EMET v5.1 ADMX Group Policy Template Issue - Default protection settings can't be disabled

I am configuring EMET v5.1 (from 11/18/14) settings via GPO using the custom EMET admx template provided by Microsoft. I am able to enable all the EMET settings via GPMC and disable most of them, but I am not able to disable these 3 EMET settings via GPMC in a GPO:

Default Protections for Internet Explorer

Default Protections for Popular Software

Default Protections for Recommended Software

When configuring any of these 3 EMET GPO settings to disabled and pressing apply or OK, GPMC keeps it at Not Configured, it does not change to disabled as it normally would. I have never before seen this in GPMC, where you try to disable a setting and it doesn't change to disabled.

Unless this is somehow intended by Microsoft for these 3 EMET GPO settings, I think that this is a glitch/bug in the EMET GPO Template or the way that it works in GPMC.

Looking for some guidance from an MS rep to replicate this issue, or anyone else who can confirm if they also see this issue. I have tested on multiple Windows 8.1 Enterprise x64 Update 2 workstations, with GPMC loaded and the latest EMET ADMX file loaded from the EMET client on 11/18/14. I have tested this in 2 separate domains. Note that we do not have Central ADMX Stores in either domain.

November 21st, 2014 10:35pm

I'd recommend not using our admx templates.

http://blogs.technet.com/b/kfalde/archive/2014/04/30/configuring-emet-via-gpo-gpp-w-o-using-the-admx-files.aspx - use that instead and use configuration xml files, as this is much more full featured.

November 24th, 2014 9:17pm

Interesting, I see that article, however using local .xml file configuration appears to be a lot more complicated than using the GPO Templates to configure EMET. We want to use GPO to configure EMET so that we can easily change the settings and not have to mess with pushing/changing .xml file or managing scheduled tasks etc.

Normally we could disable some of the EMET settings in a GPO of higher precedence and then apply that to just some workstations that we want to disable some EMET settings on. However the 3 EMET settings I listed above can't be set to disabled in GPMC and it appears to be a glitch. I'm trying to figure out if this is a bug Microsoft is aware of with the template or if there is potentially something in our environment causing this.

November 25th, 2014 8:12pm

Does anyone else know about the admx template and if this is a known issue or the expected behavior by MS? We would like to use the admx templates and group policy for ease of management versus using any local files on the systems.
November 28th, 2014 7:01pm

I haven't been able to test this, however have you just tried setting them to Not Configured? Not Configured in this case == Disabled. From a reg key perspective, either the reg keys are created for Popular Software or they are not created. Since this is an admx/admin template there is no "tattooing" whereby you need a "Disabled" setting.

Again I strongly recommend using xml config files. If you set it up properly you typically only need to replace the XML file stored in the GPO if you need to make changes.

December 1st, 2014 9:59pm

So setting the setting to Not Configured will remove it, if there was only one GPO managing EMET. Our issue is that once we have a GPO (Primary EMET GPO) deployed enabling all these settings across all the workstations, we then will have a separate GPO (EMET Exception GPO), applying with a higher precedence, that we want to use to disable some of the enabled settings only on specific workstations (the GPO will be filtered via security group).

Please correct me if I'm wrong here, but in terms of GPO application/precedence, if we configure the settings in the EMET Exception GPO to Not Configured, they won't actually do anything, because the workstations will be getting the enabled settings from the Primary EMET GPO. When two group policies apply to the same client, if one has an enabled setting, even if it is lower precedence than another GPO with a not configured setting, the enabled setting will always win over the not configured setting.

We need a disabled setting configured in our EMET Exception GPO set to higher precedence to actually override the enabled settings configured in the Primary EMET GPO of lower precedence.

December 3rd, 2014 12:32am

I had a similar requirement as yours and found that we were able to get around it in a simpler method than what was listed here. What we did was set GPO Preferences Registry changes, which would then override the previously set EMET ADMX settings set from another global GPO.

To be specific, we had some third-party applications which were add-ons to Microsoft Excel, and EMET was preventing the application from talking to Excel. So for the users that use this application we have a GPO which does the following in the Preferences section:

Action: Replace

HIVE: HKEY_LOCAL_MACHINE

Key path: SOFTWARE\Policies\Microsoft\EMET\Defaults

Value name: Excel

Value type: REG_SZ

Value data: *\OFFICE1*\EXCEL.EXE -Caller -MandatoryASLR

December 23rd, 2014 12:06am
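Both the "Not Configured == Disabled" explanation above and the GPP Registry override in the last post come down to the same thing: what is, or is not, present under the EMET policy key on the workstation after Group Policy has applied. The script below is an added example written for this thread, not code from Microsoft or from any poster. It assumes the key path `HKLM\SOFTWARE\Policies\Microsoft\EMET\Defaults` and the value syntax shown in the last post (an application path pattern followed by `-Mitigation` opt-out flags); the function names and the `Excel` check are the author's own choices.

```powershell
# Added example (not from the thread): audit the EMET policy registry key that both the
# ADMX template and a GPP Registry item write to, so an admin can confirm which GPO "won".
# Assumptions: run locally after 'gpupdate /force'; key path and value syntax as in the thread.

$PolicyRoot = 'HKLM:\SOFTWARE\Policies\Microsoft\EMET'

function Get-EmetPolicyApps {
    param([string]$SubKey = 'Defaults')   # 'Defaults' holds the Default Protections entries
    $key = Join-Path $PolicyRoot $SubKey
    if (-not (Test-Path $key)) {
        # No key at all: the policy is Not Configured (or was removed), so no defaults are pushed
        return @()
    }
    $item = Get-Item -Path $key
    foreach ($name in $item.GetValueNames()) {
        $data = [string]$item.GetValue($name)
        # Value data syntax: "<path pattern> -Flag1 -Flag2"; tokens starting with '-' are
        # mitigations switched OFF for that application
        $tokens = $data -split '\s+' | Where-Object { $_ }
        [pscustomobject]@{
            Name     = $name
            Path     = ($tokens | Where-Object { $_ -notlike '-*' }) -join ' '
            OptedOut = @($tokens | Where-Object { $_ -like '-*' } | ForEach-Object { $_.TrimStart('-') })
            SubKey   = $SubKey
        }
    }
}

function Test-EmetOverride {
    # Checks that a GPP Registry "Replace" item (as in the last post) actually landed and
    # was not re-applied over by a lower-precedence ADMX setting.
    param(
        [Parameter(Mandatory)][string]$ValueName,
        [string[]]$ExpectedOptOut = @()
    )
    $entry = Get-EmetPolicyApps | Where-Object { $_.Name -eq $ValueName }
    if (-not $entry) {
        return "'$ValueName' not present under $PolicyRoot\Defaults (policy Not Configured, or the GPP item did not apply)"
    }
    $missing = @($ExpectedOptOut | Where-Object { $entry.OptedOut -notcontains $_ })
    if ($missing.Count -gt 0) {
        return "'$ValueName' present but opt-outs missing: $($missing -join ', ') (check GPO precedence/filtering)"
    }
    return "'$ValueName' -> $($entry.Path) with opt-outs: $($entry.OptedOut -join ', ')"
}

# Show everything the policy currently pushes, then verify the Excel override from the thread
Get-EmetPolicyApps | Format-Table Name, Path, @{ n = 'OptedOut'; e = { $_.OptedOut -join ',' } } -AutoSize
Test-EmetOverride -ValueName 'Excel' -ExpectedOptOut @('Caller', 'MandatoryASLR')
```

Run it on a workstation in the exception security group after `gpupdate /force`; if the Excel entry is missing or lacks the expected opt-outs, `gpresult /h report.html` shows which GPO last wrote the setting. Because it only reads the policy key, the script is safe to run on any machine as part of a change check.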
