Recovery of Links Deleted by Defender ASR Update

January 18, 2023 Zack Prichard


On January 13th, Microsoft released an update for Microsoft Defender that incorporated a change to the Attack Surface Reduction (ASR) rule known as “Block Win32 API calls from Office macro” in Configuration Manager and “Win32 imports from Office macro code” in Intune. The rule detects and blocks malware from using VBA macros to call Win32 APIs. However, an unplanned inclusion in the Defender ASR update caused Microsoft Defender to exhibit a series of false positive detections. These detections resulted in the deletion of files matching the incorrect detection logic, primarily impacting Windows shortcut (.lnk) files, including shortcuts from the desktop, the Start menu, and the Windows Taskbar.

Impacted users

Microsoft has stated that all users who updated to security intelligence builds between 1.381.2134.0 and 1.381.2163.0 face potential impact.

However, Microsoft adds that there is no danger of impact for users who do not have the “Block Win32 API calls from Office macro” rule turned on in block mode or did not update to security intelligence update builds 1.381.2134.0, 1.381.2140.0, 1.381.2152 or 1.381.2163.0.


Steps for those affected

Impacted users need to both install the updated security intelligence build and run a secondary script to recover the Start menu shortcuts.

First, all users should update to build 1.381.2164.0 or later. Users employing automatic updates for Microsoft Defender do not need to take any additional steps, as the updated security intelligence build will be pushed out to them. However, enterprise customers managing updates must download and deploy the latest update across their environments. Note that the updated security intelligence build does not restore deleted files.
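To see where a single machine stands against the builds listed above, the following PowerShell check can be run from an elevated prompt. It is an added example, not Microsoft's recovery script or OneNeck code. It assumes the Defender PowerShell module is present, uses Microsoft's documented GUID for this ASR rule, and assumes Defender event ID 1121 (ASR rule fired in block mode) is still retained in the operational log.

```powershell
# Added example: exposure check for the January 2023 ASR false positive.
# Build numbers are taken from the article; the GUID is the documented ID of
# the "Block Win32 API calls from Office macros" ASR rule.
$RuleId        = '92e97fa1-2edf-4476-bdd6-9dd0b4dddc7b'
$FirstAffected = [version]'1.381.2134.0'
$LastAffected  = [version]'1.381.2163.0'
$FixedBuild    = [version]'1.381.2164.0'

function Get-AsrRuleMode {
    param([string]$Id)
    $pref    = Get-MpPreference
    $ids     = @($pref.AttackSurfaceReductionRules_Ids)
    $actions = @($pref.AttackSurfaceReductionRules_Actions)
    for ($i = 0; $i -lt $ids.Count; $i++) {
        if ($ids[$i] -ieq $Id) {
            switch ([int]$actions[$i]) {
                0 { return 'Disabled' }
                1 { return 'Block' }
                2 { return 'Audit' }
                6 { return 'Warn' }
                default { return "Unknown($($actions[$i]))" }
            }
        }
    }
    return 'NotConfigured'   # rule ID absent from local preferences
}

$build = [version](Get-MpComputerStatus).AntivirusSignatureVersion
$mode  = Get-AsrRuleMode -Id $RuleId

if ($build -ge $FixedBuild) { $buildState = 'Fixed' }
elseif ($build -ge $FirstAffected -and $build -le $LastAffected) { $buildState = 'Affected' }
else { $buildState = 'OlderThanAffected' }

# A host already on the fixed build may still have lost shortcuts earlier,
# so also count block events for this rule since the January 13 release.
$hits = @(Get-WinEvent -FilterHashtable @{
    LogName   = 'Microsoft-Windows-Windows Defender/Operational'
    Id        = 1121
    StartTime = [datetime]'2023-01-13'
} -ErrorAction SilentlyContinue | Where-Object { $_.Message -match $RuleId })

[pscustomobject]@{
    ComputerName     = $env:COMPUTERNAME
    SignatureBuild   = $build
    BuildState       = $buildState
    RuleMode         = $mode
    BlockEventsSince = $hits.Count
    NeedsReview      = ($buildState -eq 'Affected' -and $mode -eq 'Block') -or ($hits.Count -gt 0)
}
```

A `NeedsReview` value of `True` on a host that is already on the fixed build means the rule blocked something after the release date; the event messages in `$hits` name the affected paths and show whether shortcuts were involved.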


How to recover deleted shortcuts

Microsoft swiftly established the steps necessary for users to recreate start menu links for a substantial subset of the affected applications. Detailed instructions can be found here.

Microsoft also has provided additional guidelines for deploying the script using Microsoft Intune.

The latest version of the script (Version 3.0) restores from Volume Shadow Copy Service by default, recovers “.url” files in the favorites and desktop directories of a user’s profile, and adds improvements for non-English language machines as well as enhanced error handling. At this time, the script does not restore taskbar shortcuts, though Microsoft is continuing to work on a solution.


Manual recovery

Customers preferring to employ manual steps to resolve the issue may run the Application Repair functionality for programs such as Microsoft 365, Microsoft Edge, and Microsoft Visual Studio.

Instructions for Windows 10 and Windows 11 machines are as follows:

Windows 10:

  1. Start > Settings > Apps > Apps & features
  2. Select the app you want to fix
  3. Select Modify link under the name of the app if it is available
  4. A new page will launch and allow you to select the repair

Windows 11:

  1. Type “Installed Apps” in the search bar
  2. Click “Installed Apps”
  3. Select the app you want to fix
  4. Click on “…”
  5. Select Modify or Advanced Options if it is available
  6. A new page will launch and allow you to select the repair


OneNeck, We’ve Got Your Back

If you have any questions on how to update, recover deleted links or are unsure if your organization has been affected, we’re here to help. Talk to one of our skilled team members today.


