Microsoft have made a big boo boo in #Defender again. If you have attack surface reduction enabled for macros, it is deleting all user shortcuts from Start Menu (including Office etc) #ASRmageddon https://www.reddit.com/r/sysadmin/comments/10ar1vb/comment/j45qy7c/?utm_source=share&utm_medium=ios_app&utm_name=iossmf&context=3
Multiple users reporting Microsoft apps have disappeared

I was able to get this to restore icons on a per-user basis $AllPrograms = "HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\UFH\SHC\" #...

The fix to #ASRmageddon is disable the ASR rules across the org and then (lol) recreate all the user shortcuts on all the machines somehow.

Good luck and happy Friday the 13th

It looks like #ASRmageddon may be a big incident for lots of orgs in Europe speaking to people, as it has removed Start Menu, Task bar and Desktop shortcuts.
MS have acknowledged #ASRmageddon in the M365 admin portal.

If you want to find out if you have the ASR rule enabled and on which devices:

security.microsoft.com -> Vulnerability Management -> Recommendations -> Search (right hand side) for Win32 -> look for "Block Win32 API calls from Office macros"

It's not enabled by default, but Defender prompts to enable and Microsoft Security Baselines for 21H2 tell you to enable it.
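The portal path above shows org-wide exposure; on a single device the same question can be answered locally from Defender's preferences. The following PowerShell is an added example (not from this thread or from Microsoft) that reads the configured action for the "Block Win32 API calls from Office macros" rule and, with a switch of our own naming (`-Remediate`), moves it from Block to Audit. The rule GUID is Microsoft's documented identifier for that rule; Audit mode is used here because it keeps the rule's reporting while removing the block action, but Disabled works equally if that is what your org decides.

```powershell
# Added example: local check of the ASR rule that triggered the shortcut deletions,
# with an optional move from Block to Audit. Requires an elevated prompt on a device
# running Microsoft Defender Antivirus (Get-MpPreference / Add-MpPreference).
param([switch]$Remediate)

# Documented GUID for "Block Win32 API calls from Office macros"
$RuleId = '92E97FA1-2EDF-4476-BDD6-9DD0B4DDDC7B'

# Defender stores the per-rule action as an integer code
$ActionNames = @{ 0 = 'Disabled'; 1 = 'Block'; 2 = 'Audit'; 6 = 'Warn' }

function Get-AsrRuleState {
    # Pairs the parallel Ids/Actions arrays from Get-MpPreference and returns the
    # action configured for the requested rule, or NotConfigured if it is absent.
    param([string]$Id)
    $pref    = Get-MpPreference
    $ids     = @($pref.AttackSurfaceReductionRules_Ids)
    $actions = @($pref.AttackSurfaceReductionRules_Actions)
    for ($i = 0; $i -lt $ids.Count; $i++) {
        if ($ids[$i] -ieq $Id) {
            $code = [int]$actions[$i]
            return [pscustomobject]@{ RuleId = $Id; Action = $ActionNames[$code]; Code = $code }
        }
    }
    [pscustomobject]@{ RuleId = $Id; Action = 'NotConfigured'; Code = $null }
}

$state = Get-AsrRuleState -Id $RuleId
"{0}: {1} on {2}" -f $RuleId, $state.Action, $env:COMPUTERNAME

if ($Remediate -and $state.Action -eq 'Block') {
    # Add-MpPreference on an existing rule ID updates its action in place.
    # On Intune/GPO managed devices the policy must change at the source,
    # otherwise the managed value is re-applied at the next sync.
    Add-MpPreference -AttackSurfaceReductionRules_Ids $RuleId `
                     -AttackSurfaceReductionRules_Actions AuditMode
    "Now: {0}" -f (Get-AsrRuleState -Id $RuleId).Action
}
```

Run it without the switch first to inventory devices (for example through your RMM), and only then with `-Remediate` on the affected population; a device that reports `NotConfigured` was never exposed to this rule.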

It looks like they're rolling it back, a rule had been pushed which triggered the ASR rule in error on any app. #ASRmageddon

One of the impacted #ASRmageddon orgs is... Microsoft.

Spoken to a bunch of UK orgs in healthcare and policing who are dealing with #ASRmageddon just now. Status: 😬😬😬😬🫡🤣

Everybody is dreading Monday, when people try to relaunch apps.

Microsoft are still trying to roll back #ASRmageddon
It's the official #ASRmageddon logo, no rights reserved
@GossiTheDog You should've put this in the waste basket:
@GossiTheDog I'm a little sad it's ASR and not ARS, just for the wonderful memes we could make out of that particular pun.
@GossiTheDog Bloody hell Kev, did I teach you nothing about presentation. 🤔
@GossiTheDog Wow. Not being able to roll back a change in a reasonable time frame is probably more of a red flag than pushing it out in the first place. Wild!
@GossiTheDog "We recommend that you remove the security control *we* broke until we can un-break it"

@GossiTheDog We have faced this, too - but until now only on one computer. But I guess monday will be no fun working at the helpdesk. 🤣

Do you know, why the problem only exists in Europe?

@GossiTheDog 950 devices affected on my end today. The other 5000 had all ASR in block EXCEPT the macro one yay! Still, I am concerned for Monday... support staff will have a lot of work

@GossiTheDog Both MPLog *and* the Defender logs don't show everything which was deleted. Monday will be shit.

My standalone test VM had loads of desktop icons deleted, but there's no mention in any on-device logs: Chrome x2, Waterfox, Waterfox Classic, Reader x2, Edge x2, TeamViewer, VLC, Proton, Irfanview.

Doing a before/after on c:\programdata\microsoft\windows\start menu\programs shows that only one entry was deleted - YogaDNS - so presumably Defender only deleted things which were accessed. So "only" the things which people use regularly were presumably deleted... ugh
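Since neither MPLog nor the Defender event logs record what was removed, the before/after comparison described above is the only reliable inventory. The script below is an added example (not posted in this thread) that automates it: it snapshots the .lnk files in the all-users and per-user Start Menu and Desktop folders together with their targets, and on a later run lists the shortcuts that have disappeared and can recreate them from the snapshot. The baseline file location and the `-Mode` parameter are assumptions of this example.

```powershell
# Added example: baseline/compare/restore for shortcut folders. Run -Mode Baseline on a
# known-good machine (or before enabling the rule), then -Mode Compare afterwards.
# Windows PowerShell 5.1 or PowerShell 7; the baseline path below is a placeholder.
param(
    [ValidateSet('Baseline', 'Compare')]
    [string]$Mode = 'Compare',
    [string]$BaselinePath = 'C:\ProgramData\ShortcutBaseline.json'
)

# Locations the thread reports as affected: Start Menu (all users and current user) and Desktop
$ShortcutRoots = @(
    "$env:ProgramData\Microsoft\Windows\Start Menu\Programs",
    "$env:APPDATA\Microsoft\Windows\Start Menu\Programs",
    [Environment]::GetFolderPath('Desktop'),
    [Environment]::GetFolderPath('CommonDesktopDirectory')
)

function Get-ShortcutInventory {
    # One record per .lnk, including its target, so a deleted shortcut can be rebuilt later
    $shell = New-Object -ComObject WScript.Shell
    foreach ($root in $ShortcutRoots) {
        if (-not (Test-Path -LiteralPath $root)) { continue }
        Get-ChildItem -LiteralPath $root -Filter *.lnk -Recurse -File -ErrorAction SilentlyContinue |
            ForEach-Object {
                $lnk = $shell.CreateShortcut($_.FullName)
                [pscustomobject]@{
                    Path      = $_.FullName
                    Target    = $lnk.TargetPath
                    Arguments = $lnk.Arguments
                    WorkDir   = $lnk.WorkingDirectory
                }
            }
    }
}

function Save-ShortcutBaseline {
    Get-ShortcutInventory | ConvertTo-Json -Depth 3 |
        Set-Content -LiteralPath $BaselinePath -Encoding UTF8
}

function Compare-ShortcutBaseline {
    # Emits the baseline records whose .lnk file no longer exists on disk
    $baseline = Get-Content -LiteralPath $BaselinePath -Raw | ConvertFrom-Json
    $current  = @{}
    foreach ($entry in Get-ShortcutInventory) { $current[$entry.Path] = $true }
    foreach ($entry in $baseline) {
        if (-not $current.ContainsKey($entry.Path)) { $entry }
    }
}

function Restore-Shortcut {
    # Recreates one shortcut from a baseline record; supports -WhatIf for a dry run
    [CmdletBinding(SupportsShouldProcess)]
    param([Parameter(Mandatory, ValueFromPipeline)] $Entry)
    process {
        # Advertised (MSI) shortcuts carry no TargetPath and cannot be rebuilt this way
        if (-not $Entry.Target -or -not (Test-Path -LiteralPath $Entry.Target)) {
            Write-Warning "Skipping $($Entry.Path): target '$($Entry.Target)' not found"
            return
        }
        if ($PSCmdlet.ShouldProcess($Entry.Path, 'Recreate shortcut')) {
            $dir = Split-Path -Parent $Entry.Path
            if (-not (Test-Path -LiteralPath $dir)) { New-Item -ItemType Directory -Path $dir | Out-Null }
            $shell = New-Object -ComObject WScript.Shell
            $lnk = $shell.CreateShortcut($Entry.Path)
            $lnk.TargetPath       = $Entry.Target
            $lnk.Arguments        = $Entry.Arguments
            $lnk.WorkingDirectory = $Entry.WorkDir
            $lnk.Save()
        }
    }
}

switch ($Mode) {
    'Baseline' { Save-ShortcutBaseline; "Baseline written to $BaselinePath" }
    'Compare'  { Compare-ShortcutBaseline | Format-Table Path, Target -AutoSize }
}
```

To rebuild what the comparison lists, pipe it through the restore function inside the same session, for example `Compare-ShortcutBaseline | Restore-Shortcut -WhatIf` first and without `-WhatIf` once the output looks right. Because the per-user roots resolve under the running user's profile, the script has to be run in each affected user's context (or the `$env:APPDATA` and Desktop entries replaced with explicit per-profile paths) to cover per-user shortcuts.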

@GossiTheDog This is rather lovely and should help to speed up a solution 😁
@GossiTheDog Oh boy is it ever! At least I had read your toots earlier, and knew what was happening when I logged in today 😅

@GossiTheDog ...How. I mean how did they manage this?

I thought it was bad enough when Defender started putting Microsoft Access (the exe file) in quarantine a few years back.

@GossiTheDog We're skirting by this one, I hope. Thanks, all the time zones to the east of us!
@GossiTheDog Only turned this rule on last week, painful!
@GossiTheDog I just don’t get how things like this can happen. Is regression testing something that isn’t done these days anymore?