
Follina Zero Day Workaround - Export-Delete ms-Msdt Key

Disable the MSDT protocol to protect Windows endpoints against Follina zero-day exploits in Office documents

Worklet Details

What the Follina ms-msdt mitigation does

This Automox Worklet™ exports and deletes the ms-msdt registry key from HKEY_CLASSES_ROOT on Windows endpoints. Removing the key disables the MSDT URL protocol handler, which is the mechanism Follina (CVE-2022-30190) abuses to load a remote payload from a weaponized Microsoft Office document. With the handler gone, the document still opens, but the protocol invocation that pulls attacker code into msdt.exe fails immediately.

The Worklet mounts HKEY_CLASSES_ROOT as a PowerShell drive (HKCR:\), validates that the ms-msdt subkey is present, and writes a .reg export to a configurable directory (C:\regExport by default) using reg.exe export. Only after the export succeeds does the Worklet issue reg.exe delete /f against HKCR\ms-msdt. The companion Worklet Follina Zero Day Workaround – Import-Restore ms-msdt Key reverses the change once Microsoft's June 2022 cumulative update is deployed.

Evaluation is idempotent and read-only. If the ms-msdt key is missing because the patch is already in place or the workaround has already run, the script exits 0 and the endpoint reports compliant. There is no need to scope the policy by build number; the registry state is the source of truth.

Why mitigate Follina before the patch lands

Follina turns any opened Word, RTF, or HTML email body into a code-execution primitive. The exploit chain uses an external reference inside an Office document to invoke ms-msdt:/ with a crafted PCWDiagnostic package, which msdt.exe then expands into a PowerShell command line. No macros, no Protected View prompt, and on some preview-pane configurations no click is required. CISA added CVE-2022-30190 to the Known Exploited Vulnerabilities catalog, and active exploitation was observed in the wild before Microsoft shipped a fix in the June 14, 2022 cumulative update.

Running this Worklet against your Windows workstation and server groups severs the ms-msdt URI scheme across managed endpoints in hours rather than waiting for the June 14, 2022 cumulative update to clear test, approval, and rollout queues. Same-day mitigation matters most on remote and field laptops, where the gap between zero-day disclosure and patch deployment otherwise stretches across whatever maintenance window the slowest endpoint can hold.

How MSDT protocol removal works

  1. Evaluation phase: Mounts HKEY_CLASSES_ROOT as the HKCR:\ PowerShell drive if it is not already mapped, then runs Test-Path against HKCR:\ms-msdt. A present key returns exit code 1 (remediation required); a missing key returns exit code 0 (compliant). The drive mapping created by the script is removed before exit so the registry provider is left in its original state.

  2. Remediation phase: Creates the export directory at $regExportdir if it is missing, calls reg.exe export HKCR\ms-msdt <path>\ms-msdt.reg /y to capture a backup, then runs reg.exe delete HKCR\ms-msdt /f to remove the key. The script re-tests HKCR:\ms-msdt and exits 5 with a Failed to delete registry key message if the delete did not stick, otherwise it writes Successfully Exported Key to <path> and exits 0.
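As an added example (not the Worklet's own script), the two phases above approximated in PowerShell: $regExportdir and the 0/1/5 exit codes come from the description, while the function names and the exit code used for a failed export are assumptions.

```powershell
# Added example approximating the evaluation/remediation flow described on the page.
# Not the Automox Worklet's own script: $regExportdir and exit codes 0/1/5 follow the page;
# the function names and exit 5 for a failed export are assumptions.
$regExportdir = 'C:\regExport'
$keyPath = 'HKCR:\ms-msdt'    # provider path, used with Test-Path
$keyName = 'HKCR\ms-msdt'     # reg.exe path, used with export/delete

function Test-MsMsdtKey {
    # Map HKEY_CLASSES_ROOT as HKCR:\ only if it is not already mapped, and unmap it
    # afterwards so the registry provider is left exactly as it was found.
    $created = $false
    if (-not (Get-PSDrive -Name HKCR -ErrorAction SilentlyContinue)) {
        New-PSDrive -Name HKCR -PSProvider Registry -Root HKEY_CLASSES_ROOT -Scope Global | Out-Null
        $created = $true
    }
    try { return (Test-Path -Path $keyPath) }
    finally { if ($created) { Remove-PSDrive -Name HKCR } }
}

function Invoke-Evaluation {
    # 1 = key present, remediation required; 0 = key absent, compliant. Messages use Write-Host
    # so the function's only pipeline output is the exit code.
    if (Test-MsMsdtKey) { Write-Host 'ms-msdt key is present; remediation required'; return 1 }
    Write-Host 'ms-msdt key is not present on this device'
    return 0
}

function Invoke-Remediation {
    if (-not (Test-MsMsdtKey)) { Write-Host 'ms-msdt key is not present on this device'; return 0 }
    if (-not (Test-Path -Path $regExportdir)) {
        New-Item -Path $regExportdir -ItemType Directory | Out-Null
    }
    $exportFile = Join-Path -Path $regExportdir -ChildPath 'ms-msdt.reg'
    # Back up first; the delete only runs if reg.exe succeeded and the .reg file exists.
    & reg.exe export $keyName $exportFile /y | Out-Null
    if ($LASTEXITCODE -ne 0 -or -not (Test-Path -Path $exportFile)) {
        Write-Host "Failed to export $keyName to $exportFile"
        return 5
    }
    & reg.exe delete $keyName /f | Out-Null
    # Re-test rather than trusting reg.exe, so a delete that did not stick is reported.
    if (Test-MsMsdtKey) { Write-Host 'Failed to delete registry key'; return 5 }
    Write-Host "Successfully Exported Key to $exportFile"
    return 0
}

# Run one phase; substitute Invoke-Evaluation for the evaluation script.
exit (Invoke-Remediation)
```

Run it from an elevated (SYSTEM or administrator) session, since HKEY_CLASSES_ROOT writes fail otherwise.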

ms-msdt removal requirements

  • Windows 7 or later, including Windows 10, Windows 11, and Windows Server 2016, 2019, and 2022. Both workstation and server SKUs are supported.

  • Administrator privileges on the target endpoint. The Automox agent runs as SYSTEM, so no additional credential handling is needed in the policy.

  • The $regExportdir variable controls where ms-msdt.reg is written. The default is C:\regExport. Point it at a path your endpoint management workflow can collect from if you want a fleet-wide rollback archive.

  • FixNow-compatible. Trigger the policy as an on-demand action during an active incident instead of waiting for the next evaluation cycle.

  • Pair with Follina Zero Day Workaround – Import-Restore ms-msdt Key for rollback once Microsoft's CVE-2022-30190 cumulative update is deployed.

Expected state after blocking Follina

After remediation, Test-Path HKCR:\ms-msdt on the endpoint returns False, and reg.exe query HKCR\ms-msdt fails with the message The system was unable to find the specified registry key or value. The .reg backup at $regExportdir\ms-msdt.reg captures the original ProgID, Shell verbs, and CLSID associations so the handler can be restored verbatim once Microsoft's patch is in place. Endpoints that never had the key (already patched or already mitigated) skip the export step and report compliant on the next evaluation.

Validate the mitigation by opening a benign .docx that calls ms-msdt:/ in a test environment: the document opens, but the protocol invocation fails with a Windows cannot find ms-msdt error instead of launching msdt.exe. Automox activity logs will record Successfully Exported Key to <path> for endpoints that ran remediation and ms-msdt key is not present on this device for endpoints that were already clean. Once the June 14, 2022 cumulative update is deployed across the fleet, run the Import-Restore Worklet to re-register ms-msdt and return MSDT functionality for legitimate diagnostic packages.


What's a Worklet?

A Worklet is an automation script, written in Bash or PowerShell, designed for seamless execution on endpoints – at scale – within the Automox platform. Worklets deploy named-CVE mitigations within hours of disclosure, perform configuration, remediation, and install or remove applications and settings across Windows, macOS, and Linux.
