Techies are reporting that Microsoft Defender for Endpoint attack surface reduction (ASR) rules have gone haywire and are removing icons and application shortcuts from the Taskbar and Start Menu.
The problems were first noted early today, Friday 13th, by multiple IT folk and many seem to be scratching their heads as to the cause. Some said they are experiencing it on both Windows 10 and Windows 11.
“I noticed it at around 8.45am (UTC),” one techie at an independent software shop told us. “The ASR rule is removing icons on the taskbar and Start Menu and in some cases uninstalling Microsoft Office as well.”
ASR is designed to make a PC safer by blocking macros etc, but the clean-up is certainly more dramatic than expected. “It just happened, we don’t know what caused it.
“We suspected it was a KP – a patch from Tuesday – that went wrong but I’ve spoken to plenty of others this morning and we think it is definitely related to the ASR rules.”
A thread on Reddit indicates this isn’t an isolated incident with other sysadmins jumping in. The person that started the conversation said:
“We recently onboarded our estate to Defender for Endpoint and we’ve had a number of reports this morning that their program shortcuts (Chrome, Firefox, Outlook) have all vanished following a reboot of their machine, which has also occurred for me too. It seems to be blocking from the rule: ‘Block Win32 API calls from Office macro’.”
Another said they were seeing “exactly the same issue” and had to “push a policy update to set this rule into Audit mode instead of Block – as it’s trashing almost all 3rd party apps and even first party ones as you’ve said – Slack, Chrome, Outlook.”
“Same. Huge numbers of machines nuked in the past hour. Happy Friday,” said another. All Microsoft apps including Excel and Word had also gone AWOL, said yet one more sysadmin.
Microsoft has so far remained publicly silent on the problem, although it has published MO497128 under the Microsoft 365 Suite category and not the Defender category, warning:
One techie has claimed the problem is related to the newest Defender signature (1.381.2140.0). They said it then appears “all shortcuts located ProgramData\Microsoft\Windows\Start Menu\Programs will be deleted instantly.”
Deleting ASR rules worked for one IT pro, and another said they changed the rule to Audit “and it appears to work. The difficulty is that the InTune policy isn’t applying particularly quickly and we also need to repair Office on some machines as the outlook.exe is literally missing (not just the shortcut).”
In agreement, a poster said: “Set defender ASR rule 92e97fa1-2edf-4476-bdd6-9dd0b4dddc7b to audit only. Confirmed working but will lessen your defences. Big risk if applied org wide, run it by management.”
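The per-host check and audit-mode change the sysadmins describe, as an added PowerShell example that is not from the article, the Reddit thread or Microsoft. It assumes an elevated session with the built-in Defender cmdlets; the `-SetAudit` switch is this script's own hypothetical parameter.

```powershell
# Added example: triage one host for the ASR rule named in the article.
[CmdletBinding(SupportsShouldProcess)]
param(
    [string]$RuleId = '92e97fa1-2edf-4476-bdd6-9dd0b4dddc7b',  # rule ID quoted in the article
    [switch]$SetAudit                                          # hypothetical switch of this script
)

# Numeric values Get-MpPreference reports for ASR rule actions.
$actionNames = @{ 0 = 'Disabled'; 1 = 'Block'; 2 = 'Audit'; 6 = 'Warn' }

$pref   = Get-MpPreference
$status = Get-MpComputerStatus

# Rule IDs and actions come back as parallel arrays; find this rule's position.
$ids     = @($pref.AttackSurfaceReductionRules_Ids)
$actions = @($pref.AttackSurfaceReductionRules_Actions)
$index   = -1
for ($i = 0; $i -lt $ids.Count; $i++) {
    if ($ids[$i] -eq $RuleId) { $index = $i; break }
}
$current = if ($index -ge 0) { $actionNames[[int]$actions[$index]] } else { 'NotConfigured' }

# Count shortcuts left in the all-users Start Menu folder mentioned in the article.
$startMenu = Join-Path $env:ProgramData 'Microsoft\Windows\Start Menu\Programs'
$lnkCount  = @(Get-ChildItem -Path $startMenu -Filter *.lnk -Recurse -ErrorAction SilentlyContinue).Count

# Emit one record per host so results can be collected and compared across the estate.
[pscustomobject]@{
    Computer          = $env:COMPUTERNAME
    SignatureVersion  = $status.AntivirusSignatureVersion
    RuleId            = $RuleId
    RuleAction        = $current
    StartMenuLnkCount = $lnkCount
}

# Only touch the rule when asked to, and only if it is currently blocking.
# Add-MpPreference changes this one rule and leaves the other configured rules alone.
if ($SetAudit -and $current -eq 'Block' -and
    $PSCmdlet.ShouldProcess($RuleId, 'Set ASR rule to AuditMode')) {
    Add-MpPreference -AttackSurfaceReductionRules_Ids $RuleId `
                     -AttackSurfaceReductionRules_Actions AuditMode
}
```

Running it with `-SetAudit -WhatIf` shows the change without making it. On machines where the rule is delivered by Intune or Group Policy, the managed policy is what needs changing, since a local setting does not replace it.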
Frustration then turned to anger. “How in the hell did this update make it past Microsoft testing/QA?? They test before they push updates, right? Guys? Right?”
And: “Yep Microsoft have fucked it. False Attack Surface alerts for most of Start Menu shortcuts.”
One more added: “Defender really is the Gift that keeps on giving!”
We have asked Microsoft to comment and will update when Redmond makes it to the keyboard. ®