Microsoft script creates shortcuts that were deleted due to bad Defender ASR rules

Microsoft has released Advanced Hunting Queries (AHQs), and a PowerShell script that can be used to recover Windows shortcuts from a Microsoft Defender ASR Rule.

Microsoft published a new Microsoft Defender signature update in the early morning of January 13th. It included changes to the Attack Surface Reduction rule known as “Block Win32 API Calls from Office Macro” in Configuration Manager and as “Win32 Imports from Office Macros Code” in Intune.

This rule blocks malicious code from calling Win32 APIs using VBA macros.

After the update, Microsoft Defender flagged false positives under this rule, which caused Windows desktop and Start menu shortcuts to be deleted.

The faulty rule led to widespread disruption within corporate environments. Users were unable to launch applications quickly and Windows administrators had to scramble to fix the problem.

Microsoft reversed the changes in the signature update 1.381.2164.0, but advised admins it might take some time for all signatures to spread to other environments.

To recreate shortcuts that were deleted, a script has been released

Microsoft published advanced hunting queries Saturday morning to locate shortcuts affected and a PowerShell script that recreates shortcuts for certain commonly deleted apps.

Microsoft has provided details in an .

These have been combined into the PowerShell script to assist enterprise administrators in taking recovery actions within their environment.

The advanced hunting queries are useful to determine how this bug has affected your company. They allow you to search for events that occurred on Friday as a result of the flawed rule.

If impacted, you can use the PowerShell script, which scans the HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths registry key to check whether thirty-three different programs are installed on a computer.

When a program is installed, the script checks whether the Start Menu already contains its shortcut and, if the shortcut is missing, creates it.

Here is the list of apps whose shortcuts the script can recreate:

  - Adobe Acrobat
  - Adobe Photoshop 2023
  - Adobe Illustrator 2023
  - Adobe Creative Cloud
  - Firefox Private Browsing
  - Firefox
  - Google Chrome
  - Microsoft Edge
  - Notepad++
  - Parallels Client
  - Remote Desktop
  - TeamViewer
  - Royal TS6
  - Elgato StreamDeck
  - Visual Studio 2022
  - Visual Studio Code
  - Camtasia Studio
  - Camtasia Recorder
  - Jabra Direct
  - 7-Zip File Manager
  - Access
  - Excel
  - OneDrive
  - OneNote
  - Outlook
  - PowerPoint
  - Project
  - Publisher
  - Visio
  - Word
  - PowerShell 7 (x64)
  - SQL Server Management Studio
  - Azure Data Studio

If shortcuts for programs not listed above were deleted, organizations can edit the PowerShell script's $programs array so that other applications are included.
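The following PowerShell is an added illustration of the recovery logic described above (App Paths lookup, Start Menu check, shortcut creation) and of a table of programs in the spirit of the script's $programs array; it is not Microsoft's script, and the program table, function name and shortcut names are assumptions.

```powershell
# Added example, not Microsoft's script: recreate missing all-users Start Menu
# shortcuts for programs registered under the App Paths key. Run elevated.
# Hypothetical table: App Paths subkey name -> shortcut display name.
$programs = @{
    'chrome.exe'    = 'Google Chrome'
    'notepad++.exe' = 'Notepad++'
    'Code.exe'      = 'Visual Studio Code'
    '7zFM.exe'      = '7-Zip File Manager'
}

$appPaths  = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths'
# All-users Start Menu only. Per-user installs (e.g. Microsoft 365 Click-to-Run
# deployed by Intune) keep their shortcuts under $env:APPDATA instead.
$startMenu = Join-Path $env:ProgramData 'Microsoft\Windows\Start Menu\Programs'
$shell     = New-Object -ComObject WScript.Shell

function Restore-StartMenuShortcut {
    param([string]$Exe, [string]$Name)

    $key = Join-Path $appPaths $Exe
    if (-not (Test-Path $key)) { return "skip: $Exe is not registered" }

    # The subkey's (Default) value holds the executable path, sometimes quoted.
    $target = (Get-ItemProperty -Path $key).'(default)'
    if (-not $target) { return "skip: $Exe has no default path" }
    $target = $target.Trim('"')
    if (-not (Test-Path $target)) { return "skip: $target does not exist" }

    $lnk = Join-Path $startMenu "$Name.lnk"
    if (Test-Path $lnk) { return "ok: $lnk already present" }

    # Create the .lnk through the WScript.Shell COM object.
    $shortcut = $shell.CreateShortcut($lnk)
    $shortcut.TargetPath       = $target
    $shortcut.WorkingDirectory = Split-Path $target
    $shortcut.IconLocation     = "$target,0"
    $shortcut.Save()
    return "created: $lnk"
}

foreach ($exe in $programs.Keys) {
    Restore-StartMenuShortcut -Exe $exe -Name $programs[$exe]
}
```

Desktop and Quick Launch shortcuts are not touched by this logic, which mirrors the limitation administrators reported with Microsoft's script.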

Microsoft also shares on devices within a Windows domain.

Microsoft has provided the steps for repairing an installation error.

This process can take longer, as it will most likely reinstall the entire program. Not all programs offer a repair option.

Repair an application in Windows 10:

  1. Choose Start > Settings > Apps > Apps & Features.

  2. Choose the app that you wish to fix.

  3. If a Modify link is present, select it.

  4. You will be redirected to a new page that allows you to choose repair.

Repair an application in Windows 11:

  1. In the search box, type “Installed Apps”.

  2. Click “Installed Apps”.

  3. Choose the app that you wish to fix.

  4. Click on “…”

  5. Select Advanced options or Modify, whichever is available.

  6. You will be redirected to a new page that allows you to choose repair.

This is not a satisfactory solution.

Although the PowerShell script is intended to create shortcuts for certain applications, Windows administrators say it doesn’t go far enough.

This script is limited to thirty-three applications and will not create shortcuts for other programs that are commonly installed on computers.

Even for the Microsoft Office applications it targets, shortcuts aren’t recreated in every case.

It does not restore Microsoft Office shortcuts for per-user installations, which account for the majority of Microsoft 365 Click-to-Run (C2R) installs. “This is the default M365 installation behavior for Intune. It would be great if the script could reflect this,” commented a Windows administrator about the script.

Windows administrators also noted that while the script creates shortcuts within the Start Menu, it does not recreate deleted ones from the Windows Taskbar Quick Launch Toolbar or on the Windows desktop.

One admin pointed out that it might be possible to retrieve the Start menu, Quick Launch bar, and Desktop shortcuts from Shadow Volume Copies.

To check whether shortcuts have been saved in previous snapshots, users can browse the shadow copies with a suitable tool and then simply copy the files back to the system drive.

It may be possible to use for multiple devices in order to search and retrieve files from Shadow Volume Copies.
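As an added example of the Shadow Volume Copy approach the admins describe (not from the article or from Microsoft), the following PowerShell exposes each snapshot of C: through a temporary directory link and copies back any Start Menu .lnk file that is missing on the live system; the mount path and the dry-run flag are assumptions.

```powershell
# Added example, not from the article: restore Start Menu .lnk files that exist
# in a Volume Shadow Copy of C: but no longer on the live system. Run elevated.
# $DryRun = $true only reports; set it to $false to actually copy files.
$DryRun   = $true
$liveDir  = Join-Path $env:ProgramData 'Microsoft\Windows\Start Menu\Programs'
$relative = 'ProgramData\Microsoft\Windows\Start Menu\Programs'
$mount    = 'C:\ShadowMount'   # hypothetical link path; keep it free of spaces

$cVolume = (Get-CimInstance Win32_Volume | Where-Object DriveLetter -eq 'C:').DeviceID
$shadows = Get-CimInstance Win32_ShadowCopy |
    Where-Object VolumeName -eq $cVolume |
    Sort-Object InstallDate -Descending      # newest snapshot first

foreach ($sc in $shadows) {
    # Expose the snapshot as a directory; mklink needs the trailing backslash.
    cmd.exe /c mklink /d $mount "$($sc.DeviceObject)\" | Out-Null
    try {
        $snapDir = Join-Path $mount $relative
        if (-not (Test-Path $snapDir)) { continue }
        Write-Host "Checking snapshot from $($sc.InstallDate)"
        Get-ChildItem -Path $snapDir -Filter *.lnk -Recurse | ForEach-Object {
            # Rebuild the path the shortcut would have on the live system.
            $rel  = $_.FullName.Substring($snapDir.Length).TrimStart('\')
            $dest = Join-Path $liveDir $rel
            if (Test-Path $dest) { return }   # still present, nothing to restore
            Write-Host "Missing on live system: $dest"
            if (-not $DryRun) {
                New-Item -ItemType Directory -Path (Split-Path $dest) -Force | Out-Null
                Copy-Item -Path $_.FullName -Destination $dest
            }
        }
    } finally {
        # Remove only the link, never the snapshot contents.
        cmd.exe /c rmdir $mount | Out-Null
    }
}
```

The same relative-path logic applies to the Desktop and Quick Launch folders by changing $liveDir and $relative, and a snapshot predates the faulty rule only if it was created before January 13th.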

This bug is a huge mess that has impacted Windows administrators as well as IT support, who will most likely need to manually recreate some missing shortcuts.