How to Fix CVE-2022-30190 vulnerability using Microsoft Intune

On Monday, May 30, 2022, Microsoft published CVE-2022-30190, a vulnerability in the Microsoft Support Diagnostic Tool (MSDT) in Windows.

A remote code execution vulnerability exists when MSDT is called using the URL protocol from a calling application such as Word. An attacker who successfully exploits this vulnerability can run arbitrary code with the privileges of the calling application. The attacker can then install programs, view, change, or delete data, or create new accounts in the context allowed by the user’s rights.

At the time of writing there is no patch from Microsoft for this issue, but Microsoft has published a workaround: disable the MSDT URL protocol. Disabling the MSDT URL protocol prevents troubleshooters from being launched as links, including links throughout the operating system; troubleshooters can still be opened through the Get Help application and from system settings.

Most Windows client and Windows Server operating systems are affected. For the full list and the latest guidance, see the Microsoft advisory at https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2022-30190.

Workaround:

The immediate workaround is to delete the ms-msdt registry key, which removes the URL protocol handler that Word (or any other calling application) would use to launch MSDT. If you only have a couple of machines to fix, you can open Registry Editor on each PC, browse to HKEY_CLASSES_ROOT, find ms-msdt and delete the key. Alternatively, open a command prompt as administrator on each PC and type the commands below.

The first command backs up the ms-msdt key to msdtregkeybackup.reg in the current directory, so the key can be restored later with reg import; the second command deletes the key.

reg export HKEY_CLASSES_ROOT\ms-msdt msdtregkeybackup.reg
reg delete HKEY_CLASSES_ROOT\ms-msdt /f

Using Microsoft Endpoint Manager Admin center

If you use Microsoft Endpoint Manager with Microsoft Intune to manage your organization's machines, you can create a PowerShell script and push it through Intune. I created the PowerShell script below and saved it in a file called msdtregfix.ps1. It backs up the key to C:\msdtregbackup before deleting it, so the change can be reversed once a patch is available.

# CVE-2022-30190 workaround: back up and then delete the ms-msdt URL protocol handler.
# Intended to run as SYSTEM via Intune (or from an elevated PowerShell prompt).
$backupDir = "C:\msdtregbackup"
$key       = "HKEY_CLASSES_ROOT\ms-msdt"

# Create the backup folder on first run.
if (-not (Test-Path $backupDir)) {
    New-Item $backupDir -ItemType Directory | Out-Null
}

# Only act if the key is still present, so a re-run on an already-fixed device is harmless.
if (Test-Path "Registry::$key") {
    reg export $key "$backupDir\msdtkey.reg" /y
    reg delete $key /f
}

Steps:

  • Sign in to the Microsoft Endpoint Manager admin center at https://endpoint.microsoft.com.
  • Browse to Devices -> Windows -> PowerShell scripts.
  • Click Add -> give the script a suitable name, for example: CVE-2022-30190 Vulnerability Fix.
  • Script location -> browse to your PowerShell script (msdtregfix.ps1).
  • Run this script using the logged on credentials -> No (the script then runs as SYSTEM, which is required to delete a key under HKEY_CLASSES_ROOT).
  • Enforce script signature check -> No
  • Run script in 64 bit PowerShell Host -> Yes
  • Assignments -> assign the script to an Azure AD security group that contains your test devices. Once testing is complete, assign the script to all user devices.
  • Review + Add.
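Pushing the fix is only half the job: you also want to confirm on each device that the ms-msdt key is really gone, and you want a way to put it back from the backup once Microsoft ships a fix. The following PowerShell script is an added example, not part of the original post, that can be deployed the same way as msdtregfix.ps1. It assumes the backup directory C:\msdtregbackup used above and restores whichever .reg file it finds there; the script name msdtregcheck.ps1 and the -Restore switch are my own choices.

```powershell
# Added example: verify (and optionally roll back) the CVE-2022-30190 workaround.
# Run as SYSTEM via Intune or from an elevated PowerShell prompt.
# Usage:  .\msdtregcheck.ps1            -> exit 0 if ms-msdt is gone, 1 if it is still present
#         .\msdtregcheck.ps1 -Restore   -> re-import the most recent backed-up key
param(
    [switch]$Restore
)

$key       = "HKEY_CLASSES_ROOT\ms-msdt"
$backupDir = "C:\msdtregbackup"   # assumption: directory created by the remediation script

function Test-MsdtHandlerPresent {
    # HKCR is a merged view; for SYSTEM the handler resolves to HKLM\Software\Classes\ms-msdt.
    return (Test-Path "Registry::$key")
}

if ($Restore) {
    # Pick the newest .reg export in the backup folder, whatever it was named.
    $backup = Get-ChildItem -Path $backupDir -Filter *.reg -ErrorAction SilentlyContinue |
              Sort-Object LastWriteTime -Descending | Select-Object -First 1
    if (-not $backup) {
        Write-Error "No .reg backup found in $backupDir; cannot restore."
        exit 1
    }
    reg import $backup.FullName
    if (Test-MsdtHandlerPresent) {
        Write-Output "ms-msdt restored from $($backup.Name)."
        exit 0
    }
    Write-Error "reg import ran but $key is still missing."
    exit 1
}

# Detection mode: report whether the workaround is in effect and show the handler if not.
if (Test-MsdtHandlerPresent) {
    $cmd = (Get-ItemProperty "Registry::$key\shell\open\command" -ErrorAction SilentlyContinue).'(default)'
    Write-Output "NOT MITIGATED: $key still present. Handler command: $cmd"
    exit 1
}
Write-Output "MITIGATED: $key has been removed."
exit 0
```

The exit codes follow the convention Intune uses for detection scripts (0 means compliant, 1 means the issue is present), so the detection half can be reused as-is in an Intune Proactive Remediation with msdtregfix.ps1 as the remediation script. Keep the backup folder intact until the restore has been run and verified; deleting it leaves no way to recover the original handler command.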

Screenshots (not reproduced here): the Intune PowerShell script configuration for the CVE-2022-30190 fix, and the script monitoring view showing deployment status.
