Facepalm: Microsoft Defender should provide plenty of security features for Windows-based home and enterprise customers. Some of those features, however, are turning against users and making system administrators regret yet another unlucky Friday the 13th.

Last Friday was a rather unlucky day for Windows users and system administrators worldwide. According to multiple reports, Microsoft Defender for Endpoint turned into a shortcut and file "killer" that fateful day, after the security suite began to delete application shortcuts from the Windows Taskbar and Start Menu, sometimes even removing the linked program files from disk.

The issue was experienced by multiple system admins on Windows 10 and Windows 11, and its likely cause was soon pinned down to an ASR rule modified by a recent update for Defender. Attack surface reduction (ASR) rules target certain software behaviors like launching executables and scripts, running obfuscated scripts or "performing behaviors that apps don't usually initiate during normal day-to-day work," Microsoft explains.

The ASR rule in question is "Block Win32 API calls from Office macro," sysadmins discovered, and it went haywire after Microsoft released the 1.381.2140.0 signature update for Defender. In some cases, the modified rule pushed the system antimalware to both remove the shortcuts and uninstall the Office productivity suite altogether.

In addition to Office, many other programs were affected by the shortcut and file-killer update, including Google Chrome, Mozilla Firefox, Slack, Visual Studio, Notepad++, Adobe Acrobat, and more. A subsequent bulletin from Microsoft confirmed that the issue was indeed the updated "Block Win32 API calls from Office macro" ASR rule.

As a mitigation measure, the Redmond corporation said system administrators could change ASR behavior to "Audit Mode" by using Intune or Windows's own Group Policy. A definitive solution then came a day later, with a new ASR rule included in the 1.381.2164.0 update for Defender. However, shortcuts and programs deleted by the AV were lost for good, Microsoft said, as they had to be recreated or reinstalled from scratch.

A further update posted on Microsoft Community Hub offered a partial solution to this last issue, with a PowerShell script designed to recreate the deleted shortcuts for 33 of the most popular programs affected by the bug (see list below). Needless to say, the script didn't bring joy to those sysadmins that were forced to reinstall deleted programs or recreate the shortcuts that were deployed per-user in a multi-user organization.

Adobe Acrobat Adobe Photoshop 2023
Adobe Illustrator 2023 Adobe Creative Cloud
Firefox Private Browsing Firefox
Google Chrome Microsoft Edge
Notepad++ Parallels Client
Remote Desktop TeamViewer
Royal TS6 Elgato StreamDeck
Visual Studio 2022 Visual Studio Code
Camtasia Studio Camtasia Recorder
Jabra Direct 7-Zip File Manager
Access Excel
OneDrive OneNote
Outlook PowerPoint
Project Publisher
Visio Word
PowerShell 7 (x64) SQL Server Management Studio
Azure Data Studio