
Microsoft released Advanced Hunting Queries (AHQ) and a PowerShell script to find and recover some of the Windows app shortcuts deleted Friday morning by a buggy Microsoft Defender ASR rule.

Early in the morning of January 13, Microsoft released a new Microsoft Defender signature update that included a change to the Attack Surface Reduction (ASR) rule known as "Block Win32 API calls from Office macros" in Configuration Manager and "Win32 imports from Office macro code" in Intune.

This rule detects and prevents malware from using VBA macros to call Win32 APIs.

However, a bug in the updated rule caused Microsoft Defender to generate false positives and remove application shortcuts from the desktop, Start menu, and Windows taskbar.

This faulty rule caused widespread disruption in corporate environments, with users unable to quickly launch their applications and Windows administrators scrambling to restore shortcuts.

Microsoft later reverted the change in a new signature update, 1.381.2164.0, but warned administrators that it could take a few hours for the latest signatures to propagate to all environments.

Script published to recreate deleted shortcuts

On Saturday morning, Microsoft released advanced hunting queries to find affected shortcuts and a PowerShell script to recreate shortcuts for some of the most frequently deleted apps.

“Microsoft has confirmed steps customers can take to recreate the start menu links for a significant subset of the affected apps that have been removed,” Microsoft explained in a new supporting document.

“These have been bundled into the PowerShell script below to help enterprise administrators take recovery action in their environment.”

To determine the impact of this bug in your organization, Microsoft Defender advanced hunting queries can be used to retrieve Friday's events associated with the faulty rule.
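For a single device without portal access, the same impact check can be made against Defender's local event log. The following is an added example and is not one of Microsoft's published hunting queries: it assumes the documented rule ID 92E97FA1-2EDF-4476-BDD6-9DD0B4DDDC7B for "Block Win32 API calls from Office macros", that ASR blocks are logged as event ID 1121 (block) and 1122 (audit) in the Microsoft-Windows-Windows Defender/Operational log, and that the affected file path appears in the event message text; parsing the message with a regex is a heuristic chosen for this example.

```powershell
# Added example, not Microsoft's AHQ: list .lnk files hit by the faulty ASR rule on
# this device during the January 13 window described in the article.
$RuleId = '92E97FA1-2EDF-4476-BDD6-9DD0B4DDDC7B'   # documented ID of the rule (assumed here)
$Start  = Get-Date '2023-01-13'
$End    = $Start.AddDays(1)

# ASR block/audit events live in Defender's operational log as IDs 1121/1122.
$events = Get-WinEvent -FilterHashtable @{
    LogName   = 'Microsoft-Windows-Windows Defender/Operational'
    Id        = 1121, 1122
    StartTime = $Start
    EndTime   = $End
} -ErrorAction SilentlyContinue

$hits = foreach ($e in $events) {
    # Match on the rule GUID and pull the first .lnk path out of the message text
    # (heuristic: field layout in the message is not relied on positionally).
    if ($e.Message -notmatch $RuleId) { continue }
    if ($e.Message -match '(?i)(?<path>[A-Z]:\\[^\r\n"]+?\.lnk)') {
        [pscustomobject]@{
            Time   = $e.TimeCreated
            Mode   = if ($e.Id -eq 1121) { 'Block' } else { 'Audit' }
            Target = $Matches['path']
        }
    }
}

$hits | Sort-Object Time | Format-Table -AutoSize
"{0} shortcut(s) hit by rule {1} on this device" -f @($hits).Count, $RuleId
```

Run it elevated; the 'Mode' column distinguishes devices where the rule was only in audit mode (no shortcuts deleted) from those where it actively blocked, and the listed targets are the files to recreate or restore.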

If your organization is affected, you can use the PowerShell script Microsoft shared on GitHub, which scans the HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\ registry key to check whether thirty-three specific programs are installed on a computer.

If a program is installed, the script will check if a corresponding shortcut exists in the Start menu and, if not, recreate it.

The list of applications whose shortcuts will be recreated is:

Adobe Acrobat
Adobe Photoshop 2023
Adobe Illustrator 2023
Adobe Creative Cloud
Firefox Private Browsing
Firefox
Google Chrome
Microsoft Edge
Notepad++
Parallels Client
Remote Desktop
TeamViewer
Royal TS6
Elgato StreamDeck
Visual Studio 2022
Visual Studio Code
Camtasia Studio
Camtasia Recorder
Jabra Direct
7-Zip File Manager
Access
Excel
OneDrive
OneNote
Outlook
PowerPoint
Project
Publisher
Visio
Word
PowerShell 7 (x64)
SQL Server Management Studio
Azure Data Studio

Organizations missing shortcuts for programs not listed above can add other applications to the script's $programs table.
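The recovery logic the article describes, as an added example written for this page rather than Microsoft's own script: detect installed programs through the App Paths registry key, check whether a Start-menu shortcut exists, and recreate it with the WScript.Shell COM object. The $programs table here is an illustrative subset an administrator would extend; the example also consults the HKCU App Paths key and the per-user Start menu, and places a new shortcut in the per-user Start menu when the program is installed inside the user profile, which is an assumption chosen to cover per-user installs.

```powershell
# Added example, not Microsoft's script: recreate missing Start-menu shortcuts.
# Keys are the shortcut display name, values the App Paths subkey (exe name).
$programs = @{
    'Google Chrome'      = 'chrome.exe'
    'Microsoft Edge'     = 'msedge.exe'
    'Notepad++'          = 'notepad++.exe'
    'Visual Studio Code' = 'Code.exe'
    'Word'               = 'WINWORD.EXE'
    'Excel'              = 'EXCEL.EXE'
    'Outlook'            = 'OUTLOOK.EXE'
}

# Machine-wide and per-user App Paths, machine-wide and per-user Start menus.
$appPathRoots = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths'
)
$commonStart = Join-Path $env:ProgramData 'Microsoft\Windows\Start Menu\Programs'
$userStart   = Join-Path $env:APPDATA     'Microsoft\Windows\Start Menu\Programs'

function Get-InstalledExe([string]$exe) {
    # Returns the executable path registered under App Paths, or $null if absent.
    foreach ($root in $appPathRoots) {
        $key = Join-Path $root $exe
        if (-not (Test-Path $key)) { continue }
        $target = (Get-ItemProperty -Path $key).'(default)'
        if ($target) {
            $target = $target.Trim('"')
            if (Test-Path $target) { return $target }
        }
    }
    return $null
}

function Test-ShortcutExists([string]$name) {
    # True if "<name>.lnk" exists anywhere under either Start menu tree.
    foreach ($dir in $commonStart, $userStart) {
        if (Get-ChildItem -Path $dir -Filter "$name.lnk" -Recurse -ErrorAction SilentlyContinue) {
            return $true
        }
    }
    return $false
}

$shell = New-Object -ComObject WScript.Shell
foreach ($name in $programs.Keys) {
    $target = Get-InstalledExe $programs[$name]
    if (-not $target)               { "${name}: not installed, skipping"; continue }
    if (Test-ShortcutExists $name)  { "${name}: shortcut present";        continue }

    # Assumption for this example: programs installed inside the user profile get
    # a per-user shortcut; everything else goes to the common Start menu.
    $perUser = ($target -like "$env:LOCALAPPDATA*") -or ($target -like "$env:APPDATA*")
    $dest    = if ($perUser) { $userStart } else { $commonStart }
    $lnk     = Join-Path $dest "$name.lnk"

    $sc = $shell.CreateShortcut($lnk)
    $sc.TargetPath       = $target
    $sc.WorkingDirectory = Split-Path $target
    $sc.IconLocation     = "$target,0"
    $sc.Save()
    "${name}: recreated $lnk"
}
```

Creating shortcuts in the common Start menu requires an elevated session; when run per user (for example as a logon script) only the HKCU and %APPDATA% branches are writable, which is the case the administrator quoted below is concerned with.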

Microsoft also shared steps to deploy this script using Intune to devices in a Windows domain.

For those who wish to recreate the shortcuts manually, Microsoft has shared the following steps to repair a program installation.

It should be noted that this process will take much longer, since in most cases it will reinstall the entire program. In addition, not all applications offer a repair function.

Repair an app in Windows 10:

  1. Select Start > Settings > Apps > Apps & features.

  2. Select the app you want to fix.

  3. Select the Modify link under the app name, if available.

  4. A new page will launch and allow you to select the repair.

Repair an app in Windows 11:

  1. Type “Installed apps” in the search bar.

  2. Click on “Installed apps”.

  3. Select the app you want to fix.

  4. Click on “…”

  5. Select Modify or Advanced options, if available.

  6. A new page will launch and allow you to select the repair.

Not a good enough solution

While the published PowerShell script will help recreate shortcuts for some apps, Windows admins are reporting that it doesn’t work well enough.

The script only focuses on thirty-three programs, so it won’t recreate shortcuts for many other commonly installed applications on a computer.

However, even targeted applications such as Microsoft Office do not have their shortcuts recreated in some cases.

“Unfortunately, this does not restore Microsoft Office shortcuts that were deployed per user – which is what most 365 C2R installs do. This is the default install behavior for M365 deployed through Intune, so if it can be reflected in the script – that would be very helpful”, a Windows administrator commented about the script.

Windows administrators have also pointed out that the script only recreates shortcuts in the Start menu, but fails to recreate those deleted from the Quick Launch toolbar on the Windows taskbar or Windows desktop.

As one admin noted, it may be possible to recover the Start menu, Quick Launch bar, and desktop shortcuts by restoring them from Volume Shadow Copies.

Users can use tools such as Shadow Explorer or ShadowCopyView to check if the shortcuts were saved in previous snapshots and just copy them to the system drive.

For those with many devices, using PowerShell to check for and recover the files from Volume Shadow Copies may also be an option.
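One way to script that recovery, as an added example that is not from the article or from Microsoft: mount the newest pre-incident shadow copy of the system volume through a directory symlink and copy back every .lnk file that exists in the snapshot but not in the live Start menu, Quick Launch folder or desktop. The mount point C:\vss_restore and the January 13 cutoff date are assumptions made for this example, and the script must run elevated.

```powershell
# Added example: restore missing .lnk files from a Volume Shadow Copy of C:.
$LinkPath = 'C:\vss_restore'          # arbitrary mount point for the snapshot
$Cutoff   = Get-Date '2023-01-13'     # only snapshots taken before the bad update
$Folders  = @(
    "$env:ProgramData\Microsoft\Windows\Start Menu\Programs",
    "$env:APPDATA\Microsoft\Windows\Start Menu\Programs",
    "$env:APPDATA\Microsoft\Internet Explorer\Quick Launch",
    "$env:PUBLIC\Desktop",
    "$env:USERPROFILE\Desktop"
)

# Match shadow copies to the C: volume by its \\?\Volume{GUID}\ device ID.
$sysVol = (Get-CimInstance Win32_Volume | Where-Object DriveLetter -eq 'C:').DeviceID
$shadow = Get-CimInstance Win32_ShadowCopy |
    Where-Object { $_.VolumeName -eq $sysVol -and $_.InstallDate -lt $Cutoff } |
    Sort-Object InstallDate -Descending | Select-Object -First 1
if (-not $shadow) { throw 'No shadow copy of C: found before the cutoff date.' }

# Snapshots are only reachable via a GLOBALROOT device path; expose it with a
# directory symlink (the trailing backslash after the device path is required).
if (Test-Path $LinkPath) { cmd /c rmdir $LinkPath | Out-Null }
cmd /c mklink /d $LinkPath "$($shadow.DeviceObject)\" | Out-Null

$restored = 0
foreach ($live in $Folders) {
    if ($live -notmatch '^C:\\') { continue }                 # snapshot is of C: only
    $snap = Join-Path $LinkPath $live.Substring(3)            # same path inside the snapshot
    if (-not (Test-Path $snap)) { continue }
    Get-ChildItem -Path $snap -Filter *.lnk -Recurse -File | ForEach-Object {
        $rel  = $_.FullName.Substring($snap.Length).TrimStart('\')
        $dest = Join-Path $live $rel
        if (-not (Test-Path $dest)) {
            New-Item -ItemType Directory -Path (Split-Path $dest) -Force | Out-Null
            Copy-Item -Path $_.FullName -Destination $dest
            $restored++
            "restored $dest"
        }
    }
}

cmd /c rmdir $LinkPath | Out-Null                            # remove the link, not the snapshot
"$restored shortcut(s) restored from snapshot taken $($shadow.InstallDate)"
```

The copy is additive only (nothing present on the live volume is overwritten), so it is safe to rerun; if the device has no snapshot older than the cutoff, the script stops rather than restoring from a post-deletion snapshot that would lack the files anyway.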

Overall, this bug has created a huge mess for Windows administrators and IT support, who will likely have to perform the tedious task of manually recreating some of the missing shortcuts.
