This post is a partial remediation for Microsoft service issue MO497128 whereby an update to attack surface reduction rules, specifically the “Block Win32 API calls from Office macro” has caused shortcuts to be removed from Windows devices.
Microsoft have provided a blog post and script to restore some shortcuts from the start menu however as part of this issue I have observed shortcuts have also been removed from some OneDrive locations e.g. if you are synchronising your desktop to OneDrive.
I have written the script included in this post to find deleted shortcuts and restore them. This is done centrally at tenant level meaning end users need to take no action and when they log on the links will be restored automatically. The script is provided under the MIT license, please ensure you understand how it works before running it in your environment. It can be run in audit only by setting the “auditOnly” variable to $true, this effectively runs the script without restoring any files but will generate the audit and CSV logs (akin to a “what if”).
Before you restore anything make sure you have the "Block Win32 API calls from Office macro" attack surface reduction rule is set to either audit mode or off or that you are on the “fixed” definitions (1.381.2164.0).
The script needs both the PNP and SharePoint Online PowerShell modules installed, there are two lines you can uncomment if you do not have these but there is no validation in the script to check they are present.
You will be prompted for credentials twice at the start, once for PNP and once for SharePoint, these will then be cached for onward use e.g. making individual connections to each OneDrive via Connect-PNPOnline.
The general logic is as follows:
Get all active OneDrive sites
Loop through each OneDrive and
Add the administrator as a secondary site collection admin so we can query each OneDrive’s recycle bin
Search for deleted .lnk files from the 13th January 00:00 onwards
Restores the files back to their original location
Removes the specified administrator as a secondary site collection admin
Files generated:
ODLinkRestoreResults.csv contains a list of all the files restored with some info about them e.g. original OneDrive URL, file location, deleted date.
ODLinkRestoreSiteReport.csv contains a list of all the OneDrive locations and if there were any issues adding or removing site collection admin access e.g. could indicate if a site couldn't be processed or if an error occurred when removing site collection admin.
ASRLinkRestore.txt running detailed audit log of the script processing.
Github link to script, also shown below:
Thanks for this Roland. In my own test successfully restored 5035 of 9231 records found.
Is there any more verbose logging I can set to see why I'm seeing entries like this ?
16-01-2023 10:40:45 - Attempting to restore file PowerPoint.lnk
16-01-2023 10:40:45 - Failed to restore file PowerPoint.lnk
16-01-2023 10:40:45 - Attempting to restore file Outlook.lnk
16-01-2023 10:40:45 - Failed to restore file Outlook.lnk
The Secondary admin is set correctly before it attempts the restore. I did try adding the Pause that you'd commented out in case there was some delay in setting permissions but the same issue.
That works perfect!!! thanks Roland!!!
Hey Leon, flip the $auditOnly variable to $false and it'll restore them. I'll update the script to set this as $false by default.
Thanks for the script, white testing against 1 single end user, it ran fine without issue and showed 1 file restored, but when i look into the end user's onedrive, the shortcut is still not shown on the desktop, but still shown in the recycle bin.
I've just updated to change the get-date to instead specify the day, month, year etc. so the localisation won't be a problem any more if you take a copy of the updated version.
$startDate=get-date-Year 2023-Month 1-Day 13-Hour 0-Minute 0-Second 0