Technicians report that Microsoft Defender’s attack surface reduction (ASR) rules have gone crazy and are removing app icons and shortcuts from the taskbar and Start menu.
The issues were first noticed early today, Friday the 13th, by several people in IT, and many seem to be scratching their heads as to the cause. Some have said that they are experiencing this on both Windows 10 and Windows 11.
“I noticed it around 8:45 (UTC),” a tech at an independent software store told us. “The ASR rule removes icons from the taskbar and Start menu, and in some cases also uninstalls Microsoft Office.”
ASR is designed to make a PC more secure by blocking macros, etc., but the cleanup is definitely more dramatic than expected. “It just happened, we don’t know what caused it.
“We suspected it was a KB – a Tuesday patch – that went wrong, but we’ve talked to a lot of others this morning and we think it’s definitely related to the ASR rules.”
A thread on Reddit indicates that this is not an isolated incident, with other sysadmins weighing in. The person who started the conversation said:
“We recently integrated our property with Defender for Endpoint and have had a number of reports this morning that their program shortcuts (Chrome, Firefox, Outlook) have all disappeared after a restart of their machine, which has also happened to me. Seems to block the rule: ‘Block Win32 API calls from Office macro’.”
Another said they were running into the “exact same problem” and had to “push a policy update to set this rule to Audit mode instead of Block – because it kills almost all third-party apps and even first-party ones, so like you said – Slack, Chrome, Outlook.”
“As. Huge number of cars bombed in the last hour. Happy Friday,” said another. All Microsoft applications, including Excel and Word, are also gone, another system administrator said.
Microsoft has so far remained publicly silent on the issue, although it published MO497128 in the Microsoft 365 Suite category and not in the Defender category, warning:
A tech claimed that the problem is related to the newest Defender signature (1.381.2140.0). They said it then appears that “all shortcuts located in ProgramData\Microsoft\Windows\Start Menu\Programs will be deleted instantly”.
Deleting ASR rules worked for one IT pro, and another said he changed the rule to Audit “and it seems to work. The difficulty is that the Intune policy doesn’t apply very quickly and we have to repair Office on some machines because outlook.exe is missing (not just the shortcut).”
One poster agreed: “Set ASR defender rule 92e97fa1-2edf-4476-bdd6-9dd0b4dddc7b for audit only. It works confirmed, but it will lower your defense. High risk if applied organization-wide, drive it by management.”
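A local check for the behaviour the posters describe, as an added example that is not from the article or from Microsoft: it reports the Defender signature version, the state of the rule ID quoted above, how many shortcuts remain under the Start Menu path and how many Defender events name that rule, and with the hypothetical `-Apply` switch it sets that one rule to Audit. It assumes the Defender PowerShell cmdlets `Get-MpPreference`, `Get-MpComputerStatus` and `Add-MpPreference` and an elevated prompt.

```powershell
# Added example, not from the article. Run from an elevated PowerShell prompt.
param([switch]$Apply)   # hypothetical switch: without it the script only reports

$RuleId      = '92e97fa1-2edf-4476-bdd6-9dd0b4dddc7b'  # rule ID quoted in the article
$SuspectSig  = [version]'1.381.2140.0'                 # signature version named in the article
$StartMenu   = Join-Path $env:ProgramData 'Microsoft\Windows\Start Menu\Programs'
$DefenderLog = 'Microsoft-Windows-Windows Defender/Operational'
$ActionNames = @{ 0 = 'Disabled'; 1 = 'Block'; 2 = 'Audit'; 6 = 'Warn' }

function Get-AsrRuleAction {
    # Return the numeric action configured for one ASR rule, or $null if it is not set.
    param([string]$Id)
    $pref    = Get-MpPreference
    $ids     = @($pref.AttackSurfaceReductionRules_Ids)
    $actions = @($pref.AttackSurfaceReductionRules_Actions)
    for ($i = 0; $i -lt $ids.Count; $i++) {
        if ($ids[$i] -ieq $Id) { return [int]$actions[$i] }
    }
    return $null
}

$sig    = [version](Get-MpComputerStatus).AntivirusSignatureVersion
$action = Get-AsrRuleAction -Id $RuleId
$state  = if ($null -eq $action) { 'NotConfigured' } else { $ActionNames[$action] }
$links  = @(Get-ChildItem -Path $StartMenu -Filter *.lnk -Recurse -ErrorAction SilentlyContinue)

# Event 1121 is an ASR block and 1122 an ASR audit hit; keep those naming this rule.
$hits = @(Get-WinEvent -FilterHashtable @{ LogName = $DefenderLog; Id = 1121, 1122 } `
            -ErrorAction SilentlyContinue | Where-Object { $_.Message -match $RuleId })

[pscustomobject]@{
    SignatureVersion   = $sig
    IsSuspectSignature = ($sig -eq $SuspectSig)
    RuleState          = $state
    StartMenuShortcuts = $links.Count
    RuleEvents         = $hits.Count
}

if ($Apply -and $action -eq 1) {
    # Change only this rule from Block to Audit; other ASR rules are left as they are.
    # On devices managed by Intune or Group Policy the lasting change belongs in that policy.
    Add-MpPreference -AttackSurfaceReductionRules_Ids $RuleId `
                     -AttackSurfaceReductionRules_Actions AuditMode
    "Rule state now: $($ActionNames[(Get-AsrRuleAction -Id $RuleId)])"
}
```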
Frustration then turned to anger. “How the hell did this update pass Microsoft’s testing/QA? They test before they push updates, right? Boys? Right?”
And: “Yes, Microsoft to hell with it. False Attack Surface Alerts for Most Start Menu Shortcuts.”
Another added: “The Defender really is the gift that keeps on giving!”
We’ve asked Microsoft for comment, and we’ll update when Redmond arrives at the keyboard. ®