put shortcuts back on the Start Menu. Shadow copies are predictably named which is helpful. I believe they only persist for a couple of weeks so the contents should be recent enough to be useful as well. 


Consider the following script which will mount the last five shadow copies, one-by-one, attempt to copy the contents of the Start Menu folder back to the live location, and then dismount the shadow copy. If the shadow copies don't exist, the command will fail but no damage will be done and nothing will be overwritten. Note this script does require admin privileges.


mklink /d c:\shadowrestore \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1\
robocopy /e /r:1 /w:1 "c:\shadowrestore\ProgramData\Microsoft\Windows\Start Menu\Programs" "C:\ProgramData\Microsoft\Windows\Start Menu\Programs"
rmdir c:\shadowrestore

mklink /d c:\shadowrestore \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy2\
robocopy /e /r:1 /w:1 "c:\shadowrestore\ProgramData\Microsoft\Windows\Start Menu\Programs" "C:\ProgramData\Microsoft\Windows\Start Menu\Programs"
rmdir c:\shadowrestore

mklink /d c:\shadowrestore \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy3\
robocopy /e /r:1 /w:1 "c:\shadowrestore\ProgramData\Microsoft\Windows\Start Menu\Programs" "C:\ProgramData\Microsoft\Windows\Start Menu\Programs"
rmdir c:\shadowrestore

mklink /d c:\shadowrestore \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy4\
robocopy /e /r:1 /w:1 "c:\shadowrestore\ProgramData\Microsoft\Windows\Start Menu\Programs" "C:\ProgramData\Microsoft\Windows\Start Menu\Programs"
rmdir c:\shadowrestore

mklink /d c:\shadowrestore \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy5\
robocopy /e /r:1 /w:1 "c:\shadowrestore\ProgramData\Microsoft\Windows\Start Menu\Programs" "C:\ProgramData\Microsoft\Windows\Start Menu\Programs"
rmdir c:\shadowrestore


Thoughts or comments? This seems to work well in my test environment. Note that you can list shadow copies for a volume with the following command:


vssadmin list shadows /for=c:


Hope this helps someone.

Copper Contributor

I'm happy to see that this uses the exact same approach and even the same hashtable name of the solution that I posted 29 hours ago on reddit:

Brass Contributor

I must acknoledge Ma-tth´s info that AH only gives incomplete results. We have many devices that have lost at least all office shortcuts. The AH only reports a few of them. I also gave Eric Ortegos script a try. For a certain machine it dows come to the same result as AH.

I rechecked it in the logs, it's the same. 

As we don´t have file access audit active on our clients, what chance do we have to identify all affected machines?

I can only guess if/that one machine that definitely was affected (as I see by SOME deleted shortcuts with AH) for sure has lost all shortcuts.

Copper Contributor

This thread came perfectly on time, and most of the comments are relevant, especially the one from @lat-lukepollard.

If I may add my own 2 cents, not on the recovery of the shortcuts, but for whoever (like me) manage multiple clients with limited admin resources: a way I've dealt with shortcuts problems in the past (and now with all my clients who recently accepted to "Block Win32 Macro from Office"..) was to use Microsoft MDM (Intune) with a Configuration Profile - Device restrictions:

Choose the "Start" option for customizing the Start and Taskbar shortcutsChoose the "Start" option for customizing the Start and Taskbar shortcuts


This is what I've done for all my clients TenantsThis is what I've done for all my clients Tenants

By asking many users on their shortcuts pattern, I could split them in two main groups: Powerusers and classic.

Powerusers are the group of users who want to manage the shortcuts the way they want, and are so picky that you should not try to customize anything for them. They will need all the time and effort to attempt all the solutions mentionned above to recover them.

The Classic user group is the majority of users I've seen. They need what the company provide to them + Office/Web Browsers. For these users, I suggest to create the Device restrictions Configuration Profile that will automatically re-create the shortcuts for them. The way to customize everything is done through XML such as the one I created bellow:



<LayoutModificationTemplate xmlns:defaultlayout="" xmlns:start="" Version="1" xmlns="" xmlns:taskbar="">
  <LayoutOptions StartTileGroupCellWidth="6" />
  <DefaultLayoutOverride LayoutCustomizationRestrictionType="OnlySpecifiedGroups">
      <defaultlayout:StartLayout GroupCellWidth="6">
        <start:Group Name="Office">
          <start:DesktopApplicationTile Size="2x2" Column="0" Row="2" DesktopApplicationLinkPath="%ALLUSERSPROFILE%\Microsoft\Windows\Start Menu\Programs\OneNote.lnk" />
          <start:DesktopApplicationTile Size="2x2" Column="2" Row="2" DesktopApplicationLinkPath="%ALLUSERSPROFILE%\Microsoft\Windows\Start Menu\Programs\PowerPoint.lnk" />
          <start:DesktopApplicationTile Size="2x2" Column="4" Row="0" DesktopApplicationLinkPath="%ALLUSERSPROFILE%\Microsoft\Windows\Start Menu\Programs\Outlook.lnk" />
          <start:DesktopApplicationTile Size="2x2" Column="2" Row="0" DesktopApplicationLinkPath="%ALLUSERSPROFILE%\Microsoft\Windows\Start Menu\Programs\Excel.lnk" />
          <start:DesktopApplicationTile Size="2x2" Column="0" Row="0" DesktopApplicationLinkPath="%ALLUSERSPROFILE%\Microsoft\Windows\Start Menu\Programs\Word.lnk" />
        <start:Group Name="Internet">
          <start:DesktopApplicationTile Size="2x2" Column="2" Row="0" DesktopApplicationLinkPath="%ALLUSERSPROFILE%\Microsoft\Windows\Start Menu\Programs\Microsoft Edge.lnk" />
          <start:DesktopApplicationTile Size="2x2" Column="0" Row="0" DesktopApplicationLinkPath="%ALLUSERSPROFILE%\Microsoft\Windows\Start Menu\Programs\Firefox.lnk" />
        <start:Group Name="Cloud">
          <start:DesktopApplicationTile Size="2x2" Column="2" Row="0" DesktopApplicationLinkPath="%APPDATA%\Microsoft\Windows\Start Menu\Programs\Microsoft Teams.lnk" />
          <start:DesktopApplicationTile Size="2x2" Column="0" Row="0" DesktopApplicationLinkPath="%APPDATA%\Microsoft\Windows\Start Menu\Programs\OneDrive.lnk" />
  <CustomTaskbarLayoutCollection PinListPlacement="Replace">
        <taskbar:DesktopApp DesktopApplicationLinkPath="%APPDATA%\Microsoft\Windows\Start Menu\Programs\System Tools\File Explorer.lnk" />
        <taskbar:DesktopApp DesktopApplicationLinkPath="%ALLUSERSPROFILE%\Microsoft\Windows\Start Menu\Programs\Firefox.lnk" />
        <taskbar:DesktopApp DesktopApplicationLinkPath="%ALLUSERSPROFILE%\Microsoft\Windows\Start Menu\Programs\Microsoft Edge.lnk" />
        <taskbar:DesktopApp DesktopApplicationLinkPath="%ALLUSERSPROFILE%\Microsoft\Windows\Start Menu\Programs\Word.lnk" />
        <taskbar:DesktopApp DesktopApplicationLinkPath="%ALLUSERSPROFILE%\Microsoft\Windows\Start Menu\Programs\Excel.lnk" />
        <taskbar:DesktopApp DesktopApplicationLinkPath="%ALLUSERSPROFILE%\Microsoft\Windows\Start Menu\Programs\Outlook.lnk" />
        <taskbar:DesktopApp DesktopApplicationLinkPath="%ALLUSERSPROFILE%\Microsoft\Windows\Start Menu\Programs\PowerPoint.lnk" />
        <taskbar:DesktopApp DesktopApplicationLinkPath="%ALLUSERSPROFILE%\Microsoft\Windows\Start Menu\Programs\OneNote 2016.lnk" />
        <taskbar:DesktopApp DesktopApplicationLinkPath="%APPDATA%\Microsoft\Windows\Start Menu\Programs\Microsoft Corporation\Microsoft Teams.lnk" />
        <taskbar:DesktopApp DesktopApplicationLinkPath="%APPDATA%\Microsoft\Windows\Start Menu\Programs\Google Chrome.lnk" />


To understand and create your own one today, please use the series of documentation from Microsoft.


Mine is going maybe a bit too far, I create three groups in the Start menu (Office, Internet and Cloud) with all the required applications for all users, and I force the placement of all the shortcuts mentioned in the <taskbar> (which means this policy takes control of the way shortcuts are displayed). In the documentation, you have plenty of options that are well explained today, so you can create something bespoke for each Tenants.


This is a unique opportunity to dive deep in those policies, so when the problem comes back (I'm sure it will) we will limit the damage by focusing more on the Powerusers than the majority of Classic users.

I'll assess Tuesday if that policy solved the shortucts for the Classic user group by itslef.



Brass Contributor

What are all the logs in the query output for:

  • Videos.library-ms
  • Pictures.library-ms
  • Music.library-ms

I see no mention of those in this script.

We also had PCs with SSMS links go missing, which also isn't in the script.  I'd imagine it's a lot more than this list.  


Looks like a long way is left to globally fixing this issue. Automatically.


Personally, I consider deleting files from user's PCs is generally a big issue.  Why were they not quarantined on clients with an easy restore option?



Copper Contributor
New Contributor
‎Jan 14 2023 07:46 AM

If you are using the script Microsoft gave us you will find some apps may not exist in the registry, have custom locations, etc. So I have created this script to resolve this and also add on a desktop icons. It's only created for a single app install. You can clear the variable's then copy and paste the code as many times as you want i.e. $Shortcut = "".

The code can be found here




Hi Darren,


I tested your script and it works for me. However, we found that the some paths are end with ";".  Like "Internet Explorer", the path in the registry is "C:\Program Files\Internet Explorer;"

It will cause the script cannot create the correct shortcut and reported error "Cannot find path 'C:\Program Files\Internet Explorer;\IEXPLORE.EXE' because it does not exist."


Could you please help us to fix it as well?

Brass Contributor

I´d like to figure out which machines had the Definitions 1.381.2140.0 installed. It seems that I can´t catch that information via AH. Is there another way?

Copper Contributor

Cute script especially in combination with "Microsoft recommended block rules" ...

Copper Contributor

This is an error loop on an Object Class

"!=" ="=="

Iron Contributor

For the files that were fortunate enough to have been synced with the OneDrive known folder move or otherwise, you could use this query (adjust for your time zone) to find and then the pnp module to restore those items:




Get-PnPRecycleBinItem | ? -Property LeafName -like "*.lnk" | Restore-PnPRecycleBinItem 





Screenshot 2023-01-14 211035.png




EDIT 16Nov2023 - I've run this recovery for a tenant (restored all OneDrive recycle bin .lnk deletions, fixing desktop etc. for KFM users). My code isn't very efficient, but feel free to DM me if you want a copy.

It also occurred to me that many icons are on the public desktop (C:\Users\Public\Desktop) which wouldn't be synced to onedrive. Microsoft's shadow copy script would be better here.

Copper Contributor

When trying to run the Advance Hunting rule to determine business impact for my organisation I am seeing the below error message on the query?

Can anyone advise what I am doing wrong, please?



Thanks in advance!

Copper Contributor



This error appears when your account doesn't have sufficient admin rights. Just run the query with your Global Admin account (or figure out which exact permissions are needed).

Copper Contributor

my modify link is greyed out when repairing manually as the script only covers a few applications.

Copper Contributor






Copper Contributor

@Matt Rouse Having suffered like others with shortcuts suddenly disappearing from taskbar, start menu and desktop, and having also used Shadow Explorer to tediously restore the .lnk files from the various locations of a pre-13/01/2023 Shadow Copy, I was inspired by your idea of a script to do this. So this morning I wrote this script.


It builds on your script, with an option to additionally restore shortcuts from a user profile folder. By default my script doesn't actually restore any files, as I wanted to give the user a chance to see what would be restored first (using robocopy's /L option).


Other noteworthy changes:

  • I've put the various commands in a FOR loop, to avoid repetition.
  • I've also tightened it up so that it copies specifically *.lnk files.
  • I've changed the /E for a /S (I presume that we wouldn't be interested in copying empty directories from the source).
  • I've added /XO (exclude older) so if a .lnk file is found in both source and destination, it keeps the one in the destination (say, if the user had updated the shortcut in some way, since the Shadow Copy was made, they'd likely want the newer file).

I haven't tested it very well, and I'm sure improvements can be made. But hopefully it's useful.

Thanks for the inspiration - it was just enough to get me started!


Iron Contributor

@Matt Rouse Volume Shadow Copies is definitely an avenue worth exploring to get back custom shortcuts. I can confirm on one of my machines that the VSS service took a shadow copy around the beginning of the month and using mkdir I was able to link to the shadow copy and recover the custom links to Start Menu and Taskbar. However, on another corporate machine the VSS service is not enabled and so no shadow copies to recover.

Copper Contributor

Hi @Scott Woodgate , (and everyone else)


The taskbar shortcut information is still stored in binary/hex in this registry location: HKEY_CURRENT_USER > Software > Microsoft > Windows > CurrentVersion > Explorer > Taskband > FavouritesResolve


It should be possible to exact it into shortcut files to place in the users Quick Launch TaskBar folder. Can your team please add this to the script?


This would recover the taskbar exactly as it was.

If anyone else knows how to do this, that would be great as well.



Copper Contributor

@fergaloneill if you had the use of a binary or kex key conversion?

Copper Contributor

Class Object:
If Object is not null
then = != ==

Version history
Last update:
‎Jan 23 2023 01:10 PM
Updated by: