On 13 January, Microsoft faced an unexpected issue with a Windows Defender update, which led to the unintentional deletion of Windows shortcuts. In response, the tech giant has released scripts to assist users in resolving this problem and restoring their shortcuts.
The faulty Microsoft Defender for Endpoint update caused a series of false positive detections for the Attack Surface Reduction (ASR) rule ‘Block Win32 API calls from Office macro’. This resulted in the deletion of Windows shortcut (.lnk) files, affecting update builds between 1.381.2134.0 and 1.381.2163.0.
To address this issue, Microsoft published instructions on 14 January to guide system administrators in restoring the accidentally deleted shortcuts. Users are advised to update to build 1.381.2164.0 or a later version, although this alone will not restore the deleted files.
Initially, administrators recommended switching the ‘Block Win32 API calls from Office macro’ rule to audit mode to stop the deletions. Microsoft now confirms that users can safely revert to block mode after installing the new update.
Microsoft has also provided steps to recreate deleted Windows shortcuts for a significant number of affected applications. These steps are outlined in a PowerShell script available on GitHub as Version 1.1.
To help administrators identify affected shortcuts, Microsoft has shared Microsoft Defender advanced hunting queries (AHQs) specifically designed for the “Block Win32 API calls from Office macro” rule. These queries include:
- Retrieving block events from devices where the ASR rule is running in block mode.
- Retrieving events from devices running the ASR rule in both block and audit modes.
- Determining the number of devices running the ASR rule and checking if it exceeds 10,000 devices.
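The kind of hunting query described above, written here as an added illustration rather than one of Microsoft's published AHQs. It assumes a seven-day window, that the rule's events land in the DeviceEvents table under the ASR action types named below, and that the affected shortcut is recorded in the FolderPath and FileName columns; it groups by device and rule mode so an administrator can see which .lnk files each machine lost.

```kql
// Added example, not one of Microsoft's published queries.
// Assumptions: 7-day window; the two ActionType values are the DeviceEvents
// action types for the 'Block Win32 API calls from Office macro' rule; the
// affected shortcut path is in FolderPath/FileName.
DeviceEvents
| where Timestamp > ago(7d)
| where ActionType in ("AsrOfficeMacroWin32ApiCallsBlocked",
                       "AsrOfficeMacroWin32ApiCallsAudited")
// Blocked events are the ones that removed shortcuts; audited events only logged them.
| extend RuleMode = iff(ActionType endswith "Blocked", "block", "audit")
| where FileName endswith ".lnk"
| summarize Hits = count(),
            FirstSeen = min(Timestamp),
            LastSeen = max(Timestamp)
          by DeviceName, RuleMode, FolderPath, FileName
| order by DeviceName asc, FirstSeen asc
```

Replace the `summarize` with `| summarize dcount(DeviceId) by RuleMode` to get the per-mode device count the third query above refers to.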
Some administrators have expressed concerns about the scripts provided by Microsoft, stating that not all lost shortcuts are reported. In response, the community has developed its own solutions and shared them on GitHub.
While the community-developed scripts may have limitations for non-English speakers, they have proven effective for major applications from Microsoft, Adobe, Google, Mozilla, Dell, Nvidia, RingCentral, and others.