Forum Discussion
Solved
Antivirus deletes all shortcuts from the desktop
After this morning's update of security intelligence to version 1.381.2140.0, defender is deleting on all clients all links to applications; does anyone have the same problem?
- We've had the same problem .. all shortcuts on every device has been deleted
- Also affected here. Latest from MS...
January 13, 2023 1:06 PM ยท Quick update
We've identified that a specific rule was resulting in impact. We've reverted the rule to prevent further impact whilst we investigate further. This quick update is designed to give the latest information on this issue. We have the same issue and many more.
https://www.reddit.com/r/sysadmin/comments/10ar1vb/multiple_users_reporting_microsoft_apps_have/Set the following ASR rule to Audit.
Block Win32 API calls from Office macros
Rule-ID 92e97fa1-2edf-4476-bdd6-9dd0b4dddc7b
Then you can restore the links. Microsoft needs to fix this ASAP
Has Microsoft made any comment
- Now there is the advisory on Service health in Microsoft365 Admin portal: Some users are unable to utilize the Application shortcuts on the Start menu and taskbar
MO497128, Last updated: January 13, 2023 12:57 PM
Estimated start time: January 13, 2023 12:43 PM
- yeah we are seeing this across multiple orgs too. We are testing the suggested fix
- I modified the rule: Block Win32 API calls from Office macros
from Block to Audit mode
in MDM Security Baseline
category Microsoft Defender- The support team have confirmed this is a known issue from today .. and recommend doing this until the fix. They also tell me that they will get the shortcuts put back.. but we'll see
yongrheemsftMicrosoft
@michelariis, please open a MS CSS support ticket, and mark it as a Sev-A.
Thx,
Yong Rhee - MSFT- We also see some other files affacted, for examples .xml files and Microsoft Store Apps like Picture.library-ms and some other.
We are also affected, started around 10:30am GMT+2. We saw Defender deleting .lnk files and also blocking/deleting Windows Store Apps from Microsoft. We changed the affected ASR rule and try to force all clients to sync, but it may be to late from my reports we got so far.
