Roland Lucas

Restore links deleted from OneDrive locations by attack surface reduction rules - MO497128

This post is a partial remediation for Microsoft service issue MO497128, in which an update to the attack surface reduction rules, specifically the “Block Win32 API calls from Office macro” rule, caused shortcuts to be removed from Windows devices.


Microsoft have provided a blog post and script to restore some shortcuts from the Start menu; however, as part of this issue I have observed that shortcuts have also been removed from some OneDrive locations, e.g. if you are synchronising your desktop to OneDrive.


I have written the script included in this post to find deleted shortcuts and restore them. This is done centrally at tenant level, meaning end users need to take no action; when they log on, the links will be restored automatically. The script is provided under the MIT license; please ensure you understand how it works before running it in your environment. It can be run in audit-only mode by setting the “auditOnly” variable to $true, which runs the script without restoring any files but still generates the audit and CSV logs (akin to a “what if”).


Before you restore anything, make sure the "Block Win32 API calls from Office macro" attack surface reduction rule is set to either audit mode or off, or that you are on the “fixed” definitions (1.381.2164.0).


The script needs both the PnP and SharePoint Online PowerShell modules installed. There are two lines you can uncomment if you do not have these, but there is no validation in the script to check they are present.


You will be prompted for credentials twice at the start, once for PnP and once for SharePoint. These are then cached for onward use, e.g. making individual connections to each OneDrive via Connect-PnPOnline.


The general logic is as follows:

  1. Get all active OneDrive sites

  2. Loop through each OneDrive and

    1. Add the administrator as a secondary site collection admin so we can query each OneDrive’s recycle bin

    2. Search for deleted .lnk files from the 13th January 00:00 onwards

    3. Restore the files to their original location

    4. Remove the specified administrator as a secondary site collection admin
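
The loop described above, as an added PowerShell example that is not the author's script. It uses cmdlets from the SharePoint Online and PnP modules; the parameter names, the output fields and the assumption that credential-based sign-in is permitted in the tenant are mine, and the cutoff is passed in rather than hard-coded. The `finally` block revokes the temporary admin grant even when a restore fails.

```powershell
# Added example, not the script from this post. Assumes both modules are installed.
param(
    [Parameter(Mandatory)] [string]   $AdminUrl,      # https://<tenant>-admin.sharepoint.com (placeholder)
    [Parameter(Mandatory)] [string]   $AdminUpn,      # account granted temporary access (assumed name)
    [Parameter(Mandatory)] [datetime] $DeletedSince,  # 13 January 00:00 of the incident year
    [bool] $auditOnly = $true                         # default to the "what if" behaviour
)

$cred = Get-Credential -UserName $AdminUpn -Message 'SharePoint admin'
Connect-SPOService -Url $AdminUrl -Credential $cred

# Step 1: all OneDrive (personal) sites
$sites = Get-SPOSite -IncludePersonalSite $true -Limit All `
    -Filter "Url -like '-my.sharepoint.com/personal/'"

foreach ($site in $sites) {
    $granted = $false
    try {
        # Step 2.1: temporary secondary site collection admin
        Set-SPOUser -Site $site.Url -LoginName $AdminUpn `
            -IsSiteCollectionAdmin $true -ErrorAction Stop | Out-Null
        $granted = $true
        Connect-PnPOnline -Url $site.Url -Credentials $cred -ErrorAction Stop

        # Step 2.2: deleted .lnk files inside the incident window
        $links = Get-PnPRecycleBinItem | Where-Object {
            $_.LeafName -like '*.lnk' -and $_.DeletedDate -ge $DeletedSince
        }
        foreach ($item in $links) {
            # Step 2.3: restore to the original location unless auditing
            if (-not $auditOnly) { Restore-PnPRecycleBinItem -Identity $item -Force }
            [pscustomobject]@{
                Site = $site.Url; File = $item.LeafName; Folder = $item.DirName
                Deleted = $item.DeletedDate; Restored = (-not $auditOnly)
            }
        }
    }
    catch { Write-Warning "Failed on $($site.Url): $_" }
    finally {
        # Step 2.4: always revoke the grant, even if the restore failed
        if ($granted) {
            Set-SPOUser -Site $site.Url -LoginName $AdminUpn `
                -IsSiteCollectionAdmin $false | Out-Null
        }
    }
}
```

The emitted objects can be piped to `Export-Csv` for review before a second run with `-auditOnly $false`.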

Files generated:

  1. ODLinkRestoreResults.csv contains a list of all the files restored with some info about them e.g. original OneDrive URL, file location, deleted date.

  2. ODLinkRestoreSiteReport.csv contains a list of all the OneDrive locations and whether there were any issues adding or removing site collection admin access, e.g. it could indicate if a site couldn't be processed or if an error occurred when removing site collection admin.

  3. ASRLinkRestore.txt is a running, detailed audit log of the script processing.

GitHub link to script, also shown below:

