Microsoft Defender ASR rules remove icons and apps shortcuts from Taskbar

vtqhtr413

Level 26
Thread author
Verified
Top Poster
Well-known
Aug 17, 2017
1,448
Techies are reporting that Microsoft Defender for Endpoint attack surface reduction (ASR) rules have gone haywire and are removing icons and application shortcuts from the Taskbar and Start Menu. The problems were first noted early today, Friday 13th, by multiple IT folk and many seem to be scratching their heads as to the cause. Some said they are experiencing it on both Windows 10 and Windows 11.

"I noticed it at around 8.45am (UTC)," one techie at an independent software shop told us. "The ASR rule is removing icons on the taskbar and Start Menu and in some cases uninstalling Microsoft Office as well." ASR is designed to make a PC safer by blocking macros etc, but the clean-up is certainly more dramatic than expected.

"It just happened, we don't know what caused it. We suspected it was a KB – a patch from Tuesday – that went wrong but I've spoken to plenty of others this morning and we think it is definitely related to the ASR rules."
 

kC77

Level 5
Verified
Well-known
Aug 16, 2021
230
I thought I was going mad earlier... random icons just vanished, but could see in protection history the reason why (the "block win32 API calls from office Macro" ASR rule).

So I set the ASR rule to audit in dui.

Then restored icon files from Macrium Reflect (mounted image and robocopy .lnk only).
So far so good, but I am still in audit mode on that rule.

MS have tweeted and already rolled out a fixed signature
 

danb

From VoodooShield
Verified
Top Poster
Developer
Well-known
May 31, 2017
1,635
Thank you for posting this, I was wondering what the heck is going on ;). I have been working on this issue for the last hour or so, and it appears to be related to the Block Win32 API calls from Office macros rule.
 

Gandalf_The_Grey

Level 76
Verified
Honorary Member
Top Poster
Content Creator
Well-known
Apr 24, 2016
6,505
Microsoft reminds all it's Friday the 13th as Defender deletes shortcuts on Windows 10
Although Microsoft Defender is generally a good anti-malware solution, the program can often go haywire on harmless stuff leading to its very poor false positive scores in third-party assessment programs.

Earlier today, a similar thing happened when IT and system admins began reporting that after updating Defender definitions, they could no longer access shortcuts for apps in the Taskbar and Start menu. The issue was seemingly caused by the security intelligence update version 1.381.2140.0, as Defender would delete all shortcuts (.lnk) files located inside ProgramData\Microsoft\Windows\Start Menu\Programs.

Users say the issue is happening on Windows 10, though it is possible that Windows 11 might have been affected too. System admins were working around the issue by setting Attack Surface Reduction (ASR) rule "92e97fa1-2edf-4476-bdd6-9dd0b4dddc7b" to Audit only (via Reddit).
 

ForgottenSeer 76546

I saw that this morning and immediately set it to audit mode so I was not affected.

There is a script to recreate the shortcuts for those affected by the bug:
 

Gandalf_The_Grey

Level 76
Verified
Honorary Member
Top Poster
Content Creator
Well-known
Apr 24, 2016
6,505
Microsoft says it can't restore Defender-deleted shortcuts on Windows 11 and 10 for you
Friday the 13th is considered an unlucky day in most of the west and several system admins across multiple IT companies definitely felt that yesterday. That's because Microsoft Defender went rogue and deleted shortcuts from the Start menu and Taskbar, among other places. Although the user reports indicated that the issue was present on Windows 10 systems, Microsoft has confirmed today on its health dashboard that Windows 11 was also affected.

System admins soon discovered that a hardened ASR rule in Defender's security intelligence update version 1.381.2140.0 was the culprit and hence a workaround was devised to get around this. Microsoft has also officially validated the workaround.

Microsoft has also published the steps needed to resolve the issue fully. However, sysadmins are likely to be disappointed by the fact that restoring back the deleted shortcuts is not something fixable with this and all Microsoft says here is that affected admins and users "need to recreate or restore these shortcuts through other methods".

Hence, users are advised to update their Defender security intelligence version to 1.381.2164.0 or later. You can find more details about these definition updates here.
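
The workaround and fix described in the posts above, as an added example that is not part of the original thread or Microsoft's published steps. It uses the rule GUID and version numbers quoted above, assumes an elevated PowerShell session, and assumes that every build from the reported bad one up to the fixed one should be treated as suspect:

```powershell
#Requires -RunAsAdministrator
# Added example. The rule GUID and both version numbers are quoted from the thread.
$RuleId       = '92e97fa1-2edf-4476-bdd6-9dd0b4dddc7b'  # Block Win32 API calls from Office macros
$BadVersion   = [version]'1.381.2140.0'   # update reported as deleting .lnk files
$FixedVersion = [version]'1.381.2164.0'   # thread: update to this "or later"
$ActionName   = @{ 0 = 'Disabled'; 1 = 'Block'; 2 = 'Audit'; 6 = 'Warn' }

function Get-AsrRuleAction([string]$Id) {
    # Ids and Actions are parallel arrays in the Defender preference object.
    $pref = Get-MpPreference
    $ids  = @($pref.AttackSurfaceReductionRules_Ids)
    $acts = @($pref.AttackSurfaceReductionRules_Actions)
    for ($i = 0; $i -lt $ids.Count; $i++) {
        if ($ids[$i] -ieq $Id) { return [int]$acts[$i] }
    }
    return $null   # rule not configured on this machine
}

$sig    = [version](Get-MpComputerStatus).AntivirusSignatureVersion
$action = Get-AsrRuleAction $RuleId

# Assumption: every build from the bad one up to (not including) the fixed one is suspect.
if ($sig -ge $BadVersion -and $sig -lt $FixedVersion -and $action -eq 1) {
    # Workaround from the thread: the rule keeps logging but stops acting.
    # Add-MpPreference changes this one rule; Set-MpPreference would replace the whole list.
    # A setting pushed by Intune or Group Policy will override this local change.
    Add-MpPreference -AttackSurfaceReductionRules_Ids $RuleId `
                     -AttackSurfaceReductionRules_Actions AuditMode
}
if ($sig -lt $FixedVersion) {
    Update-MpSignature     # pull current security intelligence
    $sig = [version](Get-MpComputerStatus).AntivirusSignatureVersion
}

# Report the end state, plus how many Start Menu shortcuts are present to restore against.
$after     = Get-AsrRuleAction $RuleId
$startMenu = Join-Path $env:ProgramData 'Microsoft\Windows\Start Menu\Programs'
[pscustomobject]@{
    SignatureVersion = $sig
    Fixed            = $sig -ge $FixedVersion
    RuleAction       = if ($null -eq $after) { 'NotConfigured' } else { $ActionName[$after] }
    StartMenuLnk     = @(Get-ChildItem $startMenu -Filter *.lnk -Recurse -ErrorAction SilentlyContinue).Count
}
```

The script does not put the rule back into Block mode; do that deliberately once `Fixed` reports `True` and the shortcuts have been restored.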
 

CyberTech

Level 44
Verified
Top Poster
Well-known
Nov 10, 2017
3,247
I just did a system restore to yesterday, it's easier than messing around with that script.
Imagine when you forgot System Restore even though you are an IT guy. Actually, why didn't I think of this before? When I saw all the icons were gone I was like damn! ffs, I thought I'd reinstall all the software again later because I was too lazy. I saw your post, it worked! Thank you! Giving you 🍪🍪, don't tell any staff, go to your DM in private and eat it there, dude!
 

ForgottenSeer 97327

Defender ate some of my icons. When I disable the faulty ASR and attach those programs to my taskbar, something funny occurs:
1. Icons of normal (Program Files) programs can be attached again and are shown
2. Icons of WindowsApps (the ones in C:\Program Files\WindowsApps) don't show up, while the application is attached without showing the icon (the tile is transparent)

On my desktop I can revert to a previous image, so I have no real problem. Just out of curiosity I am trying to find out what caused this (have disabled all security features). Does any of the MT members have a clue why WindowsApps attach to the taskbar without showing their icon?
 

windows1064

Level 1
Jan 7, 2020
23
They fixed it 10-12 hours ago. Just updated MD and reset icon cache:
run cmd as admin
taskkill /f /im explorer.exe
cd %homepath%\AppData\Local\Microsoft\Windows\Explorer
del iconcache*
explorer.exe

I'm using Hard Configurator, Firewall Hardening and Configure Defender and all good now.
 

wat0114

Level 11
Verified
Top Poster
Well-known
Apr 5, 2021
547
@oldschool & @windows1064

I tried, did not work. I am going back to a previous image, thanks for the suggestions.

After trying all kinds of suggestions through search and elsewhere, including above suggested, I restored a previous image to get the edge transparent icon back to normal. Good ol' image backup/restore to the rescue (y)
 

Andrezj

Level 6
Nov 21, 2022
248
@oldschool & @windows1064

I tried, did not work. I am going back to a previous image, thanks for the suggestions.
Which image recovery solution do you use?
After trying all kinds of suggestions through search and elsewhere, including above suggested, I restored a previous image to get the edge transparent icon back to normal. Good ol' image backup/restore to the rescue (y)
Same question, which image recovery solution do you use?
 

windows1064

Level 1
Jan 7, 2020
23
I forgot to mention that first I restored default settings in H_C, Firewall Hardening and Configure Defender.
Restarted PC, applied the fixes above and restored H_C recommended settings, Firewall Hardening (lolbins, h_c) and Configure Defender (high). Restarted PC again and this time icons weren't blank or disappeared.
 
