Attack surface reduction rule triggers a mess on Friday the 13


    #2523174

    #Fridaythethirteenthmess Microsoft 365 Status on Twitter: “The revert is in progress and may take several hours to complete. We recommend placing the
    [See the full post at: Attack surface reduction rule triggers a mess on Friday the 13]

    Susan Bradley Patch Lady

    2 users thanked author for this post.
    • #2523185

      Hi Susan:

      Thanks for the heads up.

      Is it safe to assume that home users with a Win 10/Win 11 Pro OS who used their Local Group Policy Editor (gpedit.msc) to “Block Office applications from creating child processes” (GUID Value: D4F940AB-401B-4EFC-AADC-AD5F3C50688A) as instructed in your post <here> in the AskWoody Plus Newsletter Issue 18.39 • 2021-10-11 are not affected by this problem?

      Your post today suggests that the only rule added to Computer Configuration | Administrative Templates | Windows Components | Microsoft Defender Antivirus | Microsoft Defender Exploit Guard | Attack Surface Reduction that can cause shortcuts to disappear is “Block Win32 API calls from Office macros” (GUID Value: 92e97fa1-2edf-4476-bdd6-9dd0b4dddc7b).
      ————–
      Dell Inspiron 5584 * 64-bit Win 10 Pro v22H2 build 19045.2486 * Firefox v108.0.2 * Microsoft Defender v4.18.2211.5-1.1.19900.2 * Malwarebytes Premium v4.5.20.230-1.0.1868 * Macrium Reflect Free v8.0.7279

      1 user thanked author for this post.
      • #2523194

        Correct it’s only the one rule – Office macros – that will trigger the issue.

        Susan Bradley Patch Lady

        1 user thanked author for this post.
      • #2523210

        Win 10 Pro 22H2 19045.2364

        I had the problem with shortcuts and programs disappearing with Security intelligence for Microsoft Defender version 1.381.2140.0.

        Restored my C drive Image using Image for Windows.

        MS has released a new Microsoft Defender 1.381.2152.0.

        I am using Configure Defender. Changed Block Win32 API calls from Office Macros to Audit. Changed Block win32 macros to audit.

        Now all is good.
        B

    • #2523204

      It’s worth knowing that any Orgs that have deployed MS Security Baselines will have ASR configured (by default).

      I’ve just spent the day clearing up this mess.  Thanks Microsoft…

    • #2523240

      Am I as a home W10 user affected by this? Is there something I need to do?

      • #2523258

        No, unless you’ve specifically selected that ASR rule to block Office macros.

        Susan Bradley Patch Lady

    • #2523322

      Microsoft: This issue is resolved in security intelligence update build 1.381.2164.0. Installing security intelligence update build 1.381.2164.0 or later should prevent the issue, but it will not restore previously deleted shortcuts. You will need to recreate or restore these shortcuts through other methods.

      https://www.microsoft.com/en-us/wdsi/definitions/antimalware-definition-release-notes?requestVersion=1.381.2164.0

      Version: 1.381.2181.0

      https://www.neowin.net/news/microsoft-says-it-cant-restore-defender-deleted-shortcuts-on-windows-11-and-10-for-you/

    • #2523331

      From aka.ms/asrfprecovery:

      To recover deleted Windows shortcut lnks

      Microsoft has confirmed steps that customers can take to recreate start menu links for a significant sub-set of the affected applications that were deleted. These have been consolidated into the PowerShell script below to help enterprise administrators take recovery actions in their environment.

      The first version of the script is available here: MDE-PowerBI-Templates/AddShortcutsV1.ps1 at master · microsoft/MDE-PowerBI-Templates · GitHub

      Microsoft will continue to enhance this script.

      For customers that prefer manual steps rather than the script, running an application repair on affected applications will recreate deleted links. Users can run the Application Repair functionality for programs including Microsoft 365, Microsoft Edge, and Microsoft Visual Studio.

      To repair an application, follow these instructions:

      Windows 10:
      Select Start > Settings > Apps > Apps & features
      Select the app you want to fix.
      Select Modify link under the name of the app if it is available.
      A new page will launch and allow you to select repair.

      Windows 11:
      Type “Installed Apps” in the search bar.
      Click “Installed Apps”.
      Select the app you want to fix.
      Click on “…”
      Select Modify or Advanced Options if it is available.
      A new page will launch and allow you to select repair.

      Verifying environment impact [Business Admins]

      Customers can verify the impact of this issue in their environment through the following advanced hunting queries (AHQs):

      This AHQ can retrieve all devices with ASR rule “Block Win32 API calls from Office macro” enabled on “Block” mode:

      https://security.microsoft.com/v2/advanced-hunting?query=H4sIAAAAAAAAA32S3U7CQBCFz7WJ79B4BQkaEW8xqaI…

      Quick Repair restored missing Office shortcuts to my Start menu. The longer Online Repair should be unnecessary.

      Windows 11 Pro version 22H2 build 22621.1192 + Microsoft 365/Edge

      1 user thanked author for this post.
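The thread boils down to two conditions that have to coincide on a machine: the ASR rule “Block Win32 API calls from Office macros” (GUID 92e97fa1-2edf-4476-bdd6-9dd0b4dddc7b) set to Block, and a security intelligence version older than the fixed build 1.381.2164.0. The following PowerShell is an added example, not from the thread, from Susan's post, or from Microsoft's recovery page, that checks both conditions on a local Windows 10/11 machine using the built-in Defender cmdlets Get-MpPreference, Get-MpComputerStatus and Set-MpPreference; the GUID and the version number are the ones quoted above, and the script only reports and prints the remediation command rather than changing anything itself.

```powershell
# Added example (not code from the thread or from Microsoft's aka.ms/asrfprecovery page).
# Reports whether this machine matches the conditions described in the thread:
# the ASR rule "Block Win32 API calls from Office macros" in Block mode while the
# security intelligence version is older than the fixed build 1.381.2164.0.
# Run in an elevated PowerShell session on Windows 10/11 with Microsoft Defender.

$RuleId       = '92e97fa1-2edf-4476-bdd6-9dd0b4dddc7b'   # GUID quoted in the thread
$FixedVersion = [version]'1.381.2164.0'                   # first build Microsoft calls fixed

# Action codes returned by Get-MpPreference: 0 = Disabled, 1 = Block, 2 = Audit, 6 = Warn
$ActionNames = @{ 0 = 'Disabled'; 1 = 'Block'; 2 = 'Audit'; 6 = 'Warn' }

function Get-AsrRuleAction {
    # Returns the numeric action configured for one ASR rule GUID (0 if not configured).
    param([string]$Id)
    $pref = Get-MpPreference
    $ids  = @($pref.AttackSurfaceReductionRules_Ids)
    $acts = @($pref.AttackSurfaceReductionRules_Actions)
    for ($i = 0; $i -lt $ids.Count; $i++) {
        if ($ids[$i] -ieq $Id) { return [int]$acts[$i] }
    }
    return 0   # rule absent from the list means it is not enabled at all
}

$action = Get-AsrRuleAction -Id $RuleId
$sigVer = [version](Get-MpComputerStatus).AntivirusSignatureVersion

"ASR rule $RuleId : $($ActionNames[$action])"
"Security intelligence version: $sigVer (fixed in $FixedVersion)"

if ($action -eq 1 -and $sigVer -lt $FixedVersion) {
    Write-Warning 'Rule is in Block mode on a pre-fix signature version.'
    Write-Warning 'Update security intelligence (Update-MpSignature), or switch the rule to Audit until updated:'
    Write-Warning "  Set-MpPreference -AttackSurfaceReductionRules_Ids $RuleId -AttackSurfaceReductionRules_Actions AuditMode"
}
elseif ($action -eq 1) {
    'Rule is in Block mode, but the signature version already contains the fix.'
}
else {
    'Rule is not in Block mode; this machine was not exposed to the shortcut deletion.'
}
```

Where the rule is pushed by Group Policy or an MDM baseline (the situation the “MS Security Baselines” reply describes), Set-MpPreference on the endpoint will be overridden at the next policy refresh, so the durable fix is the signature update or an Audit-mode change at the policy source; the script is still useful for confirming which machines were actually at risk before running the shortcut recovery steps above.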