Microsoft Defender ASR rules cause apps and icons to disappear • The Register

Techies are reporting that Microsoft Defender for Endpoint assault floor discount (ASR) rules have gone haywire and are eradicating icons and utility shortcuts from the Taskbar and Start Menu.

The issues have been first famous early in the present day, Friday the thirteenth, by a number of IT individuals and many appear to be scratching their heads as to the cause. Some stated they’re experiencing it on each Windows 10 and Windows 11.

“I seen it at round 8.45am (UTC),” one techie at an impartial software program store informed us. “The ASR rule is eradicating icons on the taskbar and Start Menu and in some instances uninstalling Microsoft Office as effectively.”

ASR is designed to make a PC safer by blocking macros and many others., however the clean-up is actually extra dramatic than anticipated. “It simply occurred, we do not know what brought on it.

“We suspected it was a KB – a patch from Tuesday – that went flawed however I’ve spoken to loads of others this morning and we predict it’s positively associated to the ASR rules.”

A thread on Reddit signifies that this is not an remoted incident with different sysadmins leaping in. The one who began the dialog stated:

“We just lately onboarded our property to Defender for Endpoint and we have had plenty of stories this morning that their program shortcuts (Chrome, Firefox, Outlook have all vanished following a reboot of their machine, which has additionally occurred for me too. It appears to be blocking from the rule: ‘Block Win32 API calls from Office macro’.”

Another stated they have been seeing “precisely the identical concern” and had to “push a coverage replace to set this rule into Audit mode as a substitute of Block – because it’s trashing nearly all third social gathering apps and even first social gathering ones as you’ve got stated – Slack , Chrome, Outlook.”

“Same. Huge numbers of machines nuked prior to now hour. Happy Friday,” stated one other. All Microsoft apps together with Excel and Word had additionally gone AWOL, stated one more sysadmin.

Microsoft has to date remained publicly silent on the issue, though it has printed MO497128 below the Microsoft 365 Suite class and not the Defender class, warning:

One technician has claimed that the issue is expounded to the most recent Defender signature (1.381.2140.0). They stated it then seems “all shortcuts positioned ProgramDataMicrosoftWindowsStart MenuPackages can be deleted immediately.”

Deleting ASR rules labored for one IT professional, and one other stated he modified the rule to Audit “and it seems to work. The issue is that the InTune coverage is not making use of significantly rapidly and we additionally want to restore Office on some machines because the outlook.exe is actually lacking (not simply the shortcut).”

In settlement, a poster stated: “Set defender ASR rule 92e97fa1-2edf-4476-bdd6-9dd0b4dddc7b to audit solely. Confirmed working however will decrease your defenses. Big threat if utilized org broad, run it by administration.”

Frustration then turned to anger. “How within the hell did this replace make it previous Microsoft testing/QA?? They check earlier than they push updates, proper? Guys? Right?”.

And: “Yep Microsoft have fucked it. False Attack Surface alerts for many of Start Menu shortcuts.”

One extra added: “Defender actually is the Gift that retains on giving!”

We have requested Microsoft to remark and will replace when Redmond makes it to the keyboard. ®

Leave a Comment