Microsoft admins had a rough Friday the 13th this past January 13, thanks to a problem with Windows Security and Defender for Endpoint. The Attack Surface Reduction (ASR) rule pushed to some Windows 10 and 11 customers caused havoc for a number of users: false positives tied to the "Block Win32 API calls from Office macro" rule led to files being deleted. The result: Affected users lost pinned shortcuts and icons across their desktop, Taskbar and Start Menu.
On Saturday, January 14, Microsoft released an updated build (1.381.2164.0) meant to help customers recover from the mess. However, the updated security intelligence build doesn't restore deleted files, meaning users will have to recreate links for "a significant sub-set of the affected applications that were deleted."
Microsoft created a PowerShell script to help customers recover a small number of the applications likely affected. Microsoft also is advising E5 and A5 admins with access to Defender for Endpoint Advanced Hunting to run certain queries to identify impacted devices. (Those without access to Advanced Hunting, such as Defender for Business customers, are unable to do this.)
There's no word from Microsoft on whether the company believes it can create a fix that could recover the deleted files, but IT pros commenting on various blogs are doubtful. Admins are more interested in knowing how Microsoft could release this type of update without having checked for possible impacts -- another question that is highly unlikely to get a public or private answer.
"This doesn't seem like the kind of thing that should make it through testing," said Directions on Microsoft analyst Wes Miller.