Microsoft releases scripts to restore shortcuts deleted in faulty Windows Defender update
However, some users have resorted to creating their own fixes after finding Microsoft’s scripts problematic


Microsoft has released scripts in an attempt to help users fix an issue caused by a faulty Windows Defender update issued on 13 January.
The tech giant pushed a Microsoft Defender for Endpoint update which caused users to experience a “series of false positive detections” for the Attack Surface Reduction (ASR) rule 'Block Win32 API calls from Office macro'. The false positives had the unintended effect of deleting Windows shortcut (.lnk) files, and only builds between 1.381.2134.0 and 1.381.2163.0 were affected.
Microsoft published instructions on 14 January detailing how system administrators can restore shortcuts that were accidentally deleted by the update. First, the tech giant is advising customers to update to build 1.381.2164.0 or later. However, this will not restore deleted files.
When the update was initially deployed and system administrators were looking for ways to repair their systems, one of the fixes suggested by administrators was to switch “Block Win32 calls from Office macros” to audit mode. Microsoft has now said this can safely be switched back to block mode once the new update has been installed and deployed.
The tech giant has also outlined steps clients can take to retrieve deleted Windows shortcuts. It said this works for “a significant subset of the affected applications that were deleted". The steps are provided in a PowerShell script, with Version 1.1 available on GitHub.
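The recovery steps above (confirm the fixed signature build, return the ASR rule to block mode, then recreate shortcuts for applications still on disk) as an added PowerShell example; this is not Microsoft's script or any community script. It assumes an elevated session on a Windows endpoint with the Defender PowerShell module, and the `$KnownApps` table is a constructed sample, not Microsoft's application list.

```powershell
# Added example (not Microsoft's script): checks the Defender signature build,
# switches the ASR rule back to block mode, and recreates a Start Menu shortcut
# for each listed application whose executable still exists.

# GUID of "Block Win32 API calls from Office macros" from Microsoft's ASR rule
# reference; confirm it against that reference before deploying.
$AsrRuleId  = '92E97FA1-2EDF-4476-BDD6-9DD0B4DDDC7B'
$FixedBuild = [version]'1.381.2164.0'

# 1. Only re-enable block mode once the fixed security intelligence build is present.
$sigVersion = [version](Get-MpComputerStatus).AntivirusSignatureVersion
if ($sigVersion -lt $FixedBuild) {
    Write-Warning "Signature build $sigVersion is still affected; run Update-MpSignature first."
    return
}
# 'Enabled' is block mode; 'AuditMode' is the value the interim workaround used.
Set-MpPreference -AttackSurfaceReductionRules_Ids $AsrRuleId `
                 -AttackSurfaceReductionRules_Actions Enabled
Write-Host "ASR rule $AsrRuleId set back to block mode (signature build $sigVersion)."

# 2. Recreate missing Start Menu shortcuts. Shortcut name -> executable path
#    (constructed sample entries; extend for your estate).
$KnownApps = @{
    'Word'      = "$env:ProgramFiles\Microsoft Office\root\Office16\WINWORD.EXE"
    'Excel'     = "$env:ProgramFiles\Microsoft Office\root\Office16\EXCEL.EXE"
    'Notepad++' = "$env:ProgramFiles\Notepad++\notepad++.exe"
}
$startMenu = Join-Path $env:ProgramData 'Microsoft\Windows\Start Menu\Programs'
$shell     = New-Object -ComObject WScript.Shell

foreach ($name in $KnownApps.Keys) {
    $target = $KnownApps[$name]
    $lnk    = Join-Path $startMenu "$name.lnk"
    if (-not (Test-Path $target)) { Write-Host "skip ${name}: not installed"; continue }
    if (Test-Path $lnk)           { Write-Host "keep ${name}: shortcut present"; continue }
    # This writes a new .lnk; it does not recover the original file or its icon/arguments.
    $sc = $shell.CreateShortcut($lnk)
    $sc.TargetPath       = $target
    $sc.WorkingDirectory = Split-Path $target
    $sc.Save()
    Write-Host "recreated $lnk"
}
```

As the user quotes below point out, this approach only covers the Start Menu and only the applications you list; quick access and toolbar shortcuts need separate handling.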
Microsoft has provided Microsoft Defender advanced hunting queries (AHQs) to help administrators find shortcuts that have been affected by the rule "Block Win32 API calls from Office macro". There are three AHQs in total:
- The first retrieves block events from devices running the ASR rule in block mode
- The second retrieves events from devices running the ASR rule in both block and audit mode
- The third retrieves the number of devices running the ASR rule and reports whether it exceeds 10,000 devices
Some administrators have voiced concerns about the scripts provided by Microsoft, claiming that they don’t report all the shortcuts that have been lost.
“We have many devices that have lost at least all office shortcuts. The AH[Q] only reports a few of them,” wrote one user on the Microsoft community website.
“This script isn't a definitive fix, it misses various apps as discussed by others. You cannot simply customise it/add all your apps as indicated and does not really 'restore' anything - it just creates a new shortcut as the original folders in start menu [and] programs still exist but the shortcut is not restored there,” said one user.
“Also doesn't address anything other than the start menu [such as] quick access [or] toolbar shortcuts. Three days on and [this is] the best Microsoft can do? And the next update is 8pm tonight UTC.”
Since users have experienced problems with the scripts, members of the community have developed their own solutions and are sharing links to GitHub with their own scripts.
Tech workers have been engaged in online discussions, trying to fine-tune the crowdsourced solutions to the Windows Defender issues.
The community-developed scripts lack functionality for non-English-speaking countries; however, a large list of applications has been added, with more being added throughout Monday.
At the time of writing, major applications from Microsoft, Adobe, Google, Mozilla, Dell, Nvidia, RingCentral, and many more are supported with users reporting positive results.
Zach Marzouk is a former ITPro, CloudPro, and ChannelPro staff writer, covering topics like security, privacy, worker rights, and startups, primarily in the Asia Pacific and the US regions. Zach joined ITPro in 2017 where he was introduced to the world of B2B technology as a junior staff writer, before he returned to Argentina in 2018, working in communications and as a copywriter. In 2021, he made his way back to ITPro as a staff writer during the pandemic, before joining the world of freelance in 2022.