Friday the 13th is considered an unlucky day in most of the West and many system admins at various IT companies certainly felt that way yesterday. That’s because Microsoft Defender went rogue and deleted shortcuts from the Start menu and taskbar, among other places. Although user reports indicated that the issue was present on Windows 10 systems, Microsoft today confirmed on its health dashboard that Windows 11 was also affected.
After you install Security Intelligence Update Build 1.381.2140.0 for Microsoft Defender, application shortcuts in the Start menu, pinned to the taskbar, and on the desktop may disappear or be deleted. Additionally, errors may be seen when trying to run executable (.exe) files that depend on shortcut files. Affected devices have the Attack Surface Reduction (ASR) rule “Block Win32 API calls from Office macros” enabled. After installing Security Intelligence build 1.381.2140.0, the detection resulted in the deletion of some Windows shortcut (.lnk) files that matched the incorrect detection pattern.
Windows devices used by consumers at home or in small offices are unlikely to be affected by this issue.
Client: Windows 11, version 22H2; Windows 10, version 22H2; Windows 11, version 21H2; Windows 10, version 21H2; Windows 10, version 20H2; Windows 10 Enterprise LTSC 2019; Windows 10 Enterprise LTSC 2016; Windows 10 Enterprise 2015 LTSB
System administrators soon discovered that a strict ASR rule in Defender’s Security Intelligence Update version 1.381.2140.0 was the culprit, and so a fix was developed to address it. Microsoft has also officially endorsed the fix:
Solution: Changes to Microsoft Defender may alleviate this problem. Attack Surface Reduction (ASR) rules in Microsoft Defender are used to manage software behavior as part of security measures. Changing ASR rules to audit mode can help prevent this problem. This can be done through the following options:
Microsoft Office applications can be launched through the Microsoft 365 App Launcher. More details about the Microsoft 365 App Launcher can be found in “Meet the Microsoft 365 App Launcher”.
Microsoft has also published the steps needed to fully resolve the issue. However, sysadmins are frustrated that these steps do not restore deleted shortcuts; all Microsoft says is that affected admins and users need to recreate or restore these shortcuts “by other means”:
Next Steps: This issue is resolved in Security Intelligence Update build 1.381.2164.0. Installing Security Intelligence Update build 1.381.2164.0 or later should prevent the problem, but it will not restore previously deleted shortcuts. You will need to recreate or restore these shortcuts in other ways.
Therefore, users are advised to update their Defender Security Intelligence version to 1.381.2164.0 or later. You can find more details about these complimentary updates here.
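The check-and-mitigate sequence described above (audit mode as the interim workaround, build 1.381.2164.0 or later as the fix), as an added PowerShell example that is not Microsoft's own script. The rule GUID comes from Microsoft's ASR rule reference rather than from this page, and treating every build from 1.381.2140.0 up to but not including 1.381.2164.0 as affected is an assumption.

```powershell
# Added example. Run in an elevated PowerShell session on the endpoint.
# GUID of the ASR rule "Block Win32 API calls from Office macros"
# (taken from Microsoft's ASR rule reference, not from this article).
$RuleId     = '92e97fa1-2edf-4476-bdd6-9dd0b4dddc7b'
$BadBuild   = [version]'1.381.2140.0'   # build this article names as the cause
$FixedBuild = [version]'1.381.2164.0'   # build this article names as the fix

function Get-AsrRuleAction {
    # Returns the numeric action configured for one ASR rule:
    # 0 = disabled / not configured, 1 = block, 2 = audit, 6 = warn.
    param([string]$Id)
    $pref    = Get-MpPreference
    $ids     = @($pref.AttackSurfaceReductionRules_Ids)
    $actions = @($pref.AttackSurfaceReductionRules_Actions)
    for ($i = 0; $i -lt $ids.Count; $i++) {
        if ($ids[$i] -ieq $Id) { return [int]$actions[$i] }
    }
    return 0
}

$build  = [version](Get-MpComputerStatus).AntivirusSignatureVersion
$action = Get-AsrRuleAction -Id $RuleId
$state  = switch ($action) {
    0 { 'Disabled' } 1 { 'Block' } 2 { 'Audit' } 6 { 'Warn' }
    default { "Unknown ($action)" }
}
"Security Intelligence build: $build; ASR rule state: $state"

if ($build -ge $FixedBuild) {
    'Build is at or above the fixed version; no mode change needed.'
}
elseif ($build -ge $BadBuild -and $action -eq 1) {
    # Interim workaround: move only this rule from block to audit mode.
    # Caveat: if the rule is set by Group Policy or Intune, change it there,
    # because managed policy takes precedence over this local setting.
    Add-MpPreference -AttackSurfaceReductionRules_Ids $RuleId `
                     -AttackSurfaceReductionRules_Actions AuditMode
    # Then pull the newest Security Intelligence and report the result.
    Update-MpSignature
    $build = [version](Get-MpComputerStatus).AntivirusSignatureVersion
    "Rule set to audit mode; build after update: $build"
}
else {
    'Rule is not in block mode or build predates the faulty update; updating only.'
    Update-MpSignature
}
```

Once the endpoint reports a build at or above 1.381.2164.0, the rule can be returned to block mode; the script does not recreate shortcuts that were already deleted.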