Microsoft 365 Service Health Notification - Microsoft 365 suite, Microsoft 365 Defender
Incident Report for AppRiver
Resolved
Some users are unable to utilize the Application shortcuts on the Start menu and taskbar
ID: MO497128


Status
Service Restored

Impacted services
Microsoft 365 suite

Details
Title: Some users are unable to utilize the Application shortcuts on the Start menu and taskbar

User Impact: Users were unable to utilize the Application shortcuts on the Start menu, taskbar, and desktop.

More info: Shortcut icons in the Start menu, taskbar, or desktop may have no longer been visible or may not have worked as intended. Additionally, for some users, they may have received errors when trying to run Executable (.exe) files, if they had dependencies on an affected shortcut file path. Further information remains published here: https://link.edgepilot.com/s/5324b7bf/ZLBpdLzsi0qwXnFzzOxzIA?u=https://github.com/microsoft/MDE-PowerBI-Templates/blob/master/ASR_scripts/ASR_rule_Block_Win32_API_calls_from_Office_Macro_issue_Q%2526A.md

We've completed an update deployment within the security intelligence build(s) 1.381.2164.0 and later, on Friday, January 13, 2023, at 6:03 PM UTC. This fix update did not restore previously removed shortcut files, but it did prevent any additional shortcut files from being removed by the incorrect detection logic.

Customers are encouraged to update Microsoft Defender to build 1.381.2164.0 or later.

- Customers utilizing automatic updates for Microsoft Defender antivirus do not need to take additional action to receive the updated security intelligence build.

- Administrators who manage updates directly can download the latest update and deploy it across their environment(s), more information here: https://link.edgepilot.com/s/96498117/930N4w0NO0KCygFIjgN1Iw?u=https://www.microsoft.com/en-us/wdsi/defenderupdates

Final status: We previously completed an update deployment within the security intelligence build(s) 1.381.2164.0 and later, on Friday, January 13, 2023, at 6:03 PM UTC, which has corrected the behavior. Customers are encouraged to update Microsoft Defender to build 1.381.2164.0 or later. Further updates regarding this issue will be made available through the Microsoft Tech Community post: https://link.edgepilot.com/s/c7dc1941/xlwiSRgsxE_svlGT2P1uEw?u=https://aka.ms/asrfprecovery.

Scope of impact: This issue may have affected users within your organization; it was not specific to Office apps and could have impacted any application's shortcut file. There was no impact for customers who (1) did not have the “Block Win32 API calls from Office macro” rule turned on in block mode or, (2) did not update to an affected security intelligence build(s) 1.381.2134.0, 1.381.2140.0, 1.381.2152, and 1.381.2163.0.

Start time: Friday, January 13, 2023, at 8:51 AM UTC

End time: Thursday, January 19, 2023, at 6:47 AM UTC

Root cause: During a recent update to the Windows Security and Microsoft Defender for Endpoint service, user devices experienced a series of false positive detections for the Attack Surface Reduction (ASR) rule "Block Win32 API calls from Office macro" after updating to an affected security intelligence build(s) 1.381.2134.0, 1.381.2140.0, 1.381.2152, and 1.381.2163.0. These detections resulted in the identification of certain Windows shortcut (.lnk) files that matched the incorrect detection pattern and were subsequently removed.

Next steps:

- We're improving our testing and deployment procedures to reduce the possibility of broad impact during scenarios related to this.

- We're making improvements to our detection behaviors, to further reduce the time to detection for related scenarios.

- We’re incorporating additional updates to prevent the incorrect removal of files not intended to be within scope for the ASR scan logic.
Posted Jan 20, 2023 - 14:48 CST
Identified
Some users are unable to utilize the Application shortcuts on the Start menu and taskbar
ID: MO497128


Status
Restoring Service

Impacted services
Microsoft 365 suite

Restored services
Microsoft 365 apps, Microsoft 365 Defender

Details
Title: Some users are unable to utilize the Application shortcuts on the Start menu and taskbar

User Impact: Users are unable to utilize the Application shortcuts on the Start menu, taskbar, and desktop.

More info: Shortcut icons in the Start menu, taskbar, or desktop may no longer be visible or may not work as intended. Additionally, for some users, they may receive errors when trying to run Executable (.exe) files, if they have dependencies on an affected shortcut file path. More information has been published here: https://link.edgepilot.com/s/5ac402ec/B1Y_ORYnEEOQULQ18x5tpA?u=https://github.com/microsoft/MDE-PowerBI-Templates/blob/master/ASR_scripts/ASR_rule_Block_Win32_API_calls_from_Office_Macro_issue_Q%2526A.md

We've completed an update deployment within the security intelligence build(s) 1.381.2164.0 and later, on Friday, January 13, 2023, at 6:03 PM UTC. This fix update will not restore previously removed shortcut files, but it will prevent any additional shortcut files from being removed by the incorrect detection logic.

Customers are encouraged to update Microsoft Defender to build 1.381.2164.0 or later.

- Customers utilizing automatic updates for Microsoft Defender antivirus do not need to take additional action to receive the updated security intelligence build.

- Administrators who manage updates directly can download the latest update and deploy it across their environment(s), more information here: https://link.edgepilot.com/s/66fd2f18/LHJ1noeDckKKKNwX-jqXqg?u=https://www.microsoft.com/en-us/wdsi/defenderupdates

Microsoft has confirmed the effectiveness of steps that administrators and users can take to re-create start menu links for a significant subset of the affected applications that were removed. These steps have been consolidated into the PowerShell script in the following link to help admins take recovery actions within their environment. Users or admins must be a local administrator on the machine that the script will be run on: https://link.edgepilot.com/s/08c13429/JMP0-XLSYU_NU3MeR9HysQ?u=https://aka.ms/asrfprecovery

Current status: An additional update has been made to the Microsoft Tech Community post: https://link.edgepilot.com/s/08c13429/JMP0-XLSYU_NU3MeR9HysQ?u=https://aka.ms/asrfprecovery. The blog continues to include the latest version of the script, provides resources for some admins to identify affected machines or files within their environment, and additional steps intended to further aid customers in recovering affected shortcut files.

Scope of impact: This issue may affect users within your organization; it is not specific to Office apps and can impact any application's shortcut file. There is no impact for customers who (1) did not have the “Block Win32 API calls from Office macro” rule turned on in block mode or, (2) did not update to an affected security intelligence build(s) 1.381.2134.0, 1.381.2140.0, 1.381.2152, and 1.381.2163.0.

Start time: Friday, January 13, 2023, at 8:51 AM UTC

Root cause: During a recent update to the Windows Security and Microsoft Defender for Endpoint service, user devices experienced a series of false positive detections for the Attack Surface Reduction (ASR) rule "Block Win32 API calls from Office macro" after updating to an affected security intelligence build(s) 1.381.2134.0, 1.381.2140.0, 1.381.2152, and 1.381.2163.0. These detections resulted in the identification of certain Windows shortcut (.lnk) files that matched the incorrect detection pattern and were subsequently removed.

Next update by: Friday, January 20, 2023, at 8:00 PM UTC
Posted Jan 20, 2023 - 14:40 CST
Update
Some users are unable to utilize the Application shortcuts on the Start menu and taskbar
ID: MO497128


Status
Restoring Service

Impacted services
Microsoft 365 suite, Microsoft 365 apps, Microsoft 365 Defender

Details
Title: Some users are unable to utilize the Application shortcuts on the Start menu and taskbar

User Impact: Users are unable to utilize the Application shortcuts on the Start menu and taskbar.

More info: The shortcut icons in the taskbar or Start menu may no longer be visible or may not work as intended. Additionally, for some users, they may receive errors when trying to run Executable (.exe) files, if they have dependencies on the shortcut file path.

We've completed a hotfix deployment within the build 1.381.2164.0 on Friday, January 13, 2023, at 6:03 PM UTC. This fix update will not restore previously removed shortcut files, but it will prevent any additional shortcut files from being incorrectly removed.

Microsoft has confirmed steps that users can take to recreate start menu links for a significant subset of the affected applications that were deleted. These steps have been consolidated into the PowerShell script in the following link. Users must be a local administrator on the machine that the script will be run on: https://link.edgepilot.com/s/49ebf4e9/9CDT6TkuSk2yRN7WoLCSDQ?u=https://aka.ms/asrfprecovery

Current status: We've provided an update to https://link.edgepilot.com/s/49ebf4e9/9CDT6TkuSk2yRN7WoLCSDQ?u=https://aka.ms/asrfprecovery that includes additional details regarding the issue as well as instructions to deploy the script using Microsoft Intune. We're continuing to perform extensive internal tests and are also reviewing customer feedback so we can improve upon the provided workaround details and include additional apps and scenarios. We'll provide updates to https://link.edgepilot.com/s/49ebf4e9/9CDT6TkuSk2yRN7WoLCSDQ?u=https://aka.ms/asrfprecovery as we validate our findings.

Scope of impact: This issue likely affects users within your organization and is not specific to Office apps, and can impact any application's shortcut file. There is no impact for customers who do not have the “Block Win32 API calls from Office macro” rule turned on in block mode or did not update to security intelligence update build 1.381.2140.0.

Start time: Friday, January 13, 2023, at 8:51 AM UTC

Root cause: During a recent update to the Windows Security and Microsoft Defender for Endpoint service, user devices experienced a series of false positive detections for the Attack Surface Reduction (ASR) rule "Block Win32 API calls from Office macro" after updating to security intelligence build 1.381.2140.0. These detections resulted in the identification of certain Windows shortcut (.lnk) files that matched the incorrect detection pattern and were subsequently removed.

Next update by: Monday, January 16, 2023, at 8:00 PM UTC
Posted Jan 16, 2023 - 19:44 CST
Update
Some users are unable to utilize the Application shortcuts on the Start menu and taskbar
ID: MO497128

Status
Service Degradation

Impacted services
Microsoft 365 suite, Microsoft 365 apps, Microsoft 365 Defender

Details
Title: Some users are unable to utilize the Application shortcuts on the Start menu and taskbar

User Impact: Users are unable to utilize the Application shortcuts on the Start menu and taskbar.

More info: The shortcut icons may not appear or would not work. Additionally, for some users, they may receive errors when trying to run Executable (.exe) files, if they have dependencies on the shortcut file path.

While we investigate the underlying issue, users can directly launch Office Apps by using the Office App, or through the Microsoft 365 app launcher. More details on the Microsoft 365 app launcher can be found here: https://link.edgepilot.com/s/0089c8d8/ls0liFZiGEGdjqyMQ68B0w?u=https://support.microsoft.com/en-us/office/meet-the-microsoft-365-app-launcher-79f12104-6fed-442f-96a0-eb089a3f476a

If appropriate, admins can put the Attack Surface Reduction (ASR) rule into Audit Mode to avoid further impact. Please note that you may need to re-enable the rule once the issue has been fully resolved. This can be done through one of the following methods:

- Using Powershell: Add-MpPreference -AttackSurfaceReductionRules_Ids 92e97fa1-2edf-4476-bdd6-9dd0b4dddc7b -AttackSurfaceReductionRules_Actions AuditMode

- Using Intune: https://link.edgepilot.com/s/771f333b/3PjdizBHPkWZud3MgDosxQ?u=https://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/enable-attack-surface-reduction?view=o365-worldwide%23mem

- Using Group Policy: https://link.edgepilot.com/s/14f6930a/8JY0szeno02Hou9rpBMmYQ?u=https://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/enable-attack-surface-reduction?view=o365-worldwide%23group-policy

- For clarity, note that ASR rule "Block Win32 API calls from Office macros" with ID: 92e97fa1-2edf-4476-bdd6-9dd0b4dddc7b is the offending rule.

If determined appropriate for your environment, you can also set the rule to disabled mode. Please note, that you may need to manually re-enable the rule once the issue has been full resolved. In that case, please use the following Powershell command:

Add-MpPreference -AttackSurfaceReductionRules_Ids 92e97fa1-2edf-4476-bdd6-9dd0b4dddc7b -AttackSurfaceReductionRules_Actions Disabled

Current status: The hotfix has completed its deployment within the build 1.381.2164.0. If you have automatic updates enabled the tool will fetch the update at the next time the service performs a check for an update. This fix update will not restore previously removed shortcut files, but it will prevent any additional shortcut files from being incorrectly removed. We're investigating shortcut files that have already been affected by this issue.

Additional guidance on manual mitigation steps detailed in the “more info” section remain available for customers who have not yet adopted the new build containing the fix.

Scope of impact: This issue likely affects users within your organization and is not specific to Office Apps, and can impact any application's shortcut file. There is no impact for customers who do not have the “Block Win32 API calls from Office macro” rule turned on in block mode or did not update to security intelligence update build 1.381.2140.0.

Start time: Friday, January 13, 2023, at 8:51 AM UTC

Next update by: Friday, January 13, 2023, at 10:00 PM UTC
Posted Jan 13, 2023 - 15:23 CST
Investigating
Some users are unable to utilize the Application shortcuts on the Start menu and taskbar
ID: MO497128

Status
Service Degradation

Impacted services
Microsoft 365 suite, Microsoft 365 Defender

Details
Title: Some users are unable to utilize the Application shortcuts on the Start menu and taskbar

User Impact: Users are unable to utilize the Application shortcuts on the Start menu and taskbar.

More info: The shortcut icons may not appear or would not work.

While we investigate the underlying issue, users can directly launch Office Apps by using the Office App, or through the Microsoft 365 app launcher. More details on the Microsoft 365 app launcher can be found https://link.edgepilot.com/s/ce8ff825/jqKvGi9W4U6z10hyWcViOw?u=https://support.microsoft.com/en-us/office/meet-the-microsoft-365-app-launcher-79f12104-6fed-442f-96a0-eb089a3f476a .

Current status: We've identified that a specific rule was resulting in impact. We've disabled the rule and we're testing to verify that this provides relief.

Scope of impact: Impact is specific to some users who are served through the affected infrastructure.

Next update by: Friday, January 13, 2023, at 3:00 PM UTC
Posted Jan 13, 2023 - 09:17 CST
This incident affected: Office 365.