Microsoft Defender ASR rules cause apps and icons to disappear

Techs have reported that Microsoft Defender for Endpoint Attack Surface Reduction (ASR) rules have gone awry and are removing icons and application shortcuts from the taskbar and Start menu.

The issues were first noticed early today, Friday the 13th, by several IT folks and many seem to be scratching their heads as to the cause. Some said they are testing it on both Windows 10 and Windows 11.

“I noticed it around 8.45am UTC,” a technician at an independent software store told us. “The ASR rule removes icons on the taskbar and Start menu and in some cases uninstalls Microsoft Office as well.”

ASR is designed to make your computer more secure by blocking macros and such, but the cleanup is definitely more dramatic than expected. “It just happened, we don’t know why.

“We suspected it was a KB – patch from Tuesday – a bug but I’ve talked to a lot of others this morning and we think it’s definitely related to the ASR rules.”

A thread on Reddit indicates that this is not an isolated incident, with other system administrators weighing in. The person who started the conversation said:

“We recently ported our properties to Defender for Endpoint and had a number of reports this morning that their program shortcuts (Chrome, Firefox, and Outlook) all disappeared after restarting their machines, which also happened to me. It seems to be blocking the rule: ‘Block Win32 API Calls from Office Macros’.”

Another said they were seeing “exactly the same issue” and had to “push a policy update to set this rule in checking mode instead of blocking – since it deletes almost all third party apps and even first party apps like you said – Slack, Chrome, Outlook.”


Another said, “Same thing. Lots of machines that have been hit with nuclear missiles in the last hour. Happy Friday.” Another system administrator said that all Microsoft applications including Excel and Word are gone as well.

Microsoft has so far been publicly silent on the issue, though it has published MO497128 under the Microsoft 365 Suite category and not the Defender category, warning:

A technician claimed that the problem is related to the latest Defender signature (1.381.2140.0). They said that it then appears “all shortcuts in ProgramData\Microsoft\Windows\Start Menu\Programs will be deleted immediately.”

Deleting the ASR rules worked for one IT pro; another said he changed the rule to “Audit” and it seems to work. “The difficulty is that the Intune policy is not being applied especially quickly and we also need to fix Office on some machines because outlook.exe is literally missing (not just the shortcut).”

In agreement, the poster said: “ASR Defender set rule 92e97fa1-2edf-4476-bdd6-9dd0b4dddc7b for audit only. Confirm work but it will lower your defenses. High risk if applied enterprise wide, run it by management.”

Then the frustration turned to anger. “How the hell did this update pass Microsoft/QA testing?? They test before they push updates, right? Guys? Right?”

And: “Yes, Microsoft has exploited it. False Attack Surface Alerts for most Start Menu shortcuts.”

Another added: “Defender is truly the gift that keeps on giving!”

We’ve asked Microsoft for comment and will update when Redmond hits the keyboard. ®
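The audit-mode workaround the posters describe can be checked and applied per endpoint with the built-in Defender cmdlets. The script below is an added example, not code from the article, the Reddit thread, or Microsoft; the variable and function names are illustrative, and it assumes an elevated PowerShell session on an endpoint whose ASR rules are configured locally.

```powershell
# Added example. Values marked "from the article" are quoted from the text above.
$RuleId      = '92e97fa1-2edf-4476-bdd6-9dd0b4dddc7b'   # rule GUID from the article
$ReportedSig = '1.381.2140.0'                            # signature version from the article
$ShortcutDir = Join-Path $env:ProgramData 'Microsoft\Windows\Start Menu\Programs'

# Numeric action codes Defender stores for each ASR rule.
$ActionNames = @{ 0 = 'Disabled'; 1 = 'Block'; 2 = 'Audit'; 6 = 'Warn' }

function Get-AsrRuleAction {
    # Returns the numeric action for one rule, or $null if the rule is not configured.
    param([Parameter(Mandatory)][string]$Id)
    $pref    = Get-MpPreference
    $ids     = @($pref.AttackSurfaceReductionRules_Ids)      # parallel arrays:
    $actions = @($pref.AttackSurfaceReductionRules_Actions)  # ids[i] pairs with actions[i]
    for ($i = 0; $i -lt $ids.Count; $i++) {
        if ($ids[$i] -eq $Id) { return [int]$actions[$i] }   # -eq ignores case on strings
    }
    return $null
}

$status     = Get-MpComputerStatus
$action     = Get-AsrRuleAction -Id $RuleId
$actionName = if ($null -eq $action) { 'NotConfigured' } else { $ActionNames[$action] }
$shortcuts  = @(Get-ChildItem -Path $ShortcutDir -Filter *.lnk -Recurse -ErrorAction SilentlyContinue)

# One record per endpoint, suitable for collecting across a fleet.
[pscustomobject]@{
    Computer           = $env:COMPUTERNAME
    SignatureVersion   = $status.AntivirusSignatureVersion
    OnReportedVersion  = ($status.AntivirusSignatureVersion -eq $ReportedSig)
    RuleAction         = $actionName
    StartMenuShortcuts = $shortcuts.Count   # a very low count suggests the endpoint was hit
}

# Move the rule from Block to Audit, leaving every other ASR rule untouched.
# Audit mode still logs what the rule would have blocked but no longer enforces it.
if ($action -eq 1) {
    Add-MpPreference -AttackSurfaceReductionRules_Ids $RuleId `
                     -AttackSurfaceReductionRules_Actions AuditMode
    "Rule $RuleId is now: $($ActionNames[(Get-AsrRuleAction -Id $RuleId)])"
}
```

Where the rule is delivered by Intune or Group Policy, make the change in that policy instead, since the managed setting takes precedence over a local one.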
