Major Microsoft Defender ASR issue confirmed: shortcuts broken, application start up issues

Martin Brinkmann
Jan 13, 2023
Updated • Jan 14, 2023
The issue was resolved in security intelligence update build 1.381.2164.0, but shortcuts are not restored.

Microsoft is currently investigating a major issue affecting users of its Windows operating system. According to the company's short message on Twitter, it is investigating an "issue where users are unable to access application shortcuts on the Start menu and Taskbar in Windows".


Microsoft published a follow-up to the initial confirmation of its investigation. It states that Microsoft has identified the issue and "reverted the rule to prevent further impact" while the investigation continues.

Update: Microsoft confirmed that it has resolved the issue in "security intelligence update build 1.381.2164.0". The update won't restore lost shortcuts, however, and Microsoft mentions nonchalantly that these need to be recreated or restored through other means, without providing any guidance. End

Users with Admin Center access are asked to follow SI MO497128.

There, Microsoft provided more feedback on the issue.

"User impact: Users are unable to utilize the Application shortcuts on the Start menu and taskbar.

More info: The shortcut icons may not appear or would not work. We've received reports that the ASR rule 'Block Win32 API calls from Office macro' is deleting the application shortcuts"

Günter Born notified me about the issue and collected information from various sources on his English blog. First user reports that he received indicated that an Office 365 update could have been the culprit, but further research suggests that the issue is not limited to Office 365.

Affected users and system administrators report that program icons disappear suddenly from the start menu and the desktop.

Martin Schmidli confirmed on Twitter that his organization was seeing the issue:

"We currently experience a weird issue. ASR is triggering the deletion of Shortcuts in the taskbar. OfficeClickToRun is blocked. Does somebody have this issue as well? Currently 2 Tenants. #Intune #MDE #Microsoft"

One administrator on Reddit suggested that the cause of the issue was an ASR (Attack Surface Reduction) rule. A potential workaround is to set the ASR rule to audit in Intune.

Block Win32 API calls from Office macros

Rule-ID 92e97fa1-2edf-4476-bdd6-9dd0b4dddc7b

The workaround was confirmed by several users on various sites and messaging services already.
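The following check is an added example, not taken from the article or from Microsoft's guidance: it reports whether a machine has the fixed security intelligence build, how the rule is configured locally, and whether the rule fired in the last week. It assumes the local Defender cmdlets (`Get-MpComputerStatus`, `Get-MpPreference`, `Add-MpPreference`) and Defender operational log events 1121 and 1122 rather than Intune; `$ApplyWorkaround` is a name chosen for this example.

```powershell
# Added example, not from the article. Run in an elevated PowerShell session.
$RuleId     = '92e97fa1-2edf-4476-bdd6-9dd0b4dddc7b'  # rule ID quoted in the article
$FixedBuild = [version]'1.381.2164.0'                 # fixed build named by Microsoft
$ApplyWorkaround = $false                             # set to $true to switch the rule to audit
$ActionName = @{ 0 = 'Disabled'; 1 = 'Block'; 2 = 'Audit'; 6 = 'Warn' }

# 1. Is the installed security intelligence at or past the fixed build?
$sigVersion = [version](Get-MpComputerStatus).AntivirusSignatureVersion
$isFixed    = $sigVersion -ge $FixedBuild

# 2. How is the rule configured on this machine? IDs and actions are parallel arrays.
$pref    = Get-MpPreference
$ids     = @($pref.AttackSurfaceReductionRules_Ids)
$actions = @($pref.AttackSurfaceReductionRules_Actions)
$state   = 'NotConfigured'
for ($i = 0; $i -lt $ids.Count; $i++) {
    if ("$($ids[$i])" -eq $RuleId) {          # -eq on strings is case-insensitive
        $code  = [int]$actions[$i]
        $state = if ($ActionName.ContainsKey($code)) { $ActionName[$code] } else { "Unknown($code)" }
    }
}

# 3. Did the rule fire recently? Event 1121 = blocked, 1122 = audited.
$hits = @(Get-WinEvent -FilterHashtable @{
        LogName   = 'Microsoft-Windows-Windows Defender/Operational'
        Id        = 1121, 1122
        StartTime = (Get-Date).AddDays(-7)
    } -ErrorAction SilentlyContinue | Where-Object { $_.Message -match $RuleId })

[pscustomobject]@{
    SignatureVersion = $sigVersion
    HasFixedBuild    = $isFixed
    RuleState        = $state
    RuleEventsLast7d = $hits.Count
    LastRuleEvent    = ($hits | Select-Object -First 1).TimeCreated
}

# 4. Workaround from the article, applied locally: only while the rule still blocks
#    and the fixed build is not installed yet.
if ($ApplyWorkaround -and -not $isFixed -and $state -eq 'Block') {
    Add-MpPreference -AttackSurfaceReductionRules_Ids $RuleId `
                     -AttackSurfaceReductionRules_Actions AuditMode
}
```

Where the rule is delivered by Intune or Group Policy, change its mode there, since the managed setting takes precedence over a local preference.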

The issue should die down in the coming hours thanks to the reverting of the rule by Microsoft. It is unclear if shortcuts will be restored somehow once a permanent fix for the issue is published by Microsoft.  Several

The reports suggest that the issue is affecting business and Enterprise environments only or predominantly.

Now You: were you or machines in your organization affected by the issue?


Comments

  1. Tree said on January 15, 2023 at 12:03 am

    Glad to have windows 7! Microsoft Security Essential not affected. Just have it to run occasional scan: not running on background unless I want to run a Quick scan.

  2. just an Ed said on January 14, 2023 at 2:15 pm

    I would like to point out one problem to anyone wishing to move to Linux, and that is a dearth of PDF editors. I’ve run Mint for some years now, and keep a copy of Win 10 and Win 7 (separate hard drives) just for a printing program and PDF editors.
    Aside from that, I’ve found worthwhile replacements for everything else I use; just an FYI.

    1. Peterc said on January 20, 2023 at 4:56 pm

      @just an Ed:

      What do you use to edit PDFs in Windows? I’ve never edited a PDF in Linux (nor have I had to in Windows for at least 20 years), but a quick websearch for PDF Editor Linux yields a few options. In the purpose-built, proprietary, payware camp, it looks like Qoppa PDF Studio and Master PDF Editor are available. (You can indefinitely use a free stripped-down version of Master PDF Editor that allows you to fill out forms, though I read it watermarks your output. You can buy the fully featured version for a one-time payment of US$70.) There are also non-purpose-built FOSS programs that can be wrangled into service, like LibreOffice Draw and Scribus. Okay, so there’s a dearth of *bona fide* PDF editors in Linux compared to Windows, but what are you doing in your Windows PDF editors that can’t be done in Master PDF Editor?

  3. Joe Hardy said on January 14, 2023 at 12:39 pm

    Wiped me out to the point where I couldn’t use my system. Start Menu / taskbar shortcuts gone. MS Defender blocked my system from accessing “AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations”. I put that folder in the exclusion list and turned off all my ASR rules and restored from a backup. Problem seems to be under control right now. Windows 10 expires in a few years. I am not wanting to move to Windows 11. I won’t miss all of these problems, the telemetry and the ads. I’ll miss Excel / Word but they are inaccessible to non-windows or Apple users. I think I’ll move to some distro of GNU/Linux – they seem to be getting better with each release. Learn LibreOffice I will. MS quality control has really gone downhill. I hate beta testing their crappy updates. They’ve gotten so big and have such a stranglehold over the consumer market that they can afford to cut quality, ignore user complaints and continue to push out poorly tested patches. I was glad to see my issue is not an isolated issue. Had me worried I was “infected”.

  4. chesscanoe said on January 14, 2023 at 12:35 pm

    Windows Defender Virus Definitions 1.381.2181.0 update appears to be roughly 10 times its usual size. I have not seen the problem under Windows 10 x64 Home with KB5022282 installed, but have seen the problem several times in the last year to a minor degree.

  5. Albert said on January 13, 2023 at 11:28 pm

    I have Windows 10 Home edition. No domain or anything like that. This sh*t started this morning with the Defender rules update installed at 4am.

    Lost all my Quick Access links. Defender message every 30 seconds or so. Some apps, like NZXT Cam that controls the CPU cooler completely stopped working.

    Had to disable Defender completely. Run a System Restore. Re-disable Defender. And wait for the Defender definitions update around 10am before re-enabling Defender.

    Thanks Microsoft. Say have you ever heard of a Quality Control Dept. ???

    1. Peterc said on January 19, 2023 at 5:40 pm

      @Albert: “Quality control”? Is that a new thing, like “agile” and “scrum”?

  6. StudentLoanDebt said on January 13, 2023 at 10:21 pm

    What happens when you employ shoddy, buggy software and cut corners by depending on end users to test it. Because of the garbage since Windows 8, Microsoft should be held accountable through litigation.

    1. Anonymous said on January 14, 2023 at 8:37 pm

      It would be pretty hard to win litigation.
      Because you agreed in the ‘Terms and Conditions’ that it is sold “as-is” and that you bear all risks of using it, and you agreed that the most you can claim from Microsoft in damages is limited to $5.00.

      1. Peterc said on January 18, 2023 at 2:17 am

        @StudentLoanDebt & Anonymous:

        “It would be pretty hard to win litigation.”

        As a private party, yes, thanks to corporate America’s wholly owned US Supreme Court. But repeatedly foisting bug-ridden updates on end-users and using the hapless suckers as unpaid beta testers can fairly be characterized as an “unfair or deceptive act or practice in or affecting commerce,” which would be grounds for the Federal Trade Commission to investigate and bring suit. The new FTC chair is even pro-consumer for the first time in quite a while! Unfortunately, the FTC’s budget depends on the good graces of Congress, and Microsoft outright *owns* at least two US senators (as their biggest source of campaign contributions) and one US representative (a former Microsoft executive who is married to an even higher-powered and still-active Microsoft senior executive). If there’s ever a reckoning, it’s probably going to have to come from the EU’s consumer-protection and antitrust agency … if *they* haven’t been bought off yet.

        By the way, this bug hit me with a *vengeance*, on Windows 10 Home and with my bundled trial version of Office 365 never having been launched, activated, or used. (I use LibreOffice.) I initially thought it might be because Windows Update failed to offer and install the 22H2 build over my end-of-life 21H1 and that the updated Windows Defender went haywire because of *that*. But no, thanks to this article, I now know that it savaged even up-to-date systems. I began trying to restore shortcuts, but the damage was so extensive — even some actual program files got zapped — that I decided to restore my most recent Macrium Reflect system-drive image, manually install 22H2, and apply the January Patch Tuesday updates to *that*. Luckily, I wasn’t feeling up to it until yesterday — I limped along for a few days, using Everything to find and launch program EXE files directly — and by then the rogue ASR definitions had apparently been fixed. One of the first things I read online after restoring and properly updating my system was this article!

        For what it’s worth, nothing remotely this bad has ever happened to me in Linux Mint or Kubuntu. (Manjaro, yes, but I’m a Linux noob, and Linux noobs should be very cautious about running AUR scripts in Arch-based distros, in my humble Linux-noob opinion. Yes, even if they read the notes, because to paraphrase Jamie Lee Curtis in “A Fish Called Wanda,” while apes may *read* philosophy, they don’t *understand* it. ;-)

        On the plus side, this gave me the opportunity to restore an image for the first time. (My older laptops had user-accessible, swappable drives, so I cloned instead of imaging and I would still prefer to do that if I could. Clones are easy to test and swap in quickly.) I was relieved when it took only 30-40 minutes to restore the image instead of the 4 hours 40 minutes it took to create. I was NOT so relieved to discover that the function key that was supposed to pull up the UEFI/BIOS’s boot menu at startup did not reliably work, especially when both my Macrium PE thumb drive and my USB hard drive with the image were attached at power-on. I ended up having to schedule a boot menu from within Windows, in the System Recovery section of Settings. If my Windows install had been completely borked instead of just damaged, I might have been in trouble…).

        In conclusion: BAD Microsoft! BAD!

  7. ECJ said on January 13, 2023 at 9:17 pm

    People rightly criticise Microsoft for pushing out too many bad updates since Satya got rid of large numbers of QA staff. However, the team in charge of Microsoft Defender are by far the worst offenders – it’s almost as if they don’t do any testing *at all*. This ASR rule is part of the Windows Security Baseline – which was created precisely to help prevent this type of thing. The Windows security team really need to rethink their processes and procedures.

    1. Jek Porkins said on January 13, 2023 at 10:46 pm

      I thought QA got removed when there was some woman CEO who only tried to make witty posts on Twitter and contributed with nothing.

  8. ilev said on January 13, 2023 at 8:29 pm

    Glad I never used Defender or Office in 40 years using PCs.

  9. Anonymous said on January 13, 2023 at 6:07 pm

    I have this problem. I have been busy for hours trying to find out if I was hit by a virus or ICT-vandal.

    I am very happy to find the GHack-message, so it is not a virus.

    At this moment I have been able to replace some sort of icons (not the original ones) on the desktop from the executables of ProgramFiles and ProgramFilesX86. REVO seemed gone!?
    So obviously now the defect Defender-info has been replaced.

    I hope that a repair-program will come. Otherwise I will have to reinstall Windows !!

    However

  10. Tachy said on January 13, 2023 at 4:22 pm

    @Martin

    Can you tell us which versions of windows have been affected?

    1. John G. said on January 14, 2023 at 3:53 am

      A friend of mine has W11 22H2 22621.1105 and he lost almost every shortcut. There was no way to recover them and the only solution was to recover the entire OS from ISO backup. He was lucky because if no ISO backup is available then the entire OS should be replaced or reinstalled. Just a shame from Microsoft because this is a very hard problem with serious consequences! Thanks for the article by the way.

      1. Ray said on January 17, 2023 at 4:57 pm

        He needs to add them back, they are just shortcuts
