Techies are fearing the worst in efforts to recover from Microsoft’s bug-laden Defender for Endpoint pre-weekend rollout after updates removed icons and application shortcuts from the Windows 11 and 10 desktop, Taskbar and Start Menu.
The update dispatched to users on the morning of January 13 caused nightmares for Windows admins, forcing Microsoft to issue Advanced Hunting Queries and a PowerShell script the following day in a bid to help spot and recover applications.
In a post on its Tech Community forum on 14 January, Microsoft said:
“Windows Security and Microsoft Defender for Endpoint customers may have experienced a series of false positive detections for the Attack Surface Reduction (ASR) rule ‘Block Win32 API calls from Office macro’ after updating to security intelligence builds between 1.381.2134.0 and 1.381.2163.0. These detections resulted in the deletion of files that matched the incorrect detection logic primarily impacting Windows shortcut (.lnk) files.”
Microsoft is currently advising customers to update to 1.381.2164.0 (the latest updated security intelligence build) or later. It means block mode can be safely turned on; however, crucially, this will not restore deleted files.
Those who didn’t have the “Block Win32 API calls from Office macro” rule turned on in block mode, or didn’t update to the builds 1.381.2134.0, 1.381.2140.0, 1.381.2152 and 1.381.2163.0, weren’t hit by the mess. Sources told us Microsoft halted the update before it reached users in North America.
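As an added example (not Microsoft’s recovery script and not part of the original article), the PowerShell below checks the two exposure conditions described above on a single machine: the installed security intelligence build and the mode of the “Block Win32 API calls from Office macros” ASR rule. It assumes the Defender cmdlets Get-MpComputerStatus and Get-MpPreference are available; the function name and output fields are made up for illustration.

```powershell
# Added example: report whether this machine currently meets the exposure
# conditions quoted in the article. Not Microsoft's recovery script.

# Build numbers as quoted in the article.
$FirstBad = [version]'1.381.2134.0'
$LastBad  = [version]'1.381.2163.0'
$FixedMin = [version]'1.381.2164.0'

# GUID of the ASR rule "Block Win32 API calls from Office macros".
$RuleId = '92e97fa1-2edf-4476-bdd6-9dd0b4dddc7b'
$ActionNames = @{ 0 = 'Disabled'; 1 = 'Block'; 2 = 'Audit'; 6 = 'Warn' }

function Get-AsrRuleAction {
    # Hypothetical helper: Get-MpPreference returns rule IDs and actions
    # as two parallel arrays, so look the rule up by index.
    param([string]$Id)
    $pref    = Get-MpPreference
    $ids     = @($pref.AttackSurfaceReductionRules_Ids)
    $actions = @($pref.AttackSurfaceReductionRules_Actions)
    for ($i = 0; $i -lt $ids.Count; $i++) {
        if ($ids[$i] -ieq $Id) { return [int]$actions[$i] }
    }
    return $null   # rule not configured on this machine
}

$sig    = [version](Get-MpComputerStatus).AntivirusSignatureVersion
$action = Get-AsrRuleAction -Id $RuleId
$mode   = if ($null -eq $action) { 'NotConfigured' } else { $ActionNames[$action] }

$inBadRange = ($sig -ge $FirstBad) -and ($sig -le $LastBad)

[pscustomobject]@{
    ComputerName     = $env:COMPUTERNAME
    SignatureBuild   = $sig.ToString()
    RuleMode         = $mode
    BuildInBadRange  = $inBadRange
    BuildAtOrPastFix = ($sig -ge $FixedMin)
    # Both conditions from the article must hold for the deletions to occur.
    ExposedNow       = $inBadRange -and ($action -eq 1)
}
```

The result describes the machine’s current state only: a host that has since moved to 1.381.2164.0 or later reports `ExposedNow = False` even if shortcuts were deleted while it ran an affected build.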
“Microsoft has confirmed steps that customers can take to recreate start menu links for a significant subset of the affected applications that were deleted. These have been consolidated into the PowerShell script below to help enterprise administrators take recovery actions in their environment,” said the Windows giant.
Version 1.1 of the script is available here, and instructions to deploy the script using Microsoft Intune are here.
IT pros The Reg spoke to on condition of anonymity told us Microsoft had screwed up royally here and one said the provision of scripts was like “pissing in the wind.” Version 1 of the script has around 20 applications and version 1.1 has in excess of 30.
“The vast majority of application shortcuts that people use are not there. I can’t see a way that Microsoft can recover, it’s a permanent delete. They’ve done well with this one.”
On Microsoft’s Tech Community forum, one admin said: “I think these links have been lost indefinitely and us administrators are going to have to recover the Start Menu, and the users are going to have to re-pin every Taskbar and Quick Launch shortcut manually.
“Who on earth released that update without checking the impact? There are millions of administrators across the globe now having to repair their environments, which is causing a major impact on productivity.”
Another commenter on the forum said they doubted AHQ was sufficient. “In our case hundreds of Office links were deleted, but only 16 were displayed in the advanced hunt… How can I find everything which was blocked (and [by] blocked I mean deleted?)”
Others asked for credit or some form of compensation to pay for the “huge burden on IT to fix it” manually and some called for a rollback feature for Defender.
“I’ll eat my hat if Microsoft has a fix,” one hard-pressed Windows admin told The Register.
We asked Microsoft to comment on Friday and it has yet to respond with a statement. ®