Microsoft Defender Deletes Desktop, Taskbar And Start Menu Shortcuts

Friday the 13th proved to be unlucky for users of Microsoft Defender for Endpoint as the program automatically deleted shortcuts from the Start menu, desktop and taskbar. Additionally, it also caused issues with Office apps.

The culprit behind all these troubles was later found to be a flawed Microsoft Defender for Endpoint ASR (attack surface reduction) rule. Luckily at the time of writing this article, Microsoft has released a fix.

However, Microsoft has clearly stated that it can’t restore Defender-deleted shortcuts on Windows 11 and 10 for users. Consequently, if you or any of your friends experienced the aforementioned problem then you have to manually recreate the lost shortcuts.

The clients that were affected by the problem include,

Windows 11, version 22H2; Windows 10, version 22H2; Windows 11, version 21H2; Windows 10, version 21H2; Windows 10, version 20H2; Windows 10 Enterprise LTSC 2019; Windows 10 Enterprise LTSC 2016; Windows 10 Enterprise 2015 LTSB

Microsoft has officially explained the problem and stated that,

After installing security intelligence update build 1.381.2140.0 for Microsoft Defender, application shortcuts in the Start menu, pinned to the taskbar, and on the Desktop might be missing or deleted. Additionally, errors might be observed when trying to run executable (.exe) files which have dependencies on shortcut files. Affected devices have the Attack Surface Reduction (ASR) rule “Block Win32 API calls from Office macro” enabled.

After installing security intelligence build 1.381.2140.0, detections resulted in the deletion of certain Windows shortcut (.lnk) files that matched the incorrect detection pattern.

Soon after the problem came to light, a workaround was worked out which was later also officially validated by Microsoft.

Workaround: Changes to Microsoft Defender can mitigate this issue. The Atack Surface Reduction (ASR) rules in Microsoft Defender are used to regulate software behavior as part of security measures. Changing ASR rules to Audit Mode can help prevent this issue. This can be done through the following options:

  • Using Intune: Enable attack surface reduction rules | Defender for Endpoint: Microsoft Endpoint Manager
  • Using Group Policy: Enable attack surface reduction rules | Defender for Endpoint: Group Policy

Microsoft Office applications can be launched through the Microsoft 365 app launcher. More details on the Microsoft 365 app launcher can be found in Meet the Microsoft 365 app launcher

With the release of security intelligence update build 1.381.2164.0, the problem has been completely resolved and Microsoft has advised Affected admins and users to update their Defender security intelligence version to 1.381.2164.0 or later. As mentioned earlier, the update will not restore previously deleted shortcuts, and users have to perform this task manually.