Disable the MSDT protocol to protect Windows endpoints against Follina zero-day exploits in Office documents
This Automox Worklet™ exports and deletes the ms-msdt registry key from HKEY_CLASSES_ROOT on Windows endpoints. By removing this key, you disable the MSDT protocol handler, which prevents malicious Microsoft Office documents from executing arbitrary code through the Follina vulnerability (CVE-2022-30190).
The Worklet first mounts HKEY_CLASSES_ROOT as a PowerShell drive, validates the presence of the ms-msdt key, and creates a backup export before permanent deletion. This ensures you maintain a registry export for recovery purposes while immediately eliminating the attack vector.
The Follina vulnerability enables remote code execution through malicious Microsoft Word documents. When users open weaponized documents, the MSDT protocol handler executes attacker commands without user interaction or security warnings. Until Microsoft releases official patches, this critical zero-day affects millions of Windows endpoints, creating immediate exploitation risk.
Office documents become delivery vehicles for ransomware, credential theft, and lateral movement tools. Organizations handling sensitive documents face targeted attacks exploiting the MSDT protocol before security patches become available. Waiting for official patch release and deployment leaves your endpoints vulnerable during the window between disclosure and remediation.
Evaluation phase: Checks whether the ms-msdt key exists in HKEY_CLASSES_ROOT. If present, the endpoint is flagged for remediation; if absent, no action is needed.
Remediation phase: Exports the ms-msdt key to a local backup directory (C:\regExport by default), then uses reg.exe to permanently delete the key from the registry.
Windows 7 or later (Windows 10, Windows 11, Windows Server 2016, 2019, 2022)
Administrator privileges required to modify HKEY_CLASSES_ROOT
Export directory path configurable via $regExportdir variable (defaults to C:\regExport)
FixNow compatible for immediate on-demand execution during security incidents
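The evaluation and remediation phases described above, combined into one script as an added example. This is not the Automox Worklet source: only $regExportdir and its default come from this page, and the backup file name and messages are assumptions.

```powershell
# Added example, not the Worklet's own code. Run from an elevated PowerShell session.
$regExportdir = 'C:\regExport'              # default named on this page
$keyPath      = 'HKEY_CLASSES_ROOT\ms-msdt' # key path in reg.exe syntax

# HKCR is not mounted as a PowerShell drive by default; mount it so Test-Path can see the key.
if (-not (Get-PSDrive -Name HKCR -ErrorAction SilentlyContinue)) {
    New-PSDrive -Name HKCR -PSProvider Registry -Root HKEY_CLASSES_ROOT | Out-Null
}

# Evaluation: a present key means the endpoint still needs remediation.
if (-not (Test-Path -Path 'HKCR:\ms-msdt')) {
    Write-Output 'ms-msdt key not present. No action needed.'
    exit 0
}

# Remediation step 1: export the key. The file name pattern is an assumption.
if (-not (Test-Path -Path $regExportdir)) {
    New-Item -Path $regExportdir -ItemType Directory -Force | Out-Null
}
$backup = Join-Path $regExportdir ('ms-msdt_{0:yyyyMMdd_HHmmss}.reg' -f (Get-Date))
& reg.exe export $keyPath $backup /y | Out-Null

# Refuse to delete unless the export succeeded and produced a non-empty file.
if ($LASTEXITCODE -ne 0 -or -not (Test-Path $backup) -or (Get-Item $backup).Length -eq 0) {
    Write-Error "Export of $keyPath failed. Key left in place."
    exit 1
}

# Remediation step 2: delete the key and all of its subkeys.
& reg.exe delete $keyPath /f | Out-Null
if ($LASTEXITCODE -ne 0) {
    Write-Error "Delete of $keyPath failed. Backup kept at $backup."
    exit 1
}

# Verification: rerun the evaluation check so exit code 0 means the key is gone.
if (Test-Path -Path 'HKCR:\ms-msdt') {
    Write-Error 'ms-msdt key still present after delete.'
    exit 1
}
Write-Output "ms-msdt key removed. Backup saved to $backup"
exit 0
```

The exported .reg file can be re-imported later with `reg.exe import`, which is the recovery path the backup exists for.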
The ms-msdt registry key removal prevents Follina zero-day exploitation immediately. Malicious Office documents fail to trigger the MSDT protocol handler, blocking arbitrary code execution attempts before Microsoft releases official security patches. Your endpoints gain protection against weaponized documents without waiting for patch availability or deployment scheduling.
The backup file in your export directory preserves the original registry configuration for recovery. HKEY_CLASSES_ROOT verification confirms the ms-msdt subkey removal completed successfully. After Microsoft publishes security patches, you restore the key through the companion Import-Restore Worklet, transitioning from emergency mitigation to permanent patch-based protection.
Run this Worklet on a pilot Windows endpoint and review the evaluation output for the Follina Zero Day Workaround - Export-Delete ms-msdt Key Worklet.
Confirm Automox activity logs show successful completion and exit code 0.
Verify endpoint state using checks aligned to evaluation script logic, such as Export-Delete, Import-Restore, Test-Path.
Validate remediation effects from script operations such as Export-Delete, On-Demand, Import-Restore, then rerun evaluation for compliance.
After remediation, endpoints reflect the target configuration of the Follina Zero Day Workaround - Export-Delete ms-msdt Key Worklet and report compliant status in Automox.
You can confirm results by correlating activity logs with evaluation checks (Export-Delete, Import-Restore, Test-Path) and remediation actions (Export-Delete, On-Demand, Import-Restore).


Consider Worklets your easy button
A Worklet is an automation script, written in Bash or PowerShell, designed for seamless execution on endpoints – at scale – within the Automox platform. Worklet automation scripts perform configuration, remediation, and the installation or removal of applications and settings across Windows, macOS, and Linux.
