
Microsoft Defender update deletes all shortcuts, here's what to do!

Friday the 13th update

Did you know? No time for that today, I'm afraid. Microsoft made a major f#ck-up. Here's everything known so far, accompanied by handy tips to restore.


As I was reading a Reddit post, somebody mentioned that it was 'Friday the 13th'. A day often related to "bad luck" and other unpleasant shenanigans. Although I'm not a superstitious guy, what happened yesterday might make me think twice next time.

Yesterday Microsoft made a booboo. Well, actually it's not just a booboo, they made a major f#ck-up.

Customers using any of the Defender for Endpoint products (Plan 1, Plan 2, and Defender for Business) noticed their shortcuts disappearing from Start and the taskbar, into the abyss.

No big deal, you'd think, "just look it up and create a new one". But in a lot of cases it made the programs (Office apps, browsers, ...) unusable. Now let me tell you, there aren't a lot of bugs that really hinder me, or stuff that I can't restore myself. But this reaaally was a pain in the ass. I can only imagine the pain of sysadmins running enterprise environments with 1000's of users. Say goodbye to your weekend, friends.

So what happened? Microsoft pushed an update to the Defender suite's Attack Surface Reduction (ASR), specifically the "Block Win32 API calls from Office macros" rule. If you had this rule configured and set to "Block", Defender would mark your shortcuts as malicious and then remove them. Not only did it remove the shortcut, but also the dependency with it, causing a lot of programs to malfunction.

Luckily Reddit came to the rescue, and some users found the 'bug' pretty quickly, advising admins to set the malfunctioning rule to "Audit".

Microsoft released a service report, confirming the issue and the remediation. Once the faulty update was found, they stopped the deployment with the message "this rollback could take hours to reach your organization". Not really the news I was hoping for, let me tell you that. Some hours later even worse news came:

"We've completed a hotfix deployment within the build 1.381.2164.0 on Friday, January 13, 2023, 7:03 PM (6:03 PM UTC). This fix update will not restore previously removed shortcut files, but it will prevent any additional shortcut files from being incorrectly removed."

I can imagine this was what we already knew, but Microsoft confirming this made a lot of sysadmins cancel their weekend plans. Especially those with no rollback scenarios.

Well, enough with the bad news, there is a lot of stuff you can do. Let me help you out.

  • Make sure you're not still on the faulty Defender build - Microsoft retracted the faulty one, and deployed a "good" one. Make sure you have the latest version, 1.381.2164.0.

  • There is a script to recover your shortcuts - the least Microsoft could do, I guess. There were some other ones on Reddit as well, but always be careful running random code. This also triggers a repair on the app, so it should work again after this. Don't forget to reboot.

  • For the manual guys and gals out there: repair your apps:

So yeah. Next Friday the 13th, I'm doing everything I can to get luck on my side. I hope Microsoft does the same. There's only one guy who really had fun with all this, I guess.
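To go with the build check from the first tip and the "Audit" workaround from Reddit, here's a PowerShell check you can run on an endpoint. It's an added example, not part of the original post and not Microsoft's recovery script. It assumes an elevated session on a machine with the built-in Defender cmdlets; the rule GUID comes from Microsoft's ASR rule documentation rather than from this post, and the function name `Get-AsrShortcutIncidentStatus` is made up for illustration.

```powershell
# Added example: report whether this endpoint is still exposed to the
# January 13, 2023 ASR false positive, and apply the Audit workaround if so.
# Run in an elevated PowerShell session on a Windows endpoint with Defender.

$FixedBuild = [version]'1.381.2164.0'                  # hotfix build named in the post
$RuleId     = '92e97fa1-2edf-4476-bdd6-9dd0b4dddc7b'  # ASR rule: Block Win32 API calls from Office macros
$ActionName = @{ 0 = 'Disabled'; 1 = 'Block'; 2 = 'Audit'; 6 = 'Warn' }

function Get-AsrShortcutIncidentStatus {   # hypothetical helper name
    # 1. Security intelligence build currently loaded on this machine
    $status  = Get-MpComputerStatus
    $current = [version]$status.AntivirusSignatureVersion

    # 2. Local state of the affected rule; Ids and Actions are parallel arrays
    $pref  = Get-MpPreference
    $ids   = @($pref.AttackSurfaceReductionRules_Ids)
    $acts  = @($pref.AttackSurfaceReductionRules_Actions)
    $state = 'Not configured'
    for ($i = 0; $i -lt $ids.Count; $i++) {
        if ($ids[$i] -ieq $RuleId) {
            $code  = [int]$acts[$i]
            $state = if ($ActionName.ContainsKey($code)) { $ActionName[$code] } else { "Unknown ($code)" }
        }
    }

    [pscustomobject]@{
        Computer       = $env:COMPUTERNAME
        SignatureBuild = $current
        HasHotfixBuild = ($current -ge $FixedBuild)
        RuleState      = $state
        # Exposed = rule is enforcing Block while the build predates the hotfix
        Exposed        = ($state -eq 'Block' -and $current -lt $FixedBuild)
    }
}

$result = Get-AsrShortcutIncidentStatus
$result | Format-List

if ($result.Exposed) {
    # Workaround from the post: switch the rule to Audit, then pull new definitions.
    # Intune or Group Policy will overwrite this local change if they manage the rule.
    Add-MpPreference -AttackSurfaceReductionRules_Ids $RuleId -AttackSurfaceReductionRules_Actions AuditMode
    Update-MpSignature
}
```

Once `HasHotfixBuild` is true everywhere, you can set the rule back to "Block" through whatever tool manages your ASR policy.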
