Microsoft script recreates shortcuts deleted by bad Defender ASR rule


To recover some of the Windows shortcuts that were deleted on Friday morning, Microsoft has released a PowerShell script and Advanced Hunting Queries (AHQ) for Microsoft Defender.

Microsoft released a Microsoft Defender signature update on January 13th, 2018, that introduced a change to the Attack Surface Reduction (ASR) rule known as “Block Win32 API calls from Office macro” in the Configuration Manager console and “Win32 imports from Office macro code” in the Intune console.

This rule blocks malware from using VBA macros to call Win32 APIs.

However, the updated rule contained a bug that produced false positives, deleting shortcuts from the desktop, the Start Menu, and the Windows Taskbar.

The faulty rule caused widespread disruption in corporate environments, leaving users unable to launch their programs and Windows administrators scrambling to recreate the shortcuts for their applications.

Microsoft later reverted the change in the new signature update 1.381.2164.0, but warned admins that it could take a few hours for the latest signatures to propagate to all environments.

Script released to recreate deleted shortcuts

On Saturday morning, Microsoft published Advanced Hunting queries for finding affected shortcuts and a script that recreates shortcuts for a number of commonly affected applications.

Microsoft said it had confirmed a process customers can use to restore the Start Menu links for a significant subset of the applications that were affected.

These steps have been compiled into a PowerShell script that administrators can use to carry out the restoration in their own environments.

To assess the impact of the bug on your organization, you can use the Microsoft Defender Advanced Hunting queries to retrieve Friday's detection events for the faulty rule.

The PowerShell script, shared on GitHub, checks the HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths registry key for thirty-three different programs.

If a program is installed, the script checks to see whether a corresponding shortcut exists in the Start Menu and, if not, creates it.

The list of applications whose shortcuts will be recreated is:

Applications that an organization needs but that are missing from the script can be added by appending an entry for them to the script's $programs array.
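As an added illustration (not Microsoft's script), the following PowerShell applies the same approach: each program is looked up under App Paths, and a Start Menu shortcut is created only when the program is installed and its .lnk file is missing. The $programs entries are constructed sample values and the shortcut names are assumptions.

```powershell
# Added illustration, not Microsoft's script. Entries below are constructed
# sample values; the Name fields (shortcut file names) are assumptions.
$programs = @(
    @{ Exe = 'notepad.exe'; Name = 'Notepad' }
    @{ Exe = 'mspaint.exe'; Name = 'Paint' }
)

$appPathsKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths'
$startMenu   = Join-Path $env:ProgramData 'Microsoft\Windows\Start Menu\Programs'

function Get-AppPathTarget {
    param([string]$Exe)
    $key = Join-Path $appPathsKey $Exe
    if (-not (Test-Path $key)) { return $null }
    # The (Default) value of the App Paths subkey holds the executable's full path.
    $target = (Get-ItemProperty -Path $key).'(default)' -replace '"', ''
    if ($target -and (Test-Path $target)) { return $target }
    return $null
}

function Restore-StartMenuShortcut {
    param([string]$Exe, [string]$Name)
    $target = Get-AppPathTarget -Exe $Exe
    if (-not $target) {
        Write-Verbose "$Exe has no App Paths entry; treating as not installed"
        return $false
    }
    $lnk = Join-Path $startMenu "$Name.lnk"
    if (Test-Path $lnk) {
        Write-Verbose "$lnk already exists; nothing to do"
        return $false
    }
    # Create the .lnk through the WScript.Shell COM object.
    $shell    = New-Object -ComObject WScript.Shell
    $shortcut = $shell.CreateShortcut($lnk)
    $shortcut.TargetPath       = $target
    $shortcut.WorkingDirectory = Split-Path $target -Parent
    $shortcut.Save()
    Write-Output "Recreated $lnk -> $target"
    return $true
}

foreach ($p in $programs) {
    Restore-StartMenuShortcut -Exe $p.Exe -Name $p.Name
}
```

Writing under the all-users Start Menu folder requires an elevated session.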

Microsoft also provides procedures for using this script with Intune on desktop computers in a Windows domain.

For those who wish to manually recreate the shortcuts, Microsoft shared the steps to repair the installation of a program.

You should anticipate this taking much longer than normal, as it often involves a full reinstall. Also, not all apps offer a repair option.

Repair an application in Windows 10:
  1. Select Start > Settings > Apps > Apps & features
  2. Select the app you want to fix.
  3. Select Modify link under the name of the app if it is available.
  4. A new page will launch and allow you to select repair.
Repair an application in Windows 11:
  1. Type “Installed Apps” in the search bar.
  2. Click “Installed Apps”.
  3. Select the app you want to fix.
  4. Click on “…”
  5. Select Modify or Advanced Options if it is available.
  6. A new page will launch and allow you to select repair.

Not a good enough solution

The readily available PowerShell script is meant to help Windows admins recreate shortcuts. However, administrators report that it falls short.

The script only covers thirty-three programs, so it cannot recreate the shortcuts for most other applications typically installed on a computer.

Unfortunately, this does not change Microsoft Office shortcuts that had been installed per-user, which is most 365 C2R installations. This is the default installation behavior for M365 deployed through Intune, so if this can be reflected in the script, this would be very helpful.

Windows administrators also pointed out that the script only recreates shortcuts in the Start Menu; it does not recreate those deleted from the Windows Taskbar, the Quick Launch toolbar, or the desktop.

Users can utilize tools such as Shadow Explorer or ShadowCopyView to see if shortcuts are saved in previous snapshots and copy them back to the system drive.

For those with numerous devices, using PowerShell to check for and recover the deleted shortcut files from a Volume Shadow Copy may also be an option.

As a result of the bug, Windows users and administrators are left with the enormous headache of manually recreating numerous lost shortcuts.
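As an added example (not from Microsoft or this article), the PowerShell below restores Start Menu .lnk files that exist in the most recent Volume Shadow Copy but are missing from the live system; it assumes the system drive holds ProgramData, that a shadow copy predating the deletion exists, and that the session is elevated.

```powershell
# Added example, not Microsoft's script. Assumes an elevated session and that
# the newest shadow copy on the system predates the shortcut deletion.
$programsRel = 'ProgramData\Microsoft\Windows\Start Menu\Programs'
$live        = Join-Path $env:SystemDrive $programsRel

function Get-LatestShadowCopy {
    Get-CimInstance -ClassName Win32_ShadowCopy |
        Sort-Object InstallDate -Descending |
        Select-Object -First 1
}

function Restore-LnkFromShadowCopy {
    param([switch]$DryRun)
    $snap = Get-LatestShadowCopy
    if (-not $snap) { Write-Warning 'No shadow copies found'; return @() }

    # Shadow copies are exposed as \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopyN;
    # a directory symlink (trailing backslash required) makes them browsable.
    $link = Join-Path $env:TEMP 'vss_snapshot'
    if (Test-Path $link) { cmd /c rmdir "$link" | Out-Null }
    cmd /c mklink /d "$link" "$($snap.DeviceObject)\" | Out-Null
    $restored = @()
    try {
        $snapRoot = Join-Path $link $programsRel
        Get-ChildItem -Path $snapRoot -Recurse -Filter *.lnk | ForEach-Object {
            $rel  = $_.FullName.Substring($snapRoot.Length).TrimStart('\')
            $dest = Join-Path $live $rel
            if (-not (Test-Path $dest)) {
                if ($DryRun) {
                    Write-Output "Would restore $rel"
                } else {
                    New-Item -ItemType Directory -Force -Path (Split-Path $dest -Parent) | Out-Null
                    Copy-Item -Path $_.FullName -Destination $dest
                }
                $restored += $rel
            }
        }
    } finally {
        cmd /c rmdir "$link" | Out-Null   # removes only the link, not the snapshot
    }
    return $restored
}

Restore-LnkFromShadowCopy -DryRun
```

Run once with -DryRun to review the list of shortcuts that would come back, then without it to copy them.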
