Control EMET with Group Policy

Q: Is it possible to centrally control the Microsoft Enhanced Mitigation Experience Toolkit (EMET) configuration settings through Group Policy?

A:Yes, EMET 3.0 supports the central configuration of EMET settings using Group Policy Object (GPO) settings. So, if you have EMET installed on some of your Windows systems in your Active Directory (AD) domain so that developers can test application compatibility when the Address Space Layout Randomization (ASLR) attack mitigation feature is enabled, for example, you can use Group Policy to control EMET settings.

Related: Q. What's the Enhanced Mitigation Experience Toolkit (EMET)?

When you install EMET, the EMET.admx and EMET.adml administrative template files are automatically installed to the Program FilesEMETDeploymentGroup Policy Files folder. To effectively leverage these files from your GPOs, you must copy the .admx file to the WindowsPolicyDefinitions file system folder and the .adml file to the WindowsPolicyDefinitionsen-US folder. After moving the files, you can centrally configure system-wide and application-specific EMET attack mitigation settings from the Computer ConfigurationAdministrative TemplateWindows ComponentsEMET GPO container, as Figure 1 shows.

Figure 1: The Enhanced Mitigation Experience Toolkit (EMET) GPO settings

For example, to exempt the Google Chrome application from ASLR on all machines in your domain that have EMET installed, you can use the Application Settings GPO setting, as Figure 2 shows. To configure this option, open the setting, set it to Enabled, then click the Show button at the bottom. Finally, enter "chrome.exe -MandatoryASLR" in the Show Contents screen to add the domain-wide ASLR opt out exception for chrome.exe.

Figure 2: Defining an application exception for chrome.exe by using EMET GPO settings

After you've centrally configured EMET GPO settings, the GPO client-side engine writes them to the local system registry at HKEY_LOCAL_MACHINESOFTWAREPoliciesMicrosoftEMET. But this step alone isn't sufficient to apply the EMET settings automatically on the level of the EMET client-side logic. To make them effective in EMET, you must run the following EMET_Conf.exe command during system startup or user logon:

EMET_Conf --refresh

(Note the use of a double dash before refresh.) Also keep in mind that the EMET settings you configure through Group Policy take precedence over the settings an administrator or user configures locally by using the EMET GUI or command-line tools.

Learn More: Using EMET to Disable Specific Applications