#ASRmageddon – All your shortcuts are belonging to us….

Wow, 3 months since the last post already. I blame it on a crazy busy end of the year at work combined with all the different closing parties for the kids at school, activities and so on, and everything that needed sorting out for Christmas. Christmas for me was all about mental wellness and spending some much-needed quality time with the wife, the kids and family in general.

2023 is here, and boy has it been busy already. And what better way to start the first blog of the new year than with a big Friday the 13th crisis, at least if you are using Microsoft ASR (Attack Surface Reduction) rules.

In short, it seems that a bad definition update was rolled out (version 1.381.2140), making the ASR rule Block Win32 API calls from Office macro (if you had it configured in Block mode) go crazy and delete all the users' shortcuts from the Start menu, Taskbar and Desktop. Now that is just super fun on a Friday when the calls start coming in asking why, and it really sets a good mood for the weekend, where you can look forward to how your Monday will play out… 😊

Now, Microsoft have made an official post (you can find it here: https://techcommunity.microsoft.com/t5/microsoft-defender-for-endpoint/recovering-from-attack-surface-reduction-rule-shortcut-deletions/ba-p/3716011 ) with some whys and how-tos, but basically their guidance just stops it from happening again: set the ASR rule to audit mode and install the updated definitions. There seems to be no way for them to automatically get all the shortcuts back. But here is where the communities really show their strength, once again, and post “fixes” way before the official ones start to come in!
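To make that guidance concrete, here is an added example of my own (not code from the post or from Microsoft): it reads the device's current definition version and the configured mode of the ASR rule named above, and if the device is on the bad definition with the rule in block mode, it switches that one rule to audit and pulls fresh definitions. The rule GUID, the action codes and the cmdlets are the standard ones from the Defender PowerShell module; the bad version number comes from the post. It has to run in an elevated session, because changing Defender preferences is a device-wide setting.

```powershell
# Added example, not from the post or Microsoft: inspect and apply the workaround the post
# describes (rule to audit + new definitions). Run elevated; uses the Defender module cmdlets.

# GUID of the ASR rule "Block Win32 API calls from Office macros"
$RuleId = '92E97FA1-2EDF-4476-BDD6-9DD0B4DDDC7B'
# Definition version the post identifies as the bad one
$BadVersionPrefix = '1.381.2140'
# Meaning of the AttackSurfaceReductionRules_Actions codes
$ModeNames = @{ 0 = 'Disabled'; 1 = 'Block'; 2 = 'Audit'; 6 = 'Warn' }

function Get-AsrRuleMode {
    param([string]$Id)
    $pref = Get-MpPreference
    $ids  = @($pref.AttackSurfaceReductionRules_Ids)
    $acts = @($pref.AttackSurfaceReductionRules_Actions)
    for ($i = 0; $i -lt $ids.Count; $i++) {
        if ($ids[$i] -ieq $Id) { return [int]$acts[$i] }
    }
    return 0   # a rule that is not configured at all behaves as Disabled
}

$sigVersion = (Get-MpComputerStatus).AntivirusSignatureVersion
$mode       = Get-AsrRuleMode -Id $RuleId
Write-Host ("Definitions {0}; rule {1} is in {2} mode" -f $sigVersion, $RuleId, $ModeNames[$mode])

if ($sigVersion.StartsWith($BadVersionPrefix) -and $mode -eq 1) {
    Write-Warning 'Bad definition with the rule in Block mode: applying workaround'
    # Add-MpPreference adds or updates a single rule without touching the other rules
    Add-MpPreference -AttackSurfaceReductionRules_Ids $RuleId -AttackSurfaceReductionRules_Actions AuditMode
    Update-MpSignature
    $newMode = Get-AsrRuleMode -Id $RuleId
    Write-Host ("Rule now in {0} mode; definitions {1}" -f $ModeNames[$newMode], (Get-MpComputerStatus).AntivirusSignatureVersion)
} else {
    Write-Host 'No change needed on this device'
}
```

If the rule is delivered by Intune or Group Policy, a local change is overwritten at the next policy sync, so the switch to audit belongs in that policy; the script is then only useful as the check that the policy actually landed and that the definitions moved past the bad version.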

Microsoft have now posted a script that includes a list of programs (which you can change to suit your environment) and instructions for deploying it with Intune. But this only fixes the programs mentioned in the script AND it only adds them back to the Start Menu. If your users have pinned programs to the Taskbar, this won't fix that. But there is hope for this as well: over at reddit a human with the nickname steve_ce (Thank you steve_ce, you possibly just saved our Monday!) posted this script (https://www.reddit.com/r/sysadmin/comments/10ar1vb/comment/j49ed62/ ). What it does is, and I quote: “It will grab binary registry with taskbar info, fix up some formatting, and regex match shortcut paths from it. It uses the file name in the shortcut to find the shortcut that should still exist in other folders. If it finds it, it will copy it into the proper TaskBar folder.” Checking the registry values seems like a much more correct way of doing this than making a custom program list; maybe Microsoft will update their script to do something like this?
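To show what the registry-driven approach looks like, here is an added example of my own (not steve_ce's script, which is linked above, and not Microsoft's): it reads the Favorites value of the user's Taskband key, pulls the .lnk file names out of that binary blob, looks for a surviving shortcut with the same name under the Start Menu and Desktop folders, and copies it back into the user's pinned TaskBar folder. Everything it touches lives under HKCU and the user's own profile, so it runs as the signed-in user without local admin rights. The registry key and folder paths are the standard Windows locations; decoding the blob at two byte offsets and matching on exact file names are this example's own handling of the blob layout, and the -DryRun switch is my addition for previewing.

```powershell
# Added example (my own, not the Reddit script or Microsoft's): rebuild taskbar pins from
# the Taskband registry value. Runs entirely in the signed-in user's context (HKCU plus
# folders under the user's profile), so no local admin is needed.

$TaskbandKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Taskband'
$PinnedDir   = Join-Path $env:APPDATA 'Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar'

# Places where an untouched copy of the same shortcut may still exist
$SearchRoots = @(
    (Join-Path $env:ProgramData 'Microsoft\Windows\Start Menu\Programs'),
    (Join-Path $env:APPDATA     'Microsoft\Windows\Start Menu\Programs'),
    (Join-Path $env:USERPROFILE 'Desktop'),
    (Join-Path $env:PUBLIC      'Desktop')
)

function Get-PinnedShortcutNames {
    # Favorites is REG_BINARY: packed shell item lists, one per pinned item. The long file
    # names inside are null-terminated UTF-16LE, but they are not guaranteed to start on an
    # even byte offset, so decode from offset 0 and offset 1 and search both (caveat of this
    # example; a name decoded at the wrong alignment just turns into garbage and is ignored).
    try {
        $bytes = (Get-ItemProperty -Path $TaskbandKey -Name Favorites -ErrorAction Stop).Favorites
    } catch {
        Write-Warning 'No Favorites value found; nothing was pinned for this user'
        return @()
    }
    $texts = @(
        [System.Text.Encoding]::Unicode.GetString($bytes),
        [System.Text.Encoding]::Unicode.GetString($bytes, 1, $bytes.Length - 1)
    )
    $names = foreach ($t in $texts) {
        # Anything that looks like a file name ending in .lnk; control characters (the null
        # terminators) and characters illegal in file names act as the boundary
        [regex]::Matches($t, '[^\x00-\x1F\\/:*?"<>|]+\.lnk', 'IgnoreCase') |
            ForEach-Object { $_.Value.Trim() }
    }
    return @($names | Select-Object -Unique)
}

function Restore-TaskbarPins {
    param([switch]$DryRun)   # -DryRun only reports what would be copied

    if (-not (Test-Path -LiteralPath $PinnedDir)) {
        New-Item -ItemType Directory -Path $PinnedDir -Force | Out-Null
    }
    $survivors = Get-ChildItem -Path $SearchRoots -Filter *.lnk -Recurse -File -ErrorAction SilentlyContinue

    foreach ($name in Get-PinnedShortcutNames) {
        $target = Join-Path $PinnedDir $name
        if (Test-Path -LiteralPath $target) { continue }   # this pin is still intact

        # First surviving shortcut with exactly the same file name, Start Menu folders first
        $source = $survivors | Where-Object { $_.Name -ieq $name } | Select-Object -First 1
        if (-not $source) {
            Write-Warning "No surviving copy of '$name' found; it has to be re-pinned by hand"
            continue
        }
        if ($DryRun) {
            Write-Host "Would copy '$($source.FullName)' -> '$target'"
        } else {
            Copy-Item -LiteralPath $source.FullName -Destination $target
            Write-Host "Restored pin '$name'"
        }
    }
}

# Preview first; drop -DryRun once the list looks right
Restore-TaskbarPins -DryRun
Restore-TaskbarPins
```

The approach works because the rule deleted the .lnk files but left the Taskband registry value alone, so the list of what was pinned is still there. It can only bring back a pin for which a copy survived somewhere else; a shortcut that was deleted from the Start Menu and Desktop too has no source to copy from, which matches Microsoft's statement that there is no automatic way to get everything back. Explorer may need a restart (or the user a sign-out) before the restored pins show up.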

DISCLAIMER ALERT: please do check, double-check and test any scripts you find before you deploy them in production and at large scale!

We are currently testing both in our environment as I am writing this blog, and it looks promising. Hopefully it will decrease the impact on the end users logging in on Monday, and also the number of support cases this will potentially generate.

Thanks again to all the amazing and awesome people troubleshooting and sharing findings and solutions. Hopefully this post will also reach someone, point them in the right direction and make the days to come a little bit less painful.

Ending thoughts

Working in IT for several years, it is no surprise that sometimes s*** happens and we learn from it. For me, the most concerning things in this so-called #ASRmageddon are two:

  • How on earth could a bad definition update with such a catastrophic outcome ever pass testing?
  • With the amount of great and skilled technicians working at Microsoft, how does it take so long to come up with official fixes? I mean, the first unofficial fixes were out only hours after impact.
    • And also, after all the talk in recent years about Zero Trust and Least Privilege, it is just straight out not OK to post official Microsoft fixes that require local admin privileges, not OK at all! The fixes should support deployment through Intune/Endpoint Manager and should work when a user without privileged rights is logged in.
