top of page
  • Writer's pictureRoland Lucas

Restore links deleted from OneDrive locations by attack surface reduction rules - MO497128

This post is a partial remediation for Microsoft service issue MO497128 whereby an update to attack surface reduction rules, specifically the “Block Win32 API calls from Office macro” has caused shortcuts to be removed from Windows devices.


Microsoft have provided a blog post and script to restore some shortcuts from the start menu however as part of this issue I have observed shortcuts have also been removed from some OneDrive locations e.g. if you are synchronising your desktop to OneDrive.


I have written the script included in this post to find deleted shortcuts and restore them. This is done centrally at tenant level meaning end users need to take no action and when they log on the links will be restored automatically. The script is provided under the MIT license, please ensure you understand how it works before running it in your environment. It can be run in audit only by setting the “auditOnly” variable to $true, this effectively runs the script without restoring any files but will generate the audit and CSV logs (akin to a “what if”).


Before you restore anything make sure you have the "Block Win32 API calls from Office macro" attack surface reduction rule is set to either audit mode or off or that you are on the “fixed” definitions (1.381.2164.0).


The script needs both the PNP and SharePoint Online PowerShell modules installed, there are two lines you can uncomment if you do not have these but there is no validation in the script to check they are present.


You will be prompted for credentials twice at the start, once for PNP and once for SharePoint, these will then be cached for onward use e.g. making individual connections to each OneDrive via Connect-PNPOnline.


The general logic is as follows:

  1. Get all active OneDrive sites

  2. Loop through each OneDrive and

    1. Add the administrator as a secondary site collection admin so we can query each OneDrive’s recycle bin

    2. Search for deleted .lnk files from the 13th January 00:00 onwards

    3. Restores the files back to their original location

    4. Removes the specified administrator as a secondary site collection admin

Files generated:

  1. ODLinkRestoreResults.csv contains a list of all the files restored with some info about them e.g. original OneDrive URL, file location, deleted date.

  2. ODLinkRestoreSiteReport.csv contains a list of all the OneDrive locations and if there were any issues adding or removing site collection admin access e.g. could indicate if a site couldn't be processed or if an error occurred when removing site collection admin.

  3. ASRLinkRestore.txt running detailed audit log of the script processing.

Github link to script, also shown below:


1,274 views11 comments

11 Comments


Paul Elmore
Paul Elmore
Jan 16, 2023

Thanks for this Roland. In my own test successfully restored 5035 of 9231 records found.


Is there any more verbose logging I can set to see why I'm seeing entries like this ?


16-01-2023 10:40:45 - Attempting to restore file PowerPoint.lnk

16-01-2023 10:40:45 - Failed to restore file PowerPoint.lnk

16-01-2023 10:40:45 - Attempting to restore file Outlook.lnk

16-01-2023 10:40:45 - Failed to restore file Outlook.lnk


The Secondary admin is set correctly before it attempts the restore. I did try adding the Pause that you'd commented out in case there was some delay in setting permissions but the same issue.

Like

Leon Yang
Leon Yang
Jan 15, 2023

That works perfect!!! thanks Roland!!!

Like

Roland Lucas
Roland Lucas
Jan 14, 2023

Hey Leon, flip the $auditOnly variable to $false and it'll restore them. I'll update the script to set this as $false by default.

Like

Leon Yang
Leon Yang
Jan 14, 2023

Thanks for the script, white testing against 1 single end user, it ran fine without issue and showed 1 file restored, but when i look into the end user's onedrive, the shortcut is still not shown on the desktop, but still shown in the recycle bin.

Like

Roland Lucas
Roland Lucas
Jan 14, 2023

I've just updated to change the get-date to instead specify the day, month, year etc. so the localisation won't be a problem any more if you take a copy of the updated version.


$startDate=get-date-Year 2023-Month 1-Day 13-Hour 0-Minute 0-Second 0


Like
bottom of page