Restore the ms-msdt registry key from backup after Microsoft mitigation workaround
This Automox Worklet™ restores the ms-msdt registry key in HKEY_CLASSES_ROOT on Windows endpoints. The Worklet is specifically designed to reverse the Microsoft workaround that deleted this registry key to mitigate the Follina zero-day vulnerability (CVE-2022-30190).
The Worklet checks whether the ms-msdt registry key exists on the endpoint. If the key is missing, it locates a previously exported ms-msdt.reg file from a configurable directory and imports it using the Windows registry import utility. If the key is already present, the Worklet completes with no action.
exe to validate and import the registry backup file.
The Worklet provides detailed output to the Automox activity log, including confirmation of successful imports and error notifications if the backup file is missing or the import fails.
Deleted ms-msdt registry keys block legitimate Windows diagnostic functionality. Organizations that applied Microsoft's initial Follina mitigation removed the ms-msdt key to close the vulnerability, but this workaround disabled the Diagnostics and Recovery Toolset (DaRT) and other Microsoft applications that rely on this protocol handler. IT teams cannot use these diagnostic tools until the key is restored.
Microsoft later released a security update (KB 5004961 and subsequent patches) that provided a more surgical fix. This approach allowed organizations to restore ms-msdt functionality without reintroducing the vulnerability. If you have deployed Microsoft's official security patches, you can safely restore the ms-msdt key using this Worklet.
Restoring ms-msdt eliminates false positives from security scanning tools and returns endpoints to a standard Windows configuration state.
Evaluation phase: The Worklet checks HKEY_CLASSES_ROOT for the ms-msdt registry key. If the key is present, evaluation passes and no remediation runs. If the key is missing, the endpoint is flagged for remediation.
Remediation phase: The Worklet searches for the ms-msdt.reg backup file in the configured directory (default: C:\regExport). If the backup file is found, it executes the Windows registry import utility (reg.exe import) to restore the key. After import, the Worklet validates that the key now exists. If validation succeeds, the Worklet exits with success status.
Windows 7 SP1 or later (all supported editions including Home, Pro, Enterprise, Server)
PowerShell 2.0 or later
Administrator or SYSTEM privileges required to modify HKEY_CLASSES_ROOT registry hive
Backup file ms-msdt.reg must exist in the configured directory (default: C:\regExport). Use the "Follina Zero Day Workaround - Export-Delete ms-msdt Key" Worklet to create this backup.
Microsoft security updates KB 5004961 or later recommended before restoring the key
Write access to HKEY_CLASSES_ROOT and the backup file location
After successful remediation, the ms-msdt registry key is restored in HKEY_CLASSES_ROOT with all its original subkeys and values. The key controls the association between ms-msdt protocol calls and the Diagnostics and Recovery Toolset executor on the endpoint. You can verify restoration by checking HKEY_CLASSES_ROOT\ms-msdt in Registry Editor or by confirming that DaRT and other diagnostic tools respond to ms-msdt protocol requests.
Endpoints will now respond normally to legitimate DaRT requests and other diagnostic tools that use the ms-msdt protocol. The Automox activity log shows "Successfully imported Key" on successful endpoints. Endpoints that do not require remediation (key already present) show no log entry. Endpoints where the backup file is missing show "Exported regkey is not present. Cancelling..."
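The evaluation and remediation flow described above, sketched in PowerShell as an added example (this is not the Worklet's own source). The function names, the scope check on the .reg file and the non-zero failure exit codes are assumptions; the paths and the two log messages are the ones quoted on this page.

```powershell
# Added example, not Automox code. Function names and exit codes are hypothetical.
$KeyPath   = 'Registry::HKEY_CLASSES_ROOT\ms-msdt'
$BackupDir = 'C:\regExport'                 # default directory named on the page
$RegFile   = Join-Path $BackupDir 'ms-msdt.reg'

function Test-MsdtKey {
    # Evaluation: true when the ms-msdt protocol handler key exists.
    return (Test-Path -Path $KeyPath)
}

function Test-BackupScope {
    param([string]$Path)
    # Assumption: a legitimate backup only contains key headers at or under
    # HKEY_CLASSES_ROOT\ms-msdt. Any other header, including a "[-...]"
    # deletion header, means the file should not be imported with
    # Administrator or SYSTEM rights.
    $headers = @(Get-Content -Path $Path | Where-Object { $_ -match '^\s*\[' })
    if ($headers.Count -eq 0) { return $false }
    foreach ($h in $headers) {
        if ($h -notmatch '^\s*\[HKEY_CLASSES_ROOT\\ms-msdt(\\[^\]]*)?\]\s*$') {
            return $false
        }
    }
    return $true
}

# Remediation: runs only when the key is missing.
if (Test-MsdtKey) { exit 0 }

if (-not (Test-Path -Path $RegFile)) {
    Write-Output 'Exported regkey is not present. Cancelling...'
    exit 1
}
if (-not (Test-BackupScope -Path $RegFile)) {
    Write-Output "Refusing import: $RegFile references keys outside ms-msdt."
    exit 1
}

# Start-Process gives a reliable exit code without reg.exe's stderr chatter.
$proc = Start-Process -FilePath 'reg.exe' -ArgumentList 'import', "`"$RegFile`"" `
        -Wait -PassThru -WindowStyle Hidden

# Validate the result instead of trusting the exit code alone.
if ($proc.ExitCode -eq 0 -and (Test-MsdtKey)) {
    Write-Output 'Successfully imported Key'
    exit 0
}
Write-Output "Import failed (reg.exe exit code $($proc.ExitCode))."
exit 1
```

The scope check matters because the backup directory sits outside the registry's ACLs: a .reg file that standard users can modify would otherwise be imported with the Worklet's elevated privileges.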
Run this Worklet on a pilot Windows endpoint and review the evaluation output for "Follina Zero Day Workaround - Import-Restore ms-msdt Key".
Confirm Automox activity logs show successful completion and exit code 0.
Verify endpoint state using checks aligned to evaluation script logic, such as Import-Restore, Export-Delete, Test-Path.
Validate remediation effects from script operations such as Import-Restore, On-Demand, Export-Delete, then rerun evaluation for compliance.


A Worklet is an automation script, written in Bash or PowerShell, designed for seamless execution on endpoints – at scale – within the Automox platform. Worklet automation scripts perform configuration, remediation, and the installation or removal of applications and settings across Windows, macOS, and Linux.
