Friday, June 03, 2022

How to mitigate CVE-2022-30190, known as "Follina" or the MS-MSDT vulnerability, with SCCM.

Step 1: In SCCM, create a new script under Software Library.

Here is the script body.

reg delete HKEY_CLASSES_ROOT\ms-msdt /f

Step 2: Use CMPivot to create a new collection.

Now select a computer collection (perhaps start with a small one), right-click it and start CMPivot.

In the query window, type the query below and run it.

Registry('HKLM:\SOFTWARE\Classes\ms-msdt') | where Property == 'EditFlags'

You might ask why we are checking HKLM and not HKCR. Here is the reason:

HKEY_CLASSES_ROOT is not a real physical hive (it stores no data), it is just a merged view of HKEY_CURRENT_USER\Software\Classes and HKEY_LOCAL_MACHINE\Software\Classes. Updates to the underlying keys are instantly visible in HKEY_CLASSES_ROOT. (source:

In fact, you can't query HKCR using CMPivot; it will return nothing.

Once you have the list of systems, click "Create collection" in the top right corner of CMPivot.

Give it a good name and create the collection.

Right-click the collection you created and run the script you created in Step 1.

Keep doing this against all systems.
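
A fuller PowerShell version of the Step 1 script body, as an added example that is not part of the original post: it exports the key before deleting it (Microsoft's workaround guidance for CVE-2022-30190 recommends a reg export backup first), verifies the removal and prints a one-line result. It targets the same HKLM path as the CMPivot query; the backup folder name is an assumption.

```powershell
# Added example (not from the original post): back up, remove and verify the
# ms-msdt protocol handler. Intended to be run through the SCCM script feature.

# HKLM path matches the CMPivot query; HKCR is only a merged view of this key.
$regKey = 'HKLM\SOFTWARE\Classes\ms-msdt'
$psKey  = 'Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Classes\ms-msdt'

# Assumption: backup location; change it to suit your environment.
$backupDir = Join-Path $env:ProgramData 'ms-msdt-backup'
$backup    = Join-Path $backupDir ('ms-msdt_{0}.reg' -f $env:COMPUTERNAME)

# Already mitigated (or never registered): report and stop.
if (-not (Test-Path -LiteralPath $psKey)) {
    Write-Output 'NotPresent: ms-msdt handler key not found, nothing to do'
    exit 0
}

# Export first so the handler can be restored later with "reg import".
New-Item -ItemType Directory -Path $backupDir -Force | Out-Null
& reg.exe export $regKey $backup /y | Out-Null
if ($LASTEXITCODE -ne 0 -or -not (Test-Path -LiteralPath $backup)) {
    Write-Output "Failed: could not export $regKey, key left in place"
    exit 1
}

# Delete the handler, then confirm it is really gone.
& reg.exe delete $regKey /f | Out-Null
if ($LASTEXITCODE -ne 0 -or (Test-Path -LiteralPath $psKey)) {
    Write-Output "Failed: $regKey still present after delete"
    exit 1
}

Write-Output "Removed: backup saved to $backup"
exit 0
```

Re-running the CMPivot query from Step 2 afterwards should return no rows for the systems where the script reported Removed or NotPresent.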