EMETv4 GPO system settings ignored

I've just installed EMET v4 and am testing a GPO deployment.

I've enabled most settings in the GPO, but the system settings don't seem to be taken up by clients (at least the one I'm testing).

(I've tried rebooting, and explicitly running EMET_Conf.exe --refresh)

EMET_Conf.exe --list appears correct, showing:

C:\Program Files (x86)\EMET 4.0>EMET_Conf.exe --list
EMET configuration for Application mitigations (Registry) is:
Executable             Path                         Mitigations
----------             ----                         -----------

EMET configuration for Application mitigations (GPO) is:
Executable             Path                         Mitigations
----------             ----                         -----------
7z.exe                 *\7-Zip                      DEP SEHOP NullPage HeapSpray
 EAF MandatoryASLR BottomUpASLR LoadLib MemProt Caller SimExecFlow StackPivot
[snip huge list]

The system settings, however, are missing from the GPO:

C:\Program Files (x86)\EMET 4.0>EMET_Conf.exe --list_system
EMET configuration for System mitigations (Registry) is:
DEP: Application Opt In
SEHOP: Disabled
ASLR: Application Opt In
Pinning: Disabled

EMET configuration for System mitigations (GPO) is:

[this is just blank]

Any thoughts?

The GPO definitely sets the system settings (screenshot: http://i.imgur.com/w7k4HMv.png) and the group policy is applied, per gpreport (screenshot: http://i.imgur.com/EYk2aejh.png).

Is there something else I need to do to get the group policy to take effect for the system settings?

June 18th, 2013 12:34am

Still having this issue -- is there a way to delete / reset the EMETv4 registry settings?

(FWIW, this is on 100% updated Windows 8 Pro machines.)

June 18th, 2013 10:30pm

Hi nsemenko,

To delete EMET v4 registry settings, please follow the steps and screenshots in the following thread:

http://social.technet.microsoft.com/Forums/en-US/emet/thread/0b10c1e4-cbdb-4dba-af3a-1fdf3a7a6a98

Please see my post dated the 19th of May that mentions the following registry keys:

HKEY_LOCAL_MACHINE\Software\Microsoft\EMET

HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\EMET

These keys are also mentioned in the following blog post:

http://blogs.technet.com/b/srd/archive/2013/06/17/emet-4-0-now-available-for-download.aspx

I hope this helps. Thank you.

June 19th, 2013 12:12am

After deleting those registry keys & removing/reinstalling EMETv4, the GPO settings are still simply missing. No idea where to go from here.

Again, it's only the system-wide settings that are blank. The app-specific policies are correctly taken from the GPO.

June 19th, 2013 7:20pm

Looking further, this is an issue on 100% of our domain computers (running Windows 8).

Deploying EMETv4 via GPO: Works great!

Setting application EMET policies via GPO: Works great!

Setting system EMET policies via GPO: Completely ignored. Don't appear on any machine.

Has anyone successfully set system policies via GPO in EMETv4?

June 20th, 2013 10:37pm

I have noticed the same behavior from Windows 7 - application settings GPO good; system default posture via GPO nope.

There could be an argument that changing default system postures could destroy your whole fleet, especially if you change DEP with BitLocker on. However, this feature set is exposed in the supplied GPO tools, and is also referenced in the containing documentation.

My guess is that I would never be changing the default system postures in any case, but it is somewhat untidy to be configuring the same tool in multiple places.

Confirmation from Microsoft about whether this is still supported by GPO, or is a bug that will be remedied would be very helpful.

June 21st, 2013 3:05am

I thought we were experiencing the same issue (Windows 7 x86/64 domain), but found otherwise. It appears the --list_system parameter is not working properly, yet the EMET_Conf --list results in our case do include system mitigations, confirmed against the contents of the HKLM\Software\Policies\Microsoft\EMET registry key.

It may also be necessary to explicitly set the ALLUSERS property in the MSI to 1 (via transform, etc.) and redeploy EMET 4.0, as after subsequently logging on with the Administrator account on a target machine and opening the GUI, a Repair installation was invoked, but thereby halted by EMET_Agent.exe running, and ultimately led to the "EMET Agent status: Not Running" error some users experienced running 4.0 Beta.

June 21st, 2013 8:09pm

I thought we were experiencing the same issue (Windows 7 x86/64 domain), but found otherwise. It appears the --list_system parameter is not working properly, yet the EMET_Conf --list results in our case do include system mitigations, confirmed against the contents of the HKLM\Software\Policies\Microsoft\EMET registry key.

Are you sure --list isn't just showing the app settings? That's very strange. (Our app-specific GPO settings are correctly shown by --list, but any GPO system settings just vanish.)

I've tried directly modifying the HKLM\Software\Policies\Microsoft\EMET settings -- they don't seem to do /anything/ in EMET, even after a restart or EMET_Conf --refresh.

June 21st, 2013 10:56pm

You are quite right, thank you for pointing that out. I apologize for not having looked into it further. I had assumed our system settings were correctly applied via GPO, but it seems they may have migrated from 3.0 during deployment, as they matched those I had set in GPO, and which differ from the default values. I figured there was simply an issue with them being displayed under the correct heading of Registry vs. GPO.

Interestingly, changes made in GPO are reflected in the HKLM\Software\Policies\Microsoft\EMET registry keys on target machines; but, as you first pointed out, are not applied to EMET, nor shown as having been updated by the --list_system parameter in either Registry or GPO. By your detailing the issue, I am not sure you confirmed that behavior as well.

In any event, while our system mitigations are as desired, from here on out they are not modifiable via either Registry or GPO, so we are in the same boat...

June 22nd, 2013 1:27am

Looking further, this is an issue on 100% of our domain computers (running Windows 8).

Deploying EMETv4 via GPO: Works great!

Setting application EMET policies via GPO: Works great!

Setting system EMET policies via GPO: Completely ignored. Don't appear on any machine.

Has anyone successfully set system policies via GPO in EMETv4?

I have exactly the same problem but with Win 7 and 8.

I believe it is a bug.

June 25th, 2013 2:26pm

We are aware of this issue; it's a minor visualization bug and we are tracking it. GPO settings for system mitigations are applied correctly and they are not ignored by EMET. It's a visualization issue in the EMET_CONF tool. The workaround is to use reg query to enumerate the GPO settings for System Mitigations:

reg query HKLM\Software\Policies\Microsoft\EMET\SysSettings

  • Proposed as answer by GerardoDG Wednesday, June 26, 2013 5:44 AM
June 25th, 2013 9:25pm

Just to add to this. I too am noticing that my system wide settings are not displaying in the EMET 4.0 GUI but only in Windows 8 x64 (fully patched). Win7 seems to behave correctly. It's good to know the settings are in fact applied, just not showing visually.

Will the fix be a new version of emet...or simply a small update, perhaps via wsus? I would hate to deploy this to my enterprise and have to turn around and do it again. I'd rather wait for a working version.

This is good info though and thanks to everyone!

July 2nd, 2013 3:27pm

  • Proposed as answer by BassY_DummY Sunday, September 15, 2013 7:10 AM
July 2nd, 2013 10:24pm

We have the same issue (W7 64bit, W2008 64bit, W2008 R2). On newly installed stations and terminal servers EMET GUI shows different settings on each server and station. Even though they are controlled by the same GPO.

For Example:
Server1: DEP Opt Out, SEHOP Opt Out, ASLR Opt In, Pinning Enabled
Server2: DEP Opt In, SEHOP Opt In, ASLR Opt In, Pinning Enabled

The options can be modified by administrator. I assume they should be locked and not allowed to be modified.

  • Proposed as answer by BassY_DummY Sunday, September 15, 2013 7:10 AM
July 5th, 2013 3:31pm

I fear this bug is worse than just a visualization issue. When I install EMET (Win7), my system is at the default of DEP: OptIn. I set the GPO for EMET to make DEP OptOut...not only does the EMET gui not show a change but when I run BCDEDIT /v it still says OptIn as well next to the NX option. The registry is set via GPO to DEP: 2 which should be OptOut according to the admx template. FYI I am running the emet_conf --refresh command after GPO applies.

Enumerating DataExecutionPrevention_SupportPolicy with wbemtest also shows that DEP is still set to OptIn. I have to imagine bcdedit and the wmi repository are showing the correct settings meaning EMET GPO is doing nothing with regard to DEP, at least.

This leads me to believe that EMET is in fact NOT setting DEP via GPO. This could mean disaster for machines with Bitlocker enabled.

I would argue this version is not ready for mass deployment :(.

Please advise, perhaps I am missing something. Thanks.



  • Edited by axeshr3dder Tuesday, July 30, 2013 1:01 PM info omission
  • Proposed as answer by axeshr3dder Wednesday, July 31, 2013 3:22 PM
July 30th, 2013 3:33pm
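
Added example, not part of any post in this thread: a PowerShell check that puts the three views compared above side by side (the DEP value under the EMET policy key, the nx setting from bcdedit, and the DEP policy reported by WMI), so a GPO value that was never applied can be told apart from one that is applied but waiting for a reboot. The function name, the value name "DEP" and the one-entry mapping table are assumptions; only "2 = OptOut" comes from the thread.

```powershell
# Added example. Windows PowerShell 2.0+; run elevated so bcdedit can read the BCD store.
$PolicyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\EMET\SysSettings'

# EMET policy value -> DEP mode. The thread gives only 2 = OptOut; fill in the
# rest from the EMET.admx you deployed instead of guessing.
$EmetDepNames = @{ 2 = 'OptOut' }

# Win32_OperatingSystem.DataExecutionPrevention_SupportPolicy values.
$WmiDepNames = @{ 0 = 'AlwaysOff'; 1 = 'AlwaysOn'; 2 = 'OptIn'; 3 = 'OptOut' }

function Get-EmetDepReport {
    # 1. What the GPO wrote. The value name "DEP" is assumed from the thread ("DEP: 2").
    $requested = $null
    $raw = Get-ItemProperty -Path $PolicyKey -Name DEP -ErrorAction SilentlyContinue
    if ($raw) { $requested = $EmetDepNames[[int]$raw.DEP] }

    # 2. What the boot configuration holds (takes effect at the next boot).
    $boot = $null
    $line = bcdedit /enum '{current}' 2>$null |
        Select-String -Pattern '^nx\s+(\S+)' | Select-Object -First 1
    if ($line) { $boot = $line.Matches[0].Groups[1].Value }

    # 3. What the running system reports.
    $os = Get-WmiObject -Class Win32_OperatingSystem
    $running = $WmiDepNames[[int]$os.DataExecutionPrevention_SupportPolicy]

    if (-not $raw)                { $verdict = 'No DEP value under the EMET policy key' }
    elseif (-not $requested)      { $verdict = "Policy value $($raw.DEP) is not in the mapping table" }
    elseif (-not $boot)           { $verdict = 'nx not readable via bcdedit (not elevated, or no nx entry)' }
    elseif ($boot -ne $requested) { $verdict = 'GPO value was NOT applied to the boot configuration' }
    elseif ($running -ne $boot)   { $verdict = 'Applied to boot configuration, reboot pending' }
    else                          { $verdict = 'Applied and active' }

    New-Object psobject -Property @{
        RequestedByGpo = $requested; BootConfigured = $boot
        Running = $running; Verdict = $verdict
    }
}

Get-EmetDepReport | Format-List
```
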

Probably your GPO configuration is broken like http://social.technet.microsoft.com/Forums/security/en-US/0da08146-c6da-4e3b-aa0f-2c39258f7819/space-characters-break-emet-gpo-configuration

What does emet_conf --list show?

  • Proposed as answer by BassY_DummY Sunday, September 15, 2013 7:10 AM
July 31st, 2013 3:02pm

Well I can tell you the same GPO works for EMET 3.0 and does set the system wide mitigation settings correctly.

Emet_conf --list shows a blank GPO settings list like the original poster mentioned. I am talking strictly system settings and not application settings. I'm not sure what your link is trying to tell me there. I am not adding registry keys with reg.exe. Thank you.

  • Proposed as answer by BassY_DummY Sunday, September 15, 2013 7:10 AM
July 31st, 2013 3:54pm

When Emet_conf --list doesn't reflect your configuration, it or EMET may be broken.

The relevant part of http://social.technet.microsoft.com/Forums/security/en-US/0da08146-c6da-4e3b-aa0f-2c39258f7819/space-characters-break-emet-gpo-configuration is NOT the use of reg.exe but that multiple space characters in the configuration break the EMET configuration. You can verify whether you are affected by this via a PowerShell script:

# Policy keys that hold the EMET application settings delivered by GPO
$Keys = @("HKLM:\SOFTWARE\Policies\Microsoft\EMET\AppSettings",
          "HKLM:\SOFTWARE\Policies\Microsoft\EMET\Defaults")
$Keys | ForEach-Object {
    Push-Location
    Set-Location -Path $_
    # Enumerate every value name under the key
    Get-Item . |
    Select-Object -ExpandProperty property |
    ForEach-Object {
        # Report values whose data contains two consecutive spaces
        if (((Get-ItemProperty -Path . -Name $_).$_) -like "*  *") {
            New-Object psobject -Property @{
                "property" = $_;
                "Value"    = (Get-ItemProperty -Path . -Name $_).$_
            }
        }
    }
    Pop-Location
}

It lists corrupted entries in applied EMET Group Policy which contain multiple spaces ("*  *")

  • Proposed as answer by BassY_DummY Sunday, September 15, 2013 7:10 AM
July 31st, 2013 5:52pm

I appreciate that. My app settings are fine. It's the system settings that this thread is concerned with (DEP, ASLR, and SEHOP). Or HKLM\Software\Policies\Microsoft\Emet\SysSettings. My earlier post states that GPO configuration of EMET 4.0 regarding systems settings are in fact not taking place. This has been proven by viewing the BCDEDIT output and the WMI repository for Win32_OperatingSystem.

  • Proposed as answer by BassY_DummY Sunday, September 15, 2013 7:10 AM
July 31st, 2013 6:10pm

Hi,

Just want to clarify this.. So, is there a bug or not? Want to know before I start working on this and applying to my environment.

Thanks!

  • Proposed as answer by BassY_DummY Sunday, September 15, 2013 7:10 AM
August 19th, 2013 10:22pm

Indeed there is a bug. The question is how big. Microsoft, please release EMET 4.01. We are still waiting.

  • Proposed as answer by BassY_DummY Sunday, September 15, 2013 7:10 AM
August 19th, 2013 10:40pm

Thanks Boreks!  I will put this on hold then since EMET 3.0 is working fine in our environment.

  • Proposed as answer by BassY_DummY Sunday, September 15, 2013 7:11 AM
August 20th, 2013 12:19am

Is there an ETA for an update to allow configuration of sys settings from GPO for 4.0?

New to EMET, so no previous clutter, deploying via SCCM, trying to turn on DEP via GPO, failing miserably to do so, as confirmed by bcdedit /v.

November 8th, 2013 1:46pm

I'm skipping this version.  Waiting for the next version.  We are currently in EMET 3.0 and it works fine.
November 8th, 2013 7:39pm

By the way, EMET 4.1, released a couple of weeks ago, fixes this GPO issue. Thanks.
  • Proposed as answer by axeshr3dder Tuesday, December 03, 2013 7:05 PM
December 3rd, 2013 10:03pm

Double space characters don't seem to be a problem any more in EMET 4.1.

Thank you

December 10th, 2013 3:23pm
