Automatically refreshing EMET GPOs

If you've tried configuring EMET via GPOs, you've probably realized that while the GPOs may process normally and change registry keys on the local system, they do not actually affect the running configuration of EMET. The EMET user guide says the following:

"Once EMET Group Policies are enabled, they will be written out to the registry at HKLM\SOFTWARE\Policies\Microsoft\EMET. To make them effective in EMET, the following command must be executed:
EMET_Conf --refresh"

Architecturally, EMET does not have a service running as SYSTEM or anything else with local admin privileges. It does have a GUI system tray icon, but that runs in your user context. EMET is basically a DLL, emet.dll, that gets injected into processes by means of the Application Compatibility framework. That framework uses a database file listing the process names/paths of the executables that are affected when they start and what should be loaded into those processes. For the app compat database to be updated, the emet_conf --refresh command has to run to pull the GPO registry settings and import them into that database, and that requires admin privileges (so make sure you elevate if you run it manually).

So, with that said, how can I make sure that my changes to GPOs get applied on a periodic basis? Group Policy Preferences to the rescue. We will create a Task Scheduler item with a trigger on Application event ID 1704, source SceCli. So every time we see GPOs refresh (more specifically, security policy applied successfully), the task runs the command emet_conf --refresh.

Keep in mind that XP/2003/Vista require the Group Policy Preferences client-side extension (CSE) to be installed on your client systems to use GPP.

First, edit the existing GPO that you are using to configure settings for your EMET clients. Instead of the normal EMET location, go to Computer Configuration > Preferences > Control Panel Settings > Scheduled Tasks.


Right-click in the open area on the right and create a new Scheduled Task (At least Windows 7). Give the task a name like "EMET CONFIG REFRESH" and assign the user account "NT AUTHORITY\SYSTEM" to run it as; you may need to check "Run with highest privileges" if UAC is enabled.


Next, move to the Triggers tab and click New. Select the trigger "On an event", log Application, source SceCli, event ID 1704, and then click OK.


The next step is to add an Action on the Actions tab. Click New, set the action to "Start a program", browse to where emet_conf resides and select it, and add the argument --refresh (it's two dashes; autocorrect keeps "fixing" mine into a single long dash).


And that should be it. Click OK/Apply out of everything, and on the next GPO refresh you should have a new event-triggered task that updates the EMET configuration based on the last GPO processing.
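The following PowerShell is an added example, not code from the original post or from EMET. It builds the same task (SceCli 1704 event trigger, run as SYSTEM with highest privileges, action `EMET_Conf.exe --refresh`) from task XML and registers it locally with schtasks.exe, so you can test the trigger on one machine before pushing the GPP item out, and it includes a check function that shows what Task Scheduler registered, whether the EMET policy key has actually arrived, and the recent 1704 events the trigger fires on. The EMET_Conf.exe locations and the temp file path are assumptions; adjust them if your install differs. Run it from an elevated prompt.

```powershell
# Added example (not from the original post): register the EMET refresh task
# locally from task XML and verify it. Assumed: EMET_Conf.exe under one of the
# default install folders below; task name matches the post.

$TaskName   = 'EMET CONFIG REFRESH'
$EventQuery = "*[System[Provider[@Name='SceCli'] and EventID=1704]]"   # Application log, SceCli 1704

# Assumed default EMET_Conf.exe locations (64-bit and 32-bit Program Files).
$EmetConfPath = @("${env:ProgramFiles(x86)}\EMET\EMET_Conf.exe",
                  "$env:ProgramFiles\EMET\EMET_Conf.exe") |
    Where-Object { Test-Path $_ } | Select-Object -First 1

function New-EmetRefreshTaskXml {
    # Returns Task Scheduler XML equivalent to the GPP item: event trigger on
    # SceCli 1704, principal S-1-5-18 (NT AUTHORITY\SYSTEM) at highest run level,
    # action EMET_Conf.exe --refresh (two dashes).
    param([Parameter(Mandatory)][string]$ExePath)
    $subscription = [System.Security.SecurityElement]::Escape(
        "<QueryList><Query Id='0' Path='Application'><Select Path='Application'>$EventQuery</Select></Query></QueryList>")
    $command = [System.Security.SecurityElement]::Escape($ExePath)
@"
<?xml version="1.0" encoding="UTF-16"?>
<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers>
    <EventTrigger>
      <Enabled>true</Enabled>
      <Subscription>$subscription</Subscription>
    </EventTrigger>
  </Triggers>
  <Principals>
    <Principal id="Author">
      <UserId>S-1-5-18</UserId>
      <RunLevel>HighestAvailable</RunLevel>
    </Principal>
  </Principals>
  <Settings>
    <MultipleInstancesPolicy>IgnoreNew</MultipleInstancesPolicy>
    <AllowStartOnDemand>true</AllowStartOnDemand>
    <Enabled>true</Enabled>
    <ExecutionTimeLimit>PT5M</ExecutionTimeLimit>
  </Settings>
  <Actions Context="Author">
    <Exec>
      <Command>$command</Command>
      <Arguments>--refresh</Arguments>
    </Exec>
  </Actions>
</Task>
"@
}

function Register-EmetRefreshTask {
    param([string]$Name = $TaskName, [string]$ExePath = $EmetConfPath)
    if (-not $ExePath -or -not (Test-Path $ExePath)) { throw 'EMET_Conf.exe not found; set $EmetConfPath' }
    $xmlFile = Join-Path $env:TEMP 'emet-refresh-task.xml'   # assumed scratch location
    New-EmetRefreshTaskXml -ExePath $ExePath | Set-Content -Path $xmlFile -Encoding Unicode
    & schtasks.exe /Create /TN $Name /XML $xmlFile /F
    if ($LASTEXITCODE -ne 0) { throw "schtasks /Create failed (exit code $LASTEXITCODE)" }
    Remove-Item $xmlFile -ErrorAction SilentlyContinue
}

function Test-EmetRefreshTask {
    param([string]$Name = $TaskName)

    # 1. What Task Scheduler registered: command, account, last run time and result (0 = success).
    & schtasks.exe /Query /TN $Name /FO LIST /V |
        Select-String -Pattern '^(TaskName|Task To Run|Run As User|Last Run Time|Last Result)'

    # 2. The policy key that --refresh imports; if it is missing, the GPO has not reached this box
    #    and the refresh has nothing to pull in.
    $policyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\EMET'
    if (Test-Path $policyKey) {
        "Policy key present; subkeys: $((Get-Item $policyKey).GetSubKeyNames() -join ', ')"
    } else {
        Write-Warning "$policyKey not found; the EMET GPO has not been applied here yet"
    }

    # 3. The trigger source: most recent SceCli 1704 events in the Application log.
    Get-WinEvent -FilterHashtable @{ LogName = 'Application'; ProviderName = 'SceCli'; Id = 1704 } `
        -MaxEvents 3 -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, Id, ProviderName
}

Register-EmetRefreshTask
Test-EmetRefreshTask
```

To watch the trigger fire, run `gpupdate /force` after registering: that reapplies security policy, SceCli logs event 1704, and the task's "Last Run Time" and "Last Result" in the query output should update. The XML the script emits is also what Task Scheduler stores once the GPP item applies, so it is a handy way to compare a client that received the preference with one that did not.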

Thanks and good luck; hopefully this helps you out. Let me know if I messed anything up here.