An EMET customer pointed out that for the Default Sets in the .admx GPO’s the “Disabled” setting wasn’t actually doing anything.
After some review of it appeared that these 3 settings have an <enabledList> however no <disabledList> in the GPO to control them which in turn meant the Disabled button didn’t perform a removal of the registry keys. Setting to Not Configured would remove them however in a tiered GPO situation an Enabled would take precedence over a Not Configured Setting.
I’ve attached an updated emet.admx file to this post that contains settings that will make the Disabled setting properly work. If you use emet.admx in your environment I recommend replacing the copy you currently have in your SYSVOL Policy Definitions folder (the emet.adml doesn’t need any changes).
Here is the link to get an updated copy. http://1drv.ms/1wl5EN6