Fix Broken Desktop Shortcuts (GPO) Error KB5017308 Windows 10

A way to solve Broken Desktop Shortcuts (GPO) and 0x80070005 Access is Denied error message that occured after installing KB5017308 on Windows 10.

Broken Desktop Shortcuts (GPO) Error KB5017308

After installing the September 13, 2022 Security update on, Windows 10 several users are complaining about facing different problems. KB5017308 was the patch rolled out to Windows 10 21H2, 21H1, and 20H2 (End of service) changing their versions to 19044.2006, 19043.2006, and 19042.2006 respectively. On installation of this update, they find broken desktop shortcuts (based on GPO).

So KB5017308 breaks desktop shortcuts and icons (GPO). When trying to open the file/folder using the shortcut, 0x80070005 Access is Denied error appears. Event viewer also creates a log for this issue (for some users the ‘Event ID’ is 4098). A user in the Microsoft Answer community says, “Basically, I have shared folder with shortcuts on which I use WindowsSettings > Files GPO to replace or update shortcuts on %userprofile%\desktop\shortcut folder\shortcut.ink and 37 times like that for every shortcut”. Shortcuts creating problems were URLs with icon locations set to a file server. Some people say that this error occurs for non-admin users.

KB5017308 Breaks Desktop Shortcuts and icons (GPO) in Windows 10

Here is how to fix broken desktop shortcuts (GPO) after KB5017308 in Windows 10 –

Way-1: Change Setting in GPO

When the issue of broken shortcuts and icons occurs, 0x80070005 Access is Denied error message prompts on launching any of them. Because of this problem, people who have lots of file copy GPOs running that need user context (because of %username% env vars) are planning to pause or uninstall the Windows update. After KB5017308 broke the shortcuts, they became empty with 0 bytes and left without info.

  1. Go to GPO and uncheck – Run in user security context.
  2. Restart your computer.

Multiple sources also confirm that copying or creating files through GPO or creating GPO settings files stopped working after the patch.

Note – whenever Microsoft acknowledges this problem of Access denied 0x80070005 error message due to the destroyed and wrecked desktop icons we will be here to update. Furthermore, if any expert finds another solution we will add that to this post. The same day KB5017328 update was also rolled out to Windows 11 21H2 22000.978 to address MSA Issue.

Way-2: Uninstall KB5017308

Nevertheless, we don’t recommend uninstalling any Windows update but suppose the error is unbearable any emergency happens due to this you have an option to remove the patch from your computer. The same is applicable with broken desktop shortcuts and GPO malfunctioning bug caused by “KB5017308”. So, move forward with the below method –

  1. Press Windows+R.
  2. Type appwiz.cpl.
  3. Press Enter to launch Program and Features window.
  4. Click – View installed updates.
  5. Find KB5017308 and right-click on it.
  6. Select Uninstall.
  7. Click Yes to start uninstalling.

If you couldn’t remove the LCU then follow – How to Uninstall KB5017308 from Windows 10.

See – How to disable Windows 11 update permanently

Apart from this, you can block further updates using the following utilities – Windows 10 Update Disable Tool, or Top 10 Best Windows update blocker Software for Windows 11.

Methods
Way-1: Change Setting in GPO
Way-2: Uninstall KB5017308

That’s all!!

Repair any Windows problems such as Blue/Black Screen, DLL, Exe, application, Regisrty error and quickly recover system from issues using Reimage.
 
  
About Sunita
Love to play with Windows 10.Suggestion - Going for Registry change or system files edit then remember to take a backup or create a restore point before Starting.

  1. I appreciate you documenting your solution to this issue.
    We ran into the problem earlier this week.
    Changing the “run in logged-on user’s security context (user policy option)” worked for our environment.

    Thank you!

  2. We found that Way 1 did not work. But we found a different solution. We used our GPO that deploys our shortcut to also deploy the .ico file to the local machine. Then we changed our shortcut to use the local .ico file. That resolved the issue. We did not experience any issues deploying files as indicated in Way 1.

  3. You can use the solution “Go to GPO and uncheck – Run in user security context.” only if the file/shortcut/folder is changed locally on the system (then the SYSTEM-Account has access rights to do it). When the file/shortcut/folder is changed e.g. on the file server in the homeshare (because you use folder redirection), then the SYSTEM-account usually doesn’t have access rights. Therefore it is necessary to have the check “Run in user security context”. In these cases, you have problems after installing the September patches. You can only try to deploy the files/shortcuts/folders e.g. via powershell-logon-script or give Domain computers rights on all homeshares (not a good idea in my opinion).