Apps and icons disappear due to Microsoft Defender ASR rules • A Registration

Technicians have reported that Microsoft Defender for Endpoint attack surface reduction (ASR) rules are broken, removing icons and application shortcuts from the taskbar and Start menu.

The problems were first noticed today, Friday the 13th, by several IT professionals, and it seems many people are scratching their heads as to the cause. Some have said they are experiencing it on both Windows 10 and Windows 11.

“I noticed it around 8:45 UTC,” a technician at an independent software store told us. “The ASR rule removes icons from the taskbar and Start menu, and in some cases also removes Microsoft Office.”

ASR is designed to make your computer more secure against macros, etc. blocking it, but the cleanup is certainly more dramatic than expected. “It just happened, we don’t know what caused it.

“We suspected a KP – a patch on Tuesday – went wrong, but I’ve spoken to a lot of others this morning and we think it’s definitely related to the ASR rules.”

A thread on Reddit indicates that this is not an isolated incident with other sysadmins stepping in. The person who started the conversation said:

“We recently got into Defender for Endpoint, and this morning we’ve had several reports that the program’s shortcuts (Chrome, Firefox, Outlook) have all disappeared after restarting their machines, which has happened to me as well. It seems to be blocking the rule: ” Block Win32 API calls from an Office macro”.

Another said they were seeing “exactly the same problem” and had to “press rule update to put this rule in Audit mode instead of Disable – because that trashes almost all third-party apps and even internal apps, as you said – Slack, Chrome, Outlook.”

“Same. Huge number of planes bombed in the last hour. Happy Friday,” said another. All Microsoft applications, including Excel and Word, also went AWOL, another administrator said.

Until now, Microsoft has remained silent publicly about the issue, although it published document number MO497128 in the Microsoft 365 Suite category, not in the Defender category. Warning:

A technician claimed that the issue was with the latest Defender signature (1.381.2140.0). They said that after that it appears that “all shortcuts in ProgramData\Microsoft\Windows\Start Menu\Programs are immediately deleted”.

Deleting the ASR rules worked for one IT professional, and another said he changed the rule to Audit “and it seems to work. The difficulty is that InTune’s policy doesn’t take effect very quickly, and on some machines we also need to patch Office as outlook.exe is literally missing (not just the shortcut).

Agreeing with this, one poster said: “Set the defender ASR 92e97fa1-2edf-4476-bdd6-9dd0b4dddc7b rule for inspection only. He confirmed that it works but reduces protection. If a high risk is applied to the entire organization, it should be managed by management.”

Disappointment then turned to anger. “How the hell did this update pass Microsoft testing/QA? They test before updating right? Guys? Right?”.

And: “Yeah, Microsoft screwed up. False Attack Surface alerts for most Start menu shortcuts.”

Another added: “The protector really is the gift that keeps on giving!”

We’ve reached out to Microsoft for comment and will update if Redmond gets its hands on the keyboard. ®