Major Microsoft Defender ASR issue confirmed: shortcuts broken, application start up issues
Microsoft is currently investigating a major issue affecting users of its Windows operating system. According to the company's short message on Twitter, it is investigating an "issue where users are unable to access application shortcuts on the Start menu and Taskbar in Windows".
Microsoft published a follow-up to the initial confirmation of its investigation. It states that Microsoft has identified the issue and "reverted the rule to prevent further impact" while the investigation continues.
Update: Microsoft confirmed that it has resolved the issue in "security intelligence update build 1.381.2164.0". The update won't restore lost shortcuts, however, and Microsoft mentions nonchalantly that these need to be recreated or restored through other means, without providing any guidance. End
Users with Admin Center access are asked to follow SI MO497128.
There, Microsoft provided more feedback on the issue.
"User impact: Users are unable to utilize the Application shortcuts on the Start menu and taskbar.
More info: The shortcut icons may not appear or would not work. We've received reports that the ASR rule 'Block Win32 API calls from Office macro' is deleting the application shortcuts"
Günter Born notified me about the issue and collected information from various sources on his English blog. The first user reports that he received indicated that an Office 365 update could have been the culprit, but further research suggests that the issue is not limited to Office 365.
Affected users and system administrators report that program icons disappear suddenly from the start menu and the desktop.
Martin Schmidli confirmed on Twitter that his organization was seeing the issue:
"We currently experience a weird issue. ASR is triggering the deletion of Shortcuts in the taskbar. OfficeClickToRun is blocked. Does somebody have this issue as well? Currently 2 Tenants. #Intune #MDE #Microsoft"
One administrator on Reddit suggested that the cause of the issue was an ASR (Attack Surface Reduction) rule. A potential workaround for the issue is to set the following ASR rule to audit in Intune:
Block Win32 API calls from Office macros
The workaround was confirmed by several users on various sites and messaging services already.
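To check a single machine against the fixed build and the workaround described above, the following PowerShell sketch reports the installed security intelligence version and the current state of the rule. It is an added example, not code from Microsoft or from the article. It assumes the Defender cmdlets are available and that the rule GUID is the one Microsoft's ASR rule reference lists for this rule; `$ApplyAudit` is a hypothetical switch, and on Intune-managed devices the policy from Intune takes precedence over a local change.

```powershell
# Added example: local check for the ASR shortcut issue (run elevated).
# GUID per Microsoft's ASR rule reference for
# "Block Win32 API calls from Office macros" (assumption: not on the page).
$RuleId     = '92e97fa1-2edf-4476-bdd6-9dd0b4dddc7b'
$FixedBuild = [version]'1.381.2164.0'   # fixed build named in the article
$ApplyAudit = $false                    # hypothetical switch: set $true to change state

# Numeric action values Defender stores for each configured rule.
$ActionNames = @{ 0 = 'Disabled'; 1 = 'Block'; 2 = 'Audit'; 6 = 'Warn' }

function Get-AsrRuleState {
    param([string]$Id)
    $pref = Get-MpPreference
    $ids  = @($pref.AttackSurfaceReductionRules_Ids)
    $acts = @($pref.AttackSurfaceReductionRules_Actions)
    for ($i = 0; $i -lt $ids.Count; $i++) {
        # Ids and actions are parallel arrays; match case-insensitively.
        if ($ids[$i] -ieq $Id) { return $ActionNames[[int]$acts[$i]] }
    }
    return 'NotConfigured'
}

$current = [version](Get-MpComputerStatus).AntivirusSignatureVersion
$state   = Get-AsrRuleState -Id $RuleId

[pscustomobject]@{
    Computer         = $env:COMPUTERNAME
    SignatureVersion = $current
    HasFixedBuild    = ($current -ge $FixedBuild)
    RuleState        = $state
}

if ($ApplyAudit -and $current -lt $FixedBuild -and $state -eq 'Block') {
    # Prefer the real fix: pull current security intelligence first.
    Update-MpSignature
    $current = [version](Get-MpComputerStatus).AntivirusSignatureVersion
    if ($current -lt $FixedBuild) {
        # Add-MpPreference changes this one rule; Set-MpPreference would
        # overwrite the whole configured rule list.
        Add-MpPreference -AttackSurfaceReductionRules_Ids $RuleId `
                         -AttackSurfaceReductionRules_Actions AuditMode
    }
}
```

Once the device reports `HasFixedBuild = True`, the rule can be returned to its previous action.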
The issue should die down in the coming hours thanks to the reverting of the rule by Microsoft. It is unclear if shortcuts will be restored somehow once a permanent fix for the issue is published by Microsoft. Several
The reports suggest that the issue is affecting business and Enterprise environments only or predominantly.
Now You: were you or machines in your organization affected by the issue?