An update pushed to Microsoft's Defender for Endpoint anti-malware utility deleted application and utility shortcuts for Windows users worldwide ahead of the weekend last week.
A Defender signature update, version 1.381.2140.0, contained an Attack Surface Reduction (ASR) rule named "Block Win32 API calls from Office macro".
Microsoft has confirmed that this faulty rule deleted the Start menu and Taskbar shortcuts, and said the issue has now been resolved, referring users to item MO4977128 in the admin centre portal.
Users have published workarounds to remedy the issue, but applying them appears to be onerous for administrators.
I'm stunned with shock as a result of this. Imagine being the sole person responsible for patching of over 8000 assets. Now imagine half of those assets are now bricks to their users, now imagine being me. — Deon Seymour (@ghoststomper) January 13, 2023
Thank you very much for the worst day I've had in patching history ever.
It is possible to use Microsoft's Intune utility to restore shortcuts, icons and apps, but admins are complaining that the process is too slow and that they will have to spend days manually repairing each affected computer.
A large number of users and administrators have reported that icons and application shortcuts were deleted from the Start menu and Taskbar, although the exact number is not known.
ASR rules were introduced with Microsoft Defender Antivirus in Windows 10, version 1709, with the full set of rules only available to customers with an Enterprise license.
Update: Microsoft has since published recovery instructions and a script on GitHub that recovers some of the shortcuts deleted by the Defender ASR rule. However, admins have complained that the automated tools are incomplete.