Jan 13 2023 03:40 AM
Block Win32 API calls from Office macros currently blocks all app shortcuts from working. We also cannot add shortcuts to the task bar.
Anybody else experiencing something similar?
Jan 13 2023 04:18 AM
@Kiril As visible from the report, the rule is running wild. I just deactivated it, but the damage is done.
All app shortcuts are removed from the system, e.g. I cannot find Edge anymore:
Jan 13 2023 05:58 AM
How did you disable it? @Kiril
From here?
And did you set it to off or Not configured?
Thank you
PS: Shortcuts wiped from most of our devices: Citrix, Chrome, Office apps, etc.
Jan 13 2023 06:00 AM - edited Jan 13 2023 06:06 AM
Yes, I disabled it there, and set it from "Block" to "Audit" so I can still see the events.
Now at least everything is audited:
Jan 13 2023 06:34 AM
@Kiril We are also getting the same in our office. Half of our MS application shortcuts have gone. I even lost the entire Office suite. Heaven knows when this will be fixed. Any info or update will be appreciated.
Jan 13 2023 06:45 AM
@Kiril Yes, I'm seeing exactly the same thing. No recent administrative changes to Defender for Endpoint's config. Just yesterday's MS intel update.
Jan 17 2023 02:38 AM
When will it be safe to enable the 'Block Win32 API call from Office macro' ASR policy again?
Jan 17 2023 04:31 AM - edited Jan 17 2023 04:31 AM
Here is Microsoft's current status. The key takeaway should be:
We've completed a hotfix deployment within the build 1.381.2164.0 on Friday, January 13, 2023, 7:03 PM (6:03 PM UTC). This fix update will not restore previously removed shortcut files, but it will prevent any additional shortcut files from being incorrectly removed.
January 16, 2023 8:24 PM
Title: Some users are unable to utilize the Application shortcuts on the Start menu and taskbar
User Impact: Users are unable to utilize the Application shortcuts on the Start menu and taskbar.
More info: The shortcut icons in the taskbar or Start menu may no longer be visible or may not work as intended. Additionally, for some users, they may receive errors when trying to run Executable (.exe) files, if they have dependencies on the shortcut file path.
We've completed a hotfix deployment within the build 1.381.2164.0 on Friday, January 13, 2023, 7:03 PM (6:03 PM UTC). This fix update will not restore previously removed shortcut files, but it will prevent any additional shortcut files from being incorrectly removed.
Microsoft has confirmed steps that users can take to recreate start menu links for a significant subset of the affected applications that were deleted. These steps have been consolidated into the PowerShell script in the following link. Users must be a local administrator on the machine that the script will be run on: https://aka.ms/asrfprecovery
Current status: We've updated the guidance provided within https://aka.ms/asrfprecovery, and have confirmed steps that customers can take to recreate start menu links for a significant sub-set of the affected applications that were removed. These have been consolidated into the PowerShell script to help administrators take recovery actions within their environment.
Scope of impact: This issue likely affects users within your organization and is not specific to Office apps, and can impact any application's shortcut file. There is no impact for customers who do not have the “Block Win32 API calls from Office macro” rule turned on in block mode or did not update to security intelligence update build 1.381.2140.0.
Start time: Friday, January 13, 2023, 9:51 AM (8:51 AM UTC)
Root cause: During a recent update to the Windows Security and Microsoft Defender for Endpoint service, user devices experienced a series of false positive detections for the Attack Surface Reduction (ASR) rule "Block Win32 API calls from Office macro" after updating to security intelligence build 1.381.2140.0. These detections resulted in the identification of certain Windows shortcut (.lnk) files that matched the incorrect detection pattern and were subsequently removed.
Next update by: Tuesday, January 17, 2023, 9:00 PM (8:00 PM UTC)
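A read-only check for the conditions named in the status above (rule in block mode, security intelligence build relative to 1.381.2140.0 and 1.381.2164.0), as an added example that is not part of the thread or of Microsoft's recovery script. The function name is hypothetical, the rule GUID is the one Microsoft's ASR documentation lists for this rule, and treating every build between the two named builds as affected is an assumption.

```powershell
# Added example: reports whether a device meets the conditions described in the status post.
# GUID for "Block Win32 API calls from Office macros" (from Microsoft's ASR rule reference).
$RuleId     = '92e97fa1-2edf-4476-bdd6-9dd0b4dddc7b'
$BadBuild   = [version]'1.381.2140.0'   # build named in the root cause (from the page)
$FixedBuild = [version]'1.381.2164.0'   # hotfix build (from the page)
$ModeNames  = @{ 0 = 'Disabled'; 1 = 'Block'; 2 = 'Audit'; 6 = 'Warn' }

function Get-AsrShortcutExposure {   # hypothetical name
    param(
        [Parameter(Mandatory)] [string] $SignatureVersion,
        [string[]] $RuleIds     = @(),
        [int[]]    $RuleActions = @()
    )
    # Ids and actions are parallel arrays; find this rule's configured action.
    $mode = 'NotConfigured'
    for ($i = 0; $i -lt $RuleIds.Count; $i++) {
        if ($RuleIds[$i] -ieq $RuleId -and $i -lt $RuleActions.Count) {
            $action = $RuleActions[$i]
            $mode = if ($ModeNames.ContainsKey($action)) { $ModeNames[$action] }
                    else { "Unknown($action)" }
        }
    }
    $sig = [version]$SignatureVersion
    # Assumption: builds from $BadBuild up to, but not including, $FixedBuild are affected.
    $inWindow = ($sig -ge $BadBuild) -and ($sig -lt $FixedBuild)
    [pscustomobject]@{
        SignatureVersion = $sig
        RuleMode         = $mode
        HasHotfix        = $sig -ge $FixedBuild
        AtRisk           = $inWindow -and ($mode -eq 'Block')
    }
}

# Constructed sample input: affected build with the rule in Block mode.
Get-AsrShortcutExposure -SignatureVersion '1.381.2140.0' -RuleIds $RuleId -RuleActions 1

# Live check, only where the Defender cmdlets are available.
if (Get-Command Get-MpComputerStatus -ErrorAction SilentlyContinue) {
    $status = Get-MpComputerStatus
    $pref   = Get-MpPreference
    Get-AsrShortcutExposure -SignatureVersion $status.AntivirusSignatureVersion `
        -RuleIds $pref.AttackSurfaceReductionRules_Ids `
        -RuleActions $pref.AttackSurfaceReductionRules_Actions
}
```

`HasHotfix` only says the device will not lose further shortcuts; shortcuts already removed still need the recovery steps linked in the status.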