Hi,

We are currently using EMET 3.0 and the policy is being controlled via Group Policy.  I noticed that EMET 4.0 has its own GPO/ ADM file and I wonder if they are the same with 3.0? If yes, is there still a need for me to re-import the adm files for EMET 4.0 or 3.0 GPO will work just fine?

If no, it looks like if I re-add the new ADM file it will overwrite the existing GPO regardless I create a new policy.  Group Policy Management already knows that there is an existing EMET GPO.

How should I handle this with no impact to my users? Or there's no need if I already have GPO for 3.0 in place? or can I remove 3.0 GPO, install 4.0 GPO and my EMET 3.0 users are supported?

I'd wait for a bit --

The 4.0 GPO is broken for system settings:

http://social.technet.microsoft.com/Forums/security/en-US/a07e9b8a-73a4-4d40-8b9a-da5b24257f85/emetv4-gpo-system-settings-ignored

Thanks for pointing that out!  I will wait then. But say for example this was fixed, would you know the answer to my questions?  Thanks so much!!

 

Unfortunately, I'm not sure RE GPO changes from 3.0 to 4.0. I've never run version 3.

According to the answer of the EMET team, the GPO for system settings is not broken. There is only a display bug when listing the mitigations in the terminal.

The GPOs for EMET 3.0 should (read: will) work fine with EMET 4.0 as they leverage the same registry values. Though, ADMX files for EMET 4.0 will provide more configuration options. This include the reporting settings (events, tooltip, error reports), whether EMET runs in audit mode, the visibility of EMET tray icon, ...

Thanks for the clarification. So.... do you know... what if I remove my EMET 3.0 GPO and replace it with the 4.0 AMDX files.  Will that work backwards to 3.0 EMET clients so I can slowly do the transition to the new version without affecting my 3.0 users?

I ran an XSL transform on the ADMX files to convert them to a more readable format and compared v3 vs. v4 using WinDiff - here is my impression:

- There are a few new policy settings (e.g. TrayIconMsg) that add entries to HKLM\Software\Policies\Microsoft\EMET\SysSettings, probably not impacting v3 since they will likely be ignored by v3.

- The "Default Protections for Microsoft Works[...]" policy setting was now displays as "Default Protections for Recommended Software".  Same registry location however so probably not impacting v3.

- Note that Java7 and Acrobat/Reader11 are now included in the v4 admx file so you don't have to manually type those application paths in the Application Settings policy setting.

- For some of the "Default Protections" entries (e.g. "Default Protections for Recommended Software")
  --the individual software program paths were renamed (e.g. "OFFICE10" and "OFFICE11" changed to "OFFICE1*")
  --or had more compatible settings added (e.g. "chrome.exe" changed to "chrome.exe -SEHOP")
  --or had more compatible settings removed (e.g. "OFFICE10" no longer uses "-DEP")
  --or had a new ROP exclusion (e.g. "itunes.exe" changed to "itunes.exe -Caller")
  --or were moved to other policy settings (e.g. Java was moved from "Default Protections for Popular Software" to "Default Protections for Recommended Software")
  --or added/removed (e.g. "MOE.exe" and "SykDrive.exe"). 
So you may have different pieces of software protected after editing group policy using the v4 admx files, primarily if you didn't have all three of the "Default Protection" policy settings enabled before.  And there may or may not be an issue related to the itunes setting.

If the old policy created with v3 admx files enabled all three "Default Protections for Internet Explorer", "Default Protections for Recommended Software", and "Default Protections for Popular Software" settings, and you don't run Office10, and if EMET v3 is OK with the new iTunes ROP entry (I have not tested), then the new policy created with v4 admx files doesn't appear functionally too different for EMET v3, but appears to be using some better settings.

Overall, it may impact your users, so you might want to keep the existing v3 GPO for EMET v3, and create a new v4 GPO using v4 admx/adml for EMET v4.  

Thank you so much for such detailed information.  I'm sure that a lot of people will find this very helpful.

My follow up questions is... you said, "so you might want to keep the existing v3 GPO for EMET v3, and create a new v4 GPO using v4 admx/adml for EMET v4. " - I tried to do that but I couldn't import because when I do that, I get a message like it exists already (referring to EMET v3 GPO).  How do I import EMET 4 GPO without conflicting it with the existing EMET 3.0?

Please check the original post for a picture of the error message I get when I import EMET 4.0 GPO.

Thanks!

To the best of my knowlege, it isn't possible to have EMET v3 admx and the EMET v4 admx file in the same computer's c:\windows\PolicyDefinitions folder together, since they both define the the same group policy, and have different conflicting settings.  The EMET admx file adds the EMET entry to the group policy editor GUI and serves as a translation table used to convert items checked in the group policy editor GUI into the registry entries stored in the GPO.

I am editing our existing EMET v3 configuration GPO using a computer that has the EMET v3 admx file installed, and editing our new EMET v4 configuration GPO using a different computer that has the new EMET v4 admx file installed.  Otherwise the GPO could get incorrect registry settings created for that version.  Not the easiest solution though.