Chris Hudson

Microsoft Defender - a victim of Friday the 13th?

What better way to start a notoriously unlucky Friday the 13th than with a widespread Defender bug? A single Attack Surface Reduction (ASR) rule ran riot across endpoint estates, blocking a stream of legitimate actions and processes in quick succession and removing the widely relied-upon shortcuts for key business applications.


The key symptoms observed can be summarised as follows:

  1. Processes and activities are blocked considerably more often than usual, producing a flood of end-user-facing block notifications.

  2. Users are unable to search for or find applications via the Start menu.

  3. Users are unable to open key applications such as the Office suite, Google Chrome and Microsoft Edge from their desktop, Start menu and taskbar shortcuts.


Workaround

Whilst the below isn't an official or complete resolution for the underlying issue, it may well reduce the urgency and pressure that many IT departments are currently facing. The two key aspects of this workaround are:

  1. Transition the affected Attack Surface Reduction rule (Block Win32 API calls from Office macros) into Audit mode, and leave it there until Microsoft has confirmed and provided a resolution. Audit mode still logs what the rule would have done, so you keep the visibility without the blocking. Remember that some environments have multiple ASR policies deployed via multiple mechanisms, i.e. Intune, Group Policy, SCCM, or even a local script; a setting pushed by Intune or Group Policy takes precedence over a local change, so the rule has to be switched to Audit mode in every mechanism that configures it, or the policy will simply put it back into Block mode.

  2. Establish and deploy a remediation PowerShell script that recreates the affected application shortcuts, so they can be restored for users quickly and confidently.
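As an added example (not part of the original post), here is how the first step can be carried out and verified on a single endpoint with the built-in Defender cmdlets. The rule ID is Microsoft's documented GUID for "Block Win32 API calls from Office macros"; the helper name Get-AsrRuleAction is my own and not a Defender cmdlet. The final section counts today's ASR events for that rule so you can see how badly the endpoint was hit.

```powershell
# Added example, not part of the original post: put the offending ASR rule into
# Audit mode on one endpoint and confirm the change. Run from an elevated
# PowerShell session. If Intune, Group Policy or SCCM manages ASR on this
# endpoint, that policy overwrites this local change, so fix it at source too.

# Documented rule ID for "Block Win32 API calls from Office macros".
$RuleId = '92E97FA1-2EDF-4476-BDD6-9DD0B4DDDC7B'

# Helper (my own name, not a Defender cmdlet): return the locally configured
# action for one ASR rule, or $null when the rule is not configured here.
# Action values as reported by Get-MpPreference:
#   0 = Disabled, 1 = Block, 2 = Audit, 6 = Warn
function Get-AsrRuleAction {
    param([string]$Id)
    $pref    = Get-MpPreference
    # Wrap in @() so a single configured rule is still indexable as an array.
    $ids     = @($pref.AttackSurfaceReductionRules_Ids)
    $actions = @($pref.AttackSurfaceReductionRules_Actions)
    for ($i = 0; $i -lt $ids.Count; $i++) {
        if ($ids[$i] -eq $Id) { return $actions[$i] }   # -eq is case-insensitive
    }
    return $null
}

"Before: action = $(Get-AsrRuleAction $RuleId)"

# Add-MpPreference adds the rule if absent and updates its action if present.
# Set-MpPreference would replace the whole rule list, which we do not want.
Add-MpPreference -AttackSurfaceReductionRules_Ids $RuleId `
                 -AttackSurfaceReductionRules_Actions AuditMode

"After:  action = $(Get-AsrRuleAction $RuleId)"

# Gauge the impact: Defender logs event ID 1121 for every ASR block and 1122
# for every audit-only hit. Filter today's events down to this rule's ID.
$log   = 'Microsoft-Windows-Windows Defender/Operational'
$since = (Get-Date).Date
$hits  = Get-WinEvent -FilterHashtable @{ LogName = $log; Id = 1121, 1122; StartTime = $since } `
                      -ErrorAction SilentlyContinue |
         Where-Object { $_.Message -match $RuleId }

"Blocks today (1121): $(@($hits | Where-Object Id -eq 1121).Count)"
"Audits today (1122): $(@($hits | Where-Object Id -eq 1122).Count)"
```

Run the script once before and once after the policy change has been pushed; if "After" still reports 1, a policy source is re-applying Block mode and must be changed there. The 1121 count is also a quick way to prioritise which endpoints to remediate first.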

Below is a quick draft of an example PowerShell remediation script that restores key business application shortcuts for users, focusing on the Click-to-Run Office applications (32-bit and 64-bit), Google Chrome and Microsoft Edge. It recreates the specified shortcuts on the users' desktop and in the Start menu, but unfortunately not on the taskbar. Note that it writes to the Public desktop and the all-users Start menu folder under C:\ProgramData, so it must run with administrative rights (e.g. as SYSTEM when deployed through Intune or an RMM tool); it only creates a shortcut where the target executable actually exists, so it is safe to push to an entire estate.


Please feel free to use this script as a base example and modify it where necessary to accommodate any further requirements.


This script has been tested and successfully deployed both manually and locally, as well as via RMM tooling and MDM solutions such as Intune.


## Restore application shortcuts removed by the ASR rule.
## Writes to the Public desktop and the all-users Start menu, so run elevated.

$StartMenu = "C:\ProgramData\Microsoft\Windows\Start Menu\Programs"
$WScriptShell = New-Object -ComObject WScript.Shell

function Restore-Shortcut {
    param(
        [string]$Name,        # shortcut display name, e.g. "Word"
        [string]$TargetFile   # executable the shortcut should point at
    )

    # Skip applications that are not installed on this endpoint.
    if (-not (Test-Path $TargetFile)) { return }

    # Create the shortcut on the Public desktop (visible to every user) ...
    $ShortcutFile = "$env:Public\Desktop\$Name.lnk"
    $Shortcut = $WScriptShell.CreateShortcut($ShortcutFile)
    $Shortcut.TargetPath = $TargetFile
    $Shortcut.Save()

    # ... and copy it into the all-users Start menu so search finds it again.
    Copy-Item $ShortcutFile (Join-Path $StartMenu "$Name.lnk") -Force
}

## 64-Bit Office
Restore-Shortcut -Name "Word"       -TargetFile "C:\program files\microsoft office\root\office16\winword.exe"
Restore-Shortcut -Name "Excel"      -TargetFile "C:\program files\microsoft office\root\office16\excel.exe"
Restore-Shortcut -Name "Outlook"    -TargetFile "C:\program files\microsoft office\root\office16\Outlook.exe"
Restore-Shortcut -Name "PowerPoint" -TargetFile "C:\program files\microsoft office\root\office16\POWERPNT.exe"

## 32-Bit Office
Restore-Shortcut -Name "Word"       -TargetFile "C:\program files (x86)\microsoft office\root\office16\winword.exe"
Restore-Shortcut -Name "Excel"      -TargetFile "C:\program files (x86)\microsoft office\root\office16\excel.exe"
Restore-Shortcut -Name "Outlook"    -TargetFile "C:\program files (x86)\microsoft office\root\office16\Outlook.exe"
Restore-Shortcut -Name "PowerPoint" -TargetFile "C:\program files (x86)\microsoft office\root\office16\POWERPNT.exe"

## Edge
Restore-Shortcut -Name "Microsoft Edge" -TargetFile "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

## Chrome
Restore-Shortcut -Name "Google Chrome" -TargetFile "c:\program files\google\chrome\application\chrome.exe"


