Revert the Follina CVE-2022-30190 ms-msdt workaround on Windows endpoints after Microsoft patches
This Automox Worklet™ reverts the Follina CVE-2022-30190 ms-msdt workaround on Windows endpoints. The mitigation Microsoft published on May 30, 2022 deleted the HKEY_CLASSES_ROOT\ms-msdt registry key to block the Microsoft Support Diagnostic Tool (MSDT) protocol handler that the Follina exploit abused. This Worklet imports a previously exported ms-msdt.reg backup file to restore that key. Run it only once Microsoft's June 2022 Patch Tuesday cumulative updates are in place on the target endpoints. The relevant updates are KB 5014697 (Windows 11), KB 5014699 (Windows 10), KB 5014702 (Windows Server 2019 and Windows 10 1809) and KB 5014678 (Windows Server 2022), plus the corresponding rollups on other supported releases.
The Worklet uses reg.exe import to write the saved ms-msdt subtree back into HKEY_CLASSES_ROOT. The remediation script reads the backup directory from a single configurable variable, $regExportdir (default C:\regExport), and looks for the hard-coded filename ms-msdt.reg in that directory. Both the directory and the file are produced by the companion "Follina Zero Day Workaround - Export-Delete ms-msdt Key" Worklet. The evaluation script mounts HKEY_CLASSES_ROOT as the HKCR PSDrive and checks HKCR:\ms-msdt with Test-Path. It exits 0 when the key is present (compliant) and exits 1 when the key is missing, flagging the endpoint for remediation.
Output is captured in the Automox activity log. Successful imports print "Successfully imported Key." and exit 0. Endpoints where the key is already present print "Key is already present on this device" and exit 0. Endpoints missing the backup file print "Exported regkey is not present. Cancelling..." and also exit 0, so the catalog records the skip as a success rather than a failure; search the activity-log output for that message to find endpoints that still need their ms-msdt.reg staged, because the policy status alone will not reveal them. If reg.exe import runs but HKCR:\ms-msdt is still missing afterward, the script prints "Failed to import registry key" and exits 5.
Follina (CVE-2022-30190) was a remote code execution flaw in the ms-msdt URI protocol handler that allowed a crafted Word or RTF document to launch MSDT and execute arbitrary PowerShell with the user's privileges, without a macro and, in the RTF preview case, without the document even being opened. Microsoft's emergency guidance was to delete the HKEY_CLASSES_ROOT\ms-msdt key, which severed the URI scheme association and stopped the exploit chain. That workaround also disabled every legitimate caller that reached MSDT through an ms-msdt: link, including troubleshooter links throughout Settings and the operating system, the Diagnostics and Recovery Toolset (DaRT), and any internal helpdesk scripts that launched MSDT diagnostic packs by URI. Once Microsoft shipped the permanent fix in the June 14, 2022 cumulative updates, leaving the key deleted blocks recovery tooling without adding any security benefit.
This Worklet handles the revert side of the Follina emergency response. Once the June 14, 2022 cumulative update has been confirmed on every endpoint, run this Worklet against your Windows workstation and server groups to restore the HKEY_CLASSES_ROOT\ms-msdt key from the backup the companion "Follina Zero Day Workaround - Export-Delete ms-msdt Key" Worklet created. Applying the original deletion is outside the scope of this Worklet. Endpoints that no longer need the mitigation regain ms-msdt: launched troubleshooters, DaRT, and helpdesk tooling on the next agent check-in.
Evaluation phase: The script mounts HKEY_CLASSES_ROOT as the HKCR PSDrive (New-PSDrive -PSProvider Registry -Name HKCR -Root HKEY_CLASSES_ROOT) if it is not already mounted, then runs Test-Path -Path "HKCR:\ms-msdt". If the key exists the script exits 0 and the endpoint is reported compliant. If the key is missing (the expected state on endpoints where the Export-Delete companion Worklet was run), the script exits 1 and the endpoint is flagged for remediation. The temporary HKCR drive is removed before exit.
Remediation phase: The script checks HKCR:\ms-msdt with Test-Path. If the key is already there, it writes "Key is already present on this device" and exits 0. Otherwise it validates "$regExportdir\ms-msdt.reg" (default C:\regExport\ms-msdt.reg) with Test-Path. If the backup file is missing, the script writes "Exported regkey is not present. Cancelling..." and exits 0 without changing any registry state. If the backup is present, the script invokes %SystemRoot%\system32\reg.exe via Start-Process with the argument list 'import $regExportdir\ms-msdt.reg' and -Wait, then re-tests HKCR:\ms-msdt. Because that path is passed unquoted, keep $regExportdir free of spaces or wrap the path in escaped double quotes in the argument list, otherwise reg.exe sees a truncated filename. On success it writes "Successfully imported Key." and exits 0; if the key is still missing after the import, it writes "Failed to import registry key" and exits 5.
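The following is an added example written from the two phases described above; it is a reconstruction for readers, not the Worklet's own evaluation.ps1 or remediation.ps1. It takes the backup directory, the hard-coded ms-msdt.reg filename, the log messages and the exit codes from this page. The -PassThru on Start-Process, which surfaces reg.exe's own exit code in the activity log, and the quoting of the backup path are additions not described on the page.

```powershell
# Added example: reconstruction of the evaluation and remediation logic described
# on this page. Not the Worklet's own scripts. Assumes the page's defaults:
# $regExportdir = C:\regExport, filename ms-msdt.reg, exit 0/1/5 semantics.

# Mount HKEY_CLASSES_ROOT as a PSDrive once; the agent runs as SYSTEM so no prompt.
function Mount-HKCR {
    if (-not (Get-PSDrive -Name HKCR -ErrorAction SilentlyContinue)) {
        New-PSDrive -PSProvider Registry -Name HKCR -Root HKEY_CLASSES_ROOT | Out-Null
    }
}

function Test-MsMsdtKey {
    Mount-HKCR
    return (Test-Path -Path 'HKCR:\ms-msdt')
}

# ---- Evaluation phase (what evaluation.ps1 does) ----
function Invoke-Evaluation {
    if (Test-MsMsdtKey) {
        Write-Output 'ms-msdt key present: compliant'
        return 0      # compliant, remediation is skipped
    }
    Write-Output 'ms-msdt key missing: flag for remediation'
    return 1          # non-compliant, Automox runs the remediation script
}

# ---- Remediation phase (what remediation.ps1 does) ----
function Invoke-Remediation {
    param(
        # Must match the directory the Export-Delete companion Worklet used.
        [string]$regExportdir = 'C:\regExport'
    )
    $backup = Join-Path $regExportdir 'ms-msdt.reg'   # filename is fixed by design

    if (Test-MsMsdtKey) {
        Write-Output 'Key is already present on this device'
        return 0
    }
    if (-not (Test-Path -Path $backup -PathType Leaf)) {
        # A skip, not a failure: exit 0 means only the activity log records it.
        Write-Output 'Exported regkey is not present. Cancelling...'
        return 0
    }

    # reg.exe import writes the exported subtree back under HKCR
    # (physically HKLM\SOFTWARE\Classes). Quote the path so spaces survive.
    $regExe = Join-Path $env:SystemRoot 'system32\reg.exe'
    $proc = Start-Process -FilePath $regExe -ArgumentList @('import', "`"$backup`"") `
                          -Wait -PassThru -NoNewWindow
    Write-Output "reg.exe import exited with code $($proc.ExitCode)"

    if (Test-MsMsdtKey) {
        Write-Output 'Successfully imported Key.'
        return 0
    }
    Write-Output 'Failed to import registry key'
    return 5
}

# Automox reads the process exit code. In the evaluation script call
# Invoke-Evaluation instead of Invoke-Remediation.
$code = Invoke-Remediation -regExportdir 'C:\regExport'
Remove-PSDrive -Name HKCR -ErrorAction SilentlyContinue
exit $code
```

Keep the two functions in separate scripts when you load them into the Worklet, because Automox runs evaluation and remediation as distinct payloads; the shared Test-MsMsdtKey helper is small enough to duplicate in each.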
Windows 7 SP1, Windows 8.1, Windows 10, Windows 11, or Windows Server 2008 R2 through Server 2022 (any edition that previously had HKEY_CLASSES_ROOT\ms-msdt deleted by the Follina workaround). Note that Windows 7 SP1 and Server 2008 R2 only received the June 2022 fix through Extended Security Updates; without ESU those endpoints have no permanent fix and the key should stay deleted
PowerShell 2.0 or later, which ships with every supported Windows release the Automox agent runs on
Administrator or SYSTEM context for the agent (Automox default), required to write to HKEY_CLASSES_ROOT and invoke reg.exe import. Machine-wide entries under HKEY_CLASSES_ROOT are stored in HKLM\SOFTWARE\Classes, which a standard user cannot modify
The ms-msdt.reg backup file present on each target endpoint at the configured directory (default C:\regExport). The companion Worklet "Follina Zero Day Workaround - Export-Delete ms-msdt Key" creates this file before deleting the live key. The filename ms-msdt.reg is hard-coded in remediation.ps1
Microsoft's June 2022 cumulative update (KB 5014697 for Windows 11, KB 5014699 for Windows 10, KB 5014702 for Windows Server 2019 and Windows 10 1809, KB 5014678 for Windows Server 2022) or any later monthly rollup that supersedes them, applied to the endpoint before the Worklet runs. Confirm this per device group rather than assuming it, since a restored key on an unpatched host reopens the Follina path
One policy variable to set in remediation.ps1: $regExportdir, the directory that holds ms-msdt.reg (default C:\regExport). The path must match the directory used by the Export-Delete companion Worklet
HKEY_CLASSES_ROOT\ms-msdt is restored exactly as the companion Worklet exported it, including the (Default) display name, the URL Protocol value that marks the key as a URI scheme, and the shell\open\command entry that maps ms-msdt: URIs to %SystemRoot%\system32\msdt.exe. The MSDT protocol handler responds to ms-msdt: URIs again, which means troubleshooter links throughout the operating system, DaRT recovery images, and any internal helpdesk tooling that uses ms-msdt return to their normal behavior. The June 2022 cumulative update remains the active fix for CVE-2022-30190 (the patch hardened msdt.exe itself rather than the protocol registration), so restoring the registry key on a patched endpoint does not reintroduce the vulnerability.
Validate by running reg.exe query "HKCR\ms-msdt" /s from an elevated command prompt (expect the full subtree, including the URL Protocol value and shell\open\command). In PowerShell, mount the HKCR drive with New-PSDrive -PSProvider Registry -Name HKCR -Root HKEY_CLASSES_ROOT, then run Test-Path HKCR:\ms-msdt (expect True) and Get-ItemProperty HKCR:\ms-msdt to inspect the URL Protocol entry. To exercise the handler itself rather than the binary, launch a troubleshooter through the URI scheme, for example start ms-msdt:/id PCWDiagnostic from the command prompt, which should open the Program Compatibility troubleshooter; running msdt.exe /id PCWDiagnostic directly succeeds even when the key is deleted, so it proves nothing about the protocol association. The Automox activity log shows "Successfully imported Key." on endpoints that needed remediation, "Key is already present on this device" on endpoints that were already compliant, "Exported regkey is not present. Cancelling..." on endpoints where the backup file is missing, and "Failed to import registry key" on endpoints where reg.exe ran but the key did not return. For audit evidence, store the reg.exe query output alongside the policy run identifier, the KB number of the active cumulative update, and the timestamp of the Worklet completion.
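An added validation script that gathers the evidence listed above into a single record per endpoint; it is example code, not part of the Worklet or the catalog. It assumes the KB list from this page, a hypothetical $PolicyRunId parameter you copy from the Automox activity log, an example output path, and PowerShell 3.0 or later for ConvertTo-Json and [ordered]. It goes beyond the text in one respect: it flags the one combination that matters, a restored key on a host where none of the fix KBs is installed.

```powershell
# Added example, not the Worklet's code: post-revert validation and audit record.
# Assumptions: KB list from this page; $PolicyRunId is a hypothetical parameter
# filled from the Automox activity log; $OutFile is an example location.
param(
    [string]$PolicyRunId = 'unknown',
    [string]$OutFile = "$env:ProgramData\ms-msdt-revert-evidence.json",
    [switch]$LaunchTroubleshooter     # opt in: opens an interactive MSDT window
)

# June 2022 cumulative updates that carry the CVE-2022-30190 fix.
$fixKBs = @('KB5014697', 'KB5014699', 'KB5014702', 'KB5014678')

# Get-HotFix lists only what is installed; a later rollup that supersedes these
# will not appear under these IDs, so $null means "confirm the OS build manually".
$installedFix = Get-HotFix -ErrorAction SilentlyContinue |
    Where-Object { $fixKBs -contains $_.HotFixID } |
    Select-Object -First 1 -ExpandProperty HotFixID

# 1. Full subtree dump, the artifact the page says to archive.
$regExe  = Join-Path $env:SystemRoot 'system32\reg.exe'
$subtree = & $regExe query 'HKCR\ms-msdt' /s 2>&1 | Out-String
$keyPresent = ($LASTEXITCODE -eq 0)

# 2. Inspect the values that make the scheme work, via the Registry:: provider
#    path so no temporary PSDrive is needed.
$root = 'Registry::HKEY_CLASSES_ROOT\ms-msdt'
$hasUrlProtocol = $false
$openCommand = $null
if ($keyPresent) {
    $props = Get-ItemProperty -Path $root -ErrorAction SilentlyContinue
    $hasUrlProtocol = ($props.PSObject.Properties.Name -contains 'URL Protocol')
    $openCommand = (Get-ItemProperty -Path "$root\shell\open\command" `
                    -ErrorAction SilentlyContinue).'(default)'
}

# 3. Optional functional test through the protocol handler itself. Invoking
#    msdt.exe directly would succeed even with the key deleted, so use a URI.
if ($LaunchTroubleshooter -and $keyPresent) {
    Start-Process 'ms-msdt:/id PCWDiagnostic'
}

$evidence = [ordered]@{
    Host           = $env:COMPUTERNAME
    Timestamp      = (Get-Date).ToString('o')
    PolicyRunId    = $PolicyRunId
    FixKBInstalled = $installedFix
    KeyPresent     = $keyPresent
    UrlProtocolSet = $hasUrlProtocol
    OpenCommand    = $openCommand
    RegQueryOutput = $subtree
}
$evidence | ConvertTo-Json | Set-Content -Path $OutFile -Encoding UTF8

# Verdict: the only unsafe state is "key restored, fix not installed".
if ($keyPresent -and -not $installedFix) {
    Write-Warning 'ms-msdt key present but no June 2022 fix KB found; verify the OS build before leaving the key in place.'
} elseif ($keyPresent -and $hasUrlProtocol -and $openCommand -match 'msdt\.exe') {
    Write-Output "OK: handler restored, $installedFix installed, evidence written to $OutFile"
} else {
    Write-Output 'ms-msdt handler is not restored on this host'
}
```

Run it elevated after the Worklet completes, or push it as a follow-up Worklet and collect the JSON files centrally; the warning branch is the list of hosts where the revert ran ahead of patching and the key should be deleted again until the update lands.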