PRB0041100 - Shortcut Recovery due to Icon Removal via Windows Defender and FAQ


Missing Application Shortcuts on Windows Computers

Last update on Friday, January 30, 2023 - 04:00 P.M.


Update: 4:00 p.m. - 1/30/23


WHAT IS HAPPENING?

Users are seeing taskbar and start menu icons being removed.  This affects Microsoft and non-Microsoft applications.

WHO IS IMPACTED?
All Windows 10 and Windows 11 users utilizing Windows Defender via UCF's A5 License

WHAT ARE WE DOING ABOUT IT?
The team has completed several rounds of deployment of the scripts and policies to restore icons lost as a result of this incident. Reporting from our monitoring systems has shown success, and end users who were affected should have their icons restored.

WHAT HAPPENS NEXT?
Additional information is being added to this knowledge article, as well as sent via email, on what options users have for self-service remediation. See the Accessing Your Applications section below for more detailed steps. Please note that this is only being applied to UCF IT Supported areas. Other areas that would like to utilize this method should contact the EES Team directly.


WHAT DO I NEED TO DO?
If you are still missing icons as a result of this incident, contact the Service Desk at 407-823-5117 or your local IT Support staff. Remote users who have university devices should connect their device to the VPN to ensure the device receives the latest update. For a complete history of this incident, background and latest developments on our restoration efforts, visit https://bit.ly/KB13906

 


Update: 3:43 p.m. - 1/20/23


WHAT IS HAPPENING?

Users are seeing taskbar and start menu icons being removed. This affects Microsoft and non-Microsoft applications.

WHO IS IMPACTED?
All Windows 10 and Windows 11 users utilizing Windows Defender via UCF's A5 License

WHAT ARE WE DOING ABOUT IT?
The team is actively deploying the latest tested scripts and policies to restore icons lost as a result of this incident. We are coordinating with the campus IT community in identifying all application icons affected.

Microsoft has released version 4.0 of their in-house script and we have been actively deploying it to all managed endpoints. Additional reporting and long-term remediation options are being considered for implementation. Additional details from Microsoft can be located here: https://bit.ly/MSASRBlog

WHAT HAPPENS NEXT?
Additional information is being added to this knowledge article, as well as sent via email, on what options users have for self-service remediation, including but not limited to pinning or copying shortcuts that should now appear on your desktop in a folder named "Shortcut Recovery". See the Accessing Your Applications section below for more detailed steps. Please note that this is only being applied to UCF IT Supported areas. Other areas that would like to utilize this method should contact the EES Team directly.


WHAT DO I NEED TO DO?
For a complete history of this incident, background and latest developments on our restoration efforts visit https://bit.ly/KB13906

 


Update: 5:10 p.m. - 1/18/23


WHAT IS HAPPENING?

Users are seeing taskbar and start menu icons being removed. This affects Microsoft and non-Microsoft applications.

WHO IS IMPACTED?
All Windows 10 and Windows 11 users utilizing Windows Defender via UCF's A5 License

WHAT ARE WE DOING ABOUT IT?
The team is actively deploying the latest tested scripts and policies to restore icons lost as a result of this incident. We are coordinating with the campus IT community in identifying all application icons affected.

Microsoft has released version 3.0 of their in-house script and we have been actively deploying it to all managed endpoints. Additional reporting and long-term remediation options are being considered for implementation. Additional details from Microsoft can be located here: https://bit.ly/MSASRBlog

WHAT HAPPENS NEXT?
Users should expect a continued degraded performance with the loss of icons as the teams work diligently to deploy the restoration process.

WHAT DO I NEED TO DO?
For a complete history of this incident, background and latest developments on our restoration efforts visit https://bit.ly/KB13906


Update: 8:23 a.m. - 1/17/23


WHAT IS HAPPENING?

Users are seeing taskbar and start menu icons being removed. This affects Microsoft and non-Microsoft applications.

WHO IS IMPACTED?
All Windows 10 and Windows 11 users

WHAT ARE WE DOING ABOUT IT?
The team is actively deploying the latest tested scripts and policies to restore icons lost as a result of this incident. We are coordinating with the campus IT community in identifying all application icons affected.

WHAT HAPPENS NEXT?
Users should expect a continued degraded performance with the loss of icons as the teams work diligently to deploy the restoration process.

WHAT DO I NEED TO DO?
For a complete history of this incident, background and latest developments on our restoration efforts visit https://bit.ly/KB13906


Update: 2:30 p.m. - 1/17/23


The Endpoint Engineering Services (EES) team has been working hard over the weekend to develop, test, and deploy a script to restore as many lost icons as possible. To date, here is a quick summary of what has occurred:

 

1. Identified, tested and confirmed a process to restore a limited set of icons deleted as a result of Friday’s incident

2. Identified and shared with the Campus the parameters needed to restore application icons and requested feedback

3. Deployed the process necessary to restore a limited set of icons to UCF IT (eating our own ice cream here), Labs, and Classrooms

4. Confirmed with Donnie classrooms look good and appear to be in a healthy state in preparation for Tuesday classes

5. Deployed our script to all computer objects (non-servers) in the NET Domain to restore a limited set of deleted icons

   a. 13,603 objects in NET Domain
   b. 5,643 objects offline (Devices could be powered off or not connected via VPN)
   c. 17 failures
   d. 7,943 online
      i. 5,493 were successfully updated
      j. 2,450 Unknown status

 

The team has developed a GPO that will be deployed to the domain that will do the following: 

· Creates a temporary folder on the desktop named "Shortcut Recovery" that will contain icons unable to be restored by the above mentioned script. 

· User will be asked to copy, drag and drop, and/or pin the shortcuts to a location of their choosing to restore functionality. 

· Only shortcuts for applications already installed will appear to assist in avoiding any further confusion. 

· VPN will be required for machines in remote locations. 

Common applications such as Zoom do not follow the standard registry setting the way the Microsoft products do. This requires additional programming and development to capture these unique applications and their respective file paths.

 

Finally, the limited set of icons we are able to restore via our script are listed below.  The limiting factor is the need for the application and .exe to be listed in the “App Paths” registry.


 

UCF IT continues to work on restoring applications shortcuts that disappeared from some UCF computers after a Microsoft update deleted shortcuts on computers globally.

 

This fix will not restore shortcuts on your desktop or your taskbar. Follow the instructions below under "Accessing Your Applications" to restore shortcuts in those locations.

If you do not see shortcuts back within the Start or Search menus today, please submit a ticket to your department technology staff or contact the UCF IT Support Center at 407-823-5117 or itsupport@ucf.edu


Update: 11:17 p.m. - 1/15/23


Users are seeing taskbar and start menu icons being removed. This affects Microsoft and non-Microsoft applications.

WHO IS IMPACTED?
All Windows 10 and Windows 11 users; no Mac impact at this time

WHAT ARE WE DOING ABOUT IT?
We have identified a path forward to restore some application shortcuts to the Start Menu. We are further working with the campus IT Community to identify all applications affected and developing a comprehensive approach to address this issue. NOTE: not all application shortcuts may be recreated via this method and may require additional steps.

WHAT HAPPENS NEXT?
Users should expect a continued degraded performance with the loss of icons as the teams work diligently to deploy the restoration process.

WHAT DO I NEED TO DO?
If you are unable to open Office applications on your device, log into office365.ucf.edu and use the web version.


Update: 05:02 p.m. - 1/13/23


Users are seeing taskbar and start menu icons being removed. This affects Microsoft and non-Microsoft applications.

WHO IS IMPACTED?
All Windows 10 and Windows 11 users; no Mac impact at this time

WHAT ARE WE DOING ABOUT IT?
Microsoft and UCF IT have deployed a permanent fix to prevent further loss of icons from users' computers. Microsoft and UCF IT are currently investigating a path forward to restore icons removed from affected machines.

WHAT HAPPENS NEXT?
Users should expect a continued degraded performance with the loss of icons as the teams work diligently to identify a restoration process.

WHAT DO I NEED TO DO?
If you are unable to open Office applications on your device, log into office365.ucf.edu and use the web version.


Update: 11:55 a.m. - 1/13/23


Users are seeing taskbar and start menu icons being removed. This affects Microsoft and non-Microsoft applications.

WHO IS IMPACTED?
All Windows 10 and Windows 11 users; no Mac impact at this time

WHAT ARE WE DOING ABOUT IT?
We are continuing to investigate this issue.

WHAT HAPPENS NEXT?
Microsoft has communicated a workaround and we are reviewing the information.

WHAT DO I NEED TO DO?
If you are unable to open Office applications on your device, log into office365.ucf.edu and use the web version.


Update: 08:56 a.m. - 1/13/23


Investigating - WHAT IS HAPPENING?
Users are seeing taskbar and start menu icons being removed.

WHO IS IMPACTED?
All Windows 10 and Windows 11 users; no Mac impact at this time

WHAT ARE WE DOING ABOUT IT?
We are currently investigating this issue.

WHAT HAPPENS NEXT?
We are awaiting further information from Microsoft as they investigate the issue.

WHAT DO I NEED TO DO?
If you are unable to open Office applications on your device, log into office365.ucf.edu and use the web version.

 


Additional Information and How to Provide Feedback


Shortcuts on the task bar, desktop and start menu used for accessing applications on Windows computers are disappearing for some users. Affected users are unable to launch applications from “shortcuts” pinned to their taskbars, start menu, or desktop. This also includes the ability to search and launch applications from the Search Bar on Windows workstations. This is a Microsoft issue that is affecting Windows computers beyond UCF.

If your computer is affected, you may see an error like the one below when you try to open an application, and then the shortcut will disappear.


How to Provide Feedback to IT about missing application shortcuts

The EES team is diligently working to develop a method to restore the various icons and shortcuts deleted by the recent Microsoft incident.  The team has been able to develop, test and verify a small number of application links and icons can be restored.  However, in order to restore these items the application executable must reside in the following Windows Registry path:

 

  1. “Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths” registry
  2. Users can export this folder
  3. We are requesting users rename the *.REG file with a .TXT file extension.

 

Here is where EES needs your help: if you have an application that resides in the “App Paths” registry location and need to have it restored, send us (UCFTeam-UCFIT-EndpointEngineeringServices@groups.ucf.edu) the shortcut name (ex. FileZilla) and the executable name (ex. filezilla.exe) with the export file.  We will continue to build out the script with the information provided and make it available for all to consume.

 

NOTE: This script will only restore the link to the Public/All Users Start Menu.  Users will need to manually pin applications to their own Taskbar or Start Screen.
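How an "App Paths" lookup can drive this kind of restoration, as an added example (it is not the EES or Microsoft script). The function names and the sample name-to-executable table are hypothetical; the sample uses the FileZilla pair mentioned above plus one constructed entry.

```powershell
# Added example, not the EES or Microsoft script. Run it elevated: it writes to
# the All Users Start Menu. The call at the bottom uses -WhatIf, so it only previews.
$AppPathsKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths'
$PublicStart = [Environment]::GetFolderPath('CommonPrograms')

function Resolve-AppPathTarget {
    # Returns the executable path registered under App Paths, or $null.
    param([Parameter(Mandatory)][string]$ExeName)
    $key = Join-Path $AppPathsKey $ExeName
    if (-not (Test-Path -LiteralPath $key)) { return $null }
    # The key's default (unnamed) value holds the full path to the executable.
    $raw = (Get-Item -LiteralPath $key).GetValue('')
    if ([string]::IsNullOrWhiteSpace($raw)) { return $null }
    $target = [Environment]::ExpandEnvironmentVariables($raw.Trim().Trim('"'))
    # Accept the entry only if the application is still installed.
    if (Test-Path -LiteralPath $target -PathType Leaf) { return $target }
    return $null
}

function Restore-AppPathShortcut {
    [CmdletBinding(SupportsShouldProcess)]
    param([Parameter(Mandatory)][System.Collections.IDictionary]$Map)

    $shell = New-Object -ComObject WScript.Shell
    foreach ($name in $Map.Keys) {
        $exe    = $Map[$name]
        $lnk    = Join-Path $PublicStart "$name.lnk"
        $target = Resolve-AppPathTarget -ExeName $exe

        if (-not $target) {
            $status = 'NoAppPathsEntry'      # e.g. apps that do not register here
        } elseif (Test-Path -LiteralPath $lnk) {
            $status = 'AlreadyPresent'       # never overwrite an existing shortcut
        } elseif ($PSCmdlet.ShouldProcess($lnk, "Create shortcut to $target")) {
            $sc = $shell.CreateShortcut($lnk)
            $sc.TargetPath       = $target
            $sc.WorkingDirectory = Split-Path -Parent $target
            $sc.Save()
            $status = 'Created'
        } else {
            $status = 'Skipped'              # -WhatIf or declined confirmation
        }
        [pscustomobject]@{ Name = $name; Exe = $exe; Target = $target; Status = $status }
    }
}

# Constructed sample: shortcut name -> executable name, the two values EES asks for.
$sample = [ordered]@{ 'FileZilla' = 'filezilla.exe'; 'Outlook' = 'OUTLOOK.EXE' }
Restore-AppPathShortcut -Map $sample -WhatIf | Format-Table -AutoSize
```

Entries reported as NoAppPathsEntry are the applications that need a hand-maintained path instead of the registry lookup.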

 


Accessing Your Applications


If you encounter this issue on your Windows workstation, there are workarounds you may use to locate and launch applications:

 

To pin to your Taskbar

  • Open the Start menu by clicking on the Windows icon on the bottom-left of the screen.
  • Type the name of the application, for example “Outlook”
  • Right-click on the application and select “Pin to Taskbar”

 

Alternatively

  • Open the application
  • Right-click on the active icon in the Taskbar
  • Select “Pin to Taskbar”

 

To create a Desktop icon

  • Open the Start menu by clicking on the Windows icon on the bottom left of the screen
  • Locate the application, click, hold and drag the icon to the Desktop

 

If the shortcut is not in your Start Menu

Our team has placed a folder named “Shortcut Recovery” on UCF IT managed devices.

  • This folder should be visible on your Desktop. If it is not visible, restart your computer.
  • You can open the application and create Start Menu and Taskbar shortcuts directly from this folder using the steps mentioned above.

To receive the "Shortcut Recovery" folder on your desktop, the computer must be joined to the NET domain and have the VPN enabled and connected (when not already on the campus network, wired or wireless).

To verify that you have the latest version of the Cisco VPN Client installed with the "Start Before Logon" module, please search Software Center.


 

Alternatively, open the Run box with the "Win + R" keyboard shortcut, paste the following into the box, and press OK.

 

softwarecenter:SoftwareID=ScopeId_B19BE719-8966-4398-8AA4-E79BBECC1DA0/Application_1b19378c-84e7-4e9d-b984-72e197208a48



 

We are identifying and populating this folder with application shortcuts not included in the scripts provided by Microsoft.

Additional option

  • The shortcuts may have been removed but the application is still installed in most cases. You can open File Explorer, Teams, OneDrive, or a local storage device (flash drive) and open a file associated with the program.

 

Recover Desktop Icons via the OneDrive Web Interface

Go to the OneDrive website, and sign in with either your Microsoft account or your work or school account. 

In the navigation pane, select Recycle bin.


Select the files or folders you want to restore by pointing to each item and clicking the circle check box that appears, and then click Restore.

Tip: If you're using OneDrive with your personal account, you can select Restore all items to restore everything in your recycle bin. This option isn't available in your work or school OneDrive. Files deleted from your Personal Vault will only show up in your recycling bin if your Personal Vault is unlocked before you check the recycle bin. You can use the Show Personal Vault items command in the recycle bin to unlock the Personal Vault and see those items.


Notes: 

If you're signed into OneDrive with a Microsoft account, items in the recycle bin are automatically deleted 30 days after they're put there.

If you're signed in with a work or school account, items in the recycle bin are automatically deleted after 93 days, unless the administrator has changed the setting. See more information about how long deleted items are kept for work or school accounts.

Open application directly from Run Box

You may be able to (results vary) hit the Windows + R keys together, then type an application’s name (this is true for Outlook, but not all Microsoft products, and varies for other applications) to launch an application in that manner.


Open Shortcuts from the "Shell:AppsFolder"

You may be able to (results vary) hit the Windows + R keys together, then type shell:AppsFolder and some applications with icons that appear *may* launch from that location.


You may be able to manually locate Windows applications within their primary folders at the following locations:

· C:\Program Files

· C:\Program Files (x86)

· C:\Program Files\Microsoft Office\root\Office16

· C:\Program Files\Mozilla Firefox

· C:\Program Files\Google\Chrome\Application

 

If you have taken the steps above and are still missing shortcuts or cannot open a file associated with an application (PDF), please contact itsupport@ucf.edu with the application name (Adobe Acrobat) and location of where the icon was and where it was pointing to if possible.

Thank you for your patience as our teams have worked through this issue.


Root Cause Analysis


Last updated: Jan 15, 2023

Background
On January 13, 2023, after updating to security intelligence versions between 1.381.2134.0 and 1.381.2163.0, some Windows Security and Microsoft Defender for Endpoint customers may have experienced false positive detections for the Attack Surface Reduction (ASR) rule "Block Win32 API calls from Office macro", if the rule was enabled in Block mode. These detections resulted in deletion of files that matched the incorrect detection logic - primarily impacting Windows shortcut (.lnk) files.

The incorrect detection logic was fixed in security intelligence version 1.381.2164.0 (and newer). This updated version stops the false positives from happening. Devices that were impacted prior to the fix require explicit mitigation of the deleted files.

There is no data loss for customers who did not configure the ASR rule “Block Win32 API calls from Office macro” in “block” mode or did not deploy security intelligence versions 1.381.2134.0, 1.381.2140.0, 1.381.2152, or 1.381.2163.0.

Review the following frequently asked questions for additional information on the impact scope and recommended mitigation steps.

· What is the timeframe of the incident?
Time in UTC: Jan 13, 2023 10:00:00 - Jan 13, 2023 15:53:00

· What Windows OS versions were impacted?
All supported versions of Windows 10 and Windows 11. Non-Windows operating systems (Mac, Linux, Mobile) and Windows Server 2012R2/2016/2019/2022 were not impacted.

What is end user experience on impacted devices?

· Application shortcuts are removed, leading to inability to launch common and LOB applications via Start Menu / Taskbar / Desktop.

· When such an impaired shortcut is clicked, the end user is presented with an error dialog stating that the item cannot be opened or the application cannot be found.

· Application icons on Taskbar are replaced with a placeholder icon – indicating that the shortcut is no longer valid.

· In File Explorer, impacted shortcut files may be removed.

· Initial reports indicate that file types other than .lnk can be impacted. So far, the top observed non .lnk file extensions are library-ms, temp, cs, ps1, and url. Support channels are actively monitored to assess any additional impact.

How to recover/reconstruct deleted links manually
To recreate Start Menu shortcuts manually, run repair for affected applications from Settings. Running repair will recreate deleted links. The application repair is effective for productivity programs like Microsoft 365, Microsoft Edge, and Microsoft Visual Studio.

To repair an application, an end user can follow these steps:

Windows 10:

i. Select Start  > Settings  > Apps > Apps & features

ii. Select the app you want to fix.

iii. Select Modify link under the name of the app if it is available.

iv. A new page will launch and allow you to select repair.

Windows 11:

v. Type “Installed Apps” in the search bar.

vi. Click “Installed Apps”.

vii. Select the app you want to fix.

viii. Click on “…”

ix. Select Modify or Advanced Options if it is available.

x. A new page will launch and allow you to select repair.

For Office applications installed using Click-to-Run, an end user can leverage Office Click-to-Run repair mechanism.

Click-to-Run repair mechanism can be invoked in both user session and system session – depending upon how the original install was done. If the original installation was done using user session, then run the repair also in the user session.

What links (.lnk) are covered by Microsoft v1 restoration script?
The following application shortcuts, taken from telemetry as the most commonly impacted applications, will be recreated on Start menu after running AddShortcutsV1.ps1 restoration script. Links will be added only for applications present on a device.

"Adobe Acrobat"
"Adobe Photoshop 2023"
"Adobe Illustrator 2023"
"Adobe Creative Cloud"
"Firefox Private Browsing"
"Firefox"
"Google Chrome"
"Microsoft Edge"
"Notepad++"
"Parallels Client"
"Remote Desktop"
"TeamViewer"
"Royal TS6"
"Elgato StreamDeck"
"Visual Studio 2022"
"Visual Studio Code"
"Camtasia Studio"
"Camtasia Recorder"
"Jabra Direct"
"7-Zip File Manager"
"Access"
"Excel"
"OneDrive"
"OneNote"
"Outlook"
"PowerPoint"
"Project"
"Publisher"
"Visio"
"Word"
"PowerShell 7 (x64)"
"SQL Server Management Studio"
"Azure Data Studio"
"Zoom"
"Internet Explorer"
"Skype for Business"
"VLC Player"
"Cisco Jabber"
"Microsoft Teams"
"PuTTY"
"WordPad"
"AutoCAD"

Limitations of the restoration scripts

· The script assumes that applications are installed in their default installation path.

· For applications not listed in the prior step (17), the Microsoft authored script can be customized to include organizational line of business (LOB) applications and any additional applications common in the organizational environment.

· The script specifically restores Start Menu shortcuts (.lnk files) and .URL files in the user profile's Favorites and Desktop directories, if those URL files exist in the Volume Shadow Copy Service.

· If any non .lnk files were impacted, the script will not restore those. Desktop icons are not restored.

· The script has to be modified for non-English Windows versions to account for localized application installation location.

How to gradually roll out security intelligence updates
As a safe deployment practice, organizations should consider gradual rollout of security intelligence updates. Review this documentation for detailed guidance on gradual rollout of security updates: Manage the gradual rollout process for Microsoft Defender updates (https://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/manage-gradual-rollout?view=o365-worldwide)

Is there a rollback mechanism for ASR rules?
ASR rules deployment mechanism does not currently provide a rollback option. The fastest route to mitigate an ASR rule issue is to configure the problematic ASR rule to run in "audit" mode. See: Enable attack surface reduction rules (https://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/enable-attack-surface-reduction?view=o365-worldwide)

To mitigate the current data loss issue, customers need to take additional actions to recover/reconstruct impacted files. More information on recovery options can be found at https://aka.ms/asrfprecovery.
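A check for the two conditions named in the Background section (rule in Block mode, security intelligence inside the affected range), with the audit-mode mitigation as an option. This is an added example, not Microsoft's or UCF IT's tooling; the function names are hypothetical, the rule GUID is the one Microsoft documents for this ASR rule, and the check reflects only the device's current state.

```powershell
# Added example; not Microsoft's or UCF IT's tooling. Needs the Defender cmdlets
# (Get-MpPreference, Get-MpComputerStatus); -SetAudit needs an elevated session.
$RuleId   = '92e97fa1-2edf-4476-bdd6-9dd0b4dddc7b'  # Block Win32 API calls from Office macros
$FirstBad = [version]'1.381.2134.0'   # affected range as given in the Background section
$LastBad  = [version]'1.381.2163.0'
$ActionNames = @{ 0 = 'Disabled'; 1 = 'Block'; 2 = 'Audit'; 6 = 'Warn' }

function Get-AsrRuleAction {
    # Returns the numeric action configured for one ASR rule, or $null if absent.
    param([Parameter(Mandatory)][string]$Id)
    $pref    = Get-MpPreference
    $ids     = @($pref.AttackSurfaceReductionRules_Ids)
    $actions = @($pref.AttackSurfaceReductionRules_Actions)
    for ($i = 0; $i -lt $ids.Count; $i++) {
        # Ids and Actions are parallel arrays; -eq ignores case for strings.
        if ($ids[$i] -eq $Id) { return [int]$actions[$i] }
    }
    return $null
}

function Test-AsrShortcutExposure {
    [CmdletBinding(SupportsShouldProcess)]
    param([switch]$SetAudit)

    $sig    = [version](Get-MpComputerStatus).AntivirusSignatureVersion
    $action = Get-AsrRuleAction -Id $RuleId
    $name   = if ($null -eq $action) { 'NotConfigured' } else { $ActionNames[$action] }
    if (-not $name) { $name = "Unknown($action)" }

    $inRange = ($sig -ge $FirstBad) -and ($sig -le $LastBad)
    $exposed = ($action -eq 1) -and $inRange   # both conditions must hold

    if ($SetAudit -and $exposed -and
        $PSCmdlet.ShouldProcess($RuleId, 'Switch ASR rule from Block to Audit')) {
        # Add-MpPreference changes this one rule; Set-MpPreference would replace the list.
        Add-MpPreference -AttackSurfaceReductionRules_Ids $RuleId `
                         -AttackSurfaceReductionRules_Actions AuditMode
        $name = 'Audit'
    }

    [pscustomobject]@{
        SignatureVersion = $sig
        RuleAction       = $name
        InAffectedRange  = $inRange
        Exposed          = $exposed
    }
}

# Report only; add -SetAudit (optionally with -WhatIf) to apply the mitigation.
Test-AsrShortcutExposure
```

On devices managed through Group Policy, Intune or Configuration Manager, change the rule mode in that platform, because it overrides conflicting local PowerShell settings.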

What data is collected by Microsoft restoration script to measure the script effectiveness?
The Microsoft restoration script collects and stores in the Windows registry the following data to evaluate the script effectiveness: the version of the restoration script, when it was run, the effectiveness of various methods, and the error message that script received if it fails.  This information will be analyzed by Microsoft to help improve the effectiveness of the tool.   To opt out of saving this information, run the script with the –Telemetry=$false option. 

How to sign a PowerShell script
If your organizational policy only allows running signed PowerShell scripts, reference the following article to sign your restoration scripts: about Signing - PowerShell (https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.core/about/about_signing?view=powershell-7.3)


For more detailed information via the Microsoft FAQ and Blog please visit: 

https://shorturl.at/ckpY0

https://aka.ms/asrfprecovery