Control EMET with Group Policy

Control EMET with Group Policy

Q: Is it possible to centrally control the Microsoft Enhanced Mitigation Experience Toolkit (EMET) configuration settings through Group Policy?

A:Yes, EMET 3.0 supports the central configuration of EMET settings using Group Policy Object (GPO) settings. So, if you have EMET installed on some of your Windows systems in your Active Directory (AD) domain so that developers can test application compatibility when the Address Space Layout Randomization (ASLR) attack mitigation feature is enabled, for example, you can use Group Policy to control EMET settings.

Related: Q. What's the Enhanced Mitigation Experience Toolkit (EMET)?

When you install EMET, the EMET.admx and EMET.adml administrative template files are automatically installed to the \Program Files\EMET\Deployment\Group Policy Files folder. To effectively leverage these files from your GPOs, you must copy the .admx file to the \Windows\PolicyDefinitions file system folder and the .adml file to the \Windows\PolicyDefinitions\en-US folder. After moving the files, you can centrally configure system-wide and application-specific EMET attack mitigation settings from the \Computer Configuration\Administrative Template\Windows Components\EMET GPO container, as Figure 1 shows.

The Enhanced Mitigation Experience Toolkit (EMET) GPO settings
Figure 1: The Enhanced Mitigation Experience Toolkit (EMET) GPO settings

For example, to exempt the Google Chrome application from ASLR on all machines in your domain that have EMET installed, you can use the Application Settings GPO setting, as Figure 2 shows. To configure this option, open the setting, set it to Enabled, then click the Show button at the bottom. Finally, enter "chrome.exe -MandatoryASLR" in the Show Contents screen to add the domain-wide ASLR opt out exception for chrome.exe.

Defining an application exception for chrome.exe by using EMET GPO settings
Figure 2: Defining an application exception for chrome.exe by using EMET GPO settings

After you've centrally configured EMET GPO settings, the GPO client-side engine writes them to the local system registry at HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\EMET. But this step alone isn't sufficient to apply the EMET settings automatically on the level of the EMET client-side logic. To make them effective in EMET, you must run the following EMET_Conf.exe command during system startup or user logon:

EMET_Conf --refresh

(Note the use of a double dash before refresh.) Also keep in mind that the EMET settings you configure through Group Policy take precedence over the settings an administrator or user configures locally by using the EMET GUI or command-line tools.

Learn More: Using EMET to Disable Specific Applications

Hide comments


  • Allowed HTML tags: <em> <strong> <blockquote> <br> <p>

Plain text

  • No HTML tags allowed.
  • Web page addresses and e-mail addresses turn into links automatically.
  • Lines and paragraphs break automatically.