![](https://learn.microsoft.com/media/logos/logo_edge.png)
Remove the ASR rule an Microsoft Defender Endpoint of block office to "audit" with workarround.
This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
Today all users in one of our customer's tenants started reporting their Edge and Chrome being removed from their desktop (shortcuts), Outlook issues were reported as well. When we set the asr policy Block Win32 API calls from Office macro to audit, everything started working again as expected. Office repair also repaired the office apps. Any one else noticed this behaviour? Thanks
Remove the ASR rule an Microsoft Defender Endpoint of block office to "audit" with workarround.
We've seen this behaviour across the board. The interesting thing is, we've had the Block Win32 API calls from Office macro rule enabled for ages without any issue. Suddenly, 90% of our devices are affected. Has there been any official word from Microsoft as to what has suddenly caused this? Or is this the intended behaviour and it's just that the rule hasn't been working until now.
[https://www.theregister.com/2023/01/13/happy_friday_13th_microsoft_defender/
I am also experiencing this issue. All of my taskbar links are broken, and lots of "Risky action blocked" notifications.
Risky action blocked
Blocked by: Attack surface reduction
Rule: Block Win32 API calls from Office macro
Affected items: C:\Users\USERNAME\OneDrive - COMPANYNAME\Start Menu\Programs\Startup\Send to OneNote.lnk
Also:
C:\Users\USERNAME\OneDrive - COMPANYNAME\Start Menu\Programs\Startup\Send to OneNote.lnk
C:\Users\USERNAME\OneDrive - COMPANYNAME\Start Menu\Programs\Accessories\Internet Explorer.lnk
C:\Users\USERNAME\OneDrive - COMPANYNAME\Start Menu\Programs\Outlook.lnk
C:\Users\USERNAME\AppData\Local\Microsoft\OneDrive\logs\Business1\SyncEngine-2023-01-13.1250.14448.4.odl
C:\ProgramData\Microsoft\Windows Defender Advanced Threat Protection\DataCollection\8299.8354216.0.8354216-99b9f583c41a7a58feea69d80be60d78d2d08277\05632bbd-60c8-43b9-8d7e-e0133bad1c7d.ps1->(UTF-8)
We have the same problem with the rule ASR, for the moment we have disabled the rule but no take the change.