Microsoft Defender update kills Start Menu shortcuts and program files on Windows

Facepalm: Microsoft Defender should provide plenty of security features for Windows-based home and enterprise customers. Some of those features, however, are turning against users and making system administrators regret yet another unlucky Friday the 13th.

Last Friday was a rather unlucky day for Windows users and system administrators worldwide. According to multiple reports, Microsoft Defender for Endpoint turned into a shortcut and file "killer" that fateful day, after the security suite began to delete application shortcuts from the Windows Taskbar and Start Menu, sometimes even removing the linked program files from disk.

The issue was experienced by multiple system admins on Windows 10 and Windows 11, and its likely cause was soon pinned down to an ASR rule modified by a recent update for Defender. Attack surface reduction (ASR) rules target certain software behaviors like launching executables and scripts, running obfuscated scripts or "performing behaviors that apps don't usually initiate during normal day-to-day work," Microsoft explains.

The ASR rule in question is "Block Win32 API calls from Office macro," sysadmins discovered, and it went haywire after Microsoft released the 1.381.2140.0 signature update for Defender. In some cases, the modified rule pushed the system antimalware to both remove the shortcuts and uninstall the Office productivity suite altogether.

In addition to Office, many other programs were affected by the shortcut and file-killer update, including Google Chrome, Mozilla Firefox, Slack, Visual Studio, Notepad++, Adobe Acrobat, and more. A subsequent bulletin from Microsoft confirmed that the issue was indeed the updated "Block Win32 API calls from Office macro" ASR rule.

As a mitigation measure, the Redmond corporation said system administrators could change ASR behavior to "Audit Mode" by using Intune or Windows's own Group Policy. A definitive solution then came a day later, with a new ASR rule included in the 1.381.2164.0 update for Defender. However, shortcuts and programs deleted by the AV were lost for good, Microsoft said, as they had to be recreated or reinstalled from scratch.

A further update posted on Microsoft Community Hub offered a partial solution to this last issue, with a PowerShell script designed to recreate the deleted shortcuts for 33 of the most popular programs affected by the bug (see list below). Needless to say, the script didn't bring joy to those sysadmins that were forced to reinstall deleted programs or recreate the shortcuts that were deployed per-user in a multi-user organization.