Office 365 Monitoring - Service Outages Blog

Microsoft Defender ASR Rule Leads to Disappearing App Shortcuts

Written by ENow Software | Jan 13, 2023 3:00:00 PM

On January 13, 2023, at ~7:12 AM ET, Microsoft communicated via tweet (@MSFT365status) that they were investigating an issue in which some users were unable to "access" application shortcuts via the Windows Start menu and/or the Taskbar.

Twitter and Reddit chatter from the public was immediate, given the large number of users impacted.  Many responses on Twitter were from system admins and IT teams suggesting the matter was a bit more complicated than Microsoft first disclosed, and the general community sentiment on social media was that this would be a very busy Friday for most organizations' help desk teams.

Approximately one hour after their first message, @MSFT365status provided a second message to the community which stated that a "specific rule" was the cause of the service incident, that a rule reversion was in place, and that Microsoft was continuing to investigate the matter. But no expanded explanation was provided on Twitter by Microsoft initially. Additional information on the service incident could be found in the Microsoft admin center, provided you or your team had access to the admin center.

 

 

As this issue persisted, more information came to light. The "specific rule" was in fact a Microsoft Defender for Endpoint attack surface reduction (ASR) rule, which appeared to have triggered in error and affected app shortcuts. The misfiring rule was deleting application shortcuts from the desktop, the Start menu, and the taskbar.

Microsoft's next message indicated that the reversion was still in progress and that it would take several hours for the reversion to complete, but they gave no estimate as to when the matter would fully resolve.

 

 

Approximately 5 hours after their first report, and with still no issue resolution, Microsoft repeated that the rule reversion was still in progress, and that any impacted customers should place the "offending" ASR rule into audit mode for the time being. Social media responses from a very frustrated community continued to pour in.

 

 

It was not until approximately 10 hours after the first report that Microsoft was able to communicate to the public that their "fix" had been completed and that no additional impact should occur. Many on social media were quick to respond that no remediation effort on Microsoft's part could repair the damage already done.

Oddly enough, Microsoft was still unable to provide additional and specific details as to the root cause and they indicated that their investigation continued.

 

 

After several status quo tweets, Microsoft did post two meaningful updates on January 14 and 15, in which they provided customers with links and information on how to recreate Start menu links and perform other steps towards returning to business as usual. This was progress of a sort, despite the continued social media responses from a beleaguered community, especially those IT professionals working through the weekend on the issue.

 

 

 

Some two days after their first reporting of the issue, and after an entire weekend of overworked help desks across many organizations worldwide, Microsoft messaged that a final version of a script was available, intended to help customers recover any affected shortcut files.

 

 

On January 17, 4 days after the service incident began, Microsoft communicated their last message regarding MO497128, indicating that yet another version of the remedy script was available.

 

 

There have been no further communications from @MSFT365status as to this incident.

 

The Importance of Microsoft 365 Monitoring

In a cloud world, outages are bound to happen. While Microsoft is responsible for restoring service during outages, IT needs to take ownership of their environment and user experience. It is crucial to have greater visibility into business impacts during a service outage the moment it happens.

ENow’s Microsoft 365 Monitoring and Reporting solution enables IT Pros to pinpoint the exact services affected and the root cause of the issues an organization is experiencing during a service outage by providing:

  • The ability to monitor networks and entire environments in one place with ENow’s OneLook dashboard which makes identifying a problem fast and easy without having to scramble through Twitter and the Service Health Dashboard looking for answers.
  • A full picture of all services and subset of services affected during an outage with ENow’s remote probes which covers several Microsoft 365 apps and other cloud-based collaboration services.

Identify the scope of Microsoft 365 service outage impacts and restore workplace productivity with ENow’s Microsoft 365 Monitoring and Reporting solution. Access your free 14-day trial today!