40

All of a sudden, Windows Defender has removed loads of shortcuts (.lnk files) from our Windows 10 and 11 computers. Dozens of computers affected.

Shortcuts have disappeared from both the desktop folder and the taskbar - with most disappearing instantly when the user double clicks the icon. Presumably the issue is machine wide, just most shortcuts are found in these locations.

Some shortcuts are however not affected and others that have been removed can be recreated and may not be removed.

Very odd!!

Moshe Katz
  • 3,488

4 Answers

21

Disable (turn Off) the ASR rule "Block Win32 API calls from Office macros".

Ours was set to Warn, so you wouldn't expect it to delete or block access to files, but it did anyway!

I don't know what the link is to Win32 API calls or Office macros, but having disabled this rule and synced settings on 4 PCs - Windows 10 and 11 - the issue is instantly resolved.

13

Because it is buggy...

[Short answer to the question "Why has Windows Defender started removing shortcuts today (13/01/2023)?"]

This issue is resolved in security intelligence update build 1.381.2164.0. Installing security intelligence update build 1.381.2164.0 or later should prevent the issue, but it will not restore previously deleted shortcuts. You will need to recreate or restore these shortcuts through other methods. For additional information, see Recovering from Attack Surface Reduction rule shortcut deletions.

Note that

Affected devices have the Attack Surface Reduction (ASR) rule "Block Win32 API calls from Office macro" enabled. After installing security intelligence build 1.381.2140.0, detections resulted in the deletion of certain Windows shortcut (.lnk) files that matched the incorrect detection pattern.

How to solve / avoid the problem

  1. Not installing the security intelligence update build 1.381.2140.0. (To prevent)
  2. Installing security intelligence update build 1.381.2164.0 or later. (To solve)
  3. Changing ASR rules to Audit Mode (It may help to prevent).
Hastur
  • 19,483
  • 9
  • 55
  • 99
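The checks from the answer above can be scripted per machine. The following PowerShell is an added example, not part of the answer or of Microsoft's guidance. It assumes the rule GUID shown is the one for "Block Win32 API calls from Office macros" (verify it against your own ASR policy), and the `-SetAudit` switch name is hypothetical.

```powershell
# Added example: triage one machine for the ASR shortcut-deletion false positive.
# Run from an elevated PowerShell prompt on a machine with the Defender module.
param([switch]$SetAudit)   # hypothetical switch: also move the rule to Audit mode

# Assumption: GUID of "Block Win32 API calls from Office macros"; confirm in your policy.
$RuleId     = '92e97fa1-2edf-4476-bdd6-9dd0b4dddc7b'
$BadBuild   = [version]'1.381.2140.0'   # build named on the page as causing deletions
$FixedBuild = [version]'1.381.2164.0'   # build named on the page as containing the fix
$ActionName = @{ 0 = 'Off'; 1 = 'Block'; 2 = 'Audit'; 6 = 'Warn' }

$sig  = [version](Get-MpComputerStatus).AntivirusSignatureVersion
$pref = Get-MpPreference

# Rule ids and actions are parallel arrays; locate this rule's position.
$ids     = @($pref.AttackSurfaceReductionRules_Ids | ForEach-Object { "$_".ToLower() })
$actions = @($pref.AttackSurfaceReductionRules_Actions)
$idx     = [array]::IndexOf($ids, $RuleId)

if ($idx -ge 0) {
    $action = [int]$actions[$idx]
    $state  = $ActionName[$action]
    if (-not $state) { $state = "Unknown ($action)" }
} else {
    $action = -1
    $state  = 'NotConfigured'
}

# At risk: signatures in the affected range while the rule is in Block or Warn.
$inBadRange = ($sig -ge $BadBuild) -and ($sig -lt $FixedBuild)
$atRisk     = $inBadRange -and ($action -in 1, 6)

[pscustomobject]@{
    Computer         = $env:COMPUTERNAME
    SignatureVersion = $sig
    RuleState        = $state
    InAffectedRange  = $inBadRange
    AtRisk           = $atRisk
}

if ($atRisk -and $SetAudit) {
    # A local change can be overridden by GPO/MDM/MECM policy on managed machines.
    Add-MpPreference -AttackSurfaceReductionRules_Ids $RuleId `
                     -AttackSurfaceReductionRules_Actions AuditMode
    Update-MpSignature   # pull current security intelligence (fixed build or later)
}
```

As the answer notes, updating the security intelligence does not restore shortcuts that were already deleted.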
10

The problem is also tracked by Microsoft in the Microsoft 365 Admin Center as "MO497128: Some users are unable to utilize the Application shortcuts on the Start menu and taskbar".

Setting delayed distribution of Defender definition updates also seems possible, if not already on workstations. Disable the particular ASR rule if you have the option (MDM/MECM/GPO).

Kazzan
  • 101
-6

Us too, we pushed this out

Set-MpPreference -DisableRealtimeMonitoring $true

as a very very temporary workaround.

Rohit Gupta
  • 5,096