Block Win32 API calls from Office macros blocks all app shortcuts from working

Block Win32 API calls from Office macros currently blocks all app shortcuts from working. We also cannot add shortcuts to the task bar.

Anybody else experiencing something similar?

13 Replies

@Kiril As visible from the report, the rule is running wild. I just deactivated it, but damage is done.

All app shortcuts are removed from the system, e.g. I cannot find Edge anymore:

How did you disable it? @Kiril

From here?

And did you set it to Off or Not configured?

Thank you

PS: Shortcuts wiped from most of our devices: Citrix, Chrome, Office apps, etc.

Yes, I disabled it there, and set it from "Block" to "Audit" so I can still see the events.

Now at least everything is audited:

Running into the same issue. Can someone from Microsoft look into this please?

@Kiril We are also getting the same in our office. Half of our MS application shortcuts have gone. I even lost the entire Office Suite. Heaven knows when this will be fixed. Any info or update will be appreciated.

@Kiril Yes, I'm seeing exactly the same thing. No recent administrative changes to Defender for Endpoint's config. Just yesterday's MS intel update.

Go to: https://endpoint.microsoft.com/#view/Microsoft_Intune_Workflows/SecurityManagementMenu/~/asr

Then create a new Policy if you haven't done that already.
Set the Block Win32 API calls from Office macros to Warn or Audit

In Audit you will see what Defender might have done (block or allow) in case it was set to Block.
In Warn mode, the users will be able to bypass that "block" and allow it to run.

Push it out to everybody and ask them to go into Company Portal, Settings and do a Sync to receive the new policy and pray :)

For me it stopped with the stupid deletion.
It will remove anything related to Adobe, Chrome, Citrix, ASG Remote, Putty, and many many more.

My desktop is half empty now and I'm wondering if there's any way to bring them back...
PS: also some of your taskbar icons will turn white, and as soon as you want to click on them it will ask you to remove the shortcut.
It just removed my office enterprise suite. Luckily, a "Quick Repair" from the "Control Panel\All Control Panel Items\Programs and Features" fixed everything.
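As an added example (not posted by anyone in this thread), here is how to do the equivalent of the Intune change above on a single machine with the built-in Defender cmdlets: read the current action for the rule, confirm which security intelligence build the device is on, and switch the rule to Audit so it keeps logging without removing anything. The rule GUID is the one Microsoft publishes in its ASR rules reference and is an assumption you should verify against the documentation; the build numbers are the ones quoted from Microsoft's status further down the thread. Intune-managed devices will get the tenant policy back at the next sync, so this is for triage and verification rather than a replacement for the policy change.

```powershell
# Added example, not from the thread: inspect and change the local state of the
# "Block Win32 API calls from Office macros" ASR rule. Run from an elevated PowerShell.

# Rule GUID as listed in Microsoft's ASR rules reference (assumption: verify it
# against the documentation before relying on it).
$RuleId = '92E97FA1-2EDF-4476-BDD6-9DD0B4DDDC7B'

# Hotfixed security intelligence build quoted in Microsoft's status post.
$FixedBuild = [version]'1.381.2164.0'

# Action codes as returned in Get-MpPreference.AttackSurfaceReductionRules_Actions
$ActionNames = @{ 0 = 'Disabled'; 1 = 'Block'; 2 = 'Audit'; 6 = 'Warn' }

function Get-AsrRuleState {
    param([Parameter(Mandatory)][string]$Id)
    $pref    = Get-MpPreference
    $ids     = @($pref.AttackSurfaceReductionRules_Ids)
    $actions = @($pref.AttackSurfaceReductionRules_Actions)
    # Ids and Actions are parallel arrays; find the index of our rule.
    for ($i = 0; $i -lt $ids.Count; $i++) {
        if ($ids[$i] -ieq $Id) {
            $code = [int]$actions[$i]
            if ($ActionNames.ContainsKey($code)) { return $ActionNames[$code] }
            return "Unknown ($code)"
        }
    }
    return 'Not configured'
}

# 1. Is this machine on a security intelligence build that contains the hotfix?
$sigVersion = [version](Get-MpComputerStatus).AntivirusSignatureVersion
if ($sigVersion -lt $FixedBuild) {
    Write-Warning "Security intelligence $sigVersion is older than the hotfixed build $FixedBuild; update before re-enabling Block mode."
} else {
    Write-Host "Security intelligence $sigVersion includes the hotfix."
}

# 2. Current local setting for the rule.
Write-Host "Rule $RuleId before: $(Get-AsrRuleState -Id $RuleId)"

# 3. Switch the rule to Audit: events are still written, nothing is removed.
#    Add-MpPreference updates the action for an ID that is already configured.
Add-MpPreference -AttackSurfaceReductionRules_Ids $RuleId -AttackSurfaceReductionRules_Actions AuditMode

Write-Host "Rule $RuleId after:  $(Get-AsrRuleState -Id $RuleId)"
```

Audit mode is the right holding state here: it keeps the 1122 audit events flowing so you can still see what the rule would have touched, while Warn would let users click through a block they cannot judge.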

@Kiril 

When will it be safe to enable the 'Block Win32 API call from Office macro' ASR policy again?

Here is Microsoft's current status. The key takeaway should be:

We've completed a hotfix deployment within the build 1.381.2164.0 on Friday, January 13, 2023, 7:03 PM (6:03 PM UTC). This fix update will not restore previously removed shortcut files, but it will prevent any additional shortcut files from being incorrectly removed.

January 16, 2023 8:24 PM

Title: Some users are unable to utilize the Application shortcuts on the Start menu and taskbar

User Impact: Users are unable to utilize the Application shortcuts on the Start menu and taskbar.

More info: The shortcut icons in the taskbar or Start menu may no longer be visible or may not work as intended. Additionally, for some users, they may receive errors when trying to run Executable (.exe) files, if they have dependencies on the shortcut file path.

We've completed a hotfix deployment within the build 1.381.2164.0 on Friday, January 13, 2023, 7:03 PM (6:03 PM UTC). This fix update will not restore previously removed shortcut files, but it will prevent any additional shortcut files from being incorrectly removed.

Microsoft has confirmed steps that users can take to recreate start menu links for a significant subset of the affected applications that were deleted. These steps have been consolidated into the PowerShell script in the following link. Users must be a local administrator on the machine that the script will be run on: https://aka.ms/asrfprecovery

Current status: We've updated the guidance provided within https://aka.ms/asrfprecovery, and have confirmed steps that customers can take to recreate start menu links for a significant sub-set of the affected applications that were removed. These have been consolidated into the PowerShell script to help administrators take recovery actions within their environment.

Scope of impact: This issue likely affects users within your organization and is not specific to Office apps, and can impact any application's shortcut file. There is no impact for customers who do not have the “Block Win32 API calls from Office macro” rule turned on in block mode or did not update to security intelligence update build 1.381.2140.0.

Start time: Friday, January 13, 2023, 9:51 AM (8:51 AM UTC)

Root cause: During a recent update to the Windows Security and Microsoft Defender for Endpoint service, user devices experienced a series of false positive detections for the Attack Surface Reduction (ASR) rule "Block Win32 API calls from Office macro" after updating to security intelligence build 1.381.2140.0. These detections resulted in the identification of certain Windows shortcut (.lnk) files that matched the incorrect detection pattern and were subsequently removed.

Next update by: Tuesday, January 17, 2023, 9:00 PM (8:00 PM UTC)
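Microsoft's root cause says the rule matched and removed .lnk files, and the recovery script only recreates a subset of them. An added example (not from the thread or from Microsoft's script) of how to establish what the rule actually hit on a given machine: read the Defender operational log for the ASR events of this rule and list the shortcut paths, which gives you something to compare against what the recovery script restores. Event IDs 1121 (rule fired in Block mode) and 1122 (rule fired in Audit mode) are the documented Defender ASR event IDs; the rule GUID and the EventData field names used below ('ID', 'Path', 'Process Name', 'User') are assumptions taken from Microsoft's documentation and the 1121 event schema, so if the output is empty, dump `$fields.Keys` for one event and adjust.

```powershell
# Added example, not from the thread: list which shortcut files the
# "Block Win32 API calls from Office macros" rule acted on, from the local
# Defender operational log. Run from an elevated PowerShell.

$RuleId = '92E97FA1-2EDF-4476-BDD6-9DD0B4DDDC7B'   # ASR rule GUID (assumption, see lead-in)
$Since  = Get-Date '2023-01-13'                      # start time from Microsoft's status post

# 1121 = ASR rule fired in Block mode, 1122 = fired in Audit mode.
$events = Get-WinEvent -FilterHashtable @{
    LogName   = 'Microsoft-Windows-Windows Defender/Operational'
    Id        = 1121, 1122
    StartTime = $Since
} -ErrorAction SilentlyContinue

$hits = foreach ($e in $events) {
    # Each event carries named <Data> elements; flatten them into a hashtable.
    $xml    = [xml]$e.ToXml()
    $fields = @{}
    foreach ($d in $xml.Event.EventData.Data) { $fields[[string]$d.Name] = [string]$d.'#text' }

    if ($fields['ID'] -ne $RuleId) { continue }     # keep only this rule's events

    [pscustomobject]@{
        Time    = $e.TimeCreated
        Mode    = if ($e.Id -eq 1121) { 'Block' } else { 'Audit' }
        Target  = $fields['Path']            # assumed field name: the file the rule acted on
        Process = $fields['Process Name']    # assumed field name: process that triggered the rule
        User    = $fields['User']            # assumed field name
    }
}

# Shortcut files only, in the order they were hit.
$lnkHits = $hits | Where-Object { $_.Target -like '*.lnk' } | Sort-Object Time
$lnkHits | Format-Table -AutoSize

# Deduplicated list of affected shortcut paths, e.g. to diff against what the
# recovery script recreates.
$lnkHits.Target | Sort-Object -Unique | Set-Content -Path "$env:TEMP\asr-lnk-hits.txt"
Write-Host "Wrote $(@($lnkHits).Count) shortcut events to $env:TEMP\asr-lnk-hits.txt"
```

On devices that were still in Block mode during the incident, the 1121 events are the only local record of which .lnk files were removed; after the rule is moved to Audit, the same query shows 1122 events for anything the signature would still match, which is a useful check before turning Block mode back on.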