Intune Proactive Remediation - CVE-2022-30190

Detect_MSMSDT-Key.ps1

function Get-MSMSDTKey {
    [CmdletBinding()]
    param()

    # Add registry hive 'HKEY_CLASSES_ROOT' as a PSDrive named 'HKCR'.
    $null = New-PSDrive -Name "HKCR" -PSProvider "Registry" -Root "HKEY_CLASSES_ROOT"

    # Test if the 'ms-msdt' key exists in 'HKCR'.
    $testPathResult = Test-Path -Path "HKCR:\ms-msdt"

    # Remove the 'HKCR' PSDrive.
    Remove-PSDrive -Name "HKCR"

    # Return the test result
    return $testPathResult
}

$msmsdtKeyExists = Get-MSMSDTKey

if ($msmsdtKeyExists -eq $true) {
    # If the key exists, then exit with code '1' to indicate that remediation needs to be done.
    Write-Host "'HKEY_CLASSES_ROOT\ms-msdt' key exists. Needs to be remediated."
    exit 1
}
else {
    # If the key does not exist, then exit with code '0' to indicate that no remediation needs to be done.
    Write-Host "'HKEY_CLASSES_ROOT\ms-msdt' key does not exist. No remediation needed."
    exit 0
}

Remediate_MSMSDT-Key.ps1

function Remove-MSMSDTKey {
    [CmdletBinding()]
    param()

    # Add registry hive 'HKEY_CLASSES_ROOT' as a PSDrive named 'HKCR'.
    $null = New-PSDrive -Name "HKCR" -PSProvider "Registry" -Root "HKEY_CLASSES_ROOT"

    try {
        # Remove the 'ms-msdt' key in 'HKCR'.
        Remove-Item -Path "HKCR:\ms-msdt" -Recurse -Force -ErrorAction "Stop"
    }
    catch {
        # Throw a terminating error generated by 'Remove-Item'
        $errorDetails = $PSItem
        $PSCmdlet.ThrowTerminatingError($errorDetails)
    }
    finally {
        # Remove the 'HKCR' PSDrive, even if the removal fails.
        Remove-PSDrive -Name "HKCR"
    }
}

try {
    # Remove the key on the system.
    Remove-MSMSDTKey -ErrorAction "Stop"

    # If no error occurred, then return '0' as an exit to indicate success.
    exit 0
}
catch {
    # If an error occurred, then return the exception message and exit with '1' as the exit code.
    return $PSItem.Exception.Message
    exit 1
}