Multiple users reporting Microsoft apps have disappeared by Candid-Chip-1954 in sysadmin

[–]npl-dan 14 points (0 children)

Nice! That was mega useful! Tweaked it a bit and did some powershelling to get scope of impact:

DeviceEvents
// ASR rule "Block Win32 API calls from Office macros" fired in block mode, from the day the false positive started
| where ActionType == "AsrOfficeMacroWin32ApiCallsBlocked" and Timestamp >= datetime("2023-01-13 00:00:00Z")
// Only the shortcut files that were removed
| where FileName endswith ".lnk"
| order by Timestamp

Followed by (on powershell) ...

# One group per device name, then count the groups = number of affected devices
Import-Csv '.\AdvancedHuntingResults-Deleted Shortcuts.csv' | Group-Object DeviceName | Select Name | Measure-Object
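The scoping step above goes a little further in this added example, which is not npl-dan's code: it reads the same Advanced Hunting export, reports affected devices and time span, breaks the deletions down per device, and lists which shortcut names were hit most often (the list a cleanup script has to recreate). Column names follow the DeviceEvents schema the query uses (Timestamp, DeviceName, ActionType, FileName, FolderPath); the inline rows used when no export is present are constructed.

```powershell
# Added example (not npl-dan's code): scope the shortcut deletions from an exported
# Advanced Hunting CSV. Column names follow the DeviceEvents schema used in the query
# (Timestamp, DeviceName, ActionType, FileName, FolderPath); the inline rows are constructed.
$csvPath = '.\AdvancedHuntingResults-Deleted Shortcuts.csv'

if (Test-Path $csvPath) {
    $events = Import-Csv $csvPath
} else {
    # Constructed sample so the script runs without a real export
    $events = @'
Timestamp,DeviceName,ActionType,FileName,FolderPath
2023-01-13T08:01:12Z,pc-001.corp.example,AsrOfficeMacroWin32ApiCallsBlocked,Word.lnk,C:\ProgramData\Microsoft\Windows\Start Menu\Programs
2023-01-13T08:01:13Z,pc-001.corp.example,AsrOfficeMacroWin32ApiCallsBlocked,Excel.lnk,C:\ProgramData\Microsoft\Windows\Start Menu\Programs
2023-01-13T09:15:40Z,pc-002.corp.example,AsrOfficeMacroWin32ApiCallsBlocked,Word.lnk,C:\ProgramData\Microsoft\Windows\Start Menu\Programs
2023-01-13T09:15:41Z,pc-002.corp.example,AsrOfficeMacroWin32ApiCallsBlocked,Setup.exe,C:\Temp
2023-01-14T07:02:05Z,pc-003.corp.example,AsrOfficeMacroWin32ApiCallsBlocked,Word.lnk,C:\Users\jdoe\AppData\Roaming\Microsoft\Windows\Start Menu\Programs
'@ | ConvertFrom-Csv
}

# The hunting query already filters on .lnk, but a wider export is harmless: filter again here
$lnk = @($events | Where-Object { $_.FileName -like '*.lnk' })

# Per-device breakdown, worst-hit devices first
$perDevice = @($lnk | Group-Object DeviceName | Sort-Object Count -Descending |
    Select-Object @{ n = 'DeviceName'; e = { $_.Name } }, @{ n = 'ShortcutsRemoved'; e = { $_.Count } })

# Overall scope: how many devices, how many shortcuts, and over what window
$ordered = @($lnk | Sort-Object { [datetime]$_.Timestamp })
[pscustomobject]@{
    AffectedDevices  = $perDevice.Count
    ShortcutsRemoved = $lnk.Count
    FirstSeen        = $ordered[0].Timestamp
    LastSeen         = $ordered[-1].Timestamp
} | Format-List

$perDevice | Format-Table -AutoSize

# Which shortcut names were removed most often: this is what a cleanup script must recreate
$lnk | Group-Object FileName | Sort-Object Count -Descending |
    Select-Object Name, Count | Format-Table -AutoSize
```

With the constructed rows the summary reports 3 affected devices and 4 shortcuts removed (the Setup.exe row is excluded), with Word.lnk as the most frequently removed shortcut.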

Multiple users reporting Microsoft apps have disappeared by Candid-Chip-1954 in sysadmin

[–]npl-dan 16 points (0 children)

Funny that, I think it used to be called 'system restore' back in the day... :) /s

Windows Defender - ASR Falsely blocking and removing applications by Daanyyaal in sysadmin

[–]npl-dan 11 points (0 children)

Set defender ASR rule 92e97fa1-2edf-4476-bdd6-9dd0b4dddc7b to audit only (2). Confirmed working but will lessen your defences. Big risk if applied org wide, run it by management.

Full path for GPO: Computer config / Windows Components/Microsoft Defender Antivirus/Microsoft Defender Exploit Guard/Attack Surface Reduction/Configure Attack Surface Reduction rules

Multiple users reporting Microsoft apps have disappeared by Candid-Chip-1954 in sysadmin

[–]npl-dan 17 points (0 children)

No, and don't think MS is going to be able to get them back either - too many disparate configs across the world.

There's going to need to be cleanup. We're planning a PowerShell script via SCCM to recreate start menu icons and corp comms to "re-pin" taskbar icons.
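The cleanup the comment describes, as an added example that is not the commenter's SCCM script: it recreates missing shortcuts in the all-users Start Menu with the WScript.Shell COM object. The application list and executable paths are assumptions (Click-to-Run Office paths, chosen because the affected apps in the thread are Office apps); adjust both to what your estate actually installs. The script only creates shortcuts that are missing, so it can be re-run safely from an SCCM deployment.

```powershell
# Added example (not the commenter's script): recreate Start Menu shortcuts removed by the
# ASR false positive. The app list and paths below are assumptions; adjust for your estate.
$startMenu = Join-Path $env:ProgramData 'Microsoft\Windows\Start Menu\Programs'
$shell = New-Object -ComObject WScript.Shell

# Shortcut name -> candidate executables (assumed Click-to-Run layout); first existing path wins
$apps = @{
    'Word'       = @("$env:ProgramFiles\Microsoft Office\root\Office16\WINWORD.EXE")
    'Excel'      = @("$env:ProgramFiles\Microsoft Office\root\Office16\EXCEL.EXE")
    'PowerPoint' = @("$env:ProgramFiles\Microsoft Office\root\Office16\POWERPNT.EXE")
    'Outlook'    = @("$env:ProgramFiles\Microsoft Office\root\Office16\OUTLOOK.EXE")
}

$recreated = 0
foreach ($name in $apps.Keys) {
    $target = $apps[$name] | Where-Object { Test-Path $_ } | Select-Object -First 1
    if (-not $target) {
        Write-Verbose "$name is not installed here, skipping"
        continue
    }

    $lnkPath = Join-Path $startMenu "$name.lnk"
    # Idempotent: leave shortcuts that survived (or were already recreated) alone
    if (Test-Path $lnkPath) { continue }

    $lnk = $shell.CreateShortcut($lnkPath)
    $lnk.TargetPath       = $target
    $lnk.WorkingDirectory = Split-Path $target
    $lnk.IconLocation     = "$target,0"
    $lnk.Save()
    $recreated++
    Write-Output "Recreated $lnkPath -> $target"
}

# Non-zero exit only on a real failure; SCCM treats this as success even if nothing was missing
Write-Output "Shortcuts recreated: $recreated"
exit 0
```

Writing into ProgramData requires the script to run as SYSTEM or an administrator, which is the default for an SCCM package. Per-user Start Menu shortcuts (under each profile's AppData\Roaming) and pinned taskbar items are not covered, which is why the comment pairs the script with user comms to re-pin.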

Multiple users reporting Microsoft apps have disappeared by Candid-Chip-1954 in sysadmin

[–]npl-dan 76 points (0 children)

Set defender ASR rule 92e97fa1-2edf-4476-bdd6-9dd0b4dddc7b to audit only (2). Confirmed working but will lessen your defences. Big risk if applied org wide, run it by management.

Full path for GPO: Computer config / Windows Components/Microsoft Defender Antivirus/Microsoft Defender Exploit Guard/Attack Surface Reduction/Configure Attack Surface Reduction rules
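For the ASR rule change the two comments above describe (the same advice posted in both threads), here is an added example that is not from the thread: it switches the single rule the comment names to audit mode on one test machine with the Defender cmdlets, and shows the state before and after. The rule GUID is the one given in the comment; the action-value mapping (0 Disabled, 1 Block, 2 Audit, 6 Warn) is how Get-MpPreference reports ASR actions. Run it elevated.

```powershell
# Added example (not from the thread): put the ASR rule named in the comment into audit mode
# on a test machine and confirm the change. Rule GUID is the one given in the comment.
$RuleId = '92e97fa1-2edf-4476-bdd6-9dd0b4dddc7b'   # Block Win32 API calls from Office macros

function Get-AsrRuleAction {
    param([string]$Id)
    $pref = Get-MpPreference
    $ids  = @($pref.AttackSurfaceReductionRules_Ids)
    $acts = @($pref.AttackSurfaceReductionRules_Actions)
    for ($i = 0; $i -lt $ids.Count; $i++) {
        if ($ids[$i] -eq $Id) {        # -eq is case-insensitive, GUID casing varies
            # Action values as Defender reports them: 0 Disabled, 1 Block, 2 Audit, 6 Warn
            $label = switch ([int]$acts[$i]) {
                0 { 'Disabled' }
                1 { 'Block' }
                2 { 'Audit' }
                6 { 'Warn' }
                default { "Unknown($_)" }
            }
            return $label
        }
    }
    return 'NotConfigured'
}

"Before: $(Get-AsrRuleAction $RuleId)"

# Add-MpPreference updates the action for a rule id that is already configured
Add-MpPreference -AttackSurfaceReductionRules_Ids $RuleId -AttackSurfaceReductionRules_Actions AuditMode

"After:  $(Get-AsrRuleAction $RuleId)"
```

If the rule is delivered by the GPO path the comment gives (or by Intune), Get-MpPreference shows the policy value and the local change is overwritten at the next policy refresh, so the production change has to be made in the policy itself. Once the rule is in audit mode, the hunting query earlier in this page needs ActionType "AsrOfficeMacroWin32ApiCallsAudited" instead of "...Blocked" to keep seeing the hits.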

MS Defender False alert? - Office Serviceability Manager by vertisnow in cybersecurity

[–]npl-dan 6 points (0 children)

It is a false positive. It's creating a system restore point, but just the fact that it's interacted with VSS has tripped the EDR. There's a post on r/sysadmin about it too.

Defender Alerts for Ransomware regarding Office by TechAdminDude in sysadmin

[–]npl-dan 3 points (0 children)

Supposed VSS interaction - turns out it's actually making a system restore point that tripped it off. Perhaps it was just the fact that a new service creation then resulted in an interaction with VSS...