
Microsoft and community release scripts to help mitigate Defender mess

Techies forced to mop up after update caused ASR rules to detect false positives, wiping icons and apps shortcuts

Techies are fearing the worst in efforts to recover from Microsoft's bug-laden Defender for Endpoint pre-weekend rollout, after updates removed icons and application shortcuts from the Windows 11 and 10 desktop, Taskbar and Start Menu.

The update dispatched to users on the morning of January 13 caused nightmares for Windows admins, forcing Microsoft to issue Advanced Hunting Queries and a PowerShell script the following day in a bid to help spot and recover applications.

In a post on its Tech Community forum on 14 January, Microsoft said:

"Windows Security and Microsoft Defender for Endpoint customers may have experienced a series of false positive detections for the Attack Surface Resolution (ASR) rule 'Block Win32 API calls from Office macro' after updating to security intelligence builds between 1.381.2134.0 and 1.381.2163.0. These detections resulted in the deletion of files that matched the incorrect detection logic primarily impacting Windows shortcut (.lnk) files."


Microsoft is currently advising customers to update to 1.381.2164.0 (the latest security intelligence build) or later. Once updated, block mode can safely be turned back on; crucially, however, this will not restore the files that were already deleted.

Those who didn't have the "Block Win32 API calls from Office macro" rule turned on in block mode, or didn't update to builds 1.381.2134.0, 1.381.2140.0, 1.381.2152 and 1.381.2163.0, were not hit by the mess. Sources told us Microsoft halted the update before it reached users in North America.

"Microsoft has confirmed steps that customers can take to recreate start menu links for a significant subset of the affected applications that were deleted. These have been consolidated into the PowerShell script below to help enterprise administrators take recovery actions in their environment," said the Windows giant.

Version 1.1 of the script is available here, and instructions to deploy the script using Microsoft Intune are here.
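The recovery approach the article describes, recreating Start Menu shortcuts for applications whose executables are still on disk, as an added example that is not Microsoft's script and not taken from the page: it uses the standard WScript.Shell COM interface to write .lnk files, and the application list and paths in it are constructed placeholders that an administrator would replace with their own software inventory. The function name Restore-StartMenuShortcut and the -DryRun switch are this example's own.

```powershell
# Added example (not Microsoft's recovery script): recreate missing Start Menu
# shortcuts for a known list of applications after the ASR false positive
# deleted the .lnk files but left the applications themselves in place.

# Constructed sample inventory: shortcut name -> executable path.
# Placeholder values; populate from your own software inventory.
$KnownApps = @{
    'Microsoft Edge' = 'C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe'
    'Notepad++'      = 'C:\Program Files\Notepad++\notepad++.exe'
    'Example LOB App (placeholder)' = 'C:\Program Files\ExampleVendor\ExampleApp\ExampleApp.exe'
}

# All-users Start Menu programs folder. Per-user shortcuts live under
# $env:APPDATA\Microsoft\Windows\Start Menu\Programs instead; pinned Taskbar
# items cannot be recreated this way and must be re-pinned by the user.
$StartMenuPrograms = Join-Path $env:ProgramData 'Microsoft\Windows\Start Menu\Programs'

function Restore-StartMenuShortcut {
    param(
        [Parameter(Mandatory)] [string] $Name,
        [Parameter(Mandatory)] [string] $TargetPath,
        [string] $Folder = $StartMenuPrograms,
        [switch] $DryRun
    )

    $lnkPath = Join-Path $Folder "$Name.lnk"

    # Only recreate a shortcut whose target actually exists on this machine;
    # a shortcut to a missing executable is just a new dangling link.
    if (-not (Test-Path -LiteralPath $TargetPath)) {
        return [pscustomobject]@{ Name = $Name; Status = 'TargetMissing'; Path = $lnkPath }
    }
    # Never overwrite a shortcut that survived (or was already restored).
    if (Test-Path -LiteralPath $lnkPath) {
        return [pscustomobject]@{ Name = $Name; Status = 'AlreadyPresent'; Path = $lnkPath }
    }
    if ($DryRun) {
        return [pscustomobject]@{ Name = $Name; Status = 'WouldCreate'; Path = $lnkPath }
    }

    # WScript.Shell is the long-standing COM interface for writing .lnk files.
    $shell    = New-Object -ComObject WScript.Shell
    $shortcut = $shell.CreateShortcut($lnkPath)
    $shortcut.TargetPath       = $TargetPath
    $shortcut.WorkingDirectory = Split-Path -Parent $TargetPath
    $shortcut.IconLocation     = "$TargetPath,0"
    $shortcut.Save()

    return [pscustomobject]@{ Name = $Name; Status = 'Created'; Path = $lnkPath }
}

# Dry run first; drop -DryRun once the report shows only the expected creations.
$report = foreach ($entry in $KnownApps.GetEnumerator()) {
    Restore-StartMenuShortcut -Name $entry.Key -TargetPath $entry.Value -DryRun
}
$report | Format-Table -AutoSize
```

Run it in an elevated session, since the all-users Start Menu folder under ProgramData is not writable by standard users. The status report is the useful part for an estate-wide rollout: 'TargetMissing' rows tell you which inventory entries are wrong for a given machine, and the per-machine output can be collected centrally to measure how much of the deletion the known-application list actually covers, which is the gap the administrators quoted below are complaining about.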

IT pros the Reg spoke to on condition of anonymity told us Microsoft had screwed up royally here, and one said the provision of scripts was like "pissing in the wind." Version 1 of the script covers around 20 applications and version 1.1 more than 30.

"The vast majority of application shortcuts that people use are not there. I can't see a way that Microsoft can recover, this is a permanent delete. They've done well with this one."

On Microsoft's Tech Community forum, one admin said: "I suspect these links have been lost indefinitely and us administrators are going to have to recover the Start Menu, and the users are going to have to re-pin every Taskbar and Quick Launch shortcut manually.

"Who on earth released that update without checking the impact? There are thousands of administrators across the globe now having to repair their environments, which is causing a major impact on productivity."

Another commenter on the forum said they doubted the AHQ was sufficient. "In our case hundreds of Office links were deleted, but only 16 were displayed in the advanced hunt... How can I find everything which was blocked (and [by] blocked I mean deleted)?"

Others asked for credits or some sort of compensation to pay for the "huge burden on IT to fix it" manually, and some called for a rollback feature for Defender.

"I will eat my hat if Microsoft has a fix," one hard-pressed Windows admin told The Register.

We asked Microsoft to comment on Friday and it has yet to respond with a statement. ®
