Setting EMET Local Configuration via GPP
Our PG (product group) released EMET 5.0 (yay!) and it works pretty well. It has some cool new functionality, such as actually blocking on pinning rules and the new ASR (Attack Surface Reduction) feature, which I feel is very cool too. A big fix is that there is now a service, and that service properly refreshes GPO settings on the client.
With that said, there are still reasons why you may want to use the “local” configuration settings rather than the “admx” (Group Policy) configuration settings. In general the local settings are more complete: you can do things like pinning rules and ASR, which you cannot do via admx. Another difference is that “local” settings show up in the local GUI, whereas admx/GPO settings can only be viewed on the system with the emet_conf --list command. One way of setting the local settings is to export an XML configuration and import it with the emet_conf utility. That can be done via an SCCM package, via a scheduled task created through GPP (as in a previous blog article), or pretty much any way you want to call emet_conf. A coworker and I were discussing this and he brought up a new idea: what if we bypassed the XML file and the import/export step entirely and directly set the registry keys that the XML file configures? Great idea, Shane.
So first off, for reference, all of the configuration keys are under HKLM\Software\Microsoft\EMET. I knew that GPP had a registry wizard that lets you import keys/values, so I figured I could just select a key and get everything under it…
Wrong. Apparently you must check every key and value individually; couple that with a non-resizable GUI, a pointer stick on a laptop in a hotel and possibly hundreds of clicks, and I quickly gave up on that thought. A little more research showed that you can export and import properly formatted XML files of registry keys/values into GPP, and a little further research showed there are some free utilities out there for converting a .reg file into the properly formatted XML file as well.
The following is what you need to do to create a GPP with all of your current EMET settings in it:
- Export your local HKLM\Software\Microsoft\EMET path to a .reg file
- Take your .reg file to http://www.runecasters.com.au/reg2gpp and upload it there. Follow the directions, leave the action as “Update” and leave the checkboxes blank. It will parse the file and present you with a download of an .xml file of the same name. (It would be nice to have a version of this utility in PowerShell.) UPDATE!! Someone has written a PowerShell script to do this; see http://chentiangemalc.wordpress.com/2014/07/02/importing-reg-files-into-group-policy-preferences/ for a script you can download that converts a .reg into a GPP-formatted .xml.
- Take your new xml file and drag it into a GPO to apply to systems
- Link the new GPO to the systems you wish to apply the settings to. This lets GPOs refresh properly at the normal 90-120 minute interval, doesn’t require running an import, configures ASR/pinning and is also visible in the local GUI.
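As an added example (not the runecasters converter or the script linked above, and not part of the original post), here is a PowerShell function that does the .reg to GPP Registry.xml conversion the steps above describe. It assumes a standard “Windows Registry Editor Version 5.00” export as produced by regedit, handles REG_SZ, REG_DWORD, REG_EXPAND_SZ and REG_BINARY data, and writes every item with the “Update” action recommended above; the sample .reg content and its value names are constructed placeholders, not real EMET settings.

```powershell
# Added example, not the runecasters tool or the script linked in the post:
# convert a .reg export of the EMET key into the Registry.xml format that
# Group Policy Preferences imports, with every item set to the "Update" action.
# Assumes a standard "Windows Registry Editor Version 5.00" export.

function ConvertFrom-RegHexString([string]$HexList) {
    # "68,00,69,00,00,00" -> "hi"; hex(2) data is UTF-16LE with a trailing NUL
    $bytes = @($HexList -split ',' | Where-Object { $_ -ne '' } |
               ForEach-Object { [Convert]::ToByte($_, 16) })
    [System.Text.Encoding]::Unicode.GetString([byte[]]$bytes).TrimEnd([char]0)
}

function ConvertTo-XmlAttr([string]$s) {
    # Escape &, <, >, " and ' so arbitrary paths and strings are safe in attributes
    [System.Security.SecurityElement]::Escape($s)
}

function ConvertFrom-RegToGppXml {
    param([Parameter(Mandatory)][string[]]$RegLines)

    # Re-join hex data that the export wraps onto several lines with a trailing backslash
    $logical = New-Object System.Collections.Generic.List[string]
    $pending = ''
    foreach ($raw in $RegLines) {
        $line = $raw.Trim()
        if ($line.EndsWith('\')) { $pending += $line.TrimEnd('\'); continue }
        $logical.Add($pending + $line); $pending = ''
    }

    $hiveMap = @{ 'HKEY_LOCAL_MACHINE' = 'HKEY_LOCAL_MACHINE'; 'HKLM' = 'HKEY_LOCAL_MACHINE'
                  'HKEY_CURRENT_USER'  = 'HKEY_CURRENT_USER';  'HKCU' = 'HKEY_CURRENT_USER' }
    $stamp = (Get-Date).ToString('yyyy-MM-dd HH:mm:ss')
    $items = New-Object System.Collections.Generic.List[string]
    $hive = $null; $key = $null

    foreach ($line in $logical) {
        # Section header: [HIVE\Sub\Key]
        if ($line -match '^\[(?<hive>[^\\\]]+)\\(?<key>[^\]]+)\]$') {
            $hive = $hiveMap[$Matches.hive]; $key = $Matches.key
            if (-not $hive) { throw "Unsupported hive in '$line'" }
            continue
        }
        # Value line: "name"=data, or @=data for the key's default value
        if (-not $key) { continue }
        if ($line -notmatch '^(?:"(?<name>(?:[^"\\]|\\.)*)"|(?<def>@))=(?<data>.*)$') { continue }

        $isDefault = [bool]$Matches.def
        $name = if ($isDefault) { '' } else { $Matches.name -replace '\\(["\\])', '$1' }
        $data = $Matches.data
        $type = $null
        switch -Regex ($data) {
            '^dword:([0-9a-fA-F]{8})$' { $type = 'REG_DWORD';     $value = $Matches[1].ToUpper(); break }
            '^hex\(2\):(.*)$'          { $type = 'REG_EXPAND_SZ'; $value = ConvertFrom-RegHexString $Matches[1]; break }
            '^hex:(.*)$'               { $type = 'REG_BINARY';    $value = ($Matches[1] -replace ',', '').ToUpper(); break }
            '^"(.*)"$'                 { $type = 'REG_SZ';        $value = $Matches[1] -replace '\\(["\\])', '$1'; break }
        }
        if (-not $type) { Write-Warning "Skipping '$name': unsupported data '$data'"; continue }

        $display = if ($isDefault) { '(Default)' } else { $name }
        $uid     = '{' + [guid]::NewGuid().ToString().ToUpper() + '}'
        $decimal = if ($type -eq 'REG_DWORD') { 1 } else { 0 }
        $default = if ($isDefault) { 1 } else { 0 }
        # action="U" with image="7" is the GPP "Update" action, as the post recommends
        $item = @"
  <Registry clsid="{9CD4B2F4-923D-47f5-A062-E897DD1DAD50}" name="$(ConvertTo-XmlAttr $display)" status="$(ConvertTo-XmlAttr $display)" image="7" changed="$stamp" uid="$uid">
    <Properties action="U" displayDecimal="$decimal" default="$default" hive="$hive" key="$(ConvertTo-XmlAttr $key)" name="$(ConvertTo-XmlAttr $name)" type="$type" value="$(ConvertTo-XmlAttr $value)"/>
  </Registry>
"@
        $items.Add($item)
    }

    @"
<?xml version="1.0" encoding="utf-8"?>
<RegistrySettings clsid="{A3CCFC41-DFDB-43a5-8D26-0FE8B954DA51}">
$($items -join "`n")
</RegistrySettings>
"@
}

# Constructed sample export; the value names are placeholders, not real EMET settings
$sampleReg = @'
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\EMET]
"ExampleDword"=dword:00000001
"ExamplePath"="C:\\Program Files\\Example\\app.exe"
"ExampleBinary"=hex:01,02,\
  03,04

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\EMET\ExampleSubKey]
@="default value"
'@ -split "`r?`n"

$xml = ConvertFrom-RegToGppXml -RegLines $sampleReg
$xml | Set-Content -Path .\Registry.xml -Encoding UTF8
```

The resulting Registry.xml is the file you drag into the GPO. In practice you would run the function over the real export from step one (`Get-Content .\EMET.reg`) instead of the constructed sample; review the generated items before linking the GPO, since an “Update” item will overwrite whatever value the client currently holds.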
If you have any questions, leave them in the comments and I’ll do my best to answer. Thanks!