KB2267602 Defender Update Deletes Shortcuts & ASR Issues

After installing the latest Defender update, KB2267602, some users are unable to utilize the application shortcuts on the Start menu and taskbar. Microsoft has acknowledged this issue by logging an incident ticket (MO497128) and is working on a fix.

After installing KB2267602 version 1.381.2140.0 on a device, the application shortcuts on the Start menu and taskbar are automatically deleted. Multiple customers report being impacted by this because of attack surface reduction rules. The issue has been reported on Twitter and other social platforms by multiple users.

Microsoft has published a new incident, MO497128, confirming that the KB2267602 Defender update causes issues for users accessing application shortcuts on the Start menu and taskbar.


Tracking MO497128 Incident

If you have installed the KB2267602 update on your devices and have been experiencing these issues, here are the updates related to the MO497128 incident:

  • First Response from Microsoft: We’re reviewing customer report data to determine our next troubleshooting steps.
  • Second Response from Microsoft: We’re investigating recent changes to the Microsoft Defender service to identify the underlying root cause and formulate a mitigation plan.
  • Third Response from Microsoft: We’ve identified that a specific rule was resulting in impact. We’ve reverted the rule to prevent further impact whilst we investigate further. This quick update is designed to give the latest information on this issue.
  • Fourth Response from Microsoft: We reverted the offending ASR rule, however, this change is propagating throughout the environment and could take several hours to complete. We recommend that you take action to place the offending ASR rule into Audit Mode and prevent further impact until the update has completed deployment.


To track this issue, visit the Microsoft 365 admin center health dashboard and select Service Health. Select the service Microsoft 365 Suite to see all the details about this issue. If you want to receive updates about MO497128, select Customize and configure email notifications.


KB2267602 Defender Update Affecting ASR Rules

The KB2267602 update causes the ASR (Attack Surface Reduction) rule that blocks Win32 API calls from Office macros to also block applications such as OfficeClickToRun.

Notice that ASR is blocking the execution of applications on devices, such as the browser (explore.exe), Office Click-to-Run, RuntimeBroker.exe, etc.


KB2267602 Workaround – Modify ASR Rules

If you are deploying the Defender updates with Intune, and the rule is deleting the shortcuts from the taskbar and blocking applications, here is a workaround. Edit the ASR rule and, under Configuration Settings, change the setting Block Win32 API calls from Office macros to Off. Users have reported that setting it to Audit may not work.


Workaround 1 – Launch the Office Apps via App Launcher

The following workaround has been suggested by Microsoft for users experiencing issues after installing the KB2267602 Defender update.

While we investigate the underlying issue, users can directly launch Office apps by using the Office app or through the Microsoft 365 app launcher. More details on the Microsoft 365 app launcher can be found in https://support.microsoft.com/en-us/office/meet-the-microsoft-365-app-launcher-79f12104-6fed-442f-96a0-eb089a3f476a.



Workaround 2: Configure ASR Rule to Audit Mode

The following workaround has been recommended by Microsoft for setups using Intune to manage Defender updates.

We recommend that you put the ASR rule to Audit Mode to avoid further impact. This can be done through the following options:

  • Using PowerShell: Add-MpPreference -AttackSurfaceReductionRules_Ids 92e97fa1-2edf-4476-bdd6-9dd0b4dddc7b -AttackSurfaceReductionRules_Actions AuditMode
  • Using Intune: https://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/enable-attack-surface-reduction?view=o365-worldwide#mem
  • Using Group Policy: https://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/enable-attack-surface-reduction?view=o365-worldwide#group-policy
  • Note that the ASR rule is “Block Win32 API calls from Office macros”, with ID: 92e97fa1-2edf-4476-bdd6-9dd0b4dddc7b
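
The PowerShell option above, wrapped in a check-then-change script with verification. This is an added example, not code from Microsoft or from the original post: it uses the rule ID and signature version quoted on this page, and assumes a 24-hour look-back window and an elevated session on the affected device.

```powershell
#Requires -RunAsAdministrator
# Added example. Rule ID and signature version are the ones quoted on this page.
$RuleId      = '92e97fa1-2edf-4476-bdd6-9dd0b4dddc7b'   # Block Win32 API calls from Office macros
$BadSigBuild = [version]'1.381.2140.0'                  # build the page reports as affected
$ActionNames = @{ 0 = 'Disabled'; 1 = 'Block'; 2 = 'Audit'; 6 = 'Warn' }

function Get-AsrRuleAction {
    # Returns the numeric action configured for one ASR rule, or $null if the rule is not set.
    param([string]$Id)
    $pref = Get-MpPreference
    $ids  = @($pref.AttackSurfaceReductionRules_Ids)
    $acts = @($pref.AttackSurfaceReductionRules_Actions)
    for ($i = 0; $i -lt $ids.Count; $i++) {
        if ($ids[$i] -eq $Id) { return [int]$acts[$i] }   # -eq is case-insensitive for strings
    }
    return $null
}

# 1. Record the starting state so the change can be reverted once the fix has deployed.
$sig    = [version](Get-MpComputerStatus).AntivirusSignatureVersion
$before = Get-AsrRuleAction -Id $RuleId
$state  = if ($null -eq $before) { 'NotConfigured' } else { $ActionNames[$before] }
Write-Output "Signature version: $sig (page reports $BadSigBuild as affected)"
Write-Output "Rule action before change: $state"

# 2. Only touch the rule when it is actually in Block mode.
if ($before -eq 1) {
    Add-MpPreference -AttackSurfaceReductionRules_Ids $RuleId `
                     -AttackSurfaceReductionRules_Actions AuditMode
    $after = Get-AsrRuleAction -Id $RuleId
    if ($after -ne 2) {
        # A setting delivered by Intune or Group Policy may override the local value;
        # in that case change the rule in the managing policy instead.
        Write-Warning "Rule action is '$after' after the change (expected 2 = Audit)."
    } else {
        Write-Output 'Rule action after change: Audit'
    }
}

# 3. Count recent ASR events for this rule: 1121 = blocked, 1122 = audited.
#    Blocks should stop and audit events should appear once the change is effective.
Get-WinEvent -FilterHashtable @{
    LogName   = 'Microsoft-Windows-Windows Defender/Operational'
    Id        = 1121, 1122
    StartTime = (Get-Date).AddDays(-1)
} -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -match $RuleId } |
    Group-Object Id |
    Select-Object @{ n = 'EventId'; e = { $_.Name } }, Count
```

Keep the recorded "before" state: once Microsoft's reverted rule has finished deploying, the rule can be returned to its previous action with the same cmdlet.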

