Operational Defect Database

BugZero updated this defect 487 days ago.

Microsoft Windows Server | WI497249

Application shortcuts might not work from the Start menu or other locations

Last update date:

1/19/2023

Affected products:

Affected releases:

Fixed releases:

Description:

Impact: Errors might be observed when trying to run exe files. Changes to Microsoft Defender can help.

Originating KB URL: N/A
Originating Build: N/A
Resolved KB URL: N/A
Date Resolved: 2023-01-18T20:22:46.7954437-08:00

Vendor Message History:
=======================

Published: 2023-01-19T04:23:41.063+00:00
----------------------------------------

After installing security intelligence update build 1.381.2140.0 for Microsoft Defender, application shortcuts in the Start menu, pinned to the taskbar, and on the Desktop might be missing or deleted. Additionally, errors might be observed when trying to run executable (.exe) files which have dependencies on shortcut files.

Affected devices have the Attack Surface Reduction (ASR) (https://learn.microsoft.com/microsoft-365/security/defender-endpoint/overview-attack-surface-reduction) rule "Block Win32 API calls from Office macro" enabled. After installing security intelligence build 1.381.2140.0, detections resulted in the deletion of certain Windows shortcut (.lnk) files that matched the incorrect detection pattern.

Windows devices used by consumers in their home or small offices are not likely to be affected by this issue.

Workaround: Changes to Microsoft Defender can mitigate this issue. The Attack Surface Reduction (ASR) (https://learn.microsoft.com/microsoft-365/security/defender-endpoint/overview-attack-surface-reduction) rules in Microsoft Defender are used to regulate software behavior as part of security measures. Changing ASR rules to Audit Mode can help prevent this issue. This can be done through the following options:
- Using Intune: Enable attack surface reduction rules | Defender for Endpoint: Microsoft Endpoint Manager (https://learn.microsoft.com/microsoft-365/security/defender-endpoint/enable-attack-surface-reduction?view=o365-worldwide#mem)
- Using Group Policy: Enable attack surface reduction rules | Defender for Endpoint: Group Policy (https://learn.microsoft.com/microsoft-365/security/defender-endpoint/enable-attack-surface-reduction?view=o365-worldwide#group-policy)

Microsoft Office applications can be launched through the Microsoft 365 app launcher. More details on the Microsoft 365 app launcher can be found in Meet the Microsoft 365 app launcher (https://support.microsoft.com/office/meet-the-microsoft-365-app-launcher-79f12104-6fed-442f-96a0-eb089a3f476a)

Next steps: This issue is resolved in security intelligence update build 1.381.2164.0. Installing security intelligence update build 1.381.2164.0 or later should prevent the issue, but it will not restore previously deleted shortcuts. You will need to recreate or restore these shortcuts through other methods. For additional information and help recovering missing shortcuts, see Recovering from Attack Surface Reduction rule shortcut deletions (https://aka.ms/asrfprecovery) (updated on January 17, 2023 to include additional guidance and scripts to help with recovery).

Affected platforms:
- Client: Windows 11, version 22H2; Windows 10, version 22H2; Windows 11, version 21H2; Windows 10, version 21H2; Windows 10, version 20H2; Windows 10 Enterprise LTSC 2019; Windows 10 Enterprise LTSC 2016; Windows 10 Enterprise 2015 LTSB
- Server: None

Published: 2023-01-13T23:35:08.87+00:00
----------------------------------------

After installing security intelligence update build 1.381.2140.0 for Microsoft Defender, application shortcuts in the Start menu, pinned to the taskbar, and on the Desktop might be missing or deleted. Additionally, errors might be observed when trying to run executable (.exe) files which have dependencies on shortcut files.

Affected devices have the Attack Surface Reduction (ASR) (https://learn.microsoft.com/microsoft-365/security/defender-endpoint/overview-attack-surface-reduction) rule "Block Win32 API calls from Office macro" enabled. After installing security intelligence build 1.381.2140.0, detections resulted in the deletion of certain Windows shortcut (.lnk) files that matched the incorrect detection pattern.

Windows devices used by consumers in their home or small offices are not likely to be affected by this issue.

Workaround: Changes to Microsoft Defender can mitigate this issue. The Attack Surface Reduction (ASR) (https://learn.microsoft.com/microsoft-365/security/defender-endpoint/overview-attack-surface-reduction) rules in Microsoft Defender are used to regulate software behavior as part of security measures. Changing ASR rules to Audit Mode can help prevent this issue. This can be done through the following options:
- Using Intune: Enable attack surface reduction rules | Defender for Endpoint: Microsoft Endpoint Manager (https://learn.microsoft.com/microsoft-365/security/defender-endpoint/enable-attack-surface-reduction?view=o365-worldwide#mem)
- Using Group Policy: Enable attack surface reduction rules | Defender for Endpoint: Group Policy (https://learn.microsoft.com/microsoft-365/security/defender-endpoint/enable-attack-surface-reduction?view=o365-worldwide#group-policy)

Microsoft Office applications can be launched through the Microsoft 365 app launcher. More details on the Microsoft 365 app launcher can be found in Meet the Microsoft 365 app launcher (https://support.microsoft.com/office/meet-the-microsoft-365-app-launcher-79f12104-6fed-442f-96a0-eb089a3f476a)

Next steps: This issue is resolved in security intelligence update build 1.381.2164.0. Installing security intelligence update build 1.381.2164.0 or later should prevent the issue, but it will not restore previously deleted shortcuts. You will need to recreate or restore these shortcuts through other methods.

Affected platforms:
- Client: Windows 11, version 22H2; Windows 10, version 22H2; Windows 11, version 21H2; Windows 10, version 21H2; Windows 10, version 20H2; Windows 10 Enterprise LTSC 2019; Windows 10 Enterprise LTSC 2016; Windows 10 Enterprise 2015 LTSB
- Server: None
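
Added example (not part of the vendor message and not Microsoft's recovery script): a per-device check that compares the installed security intelligence build with the two builds named above and, if the rule is still in Block mode on an unfixed build, applies the Audit Mode workaround locally. Assumptions: the rule GUID is the one Microsoft documents for "Block Win32 API calls from Office macros" and should be confirmed against the ASR rules reference, and the local PowerShell route is used here in place of the Intune and Group Policy options the advisory lists.

```powershell
# Added example. Run in an elevated PowerShell session on the device being checked.
# Assumption: GUID of the ASR rule "Block Win32 API calls from Office macros".
$RuleId     = '92e97fa1-2edf-4476-bdd6-9dd0b4dddc7b'
$BadBuild   = [version]'1.381.2140.0'   # build this advisory names as causing deletions
$FixedBuild = [version]'1.381.2164.0'   # build this advisory names as resolving the issue
$ActionName = @{ 0 = 'Disabled'; 1 = 'Block'; 2 = 'Audit'; 6 = 'Warn' }

function Get-AsrRuleAction {
    # Returns the numeric action for one ASR rule, or $null if the rule is not configured.
    param([string]$Id)
    $pref = Get-MpPreference
    $ids  = @($pref.AttackSurfaceReductionRules_Ids)
    $acts = @($pref.AttackSurfaceReductionRules_Actions)
    for ($i = 0; $i -lt $ids.Count; $i++) {
        if ($ids[$i] -ieq $Id) { return [int]$acts[$i] }
    }
    return $null
}

$sigVersion = [version](Get-MpComputerStatus).AntivirusSignatureVersion
$action     = Get-AsrRuleAction -Id $RuleId
$state      = if ($null -eq $action) { 'NotConfigured' } else { $ActionName[$action] }

"Security intelligence build : $sigVersion"
"ASR rule state              : $state"

if ($sigVersion -ge $FixedBuild) {
    'At or past the fixed build. Shortcuts already deleted are not restored by the update.'
}
elseif ($action -eq 1) {
    if ($sigVersion -ge $BadBuild) {
        'Build is in the affected range and the rule is in Block mode.'
    }
    # Workaround from the advisory: Block -> Audit until the fixed build is installed.
    # Rules deployed by Intune or Group Policy must be changed there instead,
    # because managed policy can override this local setting.
    Add-MpPreference -AttackSurfaceReductionRules_Ids $RuleId `
                     -AttackSurfaceReductionRules_Actions AuditMode
    Update-MpSignature   # pull the current security intelligence build
    "Rule set to Audit; build is now $((Get-MpComputerStatus).AntivirusSignatureVersion)"
}
else {
    # Rule is not blocking, so only the security intelligence update is needed.
    Update-MpSignature
    "Rule not in Block mode; build is now $((Get-MpComputerStatus).AntivirusSignatureVersion)"
}
```

Once the fixed build is confirmed on the device, the rule can be returned to Block mode through the same management channel that originally set it.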


Status

Resolved
