Microsoft releases a script to restore a 'subset' of shortcuts deleted by rogue Defender ASR rule

Microsoft Defender on a laptop

Towards the end of last week, Microsoft confirmed an issue that stemmed from a flawed Microsoft Defender for Endpoint ASR rule that results in the deletion of app shortcuts from the Start menu, desktop and taskbar.

The company issued an update to prevent the problem from arising again, but said that there was no alternative but to manually recreate any shortcuts that had been lost. Now, though, Microsoft has released a PowerShell script that will automatically recreate some -- but not all -- of the deleted shortcuts. The company has also released a trio of advanced hunting queries (AHQs) to help with the issue.


Explaining the issue in a blog post, Microsoft's Scott Woodgate says: "On January 13th, Windows Security and Microsoft Defender for Endpoint customers may have experienced a series of false positive detections for the Attack Surface Reduction (ASR) rule 'Block Win32 API calls from Office macro' after updating to security intelligence builds between 1.381.2134.0 and 1.381.2163.0. These detections resulted in the deletion of files that matched the incorrect detection logic primarily impacting Windows shortcut (.lnk) files".

He goes on to reveal that Microsoft has now been able to create a script that will "recreate start menu links for a significant sub-set of the affected applications that were deleted". The PowerShell script is available to download here.

The blog post also includes manual instructions for Windows 10 and Windows 11 users:

Windows 10:

  1. Select Start > Settings > Apps > Apps & features
  2. Select the app you want to fix.
  3. Select Modify link under the name of the app if it is available.
  4. A new page will launch and allow you to select repair.

Windows 11:

  1. Type "Installed Apps" in the search bar.
  2. Click "Installed Apps".
  3. Select the app you want to fix.
  4. Click on "..."
  5. Select Modify or Advanced Options if it is available.
  6. A new page will launch and allow you to select repair.

Microsoft has also revealed details of advanced hunting queries (AHQs) which it says can be used to verify the impact of the problem.

The first AHQ retrieves all block events from devices with the ASR rule "Block Win32 API calls from Office macro" enabled in "Block" mode.

A second AHQ retrieves all events from devices with the ASR rule "Block Win32 API calls from Office macro" enabled in either "Block" or "Audit" mode.

A third and final AHQ retrieves the count of devices with the ASR rule "Block Win32 API calls from Office macro" enabled, and indicates whether that number exceeds 10K.
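The three checks described above, combined into one advanced hunting query as an added example (this is not one of Microsoft's published AHQs). It assumes the Microsoft 365 Defender DeviceEvents table, the ASR ActionType names AsrOfficeMacroWin32ApiCallsBlocked and AsrOfficeMacroWin32ApiCallsAudited, and that the removed shortcut's name is recorded in FileName.

```kql
// Added example, not Microsoft's own query. Assumptions: DeviceEvents table,
// the ActionType names below, and the affected .lnk name in FileName.
let start = datetime(2023-01-13);              // date the false positives began (from the post)
let asrEvents = DeviceEvents
    | where Timestamp >= start
    | where ActionType in ("AsrOfficeMacroWin32ApiCallsBlocked",   // rule in Block mode
                           "AsrOfficeMacroWin32ApiCallsAudited");  // rule in Audit mode
// Third check: how many devices had the rule fire at all, and whether that exceeds 10K.
let deviceCount = toscalar(asrEvents | summarize dcount(DeviceId));
// First check: block events only. Remove the ActionType filter for the second check
// (block and audit events together).
asrEvents
| where ActionType == "AsrOfficeMacroWin32ApiCallsBlocked"
| where FileName endswith ".lnk"                // keep only the shortcut deletions
| summarize Events = count(),
            Shortcuts = make_set(FileName, 50)
          by DeviceName, bin(Timestamp, 1h)
| extend AffectedDevices = deviceCount,
         ExceedsTenK = deviceCount > 10000
| order by Events desc
```

Run it in the advanced hunting portal or via the advanced hunting API; the per-device Shortcuts column gives the list to compare against what the restore script was able to recreate.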

