CVE-2021-36934

Windows Elevation of Privilege Vulnerability (SeriousSAM)

Primary language: PowerShell

The CVE is described on MSRC. It is remediated here using ECM (aka SCCM) Config Items:

  • See the Remediation and Discovery scripts in the repo.
  • The Config Item's compliance rule checks for a boolean $false return value.

Remediation

In production, we found that we also needed to purge shadow copies other than the ClientAccessible type; we've seen Backup and DataVolumeRollback types that couldn't be deleted directly. Unfortunately, vssadmin clearly states that "only shadow copies that have the ClientAccessible type can be deleted." To purge them anyway, we shrink the shadow storage down to the smallest size allowed (320MB), which causes Windows to purge the oversized shadow copies. We then bring the storage back to a normal/unbounded size.
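As an added example (not one of the repo's own Remediation or Discovery scripts), the PowerShell below automates the shrink-and-restore purge described above: it finds shadow copies that are not ClientAccessible via Win32_ShadowCopy, shrinks each affected volume's shadow storage to the 320MB minimum with vssadmin, restores it, and then re-checks. It assumes an elevated session and that each volume's shadow storage lives on that same volume (so /for and /on use the same letter); the $RestoreSize parameter and the function names are assumptions of this example.

```powershell
# Added example, not the repo's script. Purges shadow copies that
# 'vssadmin delete shadows' refuses (e.g. Backup / DataVolumeRollback types)
# by shrinking shadow storage to the 320MB minimum and then restoring it.
# Assumptions: elevated session; shadow storage for a volume is on that
# same volume (/for and /on match); $RestoreSize defaults to UNBOUNDED.
#Requires -RunAsAdministrator
[CmdletBinding(SupportsShouldProcess)]
param(
    [string]$RestoreSize = 'UNBOUNDED'
)

function Get-StuckShadowCopy {
    # Shadow copies not exposed as ClientAccessible cannot be deleted directly.
    Get-CimInstance -ClassName Win32_ShadowCopy | Where-Object { -not $_.ClientAccessible }
}

function Get-VolumeLetter([string]$VolumeName) {
    # Map the \\?\Volume{GUID}\ name reported by Win32_ShadowCopy to a drive letter (e.g. "C:").
    (Get-CimInstance -ClassName Win32_Volume | Where-Object { $_.DeviceID -eq $VolumeName }).DriveLetter
}

$stuck = Get-StuckShadowCopy
if (-not $stuck) { Write-Output 'No non-ClientAccessible shadow copies found.'; return }

$letters = $stuck | ForEach-Object { Get-VolumeLetter $_.VolumeName } |
    Where-Object { $_ } | Sort-Object -Unique

foreach ($letter in $letters) {
    if ($PSCmdlet.ShouldProcess($letter, "Shrink shadow storage to 320MB, then restore to $RestoreSize")) {
        # Shrinking below the space in use forces Windows to purge the oversized copies.
        & vssadmin.exe resize shadowstorage /for=$letter /on=$letter /maxsize=320MB | Out-Null
        # Restore normal storage so future shadow copies are not starved.
        & vssadmin.exe resize shadowstorage /for=$letter /on=$letter /maxsize=$RestoreSize | Out-Null
    }
}

# Verify: anything still listed here survived the purge and needs manual attention.
$remaining = Get-StuckShadowCopy
if ($remaining) { $remaining | Select-Object ID, VolumeName, InstallDate | Format-Table -AutoSize }
else { Write-Output 'All non-ClientAccessible shadow copies purged.' }
```

Run with -WhatIf first to see which volumes would be touched; note that the resize fails on a volume that has no shadow storage association yet.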