Control EMET with Group Policy

Microsoft Enhanced Mitigation Experience Toolkit (EMET) 3.0 supports the central configuration of EMET settings using Group Policy Object (GPO) settings; here's how to apply them.

Jan De Clercq

May 1, 2013

2 Min Read
Control EMET with Group Policy

Q: Is it possible to centrally control the Microsoft Enhanced Mitigation Experience Toolkit (EMET) configuration settings through Group Policy?

A:Yes, EMET 3.0 supports the central configuration of EMET settings using Group Policy Object (GPO) settings. So, if you have EMET installed on some of your Windows systems in your Active Directory (AD) domain so that developers can test application compatibility when the Address Space Layout Randomization (ASLR) attack mitigation feature is enabled, for example, you can use Group Policy to control EMET settings.

Related: Q. What's the Enhanced Mitigation Experience Toolkit (EMET)?

When you install EMET, the EMET.admx and EMET.adml administrative template files are automatically installed to the Program FilesEMETDeploymentGroup Policy Files folder. To effectively leverage these files from your GPOs, you must copy the .admx file to the WindowsPolicyDefinitions file system folder and the .adml file to the WindowsPolicyDefinitionsen-US folder. After moving the files, you can centrally configure system-wide and application-specific EMET attack mitigation settings from the Computer ConfigurationAdministrative TemplateWindows ComponentsEMET GPO container, as Figure 1 shows.

 logo in a gray background |

For example, to exempt the Google Chrome application from ASLR on all machines in your domain that have EMET installed, you can use the Application Settings GPO setting, as Figure 2 shows. To configure this option, open the setting, set it to Enabled, then click the Show button at the bottom. Finally, enter "chrome.exe -MandatoryASLR" in the Show Contents screen to add the domain-wide ASLR opt out exception for chrome.exe.

 logo in a gray background |

After you've centrally configured EMET GPO settings, the GPO client-side engine writes them to the local system registry at HKEY_LOCAL_MACHINESOFTWAREPoliciesMicrosoftEMET. But this step alone isn't sufficient to apply the EMET settings automatically on the level of the EMET client-side logic. To make them effective in EMET, you must run the following EMET_Conf.exe command during system startup or user logon:

EMET_Conf --refresh

(Note the use of a double dash before refresh.) Also keep in mind that the EMET settings you configure through Group Policy take precedence over the settings an administrator or user configures locally by using the EMET GUI or command-line tools.

Learn More: Using EMET to Disable Specific Applications

Sign up for the ITPro Today newsletter
Stay on top of the IT universe with commentary, news analysis, how-to's, and tips delivered to your inbox daily.

You May Also Like