Microsoft Defender for Endpoint ASR rule blamed for deleting desktop, taskbar and Start menu shortcuts
Users of Microsoft Defender for Endpoint have been experiencing what has been described as a "weird issue" that not only caused shortcuts to be deleted from the Start menu, desktop and taskbar, but also led to issues with Office apps.
The problem was traced to a flawed Microsoft Defender for Endpoint ASR (attack surface reduction) rule, and while Microsoft has now released a fix, this is not without problems of its own. Users are being warned that any shortcuts that have disappeared will need to be manually recreated.
The problems started yesterday, and affected Windows 10 and Windows 11 after the release of security intelligence update build 1.381.2140.0 for Microsoft Defender.
In the known issues section of the Windows Health page, Microsoft explains the cause of the issue in a post entitled "Application shortcuts might not work from the Start menu or other locations":
After installing security intelligence update build 1.381.2140.0 for Microsoft Defender, application shortcuts in the Start menu, pinned to the taskbar, and on the Desktop might be missing or deleted. Additionally, errors might be observed when trying to run executable (.exe) files which have dependencies on shortcut files. Affected devices have the Attack Surface Reduction (ASR) rule "Block Win32 API calls from Office macro" enabled. After installing security intelligence build 1.381.2140.0, detections resulted in the deletion of certain Windows shortcut (.lnk) files that matched the incorrect detection pattern.
With the release of security intelligence update build 1.381.2164.0, Microsoft fixed the problem, but the company issued a warning:
This issue is resolved in security intelligence update build 1.381.2164.0. Installing security intelligence update build 1.381.2164.0 or later should prevent the issue, but it will not restore previously deleted shortcuts. You will need to recreate or restore these shortcuts through other methods.
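To check a single endpoint against the conditions Microsoft describes, the following PowerShell is an added example, not code from Microsoft or the original article. It assumes the rule GUID published in Microsoft's ASR rule reference, that event ID 1121 in the Defender operational log records ASR blocks with the rule ID and file path in the message, and that every build from the flawed one up to the fixed one is affected.

```powershell
# Added example: triage one endpoint for the ASR shortcut-deletion issue.
$FlawedBuild = [version]'1.381.2140.0'   # build named in the advisory
$FixedBuild  = [version]'1.381.2164.0'   # build that resolves the issue
# Assumption: GUID of "Block Win32 API calls from Office macros" taken from
# Microsoft's ASR rule reference; it does not appear in the article.
$RuleId = '92e97fa1-2edf-4476-bdd6-9dd0b4dddc7b'

$sig  = [version](Get-MpComputerStatus).AntivirusSignatureVersion
$pref = Get-MpPreference

# Rule ids and their actions are returned as two parallel arrays.
$ids     = @($pref.AttackSurfaceReductionRules_Ids)
$actions = @($pref.AttackSurfaceReductionRules_Actions)
$mode    = 'NotConfigured'
for ($i = 0; $i -lt $ids.Count; $i++) {
    if ($ids[$i] -ieq $RuleId) {
        $mode = switch ([int]$actions[$i]) {
            0 { 'Disabled' }
            1 { 'Block' }
            2 { 'Audit' }
            6 { 'Warn' }
            default { "Unknown($_)" }
        }
    }
}

# Assumption: ASR block events (ID 1121) carry the rule id and the file path
# in their message text. Keep only those for this rule that mention a .lnk.
$hits = @(Get-WinEvent -FilterHashtable @{
        LogName = 'Microsoft-Windows-Windows Defender/Operational'
        Id      = 1121
    } -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -match $RuleId -and $_.Message -match '\.lnk' })

[pscustomobject]@{
    SignatureVersion = $sig
    RuleMode         = $mode
    InAffectedWindow = ($sig -ge $FlawedBuild -and $sig -lt $FixedBuild)
    HasFixedBuild    = ($sig -ge $FixedBuild)
    LnkBlockEvents   = $hits.Count
}

# Event details, useful as a list of shortcuts to recreate.
$hits | Select-Object TimeCreated, Message | Format-List
```

A device that already reports the fixed build can still be missing shortcuts, since the update does not restore them, so the event list rather than the version check is what to work from when recreating them.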