Techies are reporting that Microsoft Defender for Endpoint Attack Surface Reduction (ASR) rules have gone haywire and are removing icons and application shortcuts from the taskbar and Start menu.
The problems were first noted today, Friday the 13th, by several IT folks and have left many scratching their heads as to the cause. Some said that they are experiencing it on both Windows 10 and Windows 11.
“I saw it around 8.45am (UTC),” a techie at an independent software shop told us. “The ASR rule is removing icons on the taskbar and Start menu and in some cases uninstalling Microsoft Office as well.”
ASR is designed to make the PC safer by blocking macros etc., but the clean-up is definitely more dramatic than expected. “It just happened, we don’t know what caused it.
“We suspected it was the KB – a patch from Tuesday – that went wrong but I’ve spoken to a lot of people this morning and we think it’s definitely related to the ASR rules.”
A thread on Reddit indicates that this is not an isolated incident, with other sysadmins jumping in. The person who started the conversation said:
“We recently onboarded our assets to Defender for Endpoint and this morning we have had several reports that their program shortcuts (Chrome, Firefox, Outlook) have all disappeared after a reboot of their machine, which happened to me too. It seems to be blocked by the rule: ‘Block Win32 API calls from Office macros’.”
Another said they were seeing “exactly the same problem” and that they had to “push forward a policy update to set this rule to audit mode instead of block – as you said it does for almost all third parties. Trashing third party apps and even the first party ones – Slack, Chrome, Outlook.”
Another said: “That’s it. Lots of nuclear bombs exploded in the last hour. Happy Friday.” All Microsoft apps, including Excel and Word, had also gone AWOL, another sysadmin said.
Microsoft has so far been publicly silent on the issue, although it published MO497128 under the Microsoft 365 Suite category and not the Defender category, warning:
A techie has claimed that the problem is related to the latest Defender Signature (1.381.2140.0). They said it appears that “all shortcuts located at ProgramData\Microsoft\Windows\Start Menu\Programs will be removed immediately.”
Removing the ASR rules worked for one IT pro, and another said: “Change the rule to audit and it seems to be working. The trouble is that the Intune policy isn’t being enforced particularly quickly. And we also need to repair Office on some machines as Outlook.exe is literally missing (not just the shortcut).”
In agreement, one poster said: “Defender ASR rule set 92e97fa1-2edf-4476-bdd6-9dd0b4dddc7b for audit only. Confirmed to work but will reduce your defenses. Big risk if implemented widely, run it by management.”
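For admins who want to check a single host while the policy change propagates, the following is an added example, not a script from Microsoft or from the posters quoted here. It uses the built-in Defender cmdlets with the rule ID, signature version and Start Menu path quoted above; the numeric action codes and event ID 1121 (ASR rule fired in block mode) are Defender's standard values, and the `$Apply` switch is a name chosen for this example.

```powershell
# Added example: triage one host for the ASR rule and signature build quoted in the article.
# Run from an elevated PowerShell prompt; set $Apply = $true to change the rule locally.
$RuleId      = '92e97fa1-2edf-4476-bdd6-9dd0b4dddc7b'   # rule ID quoted above
$ReportedSig = [version]'1.381.2140.0'                  # signature build reported above
$StartMenu   = Join-Path $env:ProgramData 'Microsoft\Windows\Start Menu\Programs'
$Apply       = $false                                   # report only by default
$ActionNames = @{ 0 = 'Disabled'; 1 = 'Block'; 2 = 'Audit'; 6 = 'Warn' }

function Get-AsrRuleAction {
    param([string]$Id)
    # Defender stores rule IDs and actions as two parallel arrays.
    $pref    = Get-MpPreference
    $ids     = @($pref.AttackSurfaceReductionRules_Ids)
    $actions = @($pref.AttackSurfaceReductionRules_Actions)
    for ($i = 0; $i -lt $ids.Count; $i++) {
        if ($ids[$i] -eq $Id) { return [int]$actions[$i] }
    }
    return $null    # rule is not configured on this host
}

$action = Get-AsrRuleAction -Id $RuleId
$mode   = if ($null -eq $action) { 'NotConfigured' } else { $ActionNames[$action] }
$sig    = [version](Get-MpComputerStatus).AntivirusSignatureVersion

# Event ID 1121 = an ASR rule fired in block mode; keep only hits for this rule.
$blocks = @(Get-WinEvent -ErrorAction SilentlyContinue -FilterHashtable @{
        LogName   = 'Microsoft-Windows-Windows Defender/Operational'
        Id        = 1121
        StartTime = (Get-Date).AddDays(-1)
    } | Where-Object { $_.Message -match $RuleId })

# Count the shortcuts that remain in the all-users Start Menu folder.
$links = @(Get-ChildItem -Path $StartMenu -Recurse -Filter '*.lnk' -ErrorAction SilentlyContinue)

[pscustomobject]@{
    Computer           = $env:COMPUTERNAME
    SignatureVersion   = $sig
    OnReportedBuild    = ($sig -eq $ReportedSig)
    RuleMode           = $mode
    BlockEventsLast24h = $blocks.Count
    StartMenuShortcuts = $links.Count
}

if ($Apply -and $action -eq 1) {
    # Add-MpPreference, unlike Set-MpPreference, does not replace the other configured rules.
    Add-MpPreference -AttackSurfaceReductionRules_Ids $RuleId `
                     -AttackSurfaceReductionRules_Actions AuditMode
    "Rule now: $($ActionNames[(Get-AsrRuleAction -Id $RuleId)])"
}
```

Where the rule is delivered by Intune or Group Policy, the managed setting generally takes precedence over a local change, so the fix still has to land in the policy itself.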
Disappointment then turned to anger. “How come this update made it past Microsoft testing/QA?? They test before updating, right? People? Right?”
And: “Yeah Microsoft messed it up. False attack surface alerts for most Start menu shortcuts.”
Another added: “The defender really is the gift that keeps on giving!”
We’ve asked Microsoft for comment and will update when Redmond gets access to the keyboard.